From 16a564e2d4119f49e8017f3cd11f6ec81dea90df Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 22 May 2019 17:23:43 +0200 Subject: [PATCH 001/247] generic ssh updated to new SCA rules --- sca/generic/system_audit_ssh.yml | 49 ++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml index 04adc0edf..a71d02796 100644 --- a/sca/generic/system_audit_ssh.yml +++ b/sca/generic/system_audit_ssh.yml @@ -18,17 +18,16 @@ policy: requirements: title: "Check that the SSH service is installed on the system" description: "Requirements for running the SCA scan against the SSH policy." - condition: "all required" + condition: "all" rules: - - 'f:/etc/ssh/sshd_config;' + - f:/etc/ssh/sshd_config; variables: $sshd_file: /etc/ssh/sshd_config; - checks: - id: 1500 - title: "SSH Hardening - 1: Port 22" + title: "SSH Hardening - 1: Port should not be 22" description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." remediation: "Change the Port option value in the sshd_config file." @@ -36,9 +35,10 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> IN !r:^# && r:Port\.+22;' + - f:$sshd_file -> !r:^# && n:Port\s*\t*(\d+) compare != 22 + - id: 1501 - title: "SSH Hardening - 2: Protocol 1" + title: "SSH Hardening - 2: Protocol should not be 1" description: "The SSH protocol should not be 1." rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses." remediation: "Change the Protocol option value in the sshd_config file." 
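Review bot: The requirements rule `- f:/etc/ssh/sshd_config;` keeps its trailing `;` while every check rule rewritten in this patch drops it (`- f:$sshd_file -> ...`), and the context line `$sshd_file: /etc/ssh/sshd_config;` still ends in one as well. If the new rule syntax no longer strips a trailing semicolon, the path does not resolve, the requirement fails and the whole policy is skipped instead of a single check failing; if it does strip it, the mixed style is merely inconsistent. I would write `- f:/etc/ssh/sshd_config` here and confirm which form the variable needs, since the password policy later on this page defines `$pam_d_files` without a semicolon.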
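Review bot: `condition: any` with `n:Port\s*\t*(\d+) compare != 22` passes as soon as one Port line is not 22, but sshd accepts several Port directives, so a config carrying both `Port 2222` and `Port 22` still listens on 22 and passes check 1500. A tighter pairing is `condition: all` with `- f:$sshd_file -> r:^\s*Port\s+\d+` and `- not f:$sshd_file -> r:^\s*Port\s+22\s*$`, which still fails when the directive is absent (default 22) and no longer needs the `!r:^#` guard because the keyword is anchored to the start of the line. The `not` form is the one this file adopts in the following commit.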
@@ -46,15 +46,17 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> IN !r:^# && r:Protocol\.+1;' + - f:$sshd_file -> !r:^# && n:Protocol\s*\t*(\d+) compare > 1 + - id: 1502 - title: "SSH Hardening - 3: Root can log in" + title: "SSH Hardening - 3: Root account should not be able to log in" description: "The option PermitRootLogin should be set to no." rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses." remediation: "Change the PermitRootLogin option value in the sshd_config file." condition: any rules: - - 'f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;' + - f:$sshd_file -> r:^\s*PermitRootLogin\.+no + - id: 1503 title: "SSH Hardening - 4: No Public Key authentication" description: "The option PubkeyAuthentication should be set yes." @@ -64,9 +66,10 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> !r:^\s*PubkeyAuthentication\.+yes;' + - f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes + - id: 1504 - title: "SSH Hardening - 5: Password Authentication" + title: "SSH Hardening - 5: Password Authentication should be disabled" description: "The option PasswordAuthentication should be set to no." rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." remediation: "Change the PasswordAuthentication option value in the sshd_config file." 
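Review bot: `r:^\s*PermitRootLogin\.+no` is open-ended, so a `PermitRootLogin no` placed inside a `Match` block satisfies check 1502 while the global value stays `yes`, and any value that merely contains `no` would pass too. Anchor the value: `- f:$sshd_file -> r:^\s*PermitRootLogin\s+no\s*$`, using the `\s*$` form the removed LoginGraceTime rule already used. The same `\.+value` shape is used for PubkeyAuthentication (next hunk), PasswordAuthentication, PermitEmptyPasswords and IgnoreRhosts further down this page.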
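Review bot: `r:^\s*PubkeyAuthentication\.+yes` fails whenever the directive is absent, yet `yes` is sshd's default, so a stock config with public-key authentication enabled is reported as non-compliant by check 1503. The next commit ("Account for default values") fixes PermitEmptyPasswords and IgnoreRhosts with a negated rule but leaves this one untouched; the same treatment applies here: `- not f:$sshd_file -> r:^\s*PubkeyAuthentication\s+no\s*$`.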
@@ -74,9 +77,10 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> !r:^\s*PasswordAuthentication\.+no;' + - f:$sshd_file -> r:^\s*PasswordAuthentication\.+no + - id: 1505 - title: "SSH Hardening - 6: Empty passwords allowed" + title: "SSH Hardening - 6: Empty passwords should not be allowed" description: "The option PermitEmptyPasswords should be set to no." rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." @@ -84,9 +88,10 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;' + - f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no + - id: 1506 - title: "SSH Hardening - 7: Rhost or shost used for authentication" + title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" description: "The option IgnoreRhosts should be set to yes." rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." remediation: "Change the IgnoreRhosts option value in the sshd_config file." 
@@ -94,24 +99,26 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> !r:^\s*IgnoreRhosts\.+yes;' + - f:$sshd_file -> r:^\s*IgnoreRhosts\.+yes + - id: 1507 - title: "SSH Hardening - 8: Wrong Grace Time." - description: "The option LoginGraceTime should be set to 30." + title: "SSH Hardening - 8: Grace Time should be 30 or less." + description: "The option LoginGraceTime should be set to 30 or less." rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." remediation: "Change the LoginGraceTime option value in the sshd_config file." compliance: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> !r:^\s*LoginGraceTime\s+30\s*$;' + - f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+) compare <= 30 + - id: 1508 title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" - description: "The option MaxAuthTries should be set to 4." + description: "The option MaxAuthTries should be set to 4 or less." rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4." remediation: "Change the MaxAuthTries option value in the sshd_config file." compliance: - pci_dss: "2.2.4" condition: any rules: - - 'f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;' + - f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4 From a6c8954f75a51276ae97169d2ba534cafda10011 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Thu, 23 May 2019 14:36:19 +0200 Subject: [PATCH 002/247] Account for default values --- sca/generic/system_audit_ssh.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) 
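Review bot: `n:^\s*LoginGraceTime\s+(\d+) compare <= 30` accepts `LoginGraceTime 0`, and in sshd a value of 0 means no limit, which is the opposite of what check 1507 is after. Guard the zero case explicitly, e.g. `condition: all` with the existing rule plus `- not f:$sshd_file -> r:^\s*LoginGraceTime\s+0\s*$`. In 1508 the description now says "4 or less" while the unchanged rationale still ends with "This should be set to 4"; align the two.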
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
index a71d02796..654c04fb6 100644
--- a/sca/generic/system_audit_ssh.yml
+++ b/sca/generic/system_audit_ssh.yml
@@ -46,7 +46,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - f:$sshd_file -> !r:^# && n:Protocol\s*\t*(\d+) compare > 1
+ - f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1
 - id: 1502
 title: "SSH Hardening - 3: Root account should not be able to log in"
@@ -88,7 +88,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no
+ - not f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+yes
 - id: 1506
 title: "SSH Hardening - 7: Rhost or shost should not be used for authentication"
@@ -99,7 +99,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - f:$sshd_file -> r:^\s*IgnoreRhosts\.+yes
+ - not f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+no
 - id: 1507
 title: "SSH Hardening - 8: Grace Time should be 30 or less."
@@ -122,3 +122,14 @@ checks:
 condition: any
 rules:
 - f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4
+
+ - id: 1509
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - pci_dss: "4.1"
+ condition: any
+ rules:
+ - not f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes
From 740e785befa19265c6af711bb934ffa521778a94 Mon Sep 17 00:00:00 2001
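Review bot: `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` only reads the first number, so `Protocol 2,1` passes check 1501 although protocol 1 stays enabled, and on OpenSSH builds that dropped protocol 1 support, where the directive is normally absent, the check fails even though the intent is met. Since this commit is about honouring defaults, the negated form fits better: `- not f:$sshd_file -> r:^\s*Protocol\s+1|^\s*Protocol\s+\d+,1`, which fails only when a 1 is actually listed.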
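Review bot: The new check 1509 maps to `pci_dss: "4.1"` while every other check in this file maps to `"2.2.4"`; 4.1 is the requirement on protecting cardholder data in transit, so this looks copied from another policy — confirm the intended control. The description has a typo, "via the user of .rhosts" should read "via the use of .rhosts", and the spaces before the commas in ".rhosts , or /etc/hosts.equiv ," can go. The rule itself, `not f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes`, correctly treats an absent directive as the secure default.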
From: JuantAldea Date: Thu, 23 May 2019 14:39:39 +0200 Subject: [PATCH 003/247] Rename policy to web_vuln --- sca/generic/web_vulnerabilities.yml | 150 ++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 sca/generic/web_vulnerabilities.yml diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml new file mode 100644 index 000000000..7627bebba --- /dev/null +++ b/sca/generic/web_vulnerabilities.yml 
@@ -0,0 +1,150 @@
+# Security Configuration assessment
+# Checks for auditing Linux systems
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+ id: "web_vulnerabilities"
+ file: "web_vulnerabilities".yml"
+ name: "System audit for web-related vulnerabilities"
+ description: "Guidance for establishing a secure configuration for web-related vulnerabilities."
+
+variables:
+ $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
+ $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www;
+
+requirements:
+ title: Check if web-server files are present
+ description: "Requirements for running the SCA scan against the web-vulnerability policy."
+ condition: any
+ rules:
+ - f:$php.ini
+ - d:$web_dirs
+
+# PHP checks
+checks:
+ - id: 1000
+ title: "PHP - Register globals are enabled"
+ condition: any
+ rules:
+ - f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off
+ - not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|register_globals\s*\t*=\s*\t*on
+
+ - id: 1001
+ title: "PHP - Expose PHP is enabled"
+ condition: any
+ rules:
+ - f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off
+ - not f:$php.ini -> r:^expose_php\s*\t*=\s*\t*On|^expose_php\s*\t*=\s*\t*on
+
+ - id: 1002
+ title: "PHP - Allow URL fopen is enabled"
+ condition: any
+ rules:
+ - f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off
+ - not f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*On|^allow_url_fopen\s*\t*=\s*\t*on
+
+ - id: 1003
+ title: "PHP - Displaying of errors is enabled"
+ condition: any
+ rules:
+ - f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off
+ - not f:$php.ini -> 
r:^display_errors\s*\t*=\s*\t*On|^display_errors\s*\t*=\s*\t*on
+
+# WEB checks
+ - id: 1004
+ title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^.yop$
+
+ - id: 1005
+ title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^id$;
+
+ - id: 1006
+ title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^.ssh$
+ - id: 1007
+ title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^...$
+ - id: 1008
+ title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^.shell$
+# Outdated Web applications
+ - id: 1009
+ title: "Web vulnerability - Outdated WordPress installation"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:wp_version = ''4.4.2''
+ - id: 1010
+ title: "Web vulnerability - Outdated Joomla installation"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:''3.4.8''
+ - id: 1011
+ title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-
+# Known backdoors
+ - id: 1012
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> 
.php$ -> r:eval\(base64_decode\(\paWYo
+ - id: 1013
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ condition: any
+ rules:
+ - not d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST
+ - id: 1014
+ title: "Web vulnerability - .htaccess file compromised"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - not 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google
+ - id: 1015
+ title: "Web vulnerability - .htaccess file compromised - auto append"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - not d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file
From 79175a429fd6bdf34bf2f49cf98e2eb6acb2ee13 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Thu, 23 May 2019 14:42:22 +0200
Subject: [PATCH 004/247] Remove system_audic_rcl
---
 sca/generic/system_audit_rcl.yml | 133 -------------------------------
 1 file changed, 133 deletions(-)
 delete mode 100644 sca/generic/system_audit_rcl.yml
diff --git a/sca/generic/system_audit_rcl.yml b/sca/generic/system_audit_rcl.yml
deleted file mode 100644
index b378453d3..000000000
--- a/sca/generic/system_audit_rcl.yml
+++ /dev/null
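Review bot: `file: "web_vulnerabilities".yml"` has an unbalanced quote, which makes the new file invalid YAML, so the whole policy fails to load rather than any single check failing; it should read `file: "web_vulnerabilities.yml"`. Dropping the single quotes around the rules also changed two of them: in 1009 and 1010 the doubled `''4.4.2''` and `''3.4.8''` were escapes for one `'` inside a quoted scalar and are now literal text, and 1009 lost the `$` of `>:$wp_version` that the deleted rcl file had, while 1014 keeps a stray `'` after `not` that the rule parser will see as part of the rule. In 1000 the second alternative `|register_globals\s*\t*=\s*\t*on` is unanchored, unlike the `|^expose_php` form used in 1001–1003, so a commented `;register_globals = on` line in php.ini trips the `not` rule. The `;` left on 1005's `^id$;` is the only rule in the file still carrying one.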
@@ -1,133 +0,0 @@ -# Security Configuration assessment -# Checks for auditing Linux systems -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation - -policy: - id: "system_audit" - file: "system_audit_rcl.yml" - name: "System audit for web-related vulnerabilities" - description: "Guidance for establishing a secure configuration for web-related vulnerabilities." - -variables: - $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini; - $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www; - - -# PHP checks -checks: - - id: 1000 - title: "PHP - Register globals are enabled" - condition: any - rules: - - 'f:$php.ini -> r:^register_globals = On;' - - id: 1001 - title: "PHP - Expose PHP is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^expose_php = On;' - - id: 1002 - title: "PHP - Allow URL fopen is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^allow_url_fopen = On;' - - id: 1003 - title: "PHP - Displaying of errors is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^display_errors = On;' -# WEB checks - - id: 1004 - title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^.yop$;' - - id: 1005 - title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^id$;' - - id: 1006 - title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^.ssh$;' - - id: 1007 - title: "Web exploits: '...' 
is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^...$;' - - id: 1008 - title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^.shell$;' -# Outdated Web applications - - id: 1009 - title: "Web vulnerability - Outdated WordPress installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2'';' - - id: 1010 - title: "Web vulnerability - Outdated Joomla installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8'';' - - id: 1011 - title: "Web vulnerability - Outdated osCommerce (v2.2) installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;" -# Known backdoors - - id: 1012 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;' - - id: 1013 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: any - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;' - - id: 1014 - title: "Web vulnerability - .htaccess file compromised" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;' - - id: 1015 - title: "Web vulnerability - .htaccess file compromised - auto append" - compliance: - - pci_dss: "6.5, 6.6, 11.4" 
- references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;' From 0af37fd025d3295b136b2e07a87068fcb40def9e Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Fri, 24 May 2019 11:09:57 +0200 Subject: [PATCH 005/247] Rewrite rules with more restrictive semantics --- sca/generic/system_audit_pw.yml | 188 +++++++++++++++++----------- sca/generic/system_audit_ssh.yml | 44 +++---- sca/generic/web_vulnerabilities.yml | 85 +++++++------ 3 files changed, 184 insertions(+), 133 deletions(-) mode change 100755 => 100644 sca/generic/system_audit_pw.yml diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml old mode 100755 new mode 100644 index b8e8a89ac..3a1d6b7fd --- a/sca/generic/system_audit_pw.yml +++ b/sca/generic/system_audit_pw.yml @@ -7,7 +7,7 @@ # License (version 2) as published by the FSF - Free Software # Foundation # -# Based mainly on +# Mostly based on # Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 # Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017 # Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017 @@ -24,10 +24,13 @@ policy: requirements: title: "Check that password-related files are present on the system" description: "Requirements for running the SCA scan against the password-related policy." - condition: "any required" + condition: any rules: - - 'f:/etc/passwd;' - - 'f:/etc/shadow;' + - 'f:/etc/passwd' + - 'f:/etc/shadow' + +variables: + $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd checks: # 5.3 Configure PAM 
@@ -41,46 +44,104 @@ checks: - cis_csc: "4.4, 5.7, 16.12" references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any + condition: all rules: - - 'f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;' - - 'f:/etc/pam.d/common-password -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;' - - 'f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;' - - 'f:/etc/pam.d/password-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;' - - 'f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;' - - 'f:/etc/pam.d/system-auth -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;' - - 'f:/etc/pam.d/system-auth-ac -> 
!r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass;' - - 'f:/etc/pam.d/system-auth-ac -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+;' - - 'f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass|^@include\s+common-password;' - - 'f:/etc/pam.d/passwd -> !r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=\d+|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry=\d+|^@include\s+common-password;' - - 'f:/etc/pam.d/common-password -> IN r:pam_cracklib.so && !r:minlen=\d\d+;' - - 'f:/etc/pam.d/password-auth -> IN r:pam_cracklib.so && !r:minlen=\d\d+;' - - 'f:/etc/pam.d/system-auth -> IN r:pam_cracklib.so && !r:minlen=\d\d+;' - - 'f:/etc/pam.d/passwd -> IN r:pam_cracklib.so && !r:minlen=\d\d+;' - - 'f:/etc/security/pwquality.conf -> !r:^minlen=\d\d+;' - - 'f:/etc/pam.d/common-password -> IN r:pam_cracklib.so && !r:dcredit=\p*\d+;' - - 'f:/etc/pam.d/password-auth -> IN r:pam_cracklib.so && !r:dcredit=\p*\d+;' - - 'f:/etc/pam.d/system-auth -> IN r:pam_cracklib.so && !r:dcredit=\p*\d+;' - - 'f:/etc/pam.d/passwd -> IN r:pam_cracklib.so && !r:dcredit=\p*\d+;' - - 'f:/etc/security/pwquality.conf -> !r:^dcredit=\p*\d+;' - - 'f:/etc/pam.d/common-password -> IN r:pam_cracklib.so && !r:lcredit=\p*\d+;' - - 'f:/etc/pam.d/password-auth -> IN 
r:pam_cracklib.so && !r:lcredit=\p*\d+;' - - 'f:/etc/pam.d/system-auth -> IN r:pam_cracklib.so && !r:lcredit=\p*\d+;' - - 'f:/etc/pam.d/passwd -> IN r:pam_cracklib.so && !r:lcredit=\p*\d+;' - - 'f:/etc/security/pwquality.conf -> !r:^lcredit=\p*\d+;' - - 'f:/etc/pam.d/common-password -> IN r:pam_cracklib.so && !r:ocredit=\p*\d+;' - - 'f:/etc/pam.d/password-auth -> IN r:pam_cracklib.so && !r:ocredit=\p*\d+;' - - 'f:/etc/pam.d/system-auth -> IN r:pam_cracklib.so && !r:ocredit=\p*\d+;' - - 'f:/etc/pam.d/passwd -> IN r:pam_cracklib.so && !r:ocredit=\p*\d+;' - - 'f:/etc/security/pwquality.conf -> !r:^ocredit=\p*\d+;' - - 'f:/etc/pam.d/common-password -> IN r:pam_cracklib.so && !r:ucredit=\p*\d+;' - - 'f:/etc/pam.d/password-auth -> IN r:pam_cracklib.so && !r:ucredit=\p*\d+;' - - 'f:/etc/pam.d/system-auth -> IN r:pam_cracklib.so && !r:ucredit=\p*\d+;' - - 'f:/etc/pam.d/passwd -> IN r:pam_cracklib.so && !r:ucredit=\p*\d+;' - - 'f:/etc/security/pwquality.conf -> !r:^ucredit=\p*\d+;' + - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' + - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' + - id: 13001 - title: "Ensure password hashing algorithm is SHA-512" - description: "The password encryption should use a strong hashing algorithm such as SHA-256 or SHA-512 instead of MD5." + title: "Ensure passwords are longer than 13 characters" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. 
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) >= 14' + - 'f:/etc/security/pwquality.conf -> n:minlen=(\d+) >= 14' + + - id: 13002 + title: "Ensure passwords contain at least one digit" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=\p*\d' + - 'f:/etc/security/pwquality.conf -> r:^dcredit=\p*\d' + + - id: 13003 + title: "Ensure passwords contain at least one lowercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d' + - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d' + + - id: 13004 + title: "Ensure passwords contain at least one uppercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. 
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d' + - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d' + + - id: 13005 + title: "Ensure passwords contain at least one uppercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=\p*\d' + - 'f:/etc/security/pwquality.conf -> r:^ucredit=\p*\d' + + - id: 13006 + title: "Ensure passwords contain at least one special character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=\p*\d' + - 'f:/etc/security/pwquality.conf -> r:^ocredit=\p*\d' + + - id: 13007 + title: "Ensure password hashing algorithm is SHA-256 or higher" + description: "Password hashing should use a cryptographically secure algorithm such as SHA-256 or SHA-512 instead of MD5." 
rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." remediation: "Edit the /etc/pam.d/common-password file or /etc/pam.d/password-auth and /etc/pam.d/system-auth files (depending on the Linux distribution used) to include the sha512 option for pam_unix.so." compliance: 
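Review bot: Check 13004 is titled "at least one uppercase character" but its rules test `lcredit`, making it a copy of 13003, while 13005 carries the same uppercase title with `ucredit`; either drop 13004 or retitle it. The credit rules `dcredit=\p*\d`, `lcredit=\p*\d`, `ucredit=\p*\d` and `ocredit=\p*\d` also accept zero or positive values, which in pam_pwquality and pam_cracklib impose no requirement at all — only the negative form, e.g. `dcredit=-\d`, matches what the titles promise. In 13000, `n:retry=(\d+) compare < 3` rejects `retry=3`, the value the cited CIS 5.3.1 control recommends; `compare <= 3` is the intended bound. The `n:minlen=(\d+) >= 14` rules in 13001 and the `>= 256` rules for 13007 in the next hunk omit the `compare` keyword that 13000 and the ssh policy use, so if the parser requires it these rules never match. This hunk starts inside check 13000, whose id and title lie above it, and 13007's rules continue in the following hunk.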
@@ -91,19 +152,11 @@ checks:
- https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html
condition: any
rules:
- - 'f:/etc/security/policy.conf -> IN !r:^# && r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__;'
- - 'f:/etc/security/policy.conf -> !r:^CRYPT_DEFAULT=\d;'
- - 'f:/etc/login.defs -> IN !r:^# && r:^ENCRYPT_METHOD\s+MD5|^ENCRYPT_METHOD\s+DES;'
- - 'f:/etc/login.defs -> !r:^ENCRYPT_METHOD\s+SHA512|^ENCRYPT_METHOD\s+SHA256;'
- - 'f:/etc/pam.d/common-password -> IN !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;'
- - 'f:/etc/pam.d/common-password -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;'
- - 'f:/etc/pam.d/password-auth -> IN !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;'
- - 'f:/etc/pam.d/password-auth -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;'
- - 'f:/etc/pam.d/system-auth -> IN !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;'
- - 'f:/etc/pam.d/system-auth -> IN !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;'
- - 'f:/etc/pam.d/system-auth-ac -> IN !r:^# && r:password\.+pam_unix.so\.+md5|password\.+pam_unix.so\.+des;'
- - 'f:/etc/pam.d/system-auth-ac -> !r:^password\.+pam_unix.so\.+sha512|^password\.+pam_unix.so\.+sha256;'
- - id: 13002
+ - 'f:/etc/security/policy.conf -> r:^CRYPT_DEFAULT=\d && !r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__'
+ - 'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) >= 256'
+ - 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) >= 256'
+
+ - id: 13008
title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256"
description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5."
rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
@@ -111,22 +164,16 @@ checks:
references:
- https://linux-audit.com/password-security-with-linux-etc-shadow-file/
- https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html
- condition: any
+ condition: none
rules:
- - 'f:/etc/shadow -> IN !r:^# && !r:^\w+:NP:\d+:\d*:\d*:\d*:\d*:\d*:\d*$ && r:^\w+:\w\.*:\d+:\d*:\d*:\d*:\d*:\d*:\d*$;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$1\$\.+;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$2\$\.+;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$2a\$\.+;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$2x\$\.+;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$2y\$\.+;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$md5\$\.+;'
- - 'f:/etc/shadow -> IN !r:^# && r:\w+:\$__unix__\$\.+;'
+ - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$'
+
# 5.4 User accounts and Environment
- - id: 13003
+ - id: 13009
title: "Ensure password expiration is 365 days or less"
description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
- remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs."
+ remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)."
compliance:
- cis: "5.4.1.1"
- cis_csc: "4.4, 16"
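Review bot: The two new numeric rules in 13007, `n:^password\.+pam_unix.so\.+sha(\d+) >= 256` and `r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) >= 256`, omit the `compare` keyword that every other `n:` rule in this series carries (`compare <= 52`, `compare != 22`); if the SCA parser requires it, neither rule ever evaluates and the check can only pass via the Solaris policy.conf rule. With `condition: any` the check also passes on a host whose pam_unix line explicitly says `md5` as long as /etc/login.defs carries `ENCRYPT_METHOD SHA512`, although an explicit pam_unix option takes precedence over login.defs as far as I recall. I would write `'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) compare >= 256'` and `'f:/etc/login.defs -> n:^ENCRYPT_METHOD\s+SHA(\d+) compare >= 256'`, and add a separate `condition: none` check rejecting `pam_unix.so` lines containing `md5`, `des` or `bigcrypt`. Note also that the policy.conf rule rejects `2a` (bcrypt), which is not a weak algorithm; that matches the "SHA-256 or higher" title but deserves a comment so it is not later mistaken for a bug.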
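Review bot: The single `condition: none` rule for 13008 lists `^\w+:\$md5\$` twice and no longer catches what the removed first rule covered: a password field that is plaintext or a legacy DES crypt (13 characters, no `$` prefix) matches none of the alternatives, so the check passes. `$2$` is listed although bcrypt is not weaker than SHA-256-crypt, while `$2a$`/`$2y$` from the old list were dropped, so the duplicate looks like a typo for one of those. I would drop the duplicate and add an alternative for a non-`$` hash field, e.g. `'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$md5\$|^\w+:\$__unix__\$|^\w+:\w'`, re-adding the `NP` exclusion the old rule had if Solaris hosts run this policy. The title claims SHA-256/512 but a blocklist cannot establish that; either rename it to "not hashed with MD5/DES" or say so in the description.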
@@ -134,10 +181,5 @@ checks:
- https://www.thegeekdiary.com/understanding-etclogin-defs-file
condition: any
rules:
- - 'f:/etc/default/passwd -> !r:^MAXWEEKS=\d\d$;'
- - 'f:/etc/default/passwd -> !r:^MINWEEKS=\d;'
- - 'f:/etc/default/passwd -> !r:^WARNWEEKS=\d;'
- - 'f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s*\t*\d\d$;'
- - 'f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s*\t*\d;'
- - 'f:/etc/login.defs -> !r:^PASS_WARN_AGE\s*\t*\d;'
-
+ - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52'
+ - 'f:/etc/login.defs -> n:PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
index 654c04fb6..e78a7889a 100644
--- a/sca/generic/system_audit_ssh.yml
+++ b/sca/generic/system_audit_ssh.yml
@@ -20,10 +20,10 @@ requirements:
description: "Requirements for running the SCA scan against the SSH policy."
condition: "all"
rules:
- - f:/etc/ssh/sshd_config;
+ - 'f:/etc/ssh/sshd_config'
variables:
- $sshd_file: /etc/ssh/sshd_config;
+ $sshd_file: /etc/ssh/sshd_config
checks:
- id: 1500
@@ -33,9 +33,9 @@ checks:
remediation: "Change the Port option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> !r:^# && n:Port\s*\t*(\d+) compare != 22
+ - 'f:$sshd_file -> !r:^# && n:Port\s*\t*(\d+) compare != 22'
- id: 1501
title: "SSH Hardening - 2: Protocol should not be 1"
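Review bot: `n:PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365` is not anchored to the start of the line and has no `!r:^#` guard, so a commented-out example such as `# PASS_MAX_DAYS 90` satisfies it even when the live value is `99999`; the sibling rule uses `^MAXWEEKS`, so use `'f:/etc/login.defs -> n:^\s*PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'` for consistency. PASS_MAX_DAYS also only applies to accounts created after it is set; the CIS 5.4.1.1 audit additionally reviews existing users (field 5 of /etc/shadow, `chage --list`), which this check cannot see, and the description should say so. Dropping the PASS_MIN_DAYS/PASS_WARN_AGE rules is fine for a check titled "expiration is 365 days or less" provided they are covered by checks of their own.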
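Review bot: `Port` may appear more than once in sshd_config (sshd listens on every one), and `n:Port\s*\t*(\d+) compare != 22` passes as soon as any single line is not 22, so `Port 2222` alongside `Port 22` is reported compliant. The pattern is also unanchored, so any directive containing `Port` followed by digits would match; `^\s*\t*Port\s*\t*(\d+)` is safer. If the `not` prefix is still supported by the new engine (the web_vulnerabilities policy in this same series relies on it under `condition: all`), adding `'not f:$sshd_file -> r:^\s*\t*Port\s*\t*22\s*$'` to this check closes the multi-Port gap.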
@@ -44,18 +44,18 @@ checks:
remediation: "Change the Protocol option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1
+ - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
- id: 1502
title: "SSH Hardening - 3: Root account should not be able to log in"
description: "The option PermitRootLogin should be set to no."
rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses."
remediation: "Change the PermitRootLogin option value in the sshd_config file."
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> r:^\s*PermitRootLogin\.+no
+ - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no'
- id: 1503
title: "SSH Hardening - 4: No Public Key authentication"
@@ -64,9 +64,9 @@ checks:
remediation: "Change the PubkeyAuthentication option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes
+ - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes'
- id: 1504
title: "SSH Hardening - 5: Password Authentication should be disabled"
@@ -75,9 +75,9 @@ checks:
remediation: "Change the PasswordAuthentication option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> r:^\s*PasswordAuthentication\.+no
+ - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no'
- id: 1505
title: "SSH Hardening - 6: Empty passwords should not be allowed"
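Review bot: Older sshd accepts `Protocol 2,1`, which still enables SSH-1, and `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` captures only the leading `2`, so that configuration passes 1501. Under `condition: all` the check also fails when the directive is absent, which is the only possible state on OpenSSH 7.4 and later where server-side SSH-1 was removed (as far as I recall), turning a compliant default into a finding. A `condition: none` rule such as `'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*1|^\s*\t*Protocol\s*\t*\d+,1'` catches both `Protocol 1` and `Protocol 2,1` without penalising the absent case; the Debian policy's check 5035 uses the same numeric pattern and has the same gap.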
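Review bot: `PubkeyAuthentication` defaults to `yes` per sshd_config(5), so under `condition: all` a host that never sets the directive, which is the normal compliant state, fails 1503's `r:^\s*PubkeyAuthentication\.+yes`. This is the mirror of 1505/1506 in this same file, where the non-default value is matched under `condition: none`; I would do the same here with `condition: none` and `'f:$sshd_file -> r:^\s*\t*PubkeyAuthentication\.+no'`. The title "No Public Key authentication" also still names the failing state while the other titles in this series were reworded to "should ..."; `"SSH Hardening - 4: Public key authentication should be enabled"` would match.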
@@ -86,9 +86,9 @@ checks:
remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: none
rules:
- - not f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+yes
+ - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+yes'
- id: 1506
title: "SSH Hardening - 7: Rhost or shost should not be used for authentication"
@@ -97,9 +97,9 @@ checks:
remediation: "Change the IgnoreRhosts option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: none
rules:
- - not f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+no
+ - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+no'
- id: 1507
title: "SSH Hardening - 8: Grace Time should be 30 or less."
@@ -108,9 +108,9 @@ checks:
remediation: "Change the LoginGraceTime option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+) compare <= 30
+ - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+) compare <= 30'
- id: 1508
title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts"
@@ -119,9 +119,9 @@ checks:
remediation: "Change the MaxAuthTries option value in the sshd_config file."
compliance:
- pci_dss: "2.2.4"
- condition: any
+ condition: all
rules:
- - f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4
+ - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4'
- id: 1509
title: "Ensure SSH HostbasedAuthentication is disabled"
@@ -130,6 +130,6 @@ checks:
remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
compliance:
- pci_dss: "4.1"
- condition: any
+ condition: none
rules:
- - not f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes
+ - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml
index 7627bebba..c5d460a80 100644
--- a/sca/generic/web_vulnerabilities.yml
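Review bot: `LoginGraceTime 0` disables the timeout entirely per sshd_config(5), yet 1507's `n:^\s*LoginGraceTime\s+(\d+) compare <= 30` treats 0 as compliant. The directive also accepts time suffixes (`1m`, `2h`), and `(\d+)` captures only the leading digits, so `LoginGraceTime 2m` is read as 2 and passes. Following the `!r:... && n:...` form already used by 1500 in this file, `'f:$sshd_file -> !r:^\s*LoginGraceTime\s+0\s*$ && n:^\s*LoginGraceTime\s+(\d+)\s*$ compare <= 30'` rejects both the zero and any suffixed value.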
+++ b/sca/generic/web_vulnerabilities.yml 
@@ -22,129 +22,138 @@ requirements: description: "Requirements for running the SCA scan against the web-vulnerability policy." condition: any rules: - - f:$php.ini - - d:$web_dirs + - 'f:$php.ini' + - 'd:$web_dirs' # PHP checks checks: - id: 1000 title: "PHP - Register globals are enabled" - condition: any + condition: all rules: - - f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off - - not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|register_globals\s*\t*=\s*\t*on + - 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|register_globals\s*\t*=\s*\t*on' - id: 1001 title: "PHP - Expose PHP is enabled" - condition: any + condition: all rules: - - f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off - - not f:$php.ini -> r:^expose_php\s*\t*=\s*\t*On|^expose_php\s*\t*=\s*\t*on + - 'f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^expose_php\s*\t*=\s*\t*On|^expose_php\s*\t*=\s*\t*on' - id: 1002 title: "PHP - Allow URL fopen is enabled" - condition: any + condition: all rules: - - f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off - - not f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*On|^allow_url_fopen\s*\t*=\s*\t*on + - 'f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*On|^allow_url_fopen\s*\t*=\s*\t*on' - id: 1003 title: "PHP - Displaying of errors is enabled" - condition: any + condition: all rules: - - f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off - - not f:$php.ini -> r:^display_errors\s*\t*=\s*\t*On|^display_errors\s*\t*=\s*\t*on + - 'f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^display_errors\s*\t*=\s*\t*On|^display_errors\s*\t*=\s*\t*on' # WEB checks - id: 
1004 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^.yop$ + - 'd:$web_dirs -> ^.yop$' - id: 1005 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^id$; + - 'd:$web_dirs -> ^id$' - id: 1006 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^.ssh$ + - 'd:$web_dirs -> ^.ssh$' + - id: 1007 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^...$ + - 'd:$web_dirs -> ^...$' + - id: 1008 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^.shell$ + - 'd:$web_dirs -> ^.shell$' + # Outdated Web applications - id: 1009 title: "Web vulnerability - Outdated WordPress installation" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:wp_version = ''4.4.2'' + - "d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:wp_version = ''4.4.2''" + - id: 1010 title: "Web vulnerability - Outdated Joomla installation" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:''3.4.8'' + - "d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:''3.4.8''" + - id: 1011 title: "Web vulnerability - Outdated osCommerce (v2.2) installation" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not 
d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2- + - 'd:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-' + # Known backdoors - id: 1012 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo + - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' + - id: 1013 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" compliance: - pci_dss: "6.5, 6.6, 11.4" - condition: any + condition: none rules: - - not d:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST + - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' + - id: 1014 title: "Web vulnerability - .htaccess file compromised" compliance: - pci_dss: "6.5, 6.6, 11.4" references: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any + condition: none rules: - - not 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google + - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' + - id: 1015 title: "Web vulnerability - .htaccess file compromised - auto append" compliance: - pci_dss: "6.5, 6.6, 11.4" references: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any + condition: none rules: - - not d:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file + - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file' From 68238c8ca3c795b98f6a6585da684938da4c6dd2 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Fri, 24 May 2019 11:27:47 +0200 Subject: [PATCH 006/247] Adapt Debian rules --- sca/debian/cis_debian_linux_rcl.yml | 226 ++++--- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 812 +++++++++++++---------- sca/debian/cis_debianlinux7-8_L2_rcl.yml | 291 ++++---- 3 files changed, 742 insertions(+), 587 deletions(-) 
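Review bot: Checks 1000–1003 keep the `not f:$php.ini -> ...` prefix under `condition: all`, while every other `not` rule in this series (1505–1509 in system_audit_ssh.yml and 1004–1015 in this file) was rewritten as a positive rule under `condition: none`; if the new SCA engine no longer understands `not` these four checks evaluate wrongly, and if it does, the file is inconsistent with itself. I would make them `condition: all` with only the Off rule, or `condition: none` with only the On rule, and say in a comment which of the two an unset directive should count as. Separately, the "outdated" checks 1009/1010 fail only on the literal strings `''4.4.2''` and `''3.4.8''`, so any other old release (3.x, 4.4.1) is reported compliant; either document the pinned versions as point-in-time indicators or rework them with the `n:`/`compare` form used elsewhere in this series on the major.minor digits. The PHP check titles ("Register globals are enabled") still describe the failing state, unlike the "should not" wording adopted for the SSH titles.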
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index c14ddb3d2..3ac5b179d 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml @@ -23,10 +23,10 @@ policy: requirements: title: "Check Debian version" description: "Requirements for running the SCA scan against Debian/Ubuntu." - condition: "all required" + condition: all rules: - - 'f:/etc/debian_version;' - - 'f:/proc/sys/kernel/ostype -> Linux;' + - 'f:/etc/debian_version' + - 'f:/proc/sys/kernel/ostype -> Linux' checks: # Section 1.1 - Filesystem Configuration @@ -41,9 +41,11 @@ checks: references: - https://tldp.org/HOWTO/LVM-HOWTO/ - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + - id: 5001 title: "Ensure nodev option set on /tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." @@ -53,9 +55,11 @@ checks: - cis_csc: "5.1" - cis: "1.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:ext2|ext3 && r:/tmp && r:nodev;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && r:nodev' + - id: 5002 title: "Ensure separate partition exists for /opt" description: "The /opt directory is a world-writable directory used for temporary storage by all users and some applications." @@ -68,8 +72,9 @@ checks: - https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/opt;' - - 'f:/etc/fstab -> !r:/opt;' + - 'd:/opt' + - 'f:/etc/fstab -> !r:^# && r:/opt' + - id: 5003 title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." 
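Review bot: `r:/tmp` in 5000's `'f:/etc/fstab -> !r:^# && r:/tmp'` is a substring match, so an fstab that only has a `/var/tmp` entry (which check 5004 expects) satisfies the "separate partition for /tmp" check without any /tmp partition. Match the mount-point field delimited by whitespace instead, e.g. `'f:/etc/fstab -> !r:^# && r:\s/tmp\s|\t/tmp\t'`. On Debian 8+ a tmpfs /tmp may also be provided by the systemd `tmp.mount` unit with no fstab line at all, which this `condition: all` check reports as a finding; if that is an accepted gap the description should say so.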
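Review bot: `r:ext2|ext3 && r:/tmp && r:nodev` in 5001 only matches a /tmp line whose filesystem type is ext2 or ext3, so an ext4, xfs or tmpfs /tmp mounted with `nodev` (the common case on Debian 7/8) fails the check; the /dev/shm siblings 5007–5009 correctly omit the type term. Drop it: `'f:/etc/fstab -> !r:^# && r:\s/tmp\s && r:nodev'`. The same restriction appears in 5005, 5006 and 5015 and should go there too.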
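Review bot: The description of 5002, shown immediately above this hunk's header ("The /opt directory is a world-writable directory used for temporary storage by all users and some applications."), is the /tmp text copied verbatim and is false for /opt, which holds add-on application software and is not world-writable. Replace it with `description: "The /opt directory holds add-on application software; placing it on its own partition allows restrictive mount options and keeps it from filling the root filesystem."` and check the rationale line for the same copy-paste. The new `r:/opt` rule has the same substring looseness as 5000 (`/opt2`, `/opt/data` all match); `r:\s/opt\s` is safer.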
@@ -80,9 +85,11 @@ checks: - cis: "1.1.6" references: - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/var;' + - 'd:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' + - id: 5004 title: "Ensure separate partition exists for /var/tmp" description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." @@ -93,7 +100,8 @@ checks: - cis: "1.1.7" condition: all rules: - - 'f:/etc/fstab -> !r:/var/tmp;' + - 'f:/etc/fstab -> r:/var/tmp' + - id: 5005 title: "Ensure nodev option set on /var/tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." @@ -103,9 +111,10 @@ checks: - cis_csc: "5.1" - cis: "1.1.8" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:ext2|ext3 && r:/var/tmp && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var/tmp && r:nodev' + - id: 5006 title: "Ensure nodev option set on /home partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." @@ -115,9 +124,10 @@ checks: - cis_csc: "5.1" - cis: "1.1.14" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:ext2|ext3 && r:/home && r:nodev ;' + - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && r:nodev' + - id: 5007 title: "Ensure nodev option set on /dev/shm partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." @@ -126,9 +136,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "1.1.14" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - id: 5008 title: "Ensure nosuid option set on /dev/shm partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
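Review bot: `r:/var` in 5003 matches any fstab line whose mount point starts with /var (`/var/tmp`, `/var/log`), so a system with only a `/var/tmp` partition passes the "separate partition for /var" check. Delimit the mount point as a whole field: `'f:/etc/fstab -> !r:^# && r:\s/var\s|\t/var\t'`.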
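Review bot: 5004's rule `'f:/etc/fstab -> r:/var/tmp'` has no `!r:^#` guard, unlike 5000 and 5003 in the same file, so a commented-out `#/dev/sdb1 /var/tmp ...` line passes the check. Make it `'f:/etc/fstab -> !r:^# && r:\s/var/tmp\s'` for consistency with its siblings.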
@@ -137,9 +148,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "1.1.15" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - id: 5009 title: "Ensure noexec option set on /dev/shm partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." @@ -148,9 +160,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "1.1.16" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + - id: 5010 title: "Ensure nodev option set on removable media partitions" description: "The nodev mount option specifies that the filesystem cannot contain special devices." @@ -160,9 +173,10 @@ checks: - cis_csc: "5.1" - cis: "1.1.18" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + - id: 5011 title: "Ensure nosuid option set on removable media partitions" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." @@ -172,9 +186,10 @@ checks: - cis_csc: "5.1" - cis: "1.1.19" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + # Section 1.4 - Secure boot settings - id: 5012 title: "Ensure bootloader password is set (GRUB)" 
@@ -187,9 +202,10 @@ checks: - pci_dss: "2.2.4" references: - https://help.ubuntu.com/community/Grub2/Passwords - condition: any + condition: all rules: - - 'f:/boot/grub/menu.lst -> NIN !r:^# && r:password;' + - 'f:/boot/grub/menu.lst -> !r:^# && r:password' + - id: 5013 title: "Ensure bootloader password is set (LILO)" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" @@ -199,10 +215,11 @@ checks: - cis_csc: "5.1" - cis: "1.4.2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/lilo.conf -> NIN !r:^# && r:restricted;' - - 'f:/etc/lilo.conf -> NIN !r:^# && r:password=;' + - 'f:/etc/lilo.conf -> !r:^# && r:restricted' + - 'f:/etc/lilo.conf -> !r:^# && r:password=' + # Section 1.7 - Warning banners - id: 5014 title: "Ensure GDM login banner is configured" @@ -213,9 +230,10 @@ checks: - cis_csc: "5.1" - cis: "1.7.2" - pci_dss: "2.2.2" - condition: any + condition: all rules: - - 'f:/etc/inittab -> IN !r:^# && r:id:5;' + - 'f:/etc/inittab -> !r:^# && r:id:5' + # Section 2 - Filesystem Configuration - Debian 7 - id: 5015 title: "Add nodev Option to /run/shm Partition" @@ -226,9 +244,10 @@ checks: - cis_csc: "5.1" - cis: "2.14" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> IN !r:^# && r:ext2|ext3 && r:/run/shm && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/run/shm && r:nodev' + - id: 5016 title: "Add nosuid Option to /run/shm Partition" description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." 
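Review bot: `/boot/grub/menu.lst` is the GRUB Legacy configuration; Debian 7 and 8 ship GRUB 2, whose password lives in `/boot/grub/grub.cfg` (generated from `/etc/grub.d/`) as `set superusers=` plus `password_pbkdf2`, and the linked reference is the Grub2 page. With `condition: all` check 5012 therefore fails on every GRUB 2 host even when a bootloader password is set. Add a GRUB 2 check (or replace this one) along the lines of `'f:/boot/grub/grub.cfg -> r:^set superusers'` and `'f:/boot/grub/grub.cfg -> r:^password_pbkdf2|^password '`, and state in the description which bootloader each check targets.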
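Review bot: The rule in 5014, `'f:/etc/inittab -> !r:^# && r:id:5'`, tests whether the SysV default runlevel is 5 and says nothing about a GDM login banner; Debian's graphical default runlevel is 2 and systemd hosts have no /etc/inittab, so under `condition: all` the check always fails. As far as I recall, CIS 1.7.2 audits `/etc/gdm3/greeter.dconf-defaults` for `banner-message-enable=true` and a `banner-message-text`, so the rules should be `'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true'` and `'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text='`.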
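Review bot: `r:ext2|ext3 && r:/run/shm && r:nodev` can never match because /run/shm is a tmpfs, so 5015 fails unconditionally under `condition: all`; the neighbouring 5016/5017 rules for the same mount omit the filesystem-type term. Use `'f:/etc/fstab -> !r:^# && r:/run/shm && r:nodev'`.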
@@ -237,9 +256,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "2.15" - condition: any + condition: all rules: - - 'f:/etc/fstab -> IN !r:^# && r:/run/shm && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:nosuid' + - id: 5017 title: "Add noexec Option to /run/shm Partition" description: "Set noexec on the shared memory partition to prevent programs from executing from there." @@ -248,9 +268,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "2.16" - condition: any + condition: all rules: - - 'f:/etc/fstab -> IN !r:^# && r:/run/shm && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:noexec' + # Section 2.1 - Inetd services - id: 5018 title: "Ensure inetd is not installed" @@ -261,10 +282,11 @@ checks: - cis_csc: "9.2" - cis: "2.1.2" - pci_dss: "2.2.2" - condition: all + condition: none rules: - - 'p:inetd;' - - 'f:!/etc/inetd.conf -> IN !r:^# && r:wait;' + - 'p:inetd' + - 'f:/etc/inetd.conf -> !r:^# && r:wait' + # Section 2.2 - Special purpose services - id: 5019 title: "Ensure FTP Server is not enabled" @@ -275,9 +297,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.9" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:/ftp;' + - 'f:/etc/inetd.conf -> !r:^# && r:/ftp' + - id: 5020 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." @@ -287,9 +310,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.9" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:tftp;' + - 'f:/etc/inetd.conf -> !r:^# && r:tftp' + - id: 5021 title: "Ensure IMAP and POP3 server is not enabled (IMAP)" description: "exim is an open source IMAP and POP3 server for Linux based systems." 
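Review bot: `r:/ftp` in 5019 only matches an inetd.conf line whose program path contains `/ftp` (e.g. `/usr/sbin/ftpd`); Debian's usual entry invokes `/usr/sbin/in.ftpd` via tcpd, which lacks that substring, so the service can be enabled and still pass (as far as I recall the stock line). Matching the service-name field is more robust: `'f:/etc/inetd.conf -> !r:^# && r:^ftp\s|^ftp\t'`. Standalone FTP daemons (vsftpd, proftpd) are not visible to an inetd.conf check at all; either add process rules for them or state in the description that only inetd-spawned FTP is covered.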
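Review bot: Check 5020 repeats 5019's title "Ensure FTP Server is not enabled" although its rule looks for `tftp`; title, description and CIS id should refer to TFTP (which as I recall is 2.1.9, an inetd service, in the Debian 8 benchmark rather than 2.2.9). Suggested: `title: "Ensure tftp server is not enabled"` with a description noting that TFTP provides unauthenticated file transfer and is typically only needed for PXE boot.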
@@ -299,9 +323,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.11" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:imap;' + - 'f:/etc/inetd.conf -> !r:^# && r:imap' + - id: 5022 title: "Ensure IMAP and POP3 server is not enabled (POP3)" description: "exim is an open source IMAP and POP3 server for Linux based systems." @@ -311,9 +336,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.11" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:pop;' + - 'f:/etc/inetd.conf -> !r:^# && r:pop' + - id: 5023 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." @@ -323,9 +349,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.12" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/init.d/samba;' + - 'f:/etc/init.d/samba' + - id: 5024 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." 
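Review bot: The description for 5021 (and 5022 below) says "exim is an open source IMAP and POP3 server", but exim is an SMTP mail transfer agent; the IMAP/POP3 daemons these inetd.conf rules would catch are dovecot, courier or similar. Replace with `description: "IMAP and POP3 servers (e.g. dovecot, courier) let remote users retrieve mail and should be disabled unless the host is a mail server."`. `r:imap` and `r:pop` are also unanchored substring matches; anchoring on the service field (`r:^imap|^imaps` and `r:^pop3|^pop3s`) avoids accidental hits on unrelated lines.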
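Review bot: 5023 treats the existence of `/etc/init.d/samba` as "Samba enabled", but an init script is present whenever the package is installed, even if the service is disabled, and the title asks for "not enabled". Debian jessie's samba package also ships `smbd`/`nmbd` init scripts rather than `samba` (as far as I recall), so on those hosts the check never fires. The L1 policy in this same series declares `$rc_dirs` for exactly this purpose; a rule like `'d:$rc_dirs -> ^S\d\dsmbd$|^S\d\dsamba$'` or a process rule `'p:smbd'` reflects enabled state. The same observation applies to 5024–5028.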
@@ -335,11 +362,12 @@ checks: - cis_csc: "9.2" - cis: "2.2.7" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/init.d/nfs-common;' - - 'f:/etc/init.d/nfs-user-server;' - - 'f:/etc/init.d/nfs-kernel-server;' + - 'f:/etc/init.d/nfs-common' + - 'f:/etc/init.d/nfs-user-server' + - 'f:/etc/init.d/nfs-kernel-server' + - id: 5025 title: "Ensure NIS Server is not enabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." @@ -349,9 +377,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.17" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/init.d/nis;' + - 'f:/etc/init.d/nis' + - id: 5026 title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." @@ -361,10 +390,11 @@ checks: - cis_csc: "9.2" - cis: "2.2.10" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/init.d/apache;' - - 'f:/etc/init.d/apache2;' + - 'f:/etc/init.d/apache' + - 'f:/etc/init.d/apache2' + - id: 5027 title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." @@ -374,9 +404,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.8" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/init.d/bind;' + - 'f:/etc/init.d/bind' + - id: 5028 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." 
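Review bot: `'f:/etc/init.d/nfs-common'` in 5024 flags the client-side package, which is installed on any host that mounts NFS shares (it provides statd/idmapd, as far as I recall), so under `condition: none` every NFS client is reported as running an NFS server. The server is `nfs-kernel-server`; drop `nfs-common` from this check or replace the file-existence rules with process rules (`'p:nfsd'`, `'p:rpc.mountd'`), which also answers the "enabled" rather than "installed" question the title asks.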
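Review bot: Debian's DNS server package is `bind9` and its init script is `/etc/init.d/bind9`, so `'f:/etc/init.d/bind'` in 5027 never matches and the check always passes (as far as I recall the package layout). Use `'f:/etc/init.d/bind9'` (keeping `bind` if other derivatives need it), or better a process rule `'p:named'`, since an init script's presence shows installation rather than an enabled service.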
@@ -386,9 +417,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.13" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/init.d/squid;' + - 'f:/etc/init.d/squid' + # Section 2.3 - Service clients - id: 5029 title: "Ensure rsh client is not installed" @@ -399,9 +431,10 @@ checks: - cis_csc: "2.6, 4.5" - cis: "2.3.2" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:shell|login;' + - 'f:/etc/inetd.conf -> !r:^# && r:shell|login' + - id: 5030 title: "Ensure telnet client is not installed" description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." @@ -411,9 +444,10 @@ checks: - cis_csc: "2.6, 4.5" - cis: "2.3.4" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:telnet;' + - 'f:/etc/inetd.conf -> !r:^# && r:telnet' + # Section 3.1 - Network Parameters (Host Only) - id: 5031 title: "Ensure IPv4 forwarding is disabled" @@ -423,9 +457,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "3.1.1" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + - id: 5032 title: "Ensure IPv6 forwarding is disabled" description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not." @@ -434,9 +469,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "3.1.1" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + # Section 3.2 - Network Parameters (Host and Router) - id: 5033 title: "Ensure source routed packets are not accepted" 
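Review bot: `/proc/sys/net/ipv6/ip_forward` does not exist; the IPv6 forwarding switch is `/proc/sys/net/ipv6/conf/all/forwarding`, which is exactly the `net.ipv6.conf.all.forwarding` sysctl that 5032's own description names. The old rule (`-> 1` under `any`) silently never matched and passed; after this change (`-> 0` under `all`) the missing file makes 5032 fail on every host. Use `'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`, and consider adding the matching `conf/default/forwarding` file.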
@@ -446,9 +482,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "3.2.1" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + - id: 5034 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." @@ -457,9 +494,10 @@ checks: compliance: - cis_csc: "5.1" - cis: "3.2.5" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + # Section 5.2 - SSH Server Configuration - id: 5035 title: "Ensure SSH Protocol is set to 2" @@ -470,9 +508,10 @@ checks: - cis_csc: "14.4" - cis: "5.2.4" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> NIN !r:^# && r:Protocol\.+2;' + - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - id: 5036 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ." @@ -482,9 +521,10 @@ checks: - cis_csc: "9.2" - cis: "5.2.8" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\.+no;' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+no' + - id: 5037 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." 
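Review bot: 5033 checks only `net.ipv4.conf.all.accept_source_route`; CIS 3.2.1 also requires `net.ipv4.conf.default.accept_source_route = 0` (and the IPv6 equivalents when IPv6 is enabled), so a host with `all=0` but `default=1` passes while newly created interfaces will accept source-routed packets. Add `'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` under the same `condition: all`.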
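Review bot: As in the generic SSH policy, `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` in 5035 captures the first number only, so `Protocol 2,1`, which still enables SSH-1, passes, and under `condition: all` a host where the directive is absent (unavoidable on OpenSSH 7.4+, which removed SSH-1 server support as far as I recall) fails. A `condition: none` rule `'f:/etc/ssh/sshd_config -> r:^\s*\t*Protocol\s*\t*1|^\s*\t*Protocol\s*\t*\d+,1'` handles both cases.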
@@ -494,9 +534,10 @@ checks: - cis_csc: "16.3" - cis: "5.2.9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:HostbasedAuthentication\.+yes;' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes' + - id: 5038 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." @@ -506,9 +547,10 @@ checks: - cis_csc: "4.3" - cis: "5.2.10" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitRootLogin\.+yes;' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no' + - id: 5039 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." @@ -518,9 +560,10 @@ checks: - cis_csc: "16.3" - cis: "5.2.11" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:^PermitEmptyPasswords\.+yes;' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' + # Section 6.2 - User and Group Settings - id: 5040 title: "Ensure password fields are not empty" @@ -531,9 +574,10 @@ checks: - cis_csc: "4.4" - cis: "6.2.1" - pci_dss: "10.2.5" - condition: any + condition: none rules: - - 'f:/etc/shadow -> r:^\w+::;' + - 'f:/etc/shadow -> r:^\w+::' + - id: 5041 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." @@ -543,6 +587,6 @@ checks: - cis_csc: "5.1" - cis: "6.2.5" - pci_dss: "10.2.5" - condition: any + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && !r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index 2547833f0..d4ef2d7a8 100755 
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml @@ -22,16 +22,16 @@ policy: requirements: title: "Check Debian version" description: "Requirements for running the SCA scan against Debian/Ubuntu." - condition: "all required" + condition: all rules: - - 'f:/etc/debian_version;' - - 'f:/proc/sys/kernel/ostype -> Linux;' + - 'f:/etc/debian_version' + - 'f:/proc/sys/kernel/ostype -> Linux' variables: - $rc_dirs: /etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d; - $rsyslog_files: /etc/rsyslog.conf,/etc/rsyslog.d/*; - $profiledfiles: /etc/profile.d/*; - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; + $rc_dirs: /etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d + $rsyslog_files: /etc/rsyslog.conf,/etc/rsyslog.d/* + $profiledfiles: /etc/profile.d/* + $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ checks: # 2 Filesystem Configuration @@ -44,9 +44,10 @@ checks: - cis: "2.1" references: - http://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp' + - id: 10501 title: "Set nodev option for /tmp Partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." 
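Review bot: The rewritten rule for 10500, `!r:^\s*\t*# && r:/tmp`, is an unanchored substring match, so any fstab entry whose fields merely contain `/tmp` satisfies it — for instance the `/tmp /var/tmp none bind 0 0` line that check 10505 requires — and a host with no separate /tmp partition can pass. The same pattern recurs in the `@@ -86` hunk for 10504 (`r:/var` also matches `/var/log` and `/var/tmp` entries), in `@@ -108` for 10506 (`r:/var/log` matches `/var/log/audit`), in `@@ -132` for 10508, and in the option checks 10501–10503 where `r:/tmp\s+\w+\s+\.*nodev` also matches a `/var/tmp` entry. Anchoring on the mount-point field avoids this, e.g. `- 'f:/etc/fstab -> !r:^\s*\t*# && r:\s+/tmp\s+'` and `r:\s+/tmp\s+\w+\s+\.*nodev` for the option checks.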
@@ -54,9 +55,10 @@ checks: remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - cis: "2.2" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nodev;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nodev' + - id: 10502 title: "Set nosuid option for /tmp Partition" description: "The nosuid mount option specifies that the filesystem cannot contain set userid files." @@ -64,9 +66,10 @@ checks: remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - cis: "2.3" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*nosuid;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nosuid' + - id: 10503 title: "Set noexec option for /tmp Partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." @@ -74,9 +77,10 @@ checks: remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" compliance: - cis: "2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp\s+\w+\s+\.*noexec;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*noexec' + - id: 10504 title: " Create Separate Partition for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." 
@@ -86,19 +90,21 @@ checks: - cis: "2.5" references: - http://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/var;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var' + - id: 10505 title: "Bind Mount the /var/tmp directory to /tmp" description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp." - rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." + rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" compliance: - cis: "2.6" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0' + - id: 10506 title: "Create Separate Partition for /var/log" description: "The /var/log directory is used by system services to store log data." 
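Review bot: The rationale edit for 10505 is a regression in wording: "will always be write to tmp file system" replaces the previously correct "will always be written to the /tmp file system", and nothing else on that line changes. Unless the change was intentional, the old rationale text should be restored so the description keeps its grammar and the explicit `/tmp` path.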
@@ -108,9 +114,10 @@ checks: - cis: "2.7" references: - http://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/var/log;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log' + - id: 10507 title: "Create Separate Partition for /var/log/audit" description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory." @@ -120,9 +127,10 @@ checks: - cis: "2.8" references: - http://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/var/log/audit;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log/audit' + - id: 10508 title: "Create Separate Partition for /home" description: "The /home directory is used to support disk storage needs of local users." @@ -132,9 +140,10 @@ checks: - cis: "2.9" references: - http://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/home;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home' + - id: 10509 title: "Add nodev Option to /home" description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices." @@ -142,9 +151,10 @@ checks: remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - cis: "2.10" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/home\s+\w+\s+\.*nodev;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home\s+\w+\s+\.*nodev' + - id: 10510 title: "Add nodev Option to Removable Media Partitions" description: "Set nodev on removable media to prevent character and block special devices that are present on the removable media from being treated as device files." 
@@ -152,9 +162,10 @@ checks: remediation: "Edit the /etc/fstab file and add \"nodev\" to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." compliance: - cis: "2.11" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nodev;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*nodev' + - id: 10511 title: "Add noexec Option to Removable Media Partitions" description: "Set noexec on removable media to prevent programs from executing from the removable media." @@ -162,9 +173,10 @@ checks: remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." compliance: - cis: "2.12" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*noexec;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*noexec' + - id: 10512 title: "Add nosuid Option to Removable Media Partitions" description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid." @@ -172,9 +184,10 @@ checks: remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." compliance: - cis: "2.13" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/media\.*\s+\w+\s+\.*nosuid;' + - 'f:/etc/fstab -> r:/media\.*\s+\w+\s+\.*nosuid' + - id: 10513 title: "Add nodev Option to /run/shm Partition" description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." 
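Review bot: Check 10512 (the `@@ -172` hunk) is the only removable-media rule that lost the comment exclusion: it becomes `r:/media\.*\s+\w+\s+\.*nosuid`, while its siblings 10510 and 10511 on this line were rewritten as `!r:^\s*\t*# && r:...`. As written, a commented-out fstab line such as `#/dev/sdb1 /media/usb vfat nosuid 0 0` satisfies the check. For consistency it should be `- 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*nosuid'`.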
@@ -182,9 +195,10 @@ checks: remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" compliance: - cis: "2.14" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nodev;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nodev' + - id: 10514 title: "Add nosuid Option to /run/shm Partition" description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." @@ -192,9 +206,10 @@ checks: remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm" compliance: - cis: "2.15" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*nosuid;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nosuid' + - id: 10515 title: "Add noexec Option to /run/shm Partition" description: "Set noexec on the shared memory partition to prevent programs from executing from there." @@ -202,9 +217,10 @@ checks: remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm" compliance: - cis: "2.16" - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/run/shm\s+\w+\s+\.*noexec;' + - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*noexec' + - id: 10516 title: "Disable Automounting" description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." 
@@ -212,9 +228,10 @@ checks: remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - cis: "2.25" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:autofsc;' + - 'd:$rc_dirs -> S -> r:autofsc' + # 3 Secure Boot Settings - id: 10517 title: "Set Boot Loader Password" @@ -223,12 +240,11 @@ checks: remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub" compliance: - cis: "3.3" - condition: any + condition: all rules: - - 'f:/boot/grub/grub.cfg -> !r:^set superusers;' - - 'f:/boot/grub/grub.cfg -> !r:^password;' - - 'f:/etc/grub.d -> !r:^set superusers;' - - 'f:/etc/grub.d -> !r:^password;' + - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' + - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password' + - id: 10518 title: "Require Authentication for Single-User Mode" description: "Setting a password for the root user will force authentication in single user mode." @@ -236,12 +252,10 @@ checks: remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" compliance: - cis: "3.4" - condition: any + condition: all rules: - - 'f:/etc/shadow -> r:^root:!:;' - - 'f:/etc/shadow -> r:^root:*:;' - - 'f:/etc/shadow -> r:^root:*!:;' - - 'f:/etc/shadow -> r:^root:!*:;' + - 'f:/etc/shadow -> r:^root:\$' + # 4 Additional Process Hardening - id: 10519 title: "Restrict Core Dumps" 
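Review bot: Check 10516 keeps the pattern `r:autofsc` on the new side, which looks like a leftover typo for `autofs` (the remediation disables the `autofs` service); assuming the rc link names contain the service name, this regex never matches. With the condition now `none`, a pattern that never matches makes the check pass unconditionally, which silently hides enabled automounting. The rule should presumably be `- 'd:$rc_dirs -> S -> r:autofs'` — confirm against a host that has the service enabled.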
@@ -250,10 +264,11 @@ checks: remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" compliance: - cis: "4.1" - condition: any + condition: all rules: - - 'f:/etc/security/limits.conf -> !r:^* hard core 0;' - - 'f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0;' + - 'f:/etc/security/limits.conf -> !r:^* hard core 0' + - 'f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0' + - id: 10520 title: "Enable Randomized Virtual Memory Region Placement" description: "Set the system flag to force randomized virtual memory region placement." @@ -261,9 +276,10 @@ checks: remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" compliance: - cis: "4.3" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> !r:^kernel.randomize_va_space = 2;' + - 'f:/etc/sysctl.conf -> r:^kernel.randomize_va_space = 2' + # 5 OS Services - id: 10521 title: "Ensure NIS is not installed" 
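Review bot: Check 10519 switches to `condition: all` but keeps both rules negated (`!r:^* hard core 0`, `!r:^fs.suid_dumpable = 0`), so the check now passes when the hardening lines are absent and fails when they are present — the inverse of the intent, and the opposite of sibling 10520 in the `@@ -261` hunk, which was correctly flipped to a positive `r:^kernel.randomize_va_space = 2` match. The negations should be dropped: `- 'f:/etc/security/limits.conf -> r:^* hard core 0'` and `- 'f:/etc/sysctl.conf -> r:^fs.suid_dumpable = 0'`. The leading `*` in `^* hard core 0` may also need escaping for the regex engine in use; verify that pattern matches a literal `* hard core 0` line.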
@@ -272,141 +288,155 @@ checks: remediation: "Uninstall the nis package: # apt-get purge nis" compliance: - cis: "5.1.1" - condition: any + condition: none rules: - - 'f:/etc/init.d/nis;' + - 'f:/etc/init.d/nis' + - id: 10522 - title: "Ensure rsh server is not enabled" + title: "Ensure rsh server is disabled" description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd" compliance: - cis: "5.1.2" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:shell|login|exec;' + - 'f:/etc/inetd.conf -> !r:^# && r:shell|login|exec' + - id: 10523 - title: "Ensure talk server is not enabled" + title: "Ensure talk server is disabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd" compliance: - cis: "5.1.4" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:talk|ntalk;' + - 'f:/etc/inetd.conf -> !r:^# && r:talk|ntalk' + - id: 10524 - title: "Ensure telnet server is not enabled" + title: "Ensure telnet server is disabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" compliance: - cis: "5.1.6" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:telnet;' + - 'f:/etc/inetd.conf -> !r:^# && r:telnet' + - id: 10525 - title: "Ensure tftp-server is not enabled" + title: "Ensure tftp-server is disabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." 
remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal" compliance: - cis: "5.1.7" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:tftp;' + - 'f:/etc/inetd.conf -> !r:^# && r:tftp' + - id: 10526 - title: "Ensure xinetd is not enabled" + title: "Ensure xinetd is disabled" description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Disable xinetd: # update-rc.d xinetd disable" compliance: - cis: "5.1.8" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:xinetd;' + - 'd:$rc_dirs -> S -> r:xinetd' + - id: 10527 - title: "Ensure chargen is not enabled" + title: "Ensure chargen is disabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal" compliance: - cis: "5.2" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:chargen;' + - 'f:/etc/inetd.conf -> !r:^# && r:chargen' + - id: 10528 - title: "Ensure daytime is not enabled" + title: "Ensure daytime is disabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal" compliance: - cis: "5.3" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:daytime;' + - 'f:/etc/inetd.conf -> !r:^# && r:daytime' + - id: 10529 - title: "Ensure echo is not enabled" + title: "Ensure echo is disabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal" compliance: - cis: "5.4" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:echo;' + - 'f:/etc/inetd.conf -> !r:^# && r:echo' + - id: 10530 - title: "Ensure discard is not enabled" + title: "Ensure discard is disabled" description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal" compliance: - cis: "5.5" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:discard;' + - 'f:/etc/inetd.conf -> !r:^# && r:discard' + - id: 10531 - title: "Ensure time is not enabled" + title: "Ensure time is disabled" description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal" compliance: - cis: "5.6" - condition: any + condition: none rules: - - 'f:/etc/inetd.conf -> IN !r:^# && r:time;' + - 'f:/etc/inetd.conf -> !r:^# && r:time' + # 6 Special Purpose Services - id: 10532 - title: "Ensure Avahi Server is not enabled" + title: "Ensure Avahi Server is disabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface." 
remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable" compliance: - cis: "6.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:avahi-daemon;' + - 'd:$rc_dirs -> S -> r:avahi-daemon' + - id: 10533 - title: "Ensure print server is not enabled" + title: "Ensure print server is disabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Disable cups: # update-rc.d cups disable" compliance: - cis: "6.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:cups;' - - 'd:$rc_dirs -> S -> r:cups-browsed;' + - 'd:$rc_dirs -> S -> r:cups' + - 'd:$rc_dirs -> S -> r:cups-browsed' + - id: 10534 - title: "Ensure DHCP Server is not enabled" + title: "Ensure DHCP Server is disabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface." remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable" compliance: - cis: "6.4" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:disc-dhcp-server;' + - 'd:$rc_dirs -> S -> r:disc-dhcp-server' + - id: 10535 title: "Configure Network Time Protocol (NTP)" description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. 
NTP can be configured to be a client and/or a server." @@ -416,13 +446,14 @@ checks: - cis: "6.5" references: - http://www.ntp.org/ - condition: any + condition: all rules: - - 'f:/etc/ntp.conf -> !r:^restrict -4 default kod nomodify notrap nopeer noquery;' - - 'f:/etc/ntp.conf -> !r:^restrict -6 default kod nomodify notrap nopeer noquery;' - - 'f:/etc/ntp.conf -> !r:^server\s\.+;' + - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^server\s\.+' + - id: 10536 - title: "Ensure LDAP is not enabled" + title: "Ensure LDAP is disabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface." remediation: "Uninstall the slapd package: # apt-get purge slapd" 
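Review bot: In check 10534 (inside the `@@ -272` hunk that starts on the earlier line) the pattern `r:disc-dhcp-server` cannot match an rc link for the `isc-dhcp-server` service that the remediation names, and it looks like a typo carried over from the old rule. Because the condition is now `none`, a pattern that never matches makes the check pass on every host, including ones running the DHCP server. The rule should read `- 'd:$rc_dirs -> S -> r:isc-dhcp-server'`.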
@@ -430,90 +461,99 @@ checks: - cis: "6.6" references: - http://www.openldap.org - condition: any + condition: none rules: - - 'd:/etc/init.d -> r:ldap;' + - 'd:/etc/init.d -> r:ldap' + - id: 10537 - title: "Ensure NFS and RPC are not enabled" + title: "Ensure NFS and RPC are disabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable" compliance: - cis: "6.7" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:rpcbind;' - - 'd:$rc_dirs -> S -> r:nfs-kernel-server;' + - 'd:$rc_dirs -> S -> r:rpcbind' + - 'd:$rc_dirs -> S -> r:nfs-kernel-server' + - id: 10538 - title: "Ensure DNS Server is not enabled" + title: "Ensure DNS Server is disabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable bind9: # update-rc.d bind9 disable" compliance: - cis: "6.8" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:bind9;' + - 'd:$rc_dirs -> S -> r:bind9' + - id: 10539 - title: "Ensure FTP Server is not enabled" + title: "Ensure FTP Server is disabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. 
It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable vsftpd: # update-rc.d vsftpd disable" compliance: - cis: "6.9" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:vsftpd;' + - 'd:$rc_dirs -> S -> r:vsftpd' + - id: 10540 - title: "Ensure HTTP Server is not enabled" + title: "Ensure HTTP Server is disabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable apache2: # update-rc.d apache2 disable" compliance: - cis: "6.10" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:apache2;' + - 'd:$rc_dirs -> S -> r:apache2' + - id: 10541 - title: "Ensure IMAP and POP server is not enabled" + title: "Ensure IMAP and POP server is disabled" description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." remediation: "Disable dovecot: # update-rc.d dovecot disable" compliance: - cis: "6.11" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:dovecot;' + - 'd:$rc_dirs -> S -> r:dovecot' + - id: 10542 - title: "Ensure Samba is not enabled" + title: "Ensure Samba is disabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. 
Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." remediation: "Disable samba: # update-rc.d samba disable" compliance: - cis: "6.12" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:samba;' + - 'd:$rc_dirs -> S -> r:samba' + - id: 10543 - title: "Ensure HTTP Proxy Server is not enabled" + title: "Ensure HTTP Proxy Server is disabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." remediation: "Disable squid3: # update-rc.d squid3 disable" compliance: - cis: "6.13" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:squid3;' + - 'd:$rc_dirs -> S -> r:squid3' + - id: 10544 - title: "Ensure SNMP Server is not enabled" + title: "Ensure SNMP Server is disabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." 
remediation: "Disable snmpd: # update-rc.d snmpd disable" compliance: - cis: "6.14" - condition: any + condition: none rules: - - 'd:$rc_dirs -> S -> r:snmpd;' + - 'd:$rc_dirs -> S -> r:snmpd' + - id: 10545 title: "Configure Mail Transfer Agent for Local-Only Mode" description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail." @@ -521,19 +561,21 @@ checks: remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload" compliance: - cis: "6.15" - condition: any + condition: all rules: - - 'f:/etc/exim4/update-exim4.conf.conf -> NIN r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$;' + - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$' + - id: 10546 - title: "Ensure rsync service is not enabled" + title: "Ensure rsync service is disabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false" compliance: - cis: "6.16" - condition: any + condition: all rules: - - 'f:/etc/default/rsync -> NIN !r:^# && r:^RSYNC_ENABLE=false;' + - 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=false' + # 7 Network Configuration and Firewall - id: 10547 title: "Disable IP Forwarding" 
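Review bot: In check 10546 (the `@@ -521` hunk) the `!r:^#` clause is redundant: `r:^RSYNC_ENABLE=false` is already anchored at the start of the line, so a commented line can never match it, and the simpler `- 'f:/etc/default/rsync -> r:^RSYNC_ENABLE=false'` expresses the same test. Separately, with `condition: all` a host that does not have `/etc/default/rsync` at all (rsync not installed) presumably fails this check rather than passing it; if the matcher treats a missing file as an unsatisfied rule, that behaviour is worth noting in the description since absence of the package is the more secure state.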
@@ -542,10 +584,10 @@ checks: remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.1.1" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.ip_forward=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.ip_forward=0;' + - 'f:/etc/sysctl.conf -> !r:^\s*\t*# && r:net.ipv4.ip_forward=0' + - id: 10548 title: "Disable Send Packet Redirects" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." 
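Review bot: The persisted-config rule in this hunk, `r:net.ipv4.ip_forward=0`, and the anchored `r:^net.ipv4...=0` / `=1` rules in hunks -564 through -688 match a literal `=` with no surrounding whitespace, so a compliant `net.ipv4.ip_forward = 0` (sysctl.conf(5) allows spaces around `=`) is reported as failed. Hunk -553 already writes `\s*=\s*`; using the same form here, `'f:/etc/sysctl.conf -> !r:^\s*\t*# && r:net.ipv4.ip_forward\s*=\s*0'`, and in the later hunks would keep the file consistent and avoid the false failures. This check is also the only sysctl check in the series without a runtime rule, so unlike 10548 onward it never verifies the active kernel value; adding `'c:sysctl net.ipv4.ip_forward -> 0'` next to the file rule would match the pattern used from -553 on.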
@@ -553,10 +595,13 @@ checks: remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.1.2" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.all.send_redirects\s*=\s*1;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.default.send_redirects\s*=\s*1;' + - 'c:sysctl net.ipv4.conf.all.send_redirects -> 0' + - 'c:sysctl net.ipv4.conf.default.send_redirects -> 0' + - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects\s*=\s*0' + - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects\s*=\s*0' + - id: 10549 title: "Disable Source Routed Packet Acceptance" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." 
@@ -564,12 +609,13 @@ checks: remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.1" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.all.accept_source_route=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_source_route=0;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.default.accept_source_route=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_source_route=0;' + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> 0' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> 0' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route=0' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_source_route=0' + - id: 10550 title: "Disable ICMP Redirect Acceptance" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." 
@@ -577,12 +623,13 @@ checks: remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.2" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.all.accept_redirects=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.accept_redirects=0;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.default.accept_redirects=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.accept_redirects=0;' + - 'c:sysctl net.ipv4.conf.all.accept_redirects -> 0' + - 'c:sysctl net.ipv4.conf.default.accept_redirects -> 0' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_redirects=0' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_redirects=0' + - id: 10551 title: "Disable Secure ICMP Redirect Acceptance" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." 
@@ -590,12 +637,13 @@ checks: remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.3" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.all.secure_redirects=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.secure_redirects=0;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.default.secure_redirects=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.secure_redirects=0;' + - 'c:sysctl net.ipv4.conf.all.secure_redirects -> 0' + - 'c:sysctl net.ipv4.conf.default.secure_redirects -> 0' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.secure_redirects=0' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.secure_redirects=0' + - id: 10552 title: "Log Suspicious Packets" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." 
@@ -603,12 +651,13 @@ checks: remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.4" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.all.log_martians=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.log_martians=1;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.default.log_martians=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.log_martians=1;' + - 'c:sysctl net.ipv4.conf.all.log_martians -> 1' + - 'c:sysctl net.ipv4.conf.default.log_martians -> 1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.log_martians=1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.log_martians=1' + - id: 10553 title: "Enable Ignore Broadcast Requests" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." 
@@ -616,10 +665,11 @@ checks: remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.5" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.icmp_echo_ignore_broadcasts=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_echo_ignore_broadcasts=1;' + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> 1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts=1' + - id: 10554 title: "Enable Bad Error Message Protection" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." 
@@ -627,10 +677,11 @@ checks: remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.6" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.icmp_ignore_bogus_error_responses=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.icmp_ignore_bogus_error_responses=1;' + - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> 1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses=1' + - id: 10555 title: "Enable RFC-recommended Source Route Validation" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." 
@@ -638,12 +689,13 @@ checks: remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.7" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.all.rp_filter=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.all.rp_filter=1;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.conf.default.rp_filter=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.conf.default.rp_filter=1;' + - 'c:sysctl net.ipv4.conf.all.rp_filter -> 1' + - 'c:sysctl net.ipv4.conf.default.rp_filter -> 1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.rp_filter=1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.rp_filter=1' + - id: 10556 title: "Enable TCP SYN Cookies" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." 
@@ -651,10 +703,11 @@ checks: remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "7.2.8" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv4.tcp_syncookies=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv4.tcp_syncookies=1;' + - 'c:sysctl net.ipv4.tcp_syncookies -> 1' + - 'f:/etc/sysctl.conf -> r:^net.ipv4.tcp_syncookies=1' + - id: 10557 title: "Disable IPv6 Router Advertisements" description: "This setting disables the systems ability to accept router advertisements" @@ -662,12 +715,13 @@ checks: remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1" compliance: - cis: "7.3.1" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.all.accept_ra=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_ra=0;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.default.accept_ra=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_ra=0;' + - 'c:sysctl net.ipv6.conf.all.accept_ra -> 0' + - 'c:sysctl net.ipv6.conf.default.accept_ra -> 0' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_ra=0' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_ra=0' + - id: 10558 title: "Disable IPv6 Redirect Acceptance" description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic." 
@@ -675,12 +729,13 @@ checks: remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1" compliance: - cis: "7.3.2" - condition: any + condition: all rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.all.accept_redirects=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.accept_redirects=0;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.default.accept_redirects=1;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.accept_redirects=0;' + - 'c:sysctl net.ipv6.conf.all.accept_redirects -> 0' + - 'c:sysctl net.ipv6.conf.default.accept_redirects -> 0' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_redirects=0' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_redirects=0' + - id: 10559 title: "Disable IPv6" description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6." 
@@ -688,14 +743,15 @@ checks: remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p" compliance: - cis: "7.3.3" - condition: any - rules: - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.all.disable_ipv6=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.all.disable_ipv6=1;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.default.disable_ipv6=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.default.disable_ipv6=1;' - - 'f:/etc/sysctl.conf -> IN !r:^# && r:net.ipv6.conf.lo.disable_ipv6=0;' - - 'f:/etc/sysctl.conf -> !r:^net.ipv6.conf.lo.disable_ipv6=1;' + condition: all + rules: + - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> 1' + - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> 1' + - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> 1' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6=1' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6=1' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6=1' + - id: 10560 title: "Create /etc/hosts.allow" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." 
@@ -703,10 +759,11 @@ checks: remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system." compliance: - cis: "7.4.2" - condition: any + condition: all rules: - - 'f:!/etc/hosts.allow;' - - 'f:/etc/hosts.allow -> !r:^ALL:\.*;' + - 'f:/etc/hosts.allow' + - 'f:/etc/hosts.allow -> r:^ALL:\.*' + - id: 10561 title: "Create /etc/hosts.deny" description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." @@ -714,10 +771,11 @@ checks: remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny" compliance: - cis: "7.4.4" - condition: any + condition: all rules: - - 'f:!/etc/hosts.deny;' - - 'f:/etc/hosts.deny -> !r:^ALL:\s*ALL;' + - 'f:/etc/hosts.deny' + - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' + - id: 10562 title: "Disable DCCP" description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery." 
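Review bot: The content rule `r:^ALL:\.*` in the hosts.allow check accepts any `ALL:` line, including `ALL: ALL`, which permits every client and is the opposite of what the remediation describes (one network block per entry). A companion `'not f:/etc/hosts.allow -> r:^ALL:\s*ALL'` would reject that case, mirroring how the hosts.deny hunk (-714) pins the exact `ALL: ALL` line. The first rule, `'f:/etc/hosts.allow'`, appears redundant under `condition: all`, since the content rule cannot match on a missing file.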
@@ -725,10 +783,11 @@ checks: remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.1" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install dccp /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install dccp /bin/true' + - id: 10563 title: "Disable SCTP" description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." @@ -736,10 +795,11 @@ checks: remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.2" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install sctp /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install sctp /bin/true' + - id: 10564 title: "Disable RDS" description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." @@ -747,10 +807,11 @@ checks: remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.3" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install rds /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install rds /bin/true' + - id: 10565 title: "Disable TIPC" description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." 
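Review bot: The modprobe rules in this hunk and in -736, -747 and -758 require the `install <module> /bin/true` line to live in `/etc/modprobe.d/CIS.conf` specifically, so a host that disables the module in any other `/etc/modprobe.d/*.conf` file, or with `/bin/false`, is reported non-compliant even though it satisfies the benchmark. If the directory form used elsewhere in this file (`d:$rc_dirs -> S -> r:samba`) accepts a name pattern, a rule along the lines of `d:/etc/modprobe.d -> r:\.conf$ -> r:^install\s+dccp\s+/bin/true` would cover every drop-in file; the file-existence rule `'f:/etc/modprobe.d/CIS.conf'` would then be unnecessary. None of these four checks confirms the module is actually not loaded; a runtime rule such as `not c:lsmod -> r:^dccp\s` (assuming `not` is accepted on `c:` rules, as it is on `f:` rules in -876) would close that gap.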
@@ -758,10 +819,11 @@ checks: remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.4" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install tipc /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install tipc /bin/true' + - id: 10566 title: "Ensure Firewall is active" description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps." @@ -769,12 +831,13 @@ checks: remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable" compliance: - cis: "7.7" - condition: any + condition: all rules: - - 'f:!/etc/rc2.d/S01iptables-persistent;' - - 'f:!/etc/rc3.d/S01iptables-persistent;' - - 'f:!/etc/rc4.d/S01iptables-persistent;' - - 'f:!/etc/rc5.d/S01iptables-persistent;' + - 'f:/etc/rc2.d/S01iptables-persistent' + - 'f:/etc/rc3.d/S01iptables-persistent' + - 'f:/etc/rc4.d/S01iptables-persistent' + - 'f:/etc/rc5.d/S01iptables-persistent' + # 8 Logging and Auditing - id: 10567 title: "Ensure the rsyslog Service is activated" 
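Review bot: The four rules in hunk -769 hard-code the start priority in the symlink name (`S01iptables-persistent`), so a compliant host whose init links carry a different sequence number, or a release that manages the service without rc?.d links, fails the check; the rsyslog (-783) and cron/anacron (-859) hunks have the same fixed `S01`/`S15` names. If the directory form supports a name pattern, `d:/etc/rc2.d -> r:^S\d+iptables-persistent` per runlevel would tolerate the priority. The check also confirms only that the service is enabled at boot, not that any firewall rules are loaded; a rule on `c:iptables -L` output would verify the active state, as the sysctl checks above do with `c:sysctl`.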
@@ -783,12 +846,13 @@ checks: remediation: "Enable rsyslog: # update-rc.d rsyslog enable" compliance: - cis: "8.2.2" - condition: any + condition: all rules: - - 'f:!/etc/rc2.d/S01rsyslog;' - - 'f:!/etc/rc3.d/S01rsyslog;' - - 'f:!/etc/rc4.d/S01rsyslog;' - - 'f:!/etc/rc5.d/S01rsyslog;' + - 'f:/etc/rc2.d/S01rsyslog' + - 'f:/etc/rc3.d/S01rsyslog' + - 'f:/etc/rc4.d/S01rsyslog' + - 'f:/etc/rc5.d/S01rsyslog' + - id: 10568 title: "Configure /etc/rsyslog.conf" description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." 
@@ -798,23 +862,24 @@ checks: - cis: "8.2.3" references: - rsyslog.conf(5) man page - condition: any - rules: - - 'f:$rsyslog_files -> !r:^*.emerg\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^mail.*\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^mail.info\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^mail.warning\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^mail.err\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^news.crit\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^news.err\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^news.notice\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^*.=warning;*.=err\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^*.crit\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^*.*;mail.none;news.none\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^local0,local1.*\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^local2,local3.*\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^local4,local5.*\s*\t*\s*\S;' - - 'f:$rsyslog_files -> !r:^local6,local7.*\s*\t*\s*\S;' + condition: all + rules: + - 'f:$rsyslog_files -> r:^*.emerg\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.info\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.warning\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.err\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^news.crit\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^news.err\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^news.notice\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^*.=warning;*.=err\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^*.crit\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^*.*;mail.none;news.none\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local0,local1.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local2,local3.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local4,local5.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local6,local7.*\s*\t*\s*\S' + - id: 10569 title: "Configure rsyslog to Send Logs to a Remote Log Host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing 
administrative overhead." @@ -824,9 +889,10 @@ checks: - cis: "8.2.5" references: - rsyslog.conf(5) man page - condition: any + condition: all rules: - - 'f:/etc/rsyslog.conf -> !r:^*.* @@\w+.\w+.\w+;' + - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+' + - id: 10570 title: "Accept Remote rsyslog Messages Only on Designated Log Hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." @@ -836,10 +902,11 @@ checks: - cis: "8.2.6" references: - rsyslog.conf(8) man page - condition: any + condition: all rules: - - 'f:$rsyslog_files -> !r:^\$ModLoad imtcp.so;' - - 'f:$rsyslog_files -> !r:^\$InputTCPServerRun 514;' + - 'f:$rsyslog_files -> r:^\$ModLoad imtcp.so' + - 'f:$rsyslog_files -> r:^\$InputTCPServerRun 514' + - id: 10571 title: "Configure logrotate" description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog." @@ -847,10 +914,11 @@ checks: remediation: "Edit the /etc/logrotate.d/rsyslog file to include appropriate system logs according to your site policy." compliance: - cis: "8.4" - condition: any + condition: all rules: - - 'f:!/etc/logrotate.d/rsyslog;' - - 'f:/etc/logrotate.d/rsyslog -> !r:\S+;' + - 'f:/etc/logrotate.d/rsyslog' + - 'f:/etc/logrotate.d/rsyslog -> r:\S+' + # 9 System Access, Authentication and Authorization - id: 10572 title: "Enable cron Daemon" 
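Review bot: The rsyslog selector rules in hunk -798 (`^*.emerg`, `^*.=warning;*.=err`, `^*.crit`, `^*.*;mail.none;news.none`) and the forwarding rule in -824 (`^*.* @@`) place a bare `*` immediately after `^`, where it is a quantifier with nothing to repeat; whether the engine treats it as a literal asterisk should be confirmed on a sample file. The file already uses `\p` for literal punctuation (hunk -521), so `^\p.emerg` would make the literal intent explicit. Separately, with `condition: all` every one of the fifteen selectors from the CIS sample must be present verbatim, while the remediation says to configure "according to your site policy"; a sentence in the description noting that the rules mirror the sample layout would help operators interpret a failure.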
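Review bot: The remote-host rule in hunk -824 checks only `/etc/rsyslog.conf`, while the neighbouring checks (-798, -836) use `$rsyslog_files`, so a forwarding rule placed in `/etc/rsyslog.d/` is reported as missing; `'f:$rsyslog_files -> r:^*.* @@\w+.\w+.\w+'` would be consistent. Because the dots in `\w+.\w+.\w+` are unescaped they match any character, so the pattern accepts any destination of five or more characters rather than a dotted hostname; `\w+\.\w+\.\w+` (or `\w+\p\w+\p\w+`, in the style of -521) expresses the intended shape. UDP forwarding (`*.* @host`) is not counted, which matches the CIS preference for TCP but is worth stating in the description.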
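Review bot: Check 10570 in hunk -836 passes only when `$ModLoad imtcp.so` and `$InputTCPServerRun 514` are present, i.e. when the host is configured to receive remote logs, yet the title says listening belongs only on designated log hosts; on every other host, where the compliant state is the absence of these lines, the check fails. The policy cannot know the host's role, so either the description should state that this check applies to log hosts only, or the rules should be inverted with `not` for the general population of hosts.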
@@ -859,16 +927,17 @@ checks: remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable" compliance: - cis: "9.1.1" - condition: any - rules: - - 'f:!/etc/rc2.d/S15anacron;' - - 'f:!/etc/rc2.d/S15cron;' - - 'f:!/etc/rc3.d/S15anacron;' - - 'f:!/etc/rc3.d/S15cron;' - - 'f:!/etc/rc4.d/S15anacron;' - - 'f:!/etc/rc4.d/S15cron;' - - 'f:!/etc/rc5.d/S15anacron;' - - 'f:!/etc/rc5.d/S15cron;' + condition: all + rules: + - 'f:/etc/rc2.d/S15anacron' + - 'f:/etc/rc2.d/S15cron' + - 'f:/etc/rc3.d/S15anacron' + - 'f:/etc/rc3.d/S15cron' + - 'f:/etc/rc4.d/S15anacron' + - 'f:/etc/rc4.d/S15cron' + - 'f:/etc/rc5.d/S15anacron' + - 'f:/etc/rc5.d/S15cron' + - id: 10573 title: "Restrict at/cron to Authorized Users" description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." 
@@ -876,10 +945,15 @@ checks: remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" compliance: - cis: "9.1.8" - condition: any - rules: - - 'f:!/etc/cron.allow;' - - 'f:!/etc/at.allow;' + condition: all + rules: + - 'f:/etc/cron.allow' + - 'f:/etc/at.allow' + - 'not f:/etc/cron.deny' + - 'not f:/etc/at.deny' + - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-\d00' + - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-\d00' + - id: 10574 title: "Set Password Creation Requirement Parameters Using pam_cracklib" description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies." 
@@ -887,9 +961,10 @@ checks: remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1" compliance: - cis: "9.2.1" - condition: any + condition: all rules: - - 'f:/etc/pam.d/common-password -> !r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+;' + - 'f:/etc/pam.d/common-password -> r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+' + - id: 10575 title: " Set Lockout for Failed Password Attempts" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." 
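Review bot: The pam_cracklib rule is not anchored at the start of the line and does not exclude comments, so a commented-out `# password required pam_cracklib.so retry=3 minlen=14 ...` satisfies it; the pam_tally2 (-897) and pam_unix `remember` (-907) rules have the same gap. The numeric parts are also weaker than the documented values: `minlen=\d\d+` accepts 10–13 although the remediation requires 14, `deny=\d` accepts up to 9, and `remember=\d` accepts 1. This file already uses `n:... compare` for sshd values, so a rule along the lines of `n:^\s*password\s+required\s+pam_cracklib.so.*minlen=(\d+) compare >= 14` would both anchor the line and enforce the threshold.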
@@ -897,9 +972,10 @@ checks: remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user." compliance: - cis: "9.2.2" - condition: any + condition: all rules: - - 'f:/etc/pam.d/login -> !r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+;' + - 'f:/etc/pam.d/login -> r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+' + - id: 10576 title: "Limit Password Reuse" description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." @@ -907,9 +983,10 @@ checks: remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy." compliance: - cis: "9.2.3" - condition: any + condition: all rules: - - 'f:/etc/pam.d/common-password -> !r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d;' + - 'f:/etc/pam.d/common-password -> r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d' + - id: 10577 title: "Set SSH Protocol to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." 
@@ -917,9 +994,10 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - cis: "9.3.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> NIN !r:^# && r:Protocol\.+2;' + - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - id: 10578 title: "Set LogLevel to INFO" description: "The INFO parameter specifices that record login and logout activity will be logged." @@ -927,9 +1005,10 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - cis: "9.3.2" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^LogLevel\s+INFO;' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+INFO' + - id: 10579 title: "Disable SSH X11 Forwarding" description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." @@ -937,9 +1016,10 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no" compliance: - cis: "9.3.4" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s+no;' + - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' + - id: 10580 title: "Set SSH MaxAuthTries to 4 or Less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." 
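Review bot: The `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` rule in hunk -917 reads only the first number, so `Protocol 2,1` — which still offers SSH-1 — passes; a literal `r:^\s*Protocol\s+2\s*$` together with `'not f:/etc/ssh/sshd_config -> r:^\s*Protocol\s.*1'` would reject any list that includes 1. A host that omits the directive fails, which is what the benchmark asks for, but recent OpenSSH releases no longer implement protocol 1 and ignore the directive, so the rationale might note that the check is aimed at older servers.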
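Review bot: In hunk -937 the rule `r:^X11Forwarding\s+no` lacks the leading-whitespace tolerance used by the LogLevel rule in -927 (`^\s*\t*LogLevel`), and there is no `not ... X11Forwarding\s+yes` companion of the kind -963 through -994 add; since sshd applies the first occurrence of a keyword, a file with `X11Forwarding yes` above `X11Forwarding no` passes this check while X11 forwarding stays enabled. Adding `'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:X11Forwarding\s+yes'` would close that case.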
@@ -947,15 +1027,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - cis: "9.3.5" - condition: any - rules: - - 'f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s+\d;' - - 'f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+\d\d+;' - - 'f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+5;' - - 'f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+6;' - - 'f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+7;' - - 'f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+8;' - - 'f:/etc/ssh/sshd_config -> r:^MaxAuthTries\s+9;' + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - 'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && n:^MaxAuthTries\s+(\d+) compare > 4' + - id: 10581 title: "Set SSH IgnoreRhosts to Yes" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." @@ -963,9 +1039,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - cis: "9.3.6" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s+yes;' + - 'f:/etc/ssh/sshd_config -> r:^IgnoreRhosts\s+yes' + - 'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:IgnoreRhosts\s+yes' + - id: 10582 title: "Set SSH HostbasedAuthentication to No" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." 
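Review bot: The IgnoreRhosts check (10581) can never pass: its first rule requires an uncommented line starting with `IgnoreRhosts yes`, and its second, `not ... r:IgnoreRhosts\s+yes`, requires that no uncommented line contains `IgnoreRhosts yes`, so under `condition: all` the two rules contradict each other. The `not` rule should look for the non-compliant value, as the HostbasedAuthentication hunk does: `'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:IgnoreRhosts\s+no'`.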
@@ -973,9 +1051,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - cis: "9.3.7" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^HostbasedAuthentication\s+no;' + - 'f:/etc/ssh/sshd_config -> r:^HostbasedAuthentication\s+no' + - 'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:HostbasedAuthentication\s+yes' + - id: 10583 title: "Disable SSH Root Login" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." @@ -983,10 +1063,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - cis: "9.3.8" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitRootLogin\s+yes;' - - 'f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s+no;' + - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s+no' + - 'not f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes' + - id: 10584 title: "Set SSH PermitEmptyPasswords to No" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." @@ -994,10 +1075,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - cis: "9.3.9" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitEmptyPasswords\s+yes;' - - 'f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s+no;' + - 'f:/etc/ssh/sshd_config -> r:^PermitEmptyPasswords\s+no' + - 'not f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+yes' + - id: 10585 title: "Do Not Allow Users to Set Environment Options" description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." 
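Review bot: The comment guard in the PermitRootLogin `not` rule (10583), `!r:^#`, only recognises a `#` at column 0, while the IgnoreRhosts and MaxAuthTries hunks use `!r:^\s*\t*#`; an indented `  # PermitRootLogin yes` line therefore trips the `not` rule and fails an otherwise compliant host. The PermitEmptyPasswords (10584) and PermitUserEnvironment (10585, next hunk) rules carry the same guard. Writing all three as `'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:PermitRootLogin\s+yes'` (with the respective keyword) keeps the file consistent.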
@@ -1005,10 +1087,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" compliance: - cis: "9.3.10" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitUserEnvironment\s+yes;' - - 'f:/etc/ssh/sshd_config -> !r:^PermitUserEnvironment\s+no;' + - 'f:/etc/ssh/sshd_config -> r:^PermitUserEnvironment\s+no' + - 'not f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+yes' + - id: 10586 title: "Set Idle Timeout Interval for User Login" description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." @@ -1016,10 +1099,11 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0" compliance: - cis: "9.3.12" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^ClientAliveInterval\s+\d+;' - - 'f:/etc/ssh/sshd_config -> !r:^ClientAliveCountMax\s+\d;' + - 'f:/etc/ssh/sshd_config -> n:^ClientAliveInterval\s+(\d+) compare <= 300' + - 'f:/etc/ssh/sshd_config -> r:^ClientAliveCountMax\s+0' + - id: 10587 title: "Limit Access via SSH" description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." 
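Review bot: `n:^ClientAliveInterval\s+(\d+) compare <= 300` in 10586 accepts `ClientAliveInterval 0`, and 0 is sshd's default meaning that no client-alive messages are sent at all, so a host with the idle timeout disabled passes the check whose purpose is to enforce one. Add a lower bound alongside it: `'f:/etc/ssh/sshd_config -> n:^ClientAliveInterval\s+(\d+) compare > 0'`. The `^` anchor already excludes a commented `#ClientAliveInterval 0`, but an indented directive is not matched; `^\s*\t*` would align it with the Protocol rule.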
@@ -1027,9 +1111,10 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " compliance: - cis: "9.3.13" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+;' + - 'f:/etc/ssh/sshd_config -> r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' + - id: 10588 title: "Set SSH Banner" description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." @@ -1037,9 +1122,10 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" compliance: - cis: "9.3.14" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^Banner\s+\S+;' + - 'f:/etc/ssh/sshd_config -> r:^Banner /etc/issue.net' + - id: 10589 title: "Restrict Access to the su Command" description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su." @@ -1047,9 +1133,10 @@ checks: remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file." compliance: - cis: "9.5" - condition: any + condition: all rules: - - 'f:/etc/pam.d/su -> !r:auth required pam_wheel.so use_uid;' + - 'f:/etc/pam.d/su -> r:auth required pam_wheel.so use_uid' + # 10 User Accounts and Environment - id: 10590 title: "Set Password Expiration Days" 
@@ -1058,19 +1145,10 @@ checks: remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 " compliance: - cis: "10.1.1" - condition: any - rules: - - 'f:/etc/login.defs -> !r:^PASS_MAX_DAYS\s+\d+;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+\d\d\d+;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+91;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+92;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+93;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+94;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+95;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+96;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+97;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+98;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MAX_DAYS\s+99;' + condition: all + rules: + - 'f:/etc/login.defs -> !n:^PASS_MAX_DAYS\s+(\d+) compare <= 90' + - id: 10591 title: "Set Password Change Minimum Number of Days" description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." 
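Review bot: The rewritten PASS_MAX_DAYS rule is negated, `!n:^PASS_MAX_DAYS\s+(\d+) compare <= 90`, so under `condition: all` the check passes exactly when there is no PASS_MAX_DAYS value of 90 or less — a host with `PASS_MAX_DAYS 99999` passes and a compliant `PASS_MAX_DAYS 90` fails (assuming the `!` prefix is honoured for `n:` rules; if it is not, the rule is simply malformed). Drop the negation: `'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s+(\d+) compare <= 90'`. A `^\s*\t*` prefix would match the indentation tolerance used in the sshd rules.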
@@ -1078,15 +1156,10 @@ checks: remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 " compliance: - cis: "10.1.2" - condition: any - rules: - - 'f:/etc/login.defs -> !r:^PASS_MIN_DAYS\s+\d+;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MIN_DAYS\s+1;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MIN_DAYS\s+2;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MIN_DAYS\s+3;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MIN_DAYS\s+4;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MIN_DAYS\s+5;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_MIN_DAYS\s+6;' + condition: all + rules: + - 'f:/etc/login.defs -> r:^PASS_MIN_DAYS\s+(\d+) compare <= 7' + - id: 10592 title: "Set Password Expiring Warning Days" description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." 
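Review bot: `r:^PASS_MIN_DAYS\s+(\d+) compare <= 7` uses `r:` with a `compare` clause; every other numeric comparison in this patch uses `n:`, and as far as I can tell the comparison is only evaluated for `n:` rules, so the trailing ` compare <= 7` is most likely read as part of the pattern and the rule never matches. The direction is also inverted against the description ("7 or more days"): `<= 7` would pass the common default `PASS_MIN_DAYS 0` and fail `PASS_MIN_DAYS 14`. The rule should read `'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s+(\d+) compare >= 7'`. The same `r:` + `compare` form appears in 10592 (next hunk) and in the INACTIVE rule of 10595.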
@@ -1094,15 +1167,10 @@ checks: remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 " compliance: - cis: "10.1.3" - condition: any - rules: - - 'f:/etc/login.defs -> !r:^PASS_WARN_DAYS\s+\d+;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_WARN_DAYS\s+1;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_WARN_DAYS\s+2;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_WARN_DAYS\s+3;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_WARN_DAYS\s+4;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_WARN_DAYS\s+5;' - - 'f:/etc/login.defs -> IN !r:^# && r:PASS_WARN_DAYS\s+6;' + condition: all + rules: + - 'f:/etc/login.defs -> r:^PASS_WARN_DAYS\s+(\d+) compare <= 7' + - id: 10593 title: "Set Default Group for root Account" description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." @@ -1110,9 +1178,10 @@ checks: remediation: "# usermod -g 0 root" compliance: - cis: "10.3" - condition: any + condition: all rules: - - 'f:/etc/passwd -> !r:^root:\w+:\w+:0:;' + - 'f:/etc/passwd -> r:^root:\w+:\w+:0:' + - id: 10594 title: "Set Default umask for Users" description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories." 
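Review bot: The 10592 rule matches `PASS_WARN_DAYS`, but the login.defs key — and the name the remediation on this hunk uses — is `PASS_WARN_AGE`, so the rule can never find the setting; the typo was carried over from the removed rules rather than fixed. Together with the direction the description asks for ("7 or more days"), the rule should be `'f:/etc/login.defs -> n:^PASS_WARN_AGE\s+(\d+) compare >= 7'`.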
@@ -1120,10 +1189,11 @@ checks: remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077" compliance: - cis: "10.4" - condition: any + condition: all rules: - - 'f:$profiledfiles -> !r:^umask 077;' - - 'f:/etc/bash.bashrc -> !r:^umask 077;' + - 'f:$profiledfiles -> r:^umask 077' + - 'f:/etc/bash.bashrc -> r:^umask 077' + - id: 10595 title: "Lock Inactive User Accounts" description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." @@ -1131,9 +1201,10 @@ checks: remediation: "# useradd -D -f 35" compliance: - cis: "10.5" - condition: any + condition: all rules: - - 'f:/etc/default/useradd -> !r:^INACTIVE=\d\d*;' + - 'f:/etc/default/useradd -> r:^INACTIVE=(\d+) compare <= 35' + # 11 Warning Banners - id: 10596 title: "Set Warning Banner for Standard Login Services" @@ -1142,11 +1213,12 @@ checks: remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net" compliance: - cis: "11.1" - condition: any + condition: all rules: - - 'f:!/etc/motd;' - - 'f:!/etc/issue;' - - 'f:!/etc/issue.net;' + - 'f:/etc/motd' + - 'f:/etc/issue' + - 'f:/etc/issue.net' + - id: 10597 title: "Remove OS Information from Login Warning Banners" description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." 
@@ -1154,9 +1226,10 @@ checks: remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v." compliance: - cis: "11.2" - condition: any + condition: none rules: - - 'f:/etc/motd -> r:debian|gnu|linux;' + - 'f:/etc/motd -> r:debian|gnu|linux' + # 13 Review User and Group Settings - id: 10598 title: "Ensure Password Fields are Not Empty" @@ -1165,9 +1238,10 @@ checks: remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." compliance: - cis: "13.1" - condition: any + condition: none rules: - - 'f:/etc/shadow -> r:^\w+::;' + - 'f:/etc/shadow -> r:^\w+::' + - id: 10599 title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." @@ -1175,9 +1249,10 @@ checks: remediation: "Delete these entries if they exist." compliance: - cis: "13.2" - condition: any + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && r:^+:;' + - 'f:/etc/passwd -> !r:^# && r:^+:' + - id: 10600 title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." 
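Review bot: The 10597 check only scans /etc/motd, while its remediation names /etc/motd, /etc/issue and /etc/issue.net and the `\m`, `\r`, `\s`, `\v` escapes that expose OS details; an /etc/issue that still prints the release string passes. Under `condition: none` the two missing files can be added directly: `'f:/etc/issue -> r:debian|gnu|linux'` and `'f:/etc/issue.net -> r:debian|gnu|linux'`. Matching the escape sequences themselves (a literal backslash followed by `m`, `r`, `s` or `v`, escaped per the regex dialect in use) would make the check independent of the distribution name.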
@@ -1185,9 +1260,9 @@ checks: remediation: "Delete these entries if they exist." compliance: - cis: "13.3" - condition: any + condition: none rules: - - 'f:/etc/shadow -> IN !r:^# && r:^+:;' + - 'f:/etc/shadow -> !r:^# && r:^+:' - id: 10601 title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." @@ -1195,9 +1270,10 @@ checks: remediation: "Delete these entries if they exist." compliance: - cis: "13.4" - condition: any + condition: none rules: - - 'f:/etc/group -> IN !r:^# && r:^+:;' + - 'f:/etc/group -> !r:^# && r:^+:' + - id: 10602 title: "Verify No UID 0 Accounts Exist Other Than root" description: "Any account with UID 0 has superuser privileges on the system." @@ -1205,9 +1281,10 @@ checks: remediation: "Delete any other entries that are displayed." compliance: - cis: "13.5" - condition: any + condition: none rules: - - 'f:/etc/passwd -> NIN !r:^# && r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + - id: 10603 title: "Check for Presence of User .rhosts Files" description: "While no .rhosts files are shipped by default, users can easily create them." @@ -1215,9 +1292,10 @@ checks: remediation: "If any users have .rhosts files determine why they have them." compliance: - cis: "13.10" - condition: any + condition: none rules: - - 'd:$home_dirs -> r:^.rhosts$;' + - 'd:$home_dirs -> r:^.rhosts$' + - id: 10604 title: "Check for Presence of User .netrc Files" description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." 
@@ -1225,9 +1303,10 @@ checks: remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." compliance: - cis: "13.18" - condition: any + condition: none rules: - - 'd:$home_dirs -> r:^.netrc$;' + - 'd:$home_dirs -> r:^.netrc$' + - id: 10605 title: "Check for Presence of User .forward Files" description: "The .forward file specifies an email address to forward the user's mail to." @@ -1235,9 +1314,10 @@ checks: remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." compliance: - cis: "13.19" - condition: any + condition: none rules: - - 'd:$home_dirs -> r:^.forward$;' + - 'd:$home_dirs -> r:^.forward$' + - id: 10606 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." @@ -1245,6 +1325,6 @@ checks: remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." compliance: - cis: "13.20" - condition: any + condition: none rules: - - 'f:/etc/group -> IN !r:^# && r:shadow:\w*:\w*:\S+;' + - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml index 426dcbfcc..611df2c64 100755 --- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml 
@@ -22,10 +22,10 @@ policy: requirements: title: "Check Debian version" description: "Requirements for running the SCA scan against Debian/Ubuntu" - condition: "all required" + condition: all rules: - - 'f:/etc/debian_version;' - - 'f:/proc/sys/kernel/ostype -> Linux;' + - 'f:/etc/debian_version' + - 'f:/proc/sys/kernel/ostype -> Linux' checks: # 2 Filesystem Configuration @@ -36,10 +36,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true" compliance: - cis: "2.18" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install cramfs /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install cramfs /bin/true' + - id: 11001 title: "Disable Mounting of freevxfs Filesystems" description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." @@ -47,10 +48,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true" compliance: - cis: "2.19" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install freevxfs /bin/true;' + - f:/etc/modprobe.d/CIS.conf + - f:/etc/modprobe.d/CIS.conf -> r:^install freevxfs /bin/true + - id: 11002 title: "Disable Mounting of jffs2 Filesystems" description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." 
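Review bot: In the freevxfs hunk (11001) the two rules are written as plain scalars while every sibling check in the file quotes its rules; the values are safe unquoted here, but a future edit that introduces ` #` or `: ` into a plain rule would be silently truncated or mis-parsed by YAML. Quoting them as `'f:/etc/modprobe.d/CIS.conf'` and `'f:/etc/modprobe.d/CIS.conf -> r:^install freevxfs /bin/true'` keeps the file uniform.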
@@ -58,10 +60,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true" compliance: - cis: "2.20" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install jffs2 /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install jffs2 /bin/true' + - id: 11003 title: "Disable Mounting of hfs Filesystems" description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." @@ -69,10 +72,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true" compliance: - cis: "2.21" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install hfs /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfs /bin/true' + - id: 11004 title: "Disable Mounting of hfsplus Filesystems" description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." @@ -80,10 +84,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true" compliance: - cis: "2.22" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install hfsplus /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfsplus /bin/true' + - id: 11005 title: "Disable Mounting of squashfs Filesystems" description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." 
@@ -91,10 +96,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true" compliance: - cis: "2.23" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install squashfs /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install squashfs /bin/true' + - id: 11006 title: "Disable Mounting of udf Filesystems" description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" @@ -102,10 +108,11 @@ checks: remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true" compliance: - cis: "2.24" - condition: any + condition: all rules: - - 'f:!/etc/modprobe.d/CIS.conf;' - - 'f:/etc/modprobe.d/CIS.conf -> !r:^install udf /bin/true;' + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install udf /bin/true' + # 4 Additional Process Hardening - id: 11007 title: "Activate AppArmor" 
@@ -114,9 +121,10 @@ checks: remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." compliance: - cis: "4.5" - condition: any + condition: all rules: - - 'f:/etc/default/grub -> NIN r:apparmor=1 && r:security=apparmor;' + - 'f:/etc/default/grub -> r:apparmor=1 && r:security=apparmor' + # 8.1 Configure System Accounting (auditd) - id: 11008 title: "Configure Audit Log Storage Size" @@ -125,11 +133,12 @@ checks: remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." compliance: - cis: "8.1.1.1" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/auditd.conf;' - - 'f:/etc/audit/auditd.conf -> !r:max_log_file\s*=\s*\d+;' + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' + - id: 11009 title: "Disable System on Audit Log Full" description: "The auditd daemon can be configured to halt the system when the audit logs are full." 
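Review bot: The AppArmor rule (11007) `r:apparmor=1 && r:security=apparmor` has no anchor and no comment guard, so a commented `#GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"` or any other line mentioning both tokens satisfies the check, whereas the audit=1 rule in 11011 pins its match to `^GRUB_CMDLINE_LINUX\s*=\s*`. Aligning it: `'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*apparmor=1 && r:^GRUB_CMDLINE_LINUX\s*=\s*\.*security=apparmor'`.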
@@ -137,15 +146,16 @@ checks: remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - cis: "8.1.1.2" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/auditd.conf;' - - 'f:/etc/audit/auditd.conf -> !r:^space_left_action\s*=\s*email;' - - 'f:/etc/audit/auditd.conf -> IN !r:^# && r:space_left_action\s*=\s*ignore|syslog|suspend|single|halt;' - - 'f:/etc/audit/auditd.conf -> !r:^action_mail_acct\s*=\s*root;' - - 'f:/etc/audit/auditd.conf -> !r:^admin_space_left_action\s*=\s*halt;' - - 'f:/etc/audit/auditd.conf -> IN !r:^# && r:admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single;' + - 'd:!/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' + - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*ignore|syslog|suspend|single|halt' + - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single' + - id: 11010 title: "Keep All Auditing Information" description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." 
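Review bot: `'d:!/etc/audit'` in 11009 keeps the old negated form, so under `condition: all` the check demands that /etc/audit not exist while the next rule demands that /etc/audit/auditd.conf exist — it can never pass; the sibling hunks use `'d:/etc/audit'` (11014 writes it as `'f:/etc/audit'`, a file test on a directory, which should also become `d:`). Separately, the `not` rules' alternations `...=\s*ignore|syslog|suspend|single|halt` bind `|` below the anchor, so `syslog`, `suspend` etc. match anywhere on any line, and an uncommented `disk_full_action = suspend` elsewhere in auditd.conf fails the check. Repeat the anchor per alternative, as the AllowUsers rule does, e.g. `r:^\s*\t*space_left_action\s*=\s*ignore|^\s*\t*space_left_action\s*=\s*syslog|...`; the max_log_file_action rule in 11010 (next hunk) has the same alternation.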
@@ -153,12 +163,13 @@ checks: remediation: "Add the following line to the /etc/audit/auditd.conf file. max_log_file_action = keep_logs" compliance: - cis: "8.1.1.3" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/auditd.conf;' - - 'f:/etc/audit/auditd.conf -> !r:^max_log_file_action\s*=\s*keep_logs;' - - 'f:/etc/audit/auditd.conf -> IN !r:^# && r:max_log_file_action\s*=\s*ignore|syslog|suspend|rotate;' + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' + - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*ignore|syslog|suspend|rotate' + - id: 11011 title: "Enable Auditing for Processes That Start Prior to auditd" description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." 
@@ -166,23 +177,27 @@ checks: remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" compliance: - cis: "8.1.3" - condition: any + condition: all rules: - - 'f:/etc/default/grub -> !r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*;' + - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' + - id: 11012 title: "Record Events That Modify Date and Time Information" description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - cis: "8.1.4" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S clock_settime -k time-change;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/localtime -p wa -k time-change;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S clock_settime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S clock_settime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-w 
/etc/localtime -p wa -k time-change' + - id: 11013 title: "Record Events That Modify User/Group Information" description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." 
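Review bot: The added b64 rule requires `-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change`, but the remediation on this same hunk gives the 64-bit line without `-S stime` (`-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change`, presumably because stime is not a 64-bit syscall), so a host configured exactly as instructed fails the check; drop `-S stime` from the b64 pattern. Under `condition: all` the two `arch=b64` rules are also mandatory on the 32-bit systems the remediation explicitly treats separately, so those hosts cannot pass; a separate check for the b64 lines, or accepting either set, would match the remediation.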
@@ -190,15 +205,16 @@ checks: remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - cis: "8.1.5" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/group -p wa -k identity;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/passwd -p wa -k identity;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/gshadow -p wa -k identity;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/shadow -p wa -k identity;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/security/opasswd -p wa -k identity;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/group -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd -p wa -k identity' + - id: 11014 title: "Record Events That Modify the System's Network Environment" description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files." 
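Review bot: The rewritten identity rules inspect only /etc/audit/audit.rules, so on a host whose auditd assembles its rule set with augenrules from /etc/audit/rules.d/*.rules (the usual layout on Debian 8 and later) a watch kept there loads correctly but is reported missing here, and with `condition: all` the whole check fails. If such hosts are in scope the check needs a companion rule over the rules.d files, or the limitation should be stated; a comment above the rules list such as `# Only /etc/audit/audit.rules is inspected; rules kept under /etc/audit/rules.d are not seen by this check` would at least make it explicit. The patterns are also exact on spacing and argument order (`-w /etc/group -p wa -k identity`), so a semantically identical rule written `-w /etc/group -k identity -p wa` is reported as absent.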
@@ -206,15 +222,16 @@ checks: remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - cis: "8.1.6" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/issue -p wa -k system-locale;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/issue.net -p wa -k system-locale;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/hosts -p wa -k system-locale;' - - 'f:/etc/audit/audit.rules -> !r:^-w /etc/network -p wa -k system-locale;' + - 'f:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/network -p wa -k system-locale' + - id: 11015 title: "Record Events That Modify the System's Mandatory Access Controls" 
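Review bot: `'f:/etc/audit'` in the new rules list should be `'d:/etc/audit'`: /etc/audit is a directory and every sibling check converted in this commit (11013, 11015 and onward) uses `d:` for it, so depending on how the `f:` test treats a directory this rule may evaluate false and, under `condition: all`, fail the entire check. Separately, the remediation lists both `-F arch=b64` and `-F arch=b32` sethostname/setdomainname rules but only the b32 line is verified, so a 64-bit host passes while native 64-bit sethostname calls go unaudited; 11012 above verifies both arches and this check should be consistent with it.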
description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
@@ -222,11 +239,12 @@ checks:
remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
compliance:
- cis: "8.1.7"
- condition: any
+ condition: all
rules:
- - 'f:!/etc/audit;'
- - 'f:!/etc/audit/audit.rules;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /etc/selinux/ -p wa -k MAC-policy;'
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ -p wa -k MAC-policy'
+
- id: 11016
title: "Collect Login and Logout Events"
description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
@@ -234,13 +252,14 @@ checks:
remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
compliance:
- cis: "8.1.8"
- condition: any
+ condition: all
rules:
- - 'f:!/etc/audit;'
- - 'f:!/etc/audit/audit.rules;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/log/faillog -p wa -k logins;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/log/lastlog -p wa -k logins;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/log/tallylog -p wa -k logins;'
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog -p wa -k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog -p wa -k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog -p wa -k logins'
+
- id: 11017
title: "Collect Session Initiation Information"
description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\""
@@ -248,13 +267,14 @@ checks:
remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)"
compliance:
- cis: "8.1.9"
- condition: any
+ condition: all
rules:
- - 'f:!/etc/audit;'
- - 'f:!/etc/audit/audit.rules;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/run/utmp -p wa -k session;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/log/wtmp -p wa -k session;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/log/btmp -p wa -k session;'
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp -p wa -k session'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp -p wa -k session'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp -p wa -k session'
+
- id: 11018
title: "Collect Discretionary Access Control Permission Modification Events"
description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\""
@@ -262,15 +282,17 @@ checks: remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - cis: "8.1.10" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\;' - - 'f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k perm_mod;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\;' - - 'f:/etc/audit/audit.rules -> !r:^lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a 
always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - id: 11019 title: "Collect Unsuccessful Unauthorized Access Attempts to Files" description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" 
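Review bot: With `condition: all` this check now requires both the `arch=b64` and the `arch=b32` line for every syscall group, but the remediation's 32-bit branch adds only b32 rules (an `arch=b64` rule is not loadable on a 32-bit kernel), so a correctly configured 32-bit host can never pass; the same pattern is introduced in 11012, 11019 and 11021. Either move the b64 lines into a check gated on the architecture, or follow 11024's approach of one rule per group with an alternation such as `r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat ...|^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat ...`, accepting that a 64-bit host with only b32 rules then passes. Note also that the remediation text keeps the `\\` line continuations while the new regexes only match a rule written on a single line, so an operator who pastes the remediation verbatim ends up with a file this check does not recognise.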
@@ -278,13 +300,15 @@ checks: remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - cis: "8.1.11" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\;' - - 'f:/etc/audit/audit.rules -> !r:^-F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access;' - - 'f:/etc/audit/audit.rules -> !r:^-F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F 
exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - id: 11020 title: "Collect Successful File System Mounts" description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" 
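Review bot: Same 32-bit problem as in 11018: `condition: all` demands both the `arch=b64` and `arch=b32` variants of the EACCES and EPERM rules, while the 32-bit remediation adds only b32 lines, so 32-bit hosts cannot satisfy the check. The description is also out of step with the rules it now sits above — it says `auid > = 500` while the rules and remediation use `auid>=1000`; that line is unchanged context in this hunk, but it should read `auid>=1000` to match what is actually verified.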
@@ -292,11 +316,12 @@ checks:
remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
compliance:
- cis: "8.1.13"
- condition: any
+ condition: all
rules:
- - 'f:!/etc/audit;'
- - 'f:!/etc/audit/audit.rules;'
- - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts;'
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+
- id: 11021
title: "Collect File Deletion Events by User"
description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
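Review bot: Only the `arch=b32` mount rule is verified although the 64-bit remediation adds a b64 line as well, so on a 64-bit host the check passes with the b32 line alone while the native 64-bit `mount` syscall is never audited. 11019 in this same commit verifies both arches, so the two checks disagree about what "collect file system mounts" requires; at minimum add `- 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'`, bearing in mind that under `condition: all` this then needs the same 32-bit handling as 11018.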
@@ -304,12 +329,13 @@ checks: remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - cis: "8.1.14" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\;' - - 'f:/etc/audit/audit.rules -> !r:^-F auid!=4294967295 -k delete;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + - id: 11022 title: "Collect Changes to System Administration Scope (sudoers)" description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"" 
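Review bot: As with 11018, requiring both the b64 and b32 `delete` rules under `condition: all` makes this check unsatisfiable on 32-bit hosts, where the remediation adds only the b32 line and a b64 rule cannot be loaded. The remediation's final restart command `pkill -P 1-HUP auditd` is also malformed compared with the `pkill -HUP -P 1 auditd` used by the neighbouring checks; it is unchanged context here, but worth correcting while the check is being reworked.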
@@ -317,11 +343,12 @@ checks:
remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
compliance:
- cis: "8.1.15"
- condition: any
+ condition: all
rules:
- - 'f:!/etc/audit;'
- - 'f:!/etc/audit/audit.rules;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /etc/sudoers -p wa -k scope;'
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers -p wa -k scope'
+
- id: 11023
title: "Collect System Administrator Actions (sudolog)"
description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
@@ -329,11 +356,12 @@ checks:
remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root"
compliance:
- cis: "8.1.16"
- condition: any
+ condition: all
rules:
- - 'f:!/etc/audit;'
- - 'f:!/etc/audit/audit.rules;'
- - 'f:/etc/audit/audit.rules -> !r:^-w /var/log/sudo.log -p wa -k actions;'
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log -p wa -k actions'
+
- id: 11024
title: "Collect Kernel Module Loading and Unloading"
description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
@@ -341,14 +369,15 @@ checks: remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules" compliance: - cis: "8.1.17" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-w /sbin/insmod -p x -k modules;' - - 'f:/etc/audit/audit.rules -> !r:^-w /sbin/rmmod -p x -k modules;' - - 'f:/etc/audit/audit.rules -> !r:^-w /sbin/modprobe -p x -k modules;' - - 'f:/etc/audit/audit.rules -> !r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|-a always,exit -F arch=b64 -S init_module -S delete_module -k modules;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod -p x -k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod -p x -k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe -p x -k modules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' + - id: 11025 title: "Make the Audit Configuration Immutable" description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot" 
@@ -356,11 +385,12 @@ checks: remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file" compliance: - cis: "8.1.18" - condition: any + condition: all rules: - - 'f:!/etc/audit;' - - 'f:!/etc/audit/audit.rules;' - - 'f:/etc/audit/audit.rules -> !r:^-e 2$;' + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-e 2$' + # 8.3 Advanced Intrusion Detection Environment (AIDE) - id: 11026 title: "Install AIDE" @@ -369,9 +399,10 @@ checks: remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE." compliance: - cis: "8.3.1" - condition: any + condition: all rules: - - 'f:!/usr/sbin/aideinit;' + - 'f:/usr/sbin/aideinit' + - id: 11027 title: "Implement Periodic Execution of File Integrity" description: "Implement periodic file checking, in compliance with site policy" @@ -379,6 +410,6 @@ checks: remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy." compliance: - cis: "8.3.2" - condition: any + condition: all rules: - - 'f:/etc/crontab -> !r:/usr/sbin/aide --check;' + - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide --check' From 13a42a19614b9a55f4749b133bde077038ca6f41 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Fri, 24 May 2019 15:38:17 +0200 Subject: [PATCH 007/247] Remove constraint not included in CIS --- sca/debian/cis_debian_linux_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
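Review bot: `f:/usr/sbin/aideinit` only proves the aide package is installed; the control (CIS 8.3.1) also requires the database to be initialised, which the remediation does via `aideinit` and the copy to `/var/lib/aide/aide.db`, so a host that installed the package but never built a database passes. Adding `- 'f:/var/lib/aide/aide.db'` to the rules list (keeping `condition: all`) would make the check match its own remediation.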
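Review bot: The new rule looks only in /etc/crontab, but the remediation tells the operator to run `crontab -u root -e`, which stores the entry in root's per-user crontab (under /var/spool/cron/crontabs/ on Debian) rather than in /etc/crontab, so a host fixed exactly as instructed still fails this check. Either point the remediation at /etc/crontab or a file in /etc/cron.d, or add a rule over the spool file and switch to `condition: any`. The `\s*\t*` prefix in `r:\s*\t*/usr/sbin/aide --check` adds nothing to an unanchored substring match and can be dropped.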
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index 3ac5b179d..768943a60 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml @@ -58,7 +58,7 @@ checks: condition: all rules: - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/tmp && r:nodev' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' - id: 5002 title: "Ensure separate partition exists for /opt" From 288fc6690b29aa32dc51345a912f28c8610e2cbb Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Fri, 24 May 2019 15:43:04 +0200 Subject: [PATCH 008/247] Remove +x permission --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 0 sca/debian/cis_debianlinux7-8_L2_rcl.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 sca/debian/cis_debianlinux7-8_L1_rcl.yml mode change 100755 => 100644 sca/debian/cis_debianlinux7-8_L2_rcl.yml diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml old mode 100755 new mode 100644 diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml old mode 100755 new mode 100644 From 9d6dca677c45aa67c82a9017a9c91d8c7963c234 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Fri, 24 May 2019 15:45:13 +0200 Subject: [PATCH 009/247] Adapt cis_rhel7_linux_rcl.yml --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 475 +++++++++++++++++------------ 1 file changed, 274 insertions(+), 201 deletions(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 2087cae82..33af83962 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml 
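Review bot: With the filesystem-type constraint gone, `r:/tmp` is a plain substring match, so an uncommented fstab line for `/var/tmp` (or any other path containing `/tmp`) that carries `nodev` satisfies this check even when /tmp itself has no such option. Bound the mount point with whitespace, e.g. `- 'f:/etc/fstab -> !r:^# && r:\s/tmp\s && r:nodev'`, so only the /tmp entry counts; the same looseness affects the `/tmp` checks in the other policies touched by this series.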
@@ -20,20 +20,14 @@ policy: requirements: title: "Check RHEL7 version" - description: "Requirements for running the SCA scan against RHEL 7." - condition: "any required" + description: "Requirements for running the SCA scan against RHEL 7 family." + condition: all rules: - - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 7;' - - 'f:/etc/redhat-release -> IN r:^CentOS && r:release 7;' - - 'f:/etc/redhat-release -> IN r:^Cloud && r:release 7;' - - 'f:/etc/redhat-release -> IN r:^Oracle && r:release 7;' - - 'f:/etc/redhat-release -> IN r:^Better && r:release 7;' - - 'f:/etc/redhat-release -> IN r:^OpenVZ && r:release 7;' + - 'f:/etc/redhat-release -> IN r:^Red Hat Enterprise Linux|^CentOS|^Cloud|^Oracle|^Better|^OpenVZ && r:release 7;' variables: - $sshd_file: /etc/ssh/sshd_config; -# RC scripts location - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; + $sshd_file: /etc/ssh/sshd_config + $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # 1.1.2 /tmp: partition @@ -46,9 +40,11 @@ checks: - cis: "1.1.2" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + # 1.1.3 /tmp: nodev - id: 6501 title: "Ensure nodev option set on /tmp partition" @@ -58,9 +54,11 @@ checks: compliance: - cis: "1.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nodev;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + # 1.1.4 /tmp: nosuid - id: 6502 title: "Ensure nosuid option set on /tmp partition" @@ -70,9 +68,10 @@ checks: compliance: - cis: "1.1.4" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + # 1.1.5 /tmp: noexec - id: 6503 title: "Ensure noexec option set on /tmp partition" 
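Review bot: The rewritten requirement rule keeps the old `IN` prefix and a trailing `;` (`... -> IN r:^Red Hat Enterprise Linux|... && r:release 7;`) while every other rule this commit touches drops both; if the new parser no longer strips them, the `;` becomes part of the `release 7` pattern, the requirement never matches and the scan is silently skipped on every host. Write it as `- 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux|^CentOS|^Cloud|^Oracle|^Better|^OpenVZ && r:release 7'` for consistency with the rest of the file, and verify on a real RHEL 7 agent that the policy actually runs.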
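Review bot: `r:/tmp` matches any uncommented fstab line containing that substring, so a `/var/tmp` entry satisfies "separate partition exists for /tmp" with no /tmp partition at all; the same looseness affects the `/tmp` nodev and nosuid rules in the next two hunks. Bound the mount point with whitespace, `- 'f:/etc/fstab -> !r:^# && r:\s/tmp\s'`, so only the /tmp entry is counted.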
@@ -83,9 +82,10 @@ checks: - cis: "1.1.5" - cis_csc: "2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + # 1.1.6 Build considerations - Partition scheme. - id: 6504 title: "Ensure separate partition exists for /var" @@ -96,9 +96,11 @@ checks: - cis: "1.1.6" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r^# && r:/var;' + - 'd:/var' + - 'f:/etc/fstab -> !r^# && r:/var' + # 1.1.7 bind mount /var/tmp to /tmp - id: 6505 title: "Ensure separate partition exists for /var/tmp" @@ -107,9 +109,10 @@ checks: remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - cis: "1.1.7" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/tmp;' + - 'f:/etc/fstab -> !r:^# && r:/var/tmp' + # 1.1.11 /var/log: partition - id: 6506 title: "Ensure separate partition exists for /var/log" @@ -123,7 +126,8 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: any rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log;' + - 'f:/etc/fstab -> !r:^# && r:/var/log' + # 1.1.12 /var/log/audit: partition - id: 6507 title: "Ensure separate partition exists for /var/log/audit" @@ -135,9 +139,10 @@ checks: - cis_csc: "6.3" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log/audit;' + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + # 1.1.13 /home: partition - id: 6508 title: "Ensure separate partition exists for /home" 
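Review bot: The rewritten rule `'f:/etc/fstab -> !r^# && r:/var'` is missing the colon after `!r`; the old line had the same typo, but it is now carried into the new syntax as a freshly added line. Without `r:` the first term is not parsed as a regex (at best it is a literal match for `r^#`), so the comment exclusion is ineffective and a commented-out `#/dev/sdb1 /var ...` entry passes the check; it should read `- 'f:/etc/fstab -> !r:^# && r:/var'`. `r:/var` is also satisfied by a `/var/log` or `/var/tmp` entry alone, so `r:\s/var\s` would be the safer form.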
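Review bot: This /var/log check keeps `condition: any` while every neighbouring single-rule check in the hunks above and below was switched to `condition: all`; with one rule the result is identical, but the inconsistency suggests the check was missed in the sweep and will mislead whoever adds a second rule (for instance a `d:/var/log` existence rule like the ones added for /tmp and /var). Change it to `condition: all` to match 6504–6507.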
@@ -148,9 +153,10 @@ checks: - cis: "1.1.13" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home;' + - 'f:/etc/fstab -> !r:^# && r:/home' + # 1.1.14 /home: nodev - id: 6509 title: "Ensure nodev option set on /home partition" @@ -160,9 +166,10 @@ checks: compliance: - cis: "1.1.14" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + # 1.1.18 nodev on removable media partitions (not scored) - id: 6510 title: "Ensure nodev option set on removable media partitions" @@ -172,9 +179,10 @@ checks: compliance: - cis: "1.1.18" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + # 1.1.19 nosuid on removable media partitions (not scored) - id: 6511 title: "Ensure nosuid option set on removable media partitions" @@ -184,9 +192,10 @@ checks: compliance: - cis: "1.1.19" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + # 1.1.20 noexec on removable media partitions (not scored) - id: 6512 title: "Ensure noexec option set on removable media partitions" @@ -197,9 +206,10 @@ checks: - cis: "1.1.20" - cis_csc: "8" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + # 1.1.15 /dev/shm: nodev - id: 6513 title: "Ensure nodev option set on /dev/shm partition" 
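Review bot: The `/media` checks (6510–6512) now require an uncommented fstab line containing `/media` together with the option, but a host without removable media, or one where removable media is auto-mounted rather than listed in fstab, has no such line and therefore fails even though the control (CIS 1.1.18, not scored) is trivially satisfied. If the engine accepts a negated regex term, a `condition: none` form that flags a `/media` entry lacking the option, e.g. `- 'f:/etc/fstab -> !r:^# && r:\s/media && !r:nodev'`, would make the absence of an entry a pass rather than a failure.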
@@ -209,9 +219,10 @@ checks: compliance: - cis: "1.1.15" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + # 1.1.16 /dev/shm: nosuid - id: 6514 title: "Ensure nosuid option set on /dev/shm partition" @@ -224,6 +235,7 @@ checks: condition: any rules: - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' + # 1.1.17 /dev/shm: noexec - id: 6515 title: "Ensure noexec option set on /dev/shm partition" @@ -234,9 +246,10 @@ checks: - cis: "1.1.17" - cis_csc: "2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + ############################################### # 1.6 Configure SELinux ############################################### @@ -250,10 +263,11 @@ checks: - cis: "1.6.1.1" - cis_csc: "14.4" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'f:/etc/grub.conf -> r:selinux=0;' - - 'f:/etc/grub2.cfg -> r:selinux=0;' + - 'f:/etc/grub.conf -> r:selinux=0' + - 'f:/etc/grub2.cfg -> r:selinux=0' + # 1.6.1.2 Set selinux state - id: 6517 title: "Ensure the SELinux state is enforcing" @@ -264,9 +278,10 @@ checks: - cis: "1.6.1.2" - cis_csc: "14.4" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;' + - 'f:/etc/selinux/config -> r:SELINUX=enforcing' + # 1.6.1.3 Set selinux policy - id: 6518 title: "Ensure SELinux policy is configured" @@ -276,9 +291,10 @@ checks: compliance: - cis: "1.6.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;' + - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted' + # 1.6.1.4 Remove SETroubleshoot - id: 6519 title: "Ensure SETroubleshoot is not installed" 
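Review bot: The nosuid-on-/dev/shm check (6514) just above this hunk was left in the old form — `NIN !r:^# && r:/dev/shm && r:nosuid;` under `condition: any` — while 6513 and this check were converted, so that check now runs with whatever the new parser makes of `NIN` and a trailing `;`; it should be rewritten as `- 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'` with `condition: all` like its siblings. The `r:/dev/shm` term here is also a substring match, so `r:\s/dev/shm\s` is the safer form.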
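Review bot: `condition: none` over `r:selinux=0` misses the other way of neutering SELinux from the bootloader, `enforcing=0`, which CIS 1.6.1.1 also calls out; extend each rule, e.g. `- 'f:/boot/grub2/grub.cfg -> r:selinux=0|enforcing=0'`. Because a `none` check passes when a rule's file is absent, a UEFI RHEL 7 host whose effective configuration is reached via /etc/grub2-efi.cfg rather than /etc/grub2.cfg (itself only a symlink to /boot/grub2/grub.cfg) passes vacuously; add a rule for that path so the check is not satisfied merely by a missing file.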
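Review bot: `r:SELINUX=enforcing` is an unanchored substring match, so a commented-out `#SELINUX=enforcing` left behind when someone sets `SELINUX=disabled` still satisfies the check and the host is reported as enforcing while it is not; the same applies to `r:SELINUXTYPE=targeted` in 6518. Anchor it to the line start, `- 'f:/etc/selinux/config -> r:^SELINUX=enforcing'`, and state in the description that this inspects the persistent configuration only, not the running state.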
@@ -288,10 +304,11 @@ checks: compliance: - cis: "1.6.1.4" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$;' - - 'f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert;' + - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$' + - 'f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert' + # 1.6.1.5 Disable MCS Translation service mcstrans - id: 6520 title: "Ensure the MCS Translation Service (mcstrans) is not installed" @@ -301,10 +318,11 @@ checks: compliance: - cis: "1.6.1.5" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dmctrans$;' - - 'f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd;' + - 'd:$rc_dirs -> ^S\d\dmctrans$' + - 'f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd' + ############################################### # 1.4 Secure Boot Settings ############################################### @@ -318,9 +336,10 @@ checks: - cis: "1.4.2" - cis_csc: "5.1" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/boot/grub2/grub.cfg -> NIN !r:^# && r:password;' + - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + ############################################### # 1.5 Additional Process Hardening ############################################### @@ -333,9 +352,10 @@ checks: compliance: - cis: "1.5.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'f:/etc/security/limits.conf -> NIN !r:^# && r:hard\.+core\.+0;' + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 6523 title: "Ensure address space layout randomization (ASLR) is enabled" 
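Review bot: In check 6520 (hunk `@@ -301,10 +318,11 @@`) the converted init-script rule is `'d:$rc_dirs -> ^S\d\dmctrans$'`, but the service the same check looks for is `mcstransd` and the title names mcstrans; unless a SysV script really is called `mctrans`, that rule never matches, and with `condition: none` a non-matching rule counts as a pass, so an enabled mcstrans init script would go unreported. The commit carries the pre-existing spelling over unchanged, which makes this a good moment to fix it: `- 'd:$rc_dirs -> ^S\d\dmcstrans$'`.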
@@ -345,9 +365,10 @@ checks:
 compliance:
 - cis: "1.5.3"
 - cis_csc: "8.4"
- condition: any
+ condition: all
 rules:
- - 'f:/proc/sys/kernel/randomize_va_space -> !r:^2$;'
+ - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$;'
+
 ###############################################
 # 2 OS Services
 ###############################################
@@ -356,7 +377,7 @@ checks:
 ###############################################
 # 2.2.19 Remove telnet-server (Scored)
 - id: 6524
- title: "Ensure telnet server is not enabled"
+ title: "Ensure telnet server is is disabled"
 description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket"
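Review bot: The new ASLR rule `'f:/proc/sys/kernel/randomize_va_space -> r:^2$;'` keeps the trailing `;` that every other rule converted in this commit drops, so the `;` presumably becomes part of the pattern and `^2$;` cannot match the file's single-line value `2`; with `condition: all`, check 6523 would then fail on a correctly configured host. It should read `- 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'`. The same stray `;` survives in the LogLevel rule of check 6561 (`r:LogLevel\.+INFO;` in hunk `@@ -866,9 +926,10 @@`), which with `condition: all` has the same effect.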
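Review bot: The retitled check 6524 now reads `Ensure telnet server is is disabled`, doubling the verb. The same `is is disabled` / `are is disabled` wording is introduced in the titles of 6525, 6527–6536, 6538, 6539 and 6541–6548 in the following hunks. Suggest `title: "Ensure telnet server is disabled"` here and, for the plural subjects (chargen, daytime and echo services, NFS and RPC), `are disabled`.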
@@ -364,13 +385,14 @@ checks: - cis: "2.2.19" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/telnet -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;' + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd' + # 2.2.17 Remove rsh-server (Scored) - id: 6525 - title: "Ensure rsh server is not enabled" + title: "Ensure rsh server is is disabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket " @@ -378,14 +400,15 @@ checks: - cis: "2.2.17" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any - rules: - - 'f:/etc/xinetd.d/rlogin -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/rsh -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/shell -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;' - - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;' - - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;' + condition: none + rules: + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart' + - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart' + - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart' + # 2.3.1 Remove NIS Client (Scored) - id: 6526 title: "Ensure NIS Client is not installed" 
@@ -396,13 +419,14 @@ checks: - cis: "2.3.1" - cis_csc: "2" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$;' - - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec;' + - 'd:$rc_dirs -> ^S\d\dypbind$' + - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec' + # 2.2.16 Remove NIS Server (Scored) - id: 6527 - title: "Ensure NIS Server is not enabled" + title: "Ensure NIS Server is is disabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" remediation: "Run the following command to disable ypserv: # systemctl disable ypserv" 
@@ -410,13 +434,14 @@ checks: - cis: "2.2.16" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$;' - - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec;' + - 'd:$rc_dirs -> ^S\d\dypserv$' + - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec' + # 2.2.20 Remove tftp-server (Scored) - id: 6528 - title: "Ensure tftp server is not enabled" + title: "Ensure tftp server is is disabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket" @@ -424,13 +449,14 @@ checks: - cis: "2.2.20" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec;' + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec' + # 2.1.18 Remove talk-server (Scored) - id: 6529 - title: "Ensure talk server is not enabled" + title: "Ensure talk server is is disabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # systemctl disable ntalk" 
@@ -438,94 +464,102 @@ checks: - cis: "2.2.18" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/talk -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec;' + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec' + # 2.1.7 Remove xinetd (Scored) - id: 6530 - title: "Ensure xinetd is not enabled" + title: "Ensure xinetd is is disabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd: # systemctl disable xinetd" compliance: - cis: "2.1.7" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec;' + - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec' + # 2.1.1 Disable chargen-dgram (Scored) - id: 6531 - title: "Ensure chargen services are not enabled" + title: "Ensure chargen services are is disabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off" compliance: - cis: "2.1.1" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/chargen-dgram -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no' + # 2.1.1 Disable chargen-stream (Scored) - id: 6532 - title: "Ensure chargen services are not enabled" + title: "Ensure chargen services are is disabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off" compliance: - cis: "2.1.1" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/chargen-stream -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no' + # 2.1.2 Disable daytime-dgram (Scored) - id: 6533 - title: "Ensure daytime services are not enabled" + title: "Ensure daytime services are is disabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off" compliance: - cis: "2.1.2" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/daytime-dgram -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no' + # 2.1.2 Disable daytime-stream (Scored) - id: 6534 - title: "Ensure daytime services are not enabled" + title: "Ensure daytime services are is disabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off" compliance: - cis: "2.1.2" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/daytime-stream -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no' + # 2.1.4 Disable echo-dgram (Scored) - id: 6535 - title: "Ensure echo services are not enabled" + title: "Ensure echo services are is disabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off" compliance: - cis: "2.1.4" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/echo-dgram -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no' + # 2.1.4 Disable echo-stream (Scored) - id: 6536 - title: "Ensure echo services are not enabled" + title: "Ensure echo services are is disabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off" compliance: - cis: "2.1.4" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/echo-stream -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no' + # 2.2.2 Remove X Windows (Scored) - id: 6537 title: "Ensure X Window System is not installed" 
@@ -536,12 +570,13 @@ checks: - cis: "2.2.2" - cis_csc: "2" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'p:gdm-x-session;' + - 'p:gdm-x-session' + # 2.2.3 Disable Avahi Server (Scored) - id: 6538 - title: "Ensure Avahi Server is not enabled" + title: "Ensure Avahi Server is is disabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon" @@ -549,12 +584,13 @@ checks: - cis: "2.2.3" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'p:avahi-daemon;' + - 'p:avahi-daemon' + # 2.2.5 Remove DHCP Server (Scored) - id: 6539 - title: "Ensure DHCP Server is not enabled" + title: "Ensure DHCP Server is is disabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd" 
@@ -563,9 +599,10 @@ checks: - cis_csc: "9.1" references: - More detailed documentation on DHCP is available at https://www.isc.org - condition: any + condition: none rules: - - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;' + - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec' + # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored) - id: 6540 title: "Ensure time synchronization is in use" @@ -576,13 +613,16 @@ checks: - cis: "2.2.1.1" - cis_csc: "6.1" - pci_dss: "2.2.2" - condition: any + condition: all rules: - - 'f:/etc/ntp.conf -> IN r:restrict default kod nomodify notrap nopeer noquery && r:^server;' - - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";' + - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^server\.+$' + - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"' + # 2.2.7 Disable NFS and RPC (Not Scored) - id: 6541 - title: "Ensure NFS and RPC are not enabled" + title: "Ensure NFS and RPC are is disabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind" 
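Review bot: Check 6540 (hunk `@@ -576,13 +613,16 @@`) now requires all four rules at once: a `restrict -4` line, a `restrict -6` line and a `server` line in /etc/ntp.conf plus the exact OPTIONS string in /etc/sysconfig/ntpd. A host that keeps time with chrony rather than ntpd — which I believe is the usual default on RHEL 7, to be confirmed — has none of these files and fails every rule, so the control "Ensure time synchronization is in use" is reported as failed although time synchronisation is in use. Consider splitting the ntpd-specific rules into their own check, or at least stating in the description that this check assumes ntpd: `description: "... This check assumes ntpd; hosts using chrony are reported as failing."`.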
@@ -590,13 +630,14 @@ checks: - cis: "2.2.7" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$;' - - 'd:$rc_dirs -> ^S\d\dnfslock$;' + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' + # 2.2.9 Remove FTP Server (Not Scored) - id: 6542 - title: "Ensure FTP Server is not enabled" + title: "Ensure FTP Server is is disabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" 
@@ -604,24 +645,26 @@ checks: - cis: "2.2.9" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + # 2.2.10 Remove HTTP Server (Not Scored) - id: 6543 - title: "Ensure HTTP server is not enabled" + title: "Ensure HTTP server is is disabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable httpd: # systemctl disable httpd" compliance: - cis: "2.2.10" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dhttpd$;' + - 'd:$rc_dirs -> ^S\d\dhttpd$' + # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored) - id: 6544 - title: "Ensure IMAP and POP3 server is not enabled" + title: "Ensure IMAP and POP3 server is is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" 
@@ -629,11 +672,12 @@ checks: - cis: "2.2.11" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + - id: 6545 - title: "Ensure IMAP and POP3 server is not enabled" + title: "Ensure IMAP and POP3 server is is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" @@ -641,12 +685,13 @@ checks: - cis: "2.2.11" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/dovecot -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + # 2.2.12 Remove Samba (Not Scored) - id: 6546 - title: "Ensure Samba is not enabled" + title: "Ensure Samba is is disabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb: # systemctl disable smb" 
@@ -654,13 +699,14 @@ checks: - cis: "2.2.12" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$;' - - 'd:$rc_dirs -> ^S\d\dsmb$;' + - 'd:$rc_dirs -> ^S\d\dsamba$' + - 'd:$rc_dirs -> ^S\d\dsmb$' + # 2.2.13 Remove HTTP Proxy Server (Not Scored) - id: 6547 - title: "Ensure HTTP Proxy Server is not enabled" + title: "Ensure HTTP Proxy Server is is disabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid: # systemctl disable squid" @@ -668,12 +714,13 @@ checks: - cis: "2.2.13" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$;' + - 'd:$rc_dirs -> ^S\d\dsquid$' + # 2.2.14 Remove SNMP Server (Not Scored) - id: 6548 - title: "Ensure SNMP Server is not enabled" + title: "Ensure SNMP Server is is disabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd" 
@@ -681,9 +728,10 @@ checks: - cis: "2.2.14" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$;' + - 'd:$rc_dirs -> ^S\d\dsnmpd$' + ############################################### # 3 Network Configuration and Firewalls ############################################### @@ -700,9 +748,10 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + - id: 6550 title: "Ensure IPv6 forwarding is disabled" description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." @@ -712,9 +761,10 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + # 3.1.2 Disable Send Packet Redirects (Scored) - id: 6551 title: "Ensure packet redirect sending is disabled" @@ -725,10 +775,11 @@ checks: - cis: "3.1.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + ############################################### # 3.2 Modify Network Parameters (Host and Router) ############################################### @@ -742,9 +793,10 @@ checks: - cis: "3.2.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 6553 title: "Ensure ICMP redirects are not accepted" 
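Review bot: Check 6550 (hunk `@@ -712,9 +761,10 @@`) rewrites the rule as `'f:/proc/sys/net/ipv6/ip_forward -> 0'`, but the flag its own description names, `net.ipv6.conf.all.forwarding`, lives at `/proc/sys/net/ipv6/conf/all/forwarding`; there is no `ip_forward` entry under the ipv6 sysctl tree. With `condition: all` a rule on a non-existent file cannot pass, so this check would fail on every host regardless of the forwarding setting. Suggest `- 'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`, mirroring the all/default pair used for the ipv4 redirect checks in the next hunk.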
@@ -755,10 +807,11 @@ checks: - cis: "3.2.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 6554 title: "Ensure secure ICMP redirects are not accepted" @@ -769,10 +822,11 @@ checks: - cis: "3.2.3" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + # 3.2.4 Log Suspicious Packets (Scored) - id: 6555 title: "Ensure suspicious packets are logged" @@ -783,9 +837,10 @@ checks: - cis: "3.2.4" - cis_csc: "6" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 6556 title: "Ensure broadcast ICMP requests are ignored" @@ -796,9 +851,10 @@ checks: - cis: "3.2.5" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 6557 title: "Enable Bad Error Message Protection" 
@@ -808,9 +864,10 @@ checks: compliance: - cis: "3.2.6" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + # 3.2.7 Enable RFC-recommended Source Route Validation (Scored) - id: 6558 title: "Ensure Reverse Path Filtering is enabled" @@ -820,10 +877,11 @@ checks: compliance: - cis: "3.2.7" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 6559 title: "Ensure TCP SYN Cookies is enabled" @@ -834,9 +892,10 @@ checks: - cis: "3.2.8" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 0;' + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + ############################################### # 5 System Access, Authentication and Authorization ############################################### @@ -853,9 +912,10 @@ checks: - cis: "5.2.2" - cis_csc: "3.4" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:Protocol\.+1;' + - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + # 5.2.3 Set LogLevel to INFO (Scored) - id: 6561 title: "Ensure SSH LogLevel is set to INFO" @@ -866,9 +926,10 @@ checks: - cis: "5.2.3" - cis_csc: "16" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> NIN !r:^# && r:LogLevel\.+INFO;' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\.+INFO;' + # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 6562 title: "Ensure SSH MaxAuthTries is set to 4 or less" 
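Review bot: Check 6560 (hunk `@@ -853,9 +912,10 @@`) passes only when an explicit `Protocol` directive with a value above 1 is present, because `condition: all` with the single numeric rule `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` treats an absent directive as a failure. Recent OpenSSH releases no longer implement protocol 1 and ship without a `Protocol` line, so a default, protocol-2-only sshd_config is reported as failing; whether the policy intends to demand the explicit line should be stated. If absence is acceptable, a second rule matching a `Protocol` line with value 1 under `condition: none` expresses the CIS intent more directly: `- 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*1'`.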
@@ -881,7 +942,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: any
 rules:
- - 'f:$sshd_file -> !r:^\s*MaxAuthTries\s+4\s*$;'
+ - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
+
 # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
 - id: 6563
 title: "Ensure SSH IgnoreRhosts is enabled"
@@ -892,9 +954,10 @@ checks:
 - cis: "5.2.6"
 - cis_csc: "9"
 - pci_dss: "4.1"
- condition: any
+ condition: none
 rules:
- - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\.+no;'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no'
+
 # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
 - id: 6564
 title: "Ensure SSH HostbasedAuthentication is disabled"
@@ -905,9 +968,10 @@ checks:
 - cis: "5.2.7"
 - cis_csc: "9"
 - pci_dss: "4.1"
- condition: any
+ condition: none
 rules:
- - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:HostbasedAuthentication\.+yes;'
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes'
+
 # 5.2.8 Disable SSH Root Login (Scored)
 - id: 6565
 title: "Ensure SSH root login is disabled"
@@ -918,9 +982,10 @@ checks:
 - cis: "5.2.8"
 - cis_csc: "5.8"
 - pci_dss: "4.1"
- condition: any
+ condition: none
 rules:
- - 'f:$sshd_file -> !r:^\s*PermitRootLogin\.+no;'
+ - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no'
+
 # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
 - id: 6566
 title: "Ensure SSH PermitEmptyPasswords is disabled"
@@ -931,9 +996,10 @@ checks:
 - cis: "5.2.9"
 - cis_csc: "16"
 - pci_dss: "4.1"
- condition: any
+ condition: none
 rules:
- - 'f:$sshd_file -> !r:^\s*PermitEmptyPasswords\.+no;'
+ - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+
 ###############################################
 # 6 System Maintenance
 ###############################################
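Review bot: Check 6565 (hunk `@@ -918,9 +982,10 @@`) inverts the root-login control: `condition: none` fails the check when any rule matches, yet the rule `r:^\s\t**PermitRootLogin\.+no` matches the hardened setting, so a sshd_config with `PermitRootLogin no` is reported as failing and one with `PermitRootLogin yes` passes. The neighbouring 6566 shows the intended shape — `none` paired with the insecure value — so this should be `- 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+yes'`, or alternatively `condition: all` with the `\.+no` pattern. Independently, `\s\t**` looks like a typo for `\s*\t*`; as written it demands a literal space and tab before the directive and would not match a line starting at column 0.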
@@ -950,55 +1016,62 @@ checks: - cis: "6.2.5" - cis_csc: "5.1" - pci_dss: "10.2.5" - condition: any + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && !r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + # Other/Legacy Tests - id: 6568 title: "Account with empty password present" compliance: - pci_dss: "10.2.5" - condition: any + condition: none rules: - - 'f:/etc/shadow -> r:^\w+::;' + - 'f:/etc/shadow -> r:^\w+::' + - id: 6569 title: "User-mounted removable partition allowed on the console" compliance: - condition: any + condition: none rules: - - 'f:/etc/security/console.perms -> r:^ \d+ ;' - - 'f:/etc/security/console.perms -> r:^ \d+ ;' + - 'f:/etc/security/console.perms -> r:^ \d+ ' + - 'f:/etc/security/console.perms -> r:^ \d+ ' + - id: 6570 title: "Disable standard boot services - Kudzu hardware detection Enabled" compliance: - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dkudzu$;' + - 'd:$rc_dirs -> ^S\d\dkudzu$' + - id: 6571 title: "Disable standard boot services - PostgreSQL server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dpostgresql$;' + - 'd:$rc_dirs -> ^S\d\dpostgresql$' + - id: 6572 title: "Disable standard boot services - MySQL server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dmysqld$;' + - 'd:$rc_dirs -> ^S\d\dmysqld$' + - id: 6573 title: "Disable standard boot services - DNS server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnamed$;' + - 'd:$rc_dirs -> ^S\d\dnamed$' + - id: 6574 title: "Disable standard boot services - NetFS Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnetfs$;' + - 'd:$rc_dirs -> ^S\d\dnetfs$' From 0cdf9424bba6012eda05110b2164499fb562e222 Mon Sep 17 00:00:00 2001 
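Review bot: Check 6569 lists the same rule twice (`'f:/etc/security/console.perms -> r:^ \d+ '` on consecutive lines); under `condition: none` the duplicate adds nothing and one copy should go. In check 6568, `r:^\w+::` only matches account names made of `\w` characters, so an entry whose name contains `-` or `.` (service accounts commonly do) with an empty password field is not detected; a name pattern that also accepts those characters is needed, hedged on what character classes the rule engine supports. The `$rc_dirs` variable used by 6570–6574 is not visible in this hunk; confirm it is declared in this policy's `variables:` block, since an undefined variable would leave those directory rules looking at a literal path.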
From: JuantAldea Date: Fri, 24 May 2019 15:51:36 +0200 Subject: [PATCH 010/247] Remove +x permission --- sca/sunos/cis_solaris11_rcl.yml | 0 sca/windows/acsc_office2016_rcl.yml | 0 sca/windows/cis_win10_enterprise_L1_rcl.yml | 0 sca/windows/cis_win10_enterprise_L2_rcl.yml | 0 4 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 sca/sunos/cis_solaris11_rcl.yml mode change 100755 => 100644 sca/windows/acsc_office2016_rcl.yml mode change 100755 => 100644 sca/windows/cis_win10_enterprise_L1_rcl.yml mode change 100755 => 100644 sca/windows/cis_win10_enterprise_L2_rcl.yml diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml old mode 100755 new mode 100644 diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml old mode 100755 new mode 100644 diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml old mode 100755 new mode 100644 diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml old mode 100755 new mode 100644 From 5f488036408982dafe5d43e50d34826f5c61c722 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 10:39:47 +0200 Subject: [PATCH 011/247] Fix requirements --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 33af83962..7ecded4f8 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -23,7 +23,7 @@ requirements: description: "Requirements for running the SCA scan against RHEL 7 family." condition: all rules: - - 'f:/etc/redhat-release -> IN r:^Red Hat Enterprise Linux|^CentOS|^Cloud|^Oracle|^Better|^OpenVZ && r:release 7;' + - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux|^CentOS|^Cloud|^Oracle|^Better|^OpenVZ && r:release 7' variables: $sshd_file: /etc/ssh/sshd_config 
From 5b3cbb179a4108873315b19b623df675a81ee547 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 11:51:54 +0200 Subject: [PATCH 012/247] Fixed rule bug + some typos --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 67 ++++++++++++++++-------------- 1 file changed, 35 insertions(+), 32 deletions(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 7ecded4f8..61dbe57e2 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -20,10 +20,15 @@ policy: requirements: title: "Check RHEL7 version" - description: "Requirements for running the SCA scan against RHEL 7 family." - condition: all + description: "Requirements for running the policy against RHEL 7 family." + condition: any rules: - - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux|^CentOS|^Cloud|^Oracle|^Better|^OpenVZ && r:release 7' + - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 7' + - 'f:/etc/redhat-release -> r:^CentOS && r:release 7' + - 'f:/etc/redhat-release -> r:^Cloud && r:release 7' + - 'f:/etc/redhat-release -> r:^Oracle && r:release 7' + - 'f:/etc/redhat-release -> r:^Better && r:release 7' + - 'f:/etc/redhat-release -> r:^OpenVZ && r:release 7' variables: $sshd_file: /etc/ssh/sshd_config @@ -124,7 +129,7 @@ checks: - cis_csc: "6.3" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - 'f:/etc/fstab -> !r:^# && r:/var/log' @@ -232,9 +237,9 @@ checks: compliance: - cis: "1.1.16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' # 1.1.17 /dev/shm: noexec - id: 6515 @@ -367,7 +372,7 @@ checks: - cis_csc: "8.4" condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$;' + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' ############################################### # 2 OS Services 
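Review bot: Splitting the requirement into one rule per vendor prefix drops `^OpenVZ`, which the replaced rule matched, so hosts whose /etc/redhat-release starts with OpenVZ no longer qualify for this policy; the commit message describes a rule fix and typos, not a scope change. If the omission is unintended add `- 'f:/etc/redhat-release -> r:^OpenVZ && r:release 7'` to the list, otherwise state the narrowing in the description. In the `@@ -124,7 +129,7 @@` hunk, `r:/var/log` also matches a `/var/log/audit` entry, so a host with only an audit partition passes the /var/log check under `condition: all`; anchoring on the mount-point field would avoid that.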
@@ -377,7 +382,7 @@ checks: ############################################### # 2.2.19 Remove telnet-server (Scored) - id: 6524 - title: "Ensure telnet server is is disabled" + title: "Ensure telnet server is disabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket" @@ -392,7 +397,7 @@ checks: # 2.2.17 Remove rsh-server (Scored) - id: 6525 - title: "Ensure rsh server is is disabled" + title: "Ensure rsh server is disabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket " 
@@ -426,7 +431,7 @@ checks: # 2.2.16 Remove NIS Server (Scored) - id: 6527 - title: "Ensure NIS Server is is disabled" + title: "Ensure NIS Server is disabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" remediation: "Run the following command to disable ypserv: # systemctl disable ypserv" @@ -441,7 +446,7 @@ checks: # 2.2.20 Remove tftp-server (Scored) - id: 6528 - title: "Ensure tftp server is is disabled" + title: "Ensure tftp server is disabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket" 
@@ -456,7 +461,7 @@ checks: # 2.1.18 Remove talk-server (Scored) - id: 6529 - title: "Ensure talk server is is disabled" + title: "Ensure talk server is disabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # systemctl disable ntalk" @@ -471,7 +476,7 @@ checks: # 2.1.7 Remove xinetd (Scored) - id: 6530 - title: "Ensure xinetd is is disabled" + title: "Ensure xinetd is disabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd: # systemctl disable xinetd" 
@@ -576,7 +581,7 @@ checks: # 2.2.3 Disable Avahi Server (Scored) - id: 6538 - title: "Ensure Avahi Server is is disabled" + title: "Ensure Avahi Server is disabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon" @@ -590,7 +595,7 @@ checks: # 2.2.5 Remove DHCP Server (Scored) - id: 6539 - title: "Ensure DHCP Server is is disabled" + title: "Ensure DHCP Server is disabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd" 
@@ -606,7 +611,7 @@ checks: # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored) - id: 6540 title: "Ensure time synchronization is in use" - description: "System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them." + description: "System time should be synchronized between all systems in an environment. This typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them." rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." remediation: "On physical systems or virtual systems where host based time synchronization is not available run one of the following commands to install either ntp or chrony: # yum install ntp; # yum install chrony; On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization." compliance: @@ -637,7 +642,7 @@ checks: # 2.2.9 Remove FTP Server (Not Scored) - id: 6542 - title: "Ensure FTP Server is is disabled" + title: "Ensure FTP Server is disabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" 
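Review bot: The rewritten description of check 6540 loses its verb: `This typically done by establishing` should read `This is typically done by establishing`; the removed line was correct and this change introduces the error. It is the only content change in the hunk, so the description line can simply be reverted.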
@@ -651,7 +656,7 @@ checks: # 2.2.10 Remove HTTP Server (Not Scored) - id: 6543 - title: "Ensure HTTP server is is disabled" + title: "Ensure HTTP server is disabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable httpd: # systemctl disable httpd" @@ -664,7 +669,7 @@ checks: # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored) - id: 6544 - title: "Ensure IMAP and POP3 server is is disabled" + title: "Ensure IMAP and POP3 server is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" @@ -677,7 +682,7 @@ checks: - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' - id: 6545 - title: "Ensure IMAP and POP3 server is is disabled" + title: "Ensure IMAP and POP3 server is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" 
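Review bot: After the `@@ -664,7 +669,7 @@` and `@@ -677,7 +682,7 @@` hunks, checks 6544 and 6545 carry the identical title `Ensure IMAP and POP3 server is disabled` together with identical description and remediation text, even though the rule visible just above 6545 inspects `/etc/xinetd.d/cyrus-imapd` while the remediation names dovecot. Give each check a title that names the service it actually tests (for example `Ensure IMAP and POP3 server (cyrus-imapd) is disabled` for the check whose rules cover cyrus) so that findings can be told apart; the rule lists of both checks extend beyond the hunks, so verify which rules belong to which id before renaming.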
@@ -691,7 +696,7 @@ checks: # 2.2.12 Remove Samba (Not Scored) - id: 6546 - title: "Ensure Samba is is disabled" + title: "Ensure Samba is disabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb: # systemctl disable smb" @@ -706,7 +711,7 @@ checks: # 2.2.13 Remove HTTP Proxy Server (Not Scored) - id: 6547 - title: "Ensure HTTP Proxy Server is is disabled" + title: "Ensure HTTP Proxy Server is disabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid: # systemctl disable squid" 
@@ -720,7 +725,7 @@ checks: # 2.2.14 Remove SNMP Server (Not Scored) - id: 6548 - title: "Ensure SNMP Server is is disabled" + title: "Ensure SNMP Server is disabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd" 
@@ -873,7 +878,7 @@ checks: title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." - remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf:net.ipv4.conf.all.rp_filter=1; net.ipv4.conf.default.rp_filter=1. Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1; # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1; # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1; net.ipv4.conf.default.rp_filter=1. Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1; # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1; # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - cis: "3.2.7" - pci_dss: "2.2.4" @@ -914,7 +919,7 @@ checks: - pci_dss: "4.1" condition: all rules: - - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' # 5.2.3 Set LogLevel to INFO (Scored) - id: 6561 @@ -928,7 +933,7 @@ checks: - pci_dss: "4.1" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\.+INFO;' + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 6562 
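Review bot: The LogLevel rule in the `@@ -928,7 +933,7 @@` hunk relies on `!r:^#` to skip comments, which only excludes a `#` in column 0; an indented `  #LogLevel INFO` line, or any line merely containing the two words, satisfies `r:LogLevel\.+INFO`. The neighbouring SSH rules anchor the directive with `^\s*\t*`, so `- 'f:$sshd_file -> r:^\s*\t*LogLevel\s*\t*INFO'` would be both consistent and stricter.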
@@ -947,7 +952,7 @@ checks: # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - id: 6563 title: "Ensure SSH IgnoreRhosts is enabled" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ." + description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: @@ -956,7 +961,7 @@ checks: - pci_dss: "4.1" condition: none rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 6564 @@ -970,7 +975,7 @@ checks: - pci_dss: "4.1" condition: none rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' # 5.2.8 Disable SSH Root Login (Scored) - id: 6565 @@ -982,7 +987,7 @@ checks: - cis: "5.2.8" - cis_csc: "5.8" - pci_dss: "4.1" - condition: none + condition: all rules: - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no' @@ -1031,7 +1036,6 @@ checks: - id: 6569 title: "User-mounted removable partition allowed on the console" - compliance: condition: none rules: - 'f:/etc/security/console.perms -> r:^ \d+ ' @@ -1039,7 +1043,6 @@ checks: - id: 6570 title: "Disable standard boot services - Kudzu hardware detection Enabled" - compliance: condition: none rules: - 'd:$rc_dirs -> ^S\d\dkudzu$' From f29ef3b4e74a6169dce6376fb7e92d682d2ed95d Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 11:56:18 +0200 Subject: [PATCH 013/247] Adapt RHEL6 --- sca/rhel/6/cis_rhel6_linux_rcl.yml | 497 ++++++++++++++++++----------- 1 file changed, 310 insertions(+), 187 deletions(-) 
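Review bot: With check 6565 switched to `condition: all` in the `@@ -982,7 +987,7 @@` hunk, the unchanged rule `r:^\s\t**PermitRootLogin\.+no` now has to match on compliant hosts, but its `^\s` carries no quantifier and so demands a leading blank; a `PermitRootLogin no` directive at column 0, the usual form, does not match and the hardened host fails. The neighbouring checks 6564 and 6566 use `^\s*\t*`, and the stray second `*` in `\t**` looks like the typo, so the line should read `- 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'`.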
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 81baff119..1bbba64ea 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml @@ -20,17 +20,18 @@ policy: requirements: title: "Check RHEL6 version" - description: "Requirements for RHEL 6 check" - condition: "any required" + description: "Requirements for running the policy against RHEL 6 family." + condition: "any" rules: - - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 6;' - - 'f:/etc/redhat-release -> IN r:^CentOS && r:release 6;' - - 'f:/etc/redhat-release -> IN r:^Cloud && r:release 6;' - - 'f:/etc/redhat-release -> IN r:^Oracle && r:release 6;' - - 'f:/etc/redhat-release -> IN r:^Better && r:release 6;' + - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6' + - 'f:/etc/redhat-release -> r:^CentOS && r:release 6' + - 'f:/etc/redhat-release -> r:^Cloud && r:release 6' + - 'f:/etc/redhat-release -> r:^Oracle && r:release 6' + - 'f:/etc/redhat-release -> r:^Better && r:release 6' variables: - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; + $sshd_file: /etc/ssh/sshd_config + $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # 1.1.2 /tmp: partition @@ -43,9 +44,11 @@ checks: - cis: "1.1.2" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + # 1.1.3 /tmp: nodev - id: 6001 title: "Ensure nodev option set on /tmp partition" @@ -55,9 +58,11 @@ checks: compliance: - cis: "1.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nodev;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + # 1.1.4 /tmp: nosuid - id: 6002 title: "Ensure nosuid option set on /tmp partition" 
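Review bot: The new fstab rules in checks 6000 and 6001 match `/tmp` as a substring, so the `/var/tmp` line that check 6005 looks for also satisfies them, and a host with no separate /tmp mount can pass 1.1.2 and 1.1.3 on the strength of its /var/tmp entry. Anchoring on the mount-point field, e.g. `r:\s/tmp\s` (with a `\t` variant if the engine's `\s` only covers a plain space, as the other rules' `\s*\t*` suggests), avoids that; the same substring issue applies to the `/var`, `/home` and `/media` rules in the following hunks. The added `'d:/tmp'` rule under `condition: all` is harmless but adds little, since /tmp exists as a directory whether or not it is a separate partition.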
@@ -67,9 +72,10 @@ checks: compliance: - cis: "1.1.4" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + # 1.1.5 /tmp: noexec - id: 6003 title: "Ensure noexec option set on /tmp partition" @@ -80,9 +86,10 @@ checks: - cis: "1.1.5" - cis_csc: "2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + # 1.1.6 Build considerations - Partition scheme. - id: 6004 title: "Ensure separate partition exists for /var" @@ -93,9 +100,11 @@ checks: - cis: "1.1.6" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r^# && r:/var;' + - 'd:/var' + - 'f:/etc/fstab -> !r^# && r:/var' + # 1.1.7 bind mount /var/tmp to /tmp - id: 6005 title: "Ensure separate partition exists for /var/tmp" @@ -104,9 +113,10 @@ checks: remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - cis: "1.1.7" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/tmp && r:bind;' + - 'f:/etc/fstab -> !r:^# && r:/var/tmp' + # 1.1.11 /var/log: partition - id: 6006 title: "Ensure separate partition exists for /var/log" @@ -118,9 +128,10 @@ checks: - cis_csc: "6.3" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log;' + - 'f:/etc/fstab -> !r:^# && r:/var/log' + # 1.1.12 /var/log/audit: partition - id: 6007 title: "Ensure separate partition exists for /var/log/audit" 
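Review bot: The rewritten /var rule in check 6004 (`@@ -93,9 +100,11 @@`) keeps the malformed `!r^#` — the `:` after `r` is missing — so the comment-exclusion half of `'f:/etc/fstab -> !r^# && r:/var'` is not a valid pattern prefix and, depending on how the engine parses it, is either rejected or matched literally; it should be `- 'f:/etc/fstab -> !r:^# && r:/var'` like every other rule in this commit. In the `@@ -104,9 +113,10 @@` hunk, check 6005 no longer requires `bind` on the /var/tmp line while its heading comment still reads `# 1.1.7 bind mount /var/tmp to /tmp`; the comment should describe what is now tested.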
@@ -132,9 +143,10 @@ checks: - cis_csc: "6.3" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log/audit;' + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + # 1.1.13 /home: partition - id: 6008 title: "Ensure separate partition exists for /home" @@ -145,9 +157,10 @@ checks: - cis: "1.1.13" references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home;' + - 'f:/etc/fstab -> !r:^# && r:/home' + # 1.1.14 /home: nodev - id: 6009 title: "Ensure nodev option set on /home partition" @@ -157,9 +170,10 @@ checks: compliance: - cis: "1.1.14" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + # 1.1.18 nodev on removable media partitions (not scored) - id: 6010 title: "Ensure nodev option set on removable media partitions" @@ -169,9 +183,10 @@ checks: compliance: - cis: "1.1.18" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + # 1.1.19 nosuid on removable media partitions (not scored) - id: 6011 title: "Ensure nosuid option set on removable media partitions" @@ -181,9 +196,10 @@ checks: compliance: - cis: "1.1.19" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + # 1.1.20 noexec on removable media partitions (not scored) - id: 6012 title: "Ensure noexec option set on removable media partitions" 
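Review bot: Checks 6010 and 6011 (and 6012 in the next hunk) now fail under `condition: all` on every host whose /etc/fstab has no `/media` line at all, which is the common case since removable media are normally auto-mounted rather than listed in fstab; the corresponding CIS items are marked "not scored" for that reason. If the engine reports a non-matching `all` rule as a failure, consider `condition: none` with a rule that matches a /media entry lacking the option, e.g. `- 'f:/etc/fstab -> !r:^# && r:/media && !r:nodev'`, which passes when no such line exists — the same logic this commit applies to the `selinux=0` check.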
@@ -194,9 +210,10 @@ checks: - cis: "1.1.20" - cis_csc: "8" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + # 1.1.15 /dev/shm: nodev - id: 6013 title: "Ensure nodev option set on /dev/shm partition" @@ -206,9 +223,10 @@ checks: compliance: - cis: "1.1.15" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + # 1.1.16 /dev/shm: nosuid - id: 6014 title: "Ensure nosuid option set on /dev/shm partition" @@ -218,9 +236,10 @@ checks: compliance: - cis: "1.1.16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + # 1.1.17 /dev/shm: noexec - id: 6015 title: "Ensure noexec option set on /dev/shm partition" @@ -231,9 +250,10 @@ checks: - cis: "1.1.17" - cis_csc: "2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + ############################################### # 1.4 Configure SELinux ############################################### @@ -247,9 +267,10 @@ checks: - cis: "1.6.1.1" - cis_csc: "14.4" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'f:/etc/grub.conf -> r:selinux=0;' + - 'f:/etc/grub.conf -> r:selinux=0' + # 1.6.1.2 Set selinux state - id: 6017 title: "Ensure the SELinux state is enforcing" @@ -260,9 +281,10 @@ checks: - cis: "1.6.1.2" - cis_csc: "14.4" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;' + - 'f:/etc/selinux/config -> r:SELINUX=enforcing' + # 1.6.1.3 Set seliux policy - id: 6018 title: "Ensure SELinux policy is configured" 
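Review bot: `r:SELINUX=enforcing` in check 6017 (`@@ -260,9 +281,10 @@`) is unanchored, so a commented-out `#SELINUX=enforcing` left in /etc/selinux/config satisfies the check while the effective line may say `disabled`; likewise `r:selinux=0` in check 6016 under `condition: none` is triggered by a commented grub entry. Guard both with the comment exclusion the commit applies elsewhere and anchor the key: `- 'f:/etc/selinux/config -> !r:^# && r:^SELINUX=enforcing'` and `- 'f:/etc/grub.conf -> !r:^# && r:selinux=0'`. The same applies to the `SELINUXTYPE=targeted` rule that follows in the next hunk.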
@@ -272,9 +294,10 @@ checks: compliance: - cis: "1.6.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;' + - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted' + # 1.6.1.4 Remove SETroubleshoot - id: 6019 title: "Ensure SETroubleshoot is not installed" @@ -284,9 +307,10 @@ checks: compliance: - cis: "1.6.1.4" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$;' + - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$' + # 1.6.1.5 Disable MCS Translation service mcstrans - id: 6020 title: "Ensure the MCS Translation Service (mcstrans) is not installed" @@ -296,9 +320,10 @@ checks: compliance: - cis: "1.6.1.5" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dmctrans$;' + - 'd:$rc_dirs -> ^S\d\dmctrans$' + ############################################### # 1.4 Secure Boot Settings ############################################### @@ -312,9 +337,10 @@ checks: - cis: "1.4.2" - cis_csc: "5.1" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/boot/grub/menu.lst -> NIN !r:^# && r:password;' + - 'f:/boot/grub/menu.lst -> !r:^# && r:password' + # 1.4.3 Require Authentication for Single-User Mode (Scored) - id: 6022 title: "Ensure authentication required for single user mode" 
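Review bot: Check 6020 looks for an rc link named `S\d\dmctrans`, but the service its title and the heading comment refer to is `mcstrans`, so the pattern never matches and the check always passes under `condition: none`; the line should be `- 'd:$rc_dirs -> ^S\d\dmcstrans$'`. Checks 6019 and 6020 are titled "is not installed" yet inspect rc start links, i.e. whether the service is enabled at boot; an installed-but-disabled package passes, and the titles should say "is not enabled" (or the rules should check the package).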
@@ -327,10 +353,11 @@ checks: - pci_dss: "2.2.4" condition: any rules: - - 'f:/etc/inittab -> IN !r:^# && r:S:wait;' + - 'f:/etc/inittab -> !r:^# && r:S:wait' + # 1.4.4 Disable Interactive Boot (Scored) - id: 6023 - title: "Ensure interactive boot is not enabled" + title: "Ensure interactive boot is disabled" description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ." rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings." remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no" @@ -338,9 +365,10 @@ checks: - cis: "1.4.4" - cis_csc: "5.1" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/sysconfig/init -> NIN !r:^# && r:PROMPT=no;' + - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no' + ############################################### # 1.5 Additional Process Hardening ############################################### @@ -353,9 +381,10 @@ checks: compliance: - cis: "1.5.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'f:/etc/security/limits.conf -> NIN !r:^# && r:hard\.+core\.+0;' + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 6025 title: "Ensure address space layout randomization (ASLR) is enabled" @@ -365,9 +394,10 @@ checks: compliance: - cis: "1.5.3" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> 0;' + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + ############################################### # 2 OS Services ############################################### 
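Review bot: Check 6022 only verifies that an uncommented `S:wait` entry exists in /etc/inittab, not that it invokes `/sbin/sulogin`, which is what "authentication required for single user mode" is about; an entry such as `~~:S:wait:/bin/sh` would also pass. Tighten the rule to `- 'f:/etc/inittab -> !r:^# && r:S:wait:/sbin/sulogin'`.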
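Review bot: In check 6024 (`@@ -353,9 +381,10 @@`), `r:hard\.+core\.+0` uses `\.+` (one or more of any character) between the fields, so a line like `* hard core 10` or `* hard core 100` also matches and the check passes with a non-zero limit. Requiring whitespace between the fields and an end anchor — `- 'f:/etc/security/limits.conf -> !r:^# && r:hard\s+core\s+0\s*$'` (adding `\t` alternatives if the engine's `\s` does not cover tabs) — restricts it to a zero limit.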
@@ -376,7 +406,7 @@ checks: ############################################### # 2.1.8 Remove telnet-server (Scored) - id: 6026 - title: "Ensure telnet server is not enabled" + title: "Ensure telnet server is disabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Run the following command to disable telnet: # chkconfig telnet off" @@ -384,12 +414,13 @@ checks: - cis: "2.1.8" - cis_csc: "3.4, 9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/telnet -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + # 2.1.6 Remove rsh-server (Scored) - id: 6027 - title: "Ensure rsh server is not enabled" + title: "Ensure rsh server is disabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Disable rsh, rlogin, and rexec." @@ -397,11 +428,12 @@ checks: - cis: "2.1.6" - cis_csc: "3.4" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/rlogin -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/rsh -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/shell -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + # 2.3.1 Remove NIS Client (Scored) - id: 6028 title: "Ensure NIS Client is not installed" 
@@ -412,12 +444,13 @@ checks: - cis: "2.3.1" - cis_csc: "2" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$;' + - 'd:$rc_dirs -> ^S\d\dypbind$' + # 2.2.16 Remove NIS Server (Scored) - id: 6029 - title: "Ensure NIS Server is not enabled" + title: "Ensure NIS Server is disabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)." remediation: "Run the following command to disable ypserv: # chkconfig ypserv off" @@ -425,12 +458,13 @@ checks: - cis: "2.2.16" - cis_csc: "9.4" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$;' + - 'd:$rc_dirs -> ^S\d\dypserv$' + # 2.1.9 Remove tftp-server (Scored) - id: 6030 - title: "Ensure tftp server is not enabled" + title: "Ensure tftp server is disabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # chkconfig tftp off" 
@@ -438,12 +472,13 @@ checks: - cis: "2.1.9" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + # 2.1.7 Remove talk-server (Scored) - id: 6031 - title: "Ensure talk server is not enabled" + title: "Ensure talk server is disabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # chkconfig talk off" @@ -451,9 +486,10 @@ checks: - cis: "2.1.7" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/talk -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + ############################################### # 2 Special Purpose Services ############################################### @@ -468,7 +504,8 @@ checks: - pci_dss: "2.2.2" condition: all rules: - - 'f:/etc/init.d/functions -> IN !r:^# && r:^umask && <:umask 027;' + - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027' + # 2.2.2 Remove X Windows (Scored) - id: 6033 title: "Ensure X Window System is not installed" 
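Review bot: The new daemon-umask rule `f:/etc/init.d/functions -> !r:^# && r:file.umask 027` in the @@ -468 hunk only matches if the literal text `file.umask 027` appears in the file, because in this rule syntax a bare `.` is a literal period and only `\.` is the any-character wildcard; a plain `umask 027` line would not satisfy it, and with `condition: all` the check then always fails. The removed rule anchored on `^umask`, which is closer to what the audit needs; `r:^\s*umask\s+027` would keep that intent. The check's title and compliance tags are outside the hunk, so I cannot confirm which benchmark item it maps to.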
@@ -479,12 +516,13 @@ checks: - cis: "2.2.2" - cis_csc: "2" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/inittab -> IN !r:^# && r:id:5;' + - 'f:/etc/inittab -> !r:^# && r:id:5' + # 2.2.3 Disable Avahi Server (Scored) - id: 6034 - title: "Ensure Avahi Server is not enabled" + title: "Ensure Avahi Server is disabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off" @@ -492,12 +530,13 @@ checks: - cis: "2.2.3" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'p:avahi-daemon;' + - 'p:avahi-daemon' + # 2.2.7 Disable NFS and RPC (Not Scored) - id: 6035 - title: "Ensure NFS and RPC are not enabled" + title: "Ensure NFS and RPC are disabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off" 
@@ -505,13 +544,14 @@ checks: - cis: "2.2.7" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$;' - - 'd:$rc_dirs -> ^S\d\dnfslock$;' + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' + # 2.2.9 Remove FTP Server (Not Scored) - id: 6036 - title: "Ensure FTP Server is not enabled" + title: "Ensure FTP Server is disabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server." remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off" 
@@ -519,24 +559,26 @@ checks: - cis: "2.2.9" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + # 2.2.10 Remove HTTP Server (Not Scored) - id: 6037 - title: "Ensure HTTP server is not enabled" + title: "Ensure HTTP server is disabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable httpd: # chkconfig httpd off" compliance: - cis: "2.2.10" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dhttpd$;' + - 'd:$rc_dirs -> ^S\d\dhttpd$' + # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored) - id: 6038 - title: "Ensure IMAP and POP3 server is not enabled" + title: "Ensure IMAP and POP3 server is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # chkconfig dovecot off" 
@@ -544,11 +586,12 @@ checks: - cis: "2.2.11" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + - id: 6039 - title: "Ensure IMAP and POP3 server is not enabled" + title: "Ensure IMAP and POP3 server is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # chkconfig dovecot off" @@ -556,12 +599,13 @@ checks: - cis: "2.2.11" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/dovecot -> NIN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + # 2.2.12 Remove Samba (Not Scored) - id: 6040 - title: "Ensure Samba is not enabled" + title: "Ensure Samba is disabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb: # chkconfig smb off" 
@@ -569,13 +613,14 @@ checks: - cis: "2.2.12" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$;' - - 'd:$rc_dirs -> ^S\d\dsmb$;' + - 'd:$rc_dirs -> ^S\d\dsamba$' + - 'd:$rc_dirs -> ^S\d\dsmb$' + # 2.2.13 Remove HTTP Proxy Server (Not Scored) - id: 6041 - title: "Ensure HTTP Proxy Server is not enabled" + title: "Ensure HTTP Proxy Server is disabled" description: "Squid is a standard proxy server used in many environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid : # chkconfig squid off" @@ -583,12 +628,13 @@ checks: - cis: "2.2.13" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$;' + - 'd:$rc_dirs -> ^S\d\dsquid$' + # 2.2.14 Remove SNMP Server (Not Scored) - id: 6042 - title: "Ensure SNMP Server is not enabled" + title: "Ensure SNMP Server is disabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." remediation: "Run the following command to disable snmpd: # chkconfig snmpd off" @@ -596,9 +642,10 @@ checks: - cis: "2.2.14" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$;' + - 'd:$rc_dirs -> ^S\d\dsnmpd$' + ############################################### # 3 Network Configuration and Firewalls ############################################### 
@@ -615,9 +662,10 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + - id: 6044 title: "Ensure IPv6 forwarding is disabled" description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." 
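Review bot: The sysctl rules from this hunk onward (`f:/proc/sys/net/ipv4/ip_forward -> 0`) put a bare value after `->`, while the ASLR check earlier in the file uses an anchored regex (`r:^2$`) for the same kind of /proc read; presumably the bare form is an exact line comparison, but that is not obvious to a reader and the two styles now coexist. Using one form throughout, e.g. `- 'f:/proc/sys/net/ipv4/ip_forward -> r:^0$'`, makes the whole-line comparison explicit; the same applies to the sysctl rules in the following hunks through the tcp_syncookies check.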
@@ -627,23 +675,25 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + # 3.1.2 Disable Send Packet Redirects (Scored) - id: 6045 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters." compliance: - cis: "3.1.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + ############################################### # 3.2 Modify Network Parameters (Host and Router) ############################################### 
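Review bot: The IPv6 forwarding rule `f:/proc/sys/net/ipv6/ip_forward -> 0` in check 6044 points at a path the kernel does not expose; the setting named in the check's own description, net.ipv6.conf.all.forwarding, is read from /proc/sys/net/ipv6/conf/all/forwarding. With `condition: all` a missing file means this check can never pass, so it reports a failure on every host regardless of configuration. The rule should read `- 'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'` (in whichever value form the other sysctl rules settle on). The check's `- id: 6044` line is in the previous hunk.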
@@ -657,11 +707,27 @@ checks: - cis: "3.2.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;' -# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + +# 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 6047 + title: "Ensure ICMP redirects are not accepted" + description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables." + rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters." + compliance: + - cis: "3.2.2" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + +# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) + - id: 6048 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
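Review bot: The accept_source_route rule in the @@ -657 hunk checks only `/proc/sys/net/ipv4/conf/all/accept_source_route`, whereas the new 6047 check in the same hunk tests both `all` and `default`; the `default` value governs interfaces brought up later, so a second rule `- 'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` keeps 3.2.1 consistent with 3.2.2 and 3.2.3. Separately, inserting 6047 shifts the id of every later check by one (6047 becomes 6048 and onward in the following hunks); if any alert rules or dashboards key on the old ids they now refer to different checks, which is worth stating in the commit message.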
@@ -670,12 +736,13 @@ checks: - cis: "3.2.3" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + # 3.2.4 Log Suspicious Packets (Scored) - - id: 6048 + - id: 6049 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." @@ -684,12 +751,13 @@ checks: - cis: "3.2.4" - cis_csc: "6" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;' - - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + # 3.2.5 Enable Ignore Broadcast Requests (Scored) - - id: 6049 + - id: 6050 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." 
@@ -698,52 +766,59 @@ checks: - cis: "3.2.5" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + # 3.2.6 Enable Bad Error Message Protection (Scored) - - id: 6050 + - id: 6051 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." - rationale: "Some routers (andsome attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." + rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1" compliance: - cis: "3.2.6" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - - id: 6051 - title: "Ensure Reverse Path Filtering is enabled (Scored)" + - id: 6052 + title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." 
- remediation: "Set the net.ipv4.conf.all.rp_filterand net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1" + remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1" compliance: - cis: "3.2.7" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + # 3.2.8 Enable TCP SYN Cookies (Scored) - - id: 6052 + - id: 6053 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters" + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." 
compliance: - cis: "3.2.8" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 0;' + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + +############################################### +# 5 System Access, Authentication and Authorization +############################################### ############################################### # 5.2 Configure SSH ############################################### # 5.2.2 Set SSH Protocol to 2 (Scored) - - id: 6053 + - id: 6054 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." 
@@ -752,11 +827,40 @@ checks: - cis: "5.2.2" - cis_csc: "3.4" - pci_dss: "4.1" + condition: all + rules: + - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + +# 5.2.3 Set LogLevel to INFO (Scored) + - id: 6055 + title: "Ensure SSH LogLevel is set to INFO" + description: "The INFO parameter specifies that login and logout activity will be logged." + rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" + compliance: + - cis: "5.2.3" + - cis_csc: "16" + - pci_dss: "4.1" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + +# 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) + - id: 6056 + title: "Ensure SSH MaxAuthTries is set to 4 or less" + description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." + rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" + compliance: + - cis: "5.2.5" + - cis_csc: "16" + - pci_dss: "2.2.4" condition: any rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:Protocol\.+1;' + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 6054 + - id: 6057 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
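Review bot: The MaxAuthTries rule `f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4` anchors the keyword at column 0, unlike the other sshd rules in this hunk and file (`^\s*\t*Protocol`, `^\s*\t*HostbasedAuthentication`), so an indented directive is ignored and a compliant host fails the check; `n:^\s*\t*MaxAuthTries\s+(\d+) compare <= 4` would follow the file's convention. The new 6055 check uses `condition: all` while 6056 uses `condition: any`; with a single rule each they behave the same, but one form would read better. This hunk begins on the previous line and the LogLevel rule `r:LogLevel\.+INFO` is unanchored, which is acceptable only because `!r:^#` precedes it.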
@@ -765,24 +869,26 @@ checks: - cis: "5.2.6" - cis_csc: "9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\.+no;' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 6055 + - id: 6058 title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection ." + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - cis: "5.2.7" - cis_csc: "9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:HostbasedAuthentication\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + # 5.2.8 Disable SSH Root Login (Scored) - - id: 6056 + - id: 6059 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." 
rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" @@ -791,11 +897,12 @@ checks: - cis: "5.2.8" - cis_csc: "5.8" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitRootLogin\.+yes;' + - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no' + # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 6057 + - id: 6060 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" @@ -804,11 +911,18 @@ checks: - cis: "5.2.9" - cis_csc: "16" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:^PermitEmptyPasswords\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + +############################################### +# 6 System Maintenance +############################################### +############################################### +# 6.2 Review User and Group Settings +############################################### # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - - id: 6058 + - id: 6061 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." 
@@ -817,51 +931,60 @@ checks: - cis: "6.2.5" - cis_csc: "5.1" - pci_dss: "10.2.5" - condition: any + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && !r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + # Other/Legacy Tests - - id: 6059 + - id: 6062 title: "Account with empty password present" - condition: any + compliance: + - pci_dss: "10.2.5" + condition: none rules: - - 'f:/etc/shadow -> r:^\w+::;' - - id: 6060 + - 'f:/etc/shadow -> r:^\w+::' + + - id: 6063 title: "User-mounted removable partition allowed on the console" - condition: any + condition: none rules: - - 'f:/etc/security/console.perms -> r:^ \d+ ;' - - 'f:/etc/security/console.perms -> r:^ \d+ ;' - - id: 6061 + - 'f:/etc/security/console.perms -> r:^ \d+ ' + - 'f:/etc/security/console.perms -> r:^ \d+ ' + + - id: 6064 title: "Disable standard boot services - Kudzu hardware detection Enabled" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dkudzu$;' - - id: 6062 + - 'd:$rc_dirs -> ^S\d\dkudzu$' + + - id: 6065 title: "Disable standard boot services - PostgreSQL server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dpostgresql$;' - - id: 6063 + - 'd:$rc_dirs -> ^S\d\dpostgresql$' + + - id: 6066 title: "Disable standard boot services - MySQL server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dmysqld$;' - - id: 6064 + - 'd:$rc_dirs -> ^S\d\dmysqld$' + + - id: 6067 title: "Disable standard boot services - DNS server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnamed$;' - - id: 6065 + - 'd:$rc_dirs -> ^S\d\dnamed$' + + - id: 6068 title: "Disable standard boot services - NetFS Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnetfs$;' + - 'd:$rc_dirs -> ^S\d\dnetfs$' 
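Review bot: Check 6063 keeps two byte-identical rules, `'f:/etc/security/console.perms -> r:^ \d+ '` twice, so the second adds nothing, and the pattern itself (a leading space, digits, a trailing space) looks like a token was lost in an earlier conversion; it is worth reconstructing against the original rootcheck rule rather than carrying it forward. In the same hunk the empty-password rule `f:/etc/shadow -> r:^\w+::` with `condition: none` only reports accounts whose names consist solely of `\w` characters; if this engine's `\w` does not cover `-` or `.`, a constructed example such as `svc-backup::...` would not be flagged, so a name pattern that also accepts those characters would close the gap.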
From 8a60d1b847ff94239b977482fc2c3e30a3919894 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 12:32:10 +0200 Subject: [PATCH 014/247] Fix errors --- sca/rhel/6/cis_rhel6_linux_rcl.yml | 6 +++--- sca/rhel/7/cis_rhel7_linux_rcl.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 1bbba64ea..685bee2f3 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml @@ -115,7 +115,7 @@ checks: - cis: "1.1.7" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/tmp' + - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind' # 1.1.11 /var/log: partition - id: 6006 @@ -351,7 +351,7 @@ checks: - cis: "1.4.3" - cis_csc: "5.1" - pci_dss: "2.2.4" - condition: any + condition: none rules: - 'f:/etc/inittab -> !r:^# && r:S:wait' @@ -899,7 +899,7 @@ checks: - pci_dss: "4.1" condition: all rules: - - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no' + - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - id: 6060 diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 61dbe57e2..9d967865f 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -116,7 +116,7 @@ checks: - cis: "1.1.7" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/tmp' + - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind' # 1.1.11 /var/log: partition - id: 6506 From f8a1c8232fdc32426f4f5c04fab0fa2738a97968 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 12:33:46 +0200 Subject: [PATCH 015/247] Adapt RHEL5 --- sca/rhel/5/cis_rhel5_linux_rcl.yml | 514 +++++++++++++++++------------ 1 file changed, 305 insertions(+), 209 deletions(-) diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml index 492f7d1ec..35090544f 100644 --- a/sca/rhel/5/cis_rhel5_linux_rcl.yml +++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml 
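Review bot: Switching the cis 1.4.3 check in cis_rhel6_linux_rcl.yml (@@ -351) to `condition: none` over `f:/etc/inittab -> !r:^# && r:S:wait` makes it pass whenever no uncommented line contains `S:wait`, which is the inverse of what a single-user-mode authentication item needs: an inittab carrying the remediation line `~~:S:wait:/sbin/sulogin` now fails, and a host with no such entry passes. If the intent is the RHEL 6 form of the item, the setting that decides it is `SINGLE=/sbin/sulogin` in /etc/sysconfig/init, e.g. `- 'f:/etc/sysconfig/init -> !r:^# && r:^SINGLE=/sbin/sulogin'` with `condition: all`. The check's title and description are outside the hunk, so the item is inferred from the cis tag.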
@@ -23,14 +23,15 @@ requirements: description: "Requirements for running the SCA scan against RHEL 5." condition: "any required" rules: - - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux \S+ release 5;' - - 'f:/etc/redhat-release -> IN r:^CentOS && r:release 5;' - - 'f:/etc/redhat-release -> IN r:^Cloud && r:release 5;' - - 'f:/etc/redhat-release -> IN r:^Oracle && r:release 5;' - - 'f:/etc/redhat-release -> IN r:^Better && r:release 5;' + - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 5' + - 'f:/etc/redhat-release -> r:^CentOS && r:release 5' + - 'f:/etc/redhat-release -> r:^Cloud && r:release 5' + - 'f:/etc/redhat-release -> r:^Oracle && r:release 5' + - 'f:/etc/redhat-release -> r:^Better && r:release 5' variables: - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; + $sshd_file: /etc/ssh/sshd_config + $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # 1.1.1 /tmp: partition @@ -44,9 +45,11 @@ checks: references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14161-4 - condition: any + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + # 1.1.2 /tmp: nodev - id: 5501 title: "Set nodev option for /tmp Partition" @@ -58,9 +61,11 @@ checks: - pci_dss: "2.2.4" references: - CCE-14412-1 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nodev;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + # 1.1.3 /tmp: nosuid - id: 5502 title: "Set nosuid option for /tmp Partition" @@ -72,9 +77,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-14940-1 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + # 1.1.4 /tmp: noexec - id: 5503 title: "Set noexec option for /tmp Partition" 
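Review bot: The fstab rules in the /tmp checks of the @@ -44 and @@ -58 hunks, `f:/etc/fstab -> !r:^# && r:/tmp` and `... r:/tmp && r:nodev`, match `/tmp` as a substring, so the /var/tmp bind-mount line that this file's own 1.1.6 check expects satisfies both and a host with no separate /tmp partition still passes; the same substring matching affects `r:/var` in the @@ -100 hunk and `r:/var/log` and `r:/home` in the @@ -127 and @@ -155 hunks that follow. Matching the mount point as a whole field, i.e. requiring whitespace on both sides of `/tmp`, would tighten these. The added `d:/tmp` rule holds on essentially every system, so it adds no discrimination to a `condition: all` check.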
@@ -86,13 +92,14 @@ checks: - pci_dss: "2.2.4" references: - CCE-14412-1 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + # 1.1.5 Build considerations - Partition scheme. - id: 5504 title: "Create Separate Partition for /var" - description: "The / var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: @@ -100,9 +107,11 @@ checks: references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14777-7 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r^# && r:/var;' + - 'd:/var' + - 'f:/etc/fstab -> !r^# && r:/var' + # 1.1.6 bind mount /var/tmp to /tmp - id: 5505 title: "Bind Mount the /var/tmp directory to /tmp" @@ -113,9 +122,10 @@ checks: - cis: "1.1.6" references: - CCE-14584-7 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN r:^# && !r:/var/tmp && r:bind;' + - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind' + # 1.1.7 /var/log: partition - id: 5506 title: "Create Separate Partition for /var/log" 
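Review bot: The new rule for check 5504 reads `!r^# && r:/var` — the `r` is missing its colon, so the comment-exclusion term is not a valid `r:` expression; patch 017 later in this series fixes exactly this typo in the rhel6 file but leaves this rhel5 line as is. It should read `- 'f:/etc/fstab -> !r:^# && r:/var'`. Depending on how the SCA parser treats an unrecognised term, the check may fail to load or may pass on a commented-out entry, so a quick run against an fstab containing only a `#`-prefixed /var line would settle which.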
@@ -127,9 +137,10 @@ checks: references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14011-1 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log;' + - 'f:/etc/fstab -> !r:^# && r:/var/log' + # 1.1.8 /var/log/audit: partition - id: 5507 title: "Create Separate Partition for /var/log/audit" @@ -141,9 +152,10 @@ checks: references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14171-3 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log/audit;' + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + # 1.1.9 /home: partition - id: 5508 title: "Create Separate Partition for /home" @@ -155,9 +167,10 @@ checks: references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14559-9 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home;' + - 'f:/etc/fstab -> !r:^# && r:/home' + # 1.1.10 /home: nodev - id: 5509 title: "Add nodev Option to /home" @@ -169,9 +182,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-4249-9 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + # 1.1.11 nodev on removable media partitions (not scored) - id: 5510 title: "Add nodev Option to Removable Media Partitions" 
@@ -181,25 +195,12 @@ checks: compliance: - cis: "1.1.11" - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nodev;' -# 1.1.12 noexec on removable media partitions (not scored) - - id: 5511 - title: "Add noexec Option to Removable Media Partitions" - description: "Set noexec on removable media to prevent programs from executing from the removable media." - rationale: "Setting this option on a file system prevents users from executing programs from the removable. This deters users from being to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom." - compliance: - - cis: "1.1.12" - - pci_dss: "2.2.4" - references: - - CCE-4275-4 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + # 1.1.13 nosuid on removable media partitions (not scored) - - id: 5512 + - id: 5511 title: "Add nosuid Option to Removable Media Partitions" description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid." rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." 
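Review bot: Moving the noexec-on-removable-media check behind the nosuid one and renumbering both (5511 becomes the nosuid check, 5512 the noexec check) changes which id refers to which test, and the same renumbering repeats for 5526/5527 (hunk at @@ -428), 5535–5537 (@@ -535 and @@ -576) and 5557–5570 (@@ -853 onward). If anything downstream keys on the check id — stored scan results, alert correlation, dashboards — history for these checks silently breaks. If the intent is only to keep ids contiguous, either keep the old ids and just move the blocks, or add a comment at the top of `checks:` stating that ids are positional and may be renumbered; note that after this hunk `# 1.1.13` sits above id 5511 and `# 1.1.12` above 5512, so the ids no longer follow the benchmark order either.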
@@ -209,9 +210,25 @@ checks: - pci_dss: "2.2.4" references: - CCE-4042-8 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + +# 1.1.12 noexec on removable media partitions (not scored) + - id: 5512 + title: "Add noexec Option to Removable Media Partitions" + description: "Set noexec on removable media to prevent programs from executing from the removable media." + rationale: "Setting this option on a file system prevents users from executing programs from the removable. This deters users from being to introduce potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom." + compliance: + - cis: "1.1.12" + - pci_dss: "2.2.4" + references: + - CCE-4275-4 + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + # 1.1.14 /dev/shm: nodev - id: 5513 title: "Add nodev Option to /dev/shm Partition" @@ -223,9 +240,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-15007-8 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + # 1.1.15 /dev/shm: nosuid - id: 5514 title: "Add nosuid Option to /dev/shm Partition" @@ -237,9 +255,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-14306-5 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + # 1.1.16 /dev/shm: noexec - id: 5515 title: "Add noexec Option to /dev/shm Partition" 
@@ -251,9 +270,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-14927-8 - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + ########################################## # 1.2 Software Updates ########################################## @@ -268,10 +288,10 @@ checks: - pci_dss: "6.2" references: - CCE-4218-4 - condition: any + condition: none rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' - - 'p:yum-updatesd;' + - 'p:yum-updatesd' + ############################################### # 1.4 Configure SELinux ############################################### @@ -286,9 +306,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-3977-6 - condition: any + condition: none rules: - - 'f:/etc/grub.conf -> r:selinux=0;' + - 'f:/etc/grub.conf -> r:selinux=0' + # 1.4.2 Set selinux state - id: 5518 title: "Set the SELinux State" @@ -300,9 +321,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-3999-0 - condition: any + condition: all rules: - - 'f:/etc/selinux/config -> !r:SELINUX=enforcing;' + - 'f:/etc/selinux/config -> r:SELINUX=enforcing' + # 1.4.3 Set seliux policy - id: 5519 title: "Set the SELinux Policy" @@ -314,9 +336,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-3624-4 - condition: any + condition: all rules: - - 'f:/etc/selinux/config -> !r:SELINUXTYPE=targeted;' + - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted' + # 1.4.4 Remove SETroubleshoot - id: 5520 title: "Remove SETroubleshoot" @@ -326,9 +349,10 @@ checks: compliance: - cis: "1.4.4" - pci_dss: "2.2.4" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$;' + - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$' + # 1.4.5 Disable MCS Translation service mcstrans - id: 5521 title: "Disable MCS Translation Service (mcstrans)" 
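Review bot: `r:SELINUX=enforcing` in check 5518 has neither a `^` anchor nor the `!r:^#` exclusion the fstab rules use, so a commented-out `#SELINUX=enforcing` left next to an active `SELINUX=permissive` satisfies the check while the effective mode is permissive; the SELINUXTYPE rule in the next hunk (@@ -314) has the same shape. Suggested: `- 'f:/etc/selinux/config -> r:^\s*\t*SELINUX=enforcing'` and `- 'f:/etc/selinux/config -> r:^\s*\t*SELINUXTYPE=targeted'`. The prelink rule at @@ -441 (`r:PRELINKING=no`) would benefit from the same anchor.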
@@ -340,9 +364,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-3668-1 - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dmctrans$;' + - 'd:$rc_dirs -> ^S\d\dmctrans$' + ############################################### # 1.5 Secure Boot Settings ############################################### @@ -357,9 +382,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-3818-2 - condition: any + condition: all rules: - - 'f:/boot/grub/menu.lst -> NIN !r:^# && r:password;' + - 'f:/boot/grub/menu.lst -> !r:^# && r:password' + # 1.5.4 Require Authentication for Single-User Mode (Scored) - id: 5523 title: "Require Authentication for Single-User Mode" @@ -371,9 +397,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-4241-6 - condition: any + condition: none rules: - - 'f:/etc/inittab -> IN !r:^# && r:S:wait;' + - 'f:/etc/inittab -> !r:^# && r:S:wait' + # 1.5.5 Disable Interactive Boot (Scored) - id: 5524 title: "Disable Interactive Boot" @@ -385,9 +412,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-4245-7 - condition: any + condition: all rules: - - 'f:/etc/sysconfig/init -> NIN !r:^# && r:PROMPT=no;' + - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no' + ############################################### # 1.6 Additional Process Hardening ############################################### 
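Review bot: The rule `^S\d\dmctrans$` looks for an init link named `mctrans`, while the check title just above the hunk spells the service `mcstrans`; unless the RHEL5 script really is named `mctrans`, the pattern never matches and, with the new `condition: none`, check 5521 always passes. The commit converts the line without correcting it, so if the title is right the rule should be `- 'd:$rc_dirs -> ^S\d\dmcstrans$'`. A check that cannot fail is worse than no check, so this is worth verifying on a RHEL5 host before merging.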
@@ -396,29 +424,16 @@ checks: title: "Restrict Core Dumps" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core." - remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" + remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" compliance: - cis: "1.6.1" - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/security/limits.conf -> NIN !r:^# && r:hard\.+core\.+0;' -# 1.6.2 Configure ExecShield (Scored) - - id: 5526 - title: "Configure ExecShield" - description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers." - rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system." - remediation: "Add the following line to the /etc/sysctl.conf file. 
kernel.exec-shield = 1" - compliance: - - cis: "1.6.2" - - pci_dss: "2.2.4" - references: - - CCE-4168-1 - condition: any + condition: all rules: - - 'f:/proc/sys/kernel/exec-shield -> 0;' + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + # 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored) - - id: 5527 + - id: 5526 title: "Enable Randomized Virtual Memory Region Placement" description: "Set the system flag to force randomized virtual memory region placement." rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting." @@ -428,9 +443,25 @@ checks: - pci_dss: "2.2.4" references: - CCE-4146-7 - condition: any + condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> 0;' + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + +# 1.6.2 Configure ExecShield (Scored) + - id: 5527 + title: "Configure ExecShield" + description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers." + rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system." + remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1" + compliance: + - cis: "1.6.2" + - pci_dss: "2.2.4" + references: + - CCE-4168-1 + condition: all + rules: + - 'f:/proc/sys/kernel/exec-shield -> 1' + # 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored) # TODO # 1.6.5 Disable Prelink (Scored) 
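Review bot: `r:hard\.+core\.+0` in check 5525 accepts any non-comment line with `hard`, `core` and a later `0` in that order, so `* hard core 10` or `* hard core 100` pass the check although core dumps are not disabled. Matching the value as a whole field, `- 'f:/etc/security/limits.conf -> !r:^# && r:hard\s+core\s+0\s*$'`, pins it to zero (assuming `$` is honoured by the regex dialect, which the rest of the file relies on with `^…$` patterns on rc links). The remediation string was also edited to read "to /etc/security/limits.conf file"; "to the /etc/security/limits.conf file" is the intended wording.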
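Review bot: The two sysctl rules in this hunk use different forms for the same kind of test — `randomize_va_space -> r:^2$` is an anchored regex while `exec-shield -> 1` is a bare value — and the network hunks later in the patch (ip_forward, send_redirects, rp_filter, …) use the bare form throughout. For single-character /proc files the two are presumably equivalent, but mixing them in one file obscures which semantics the author relied on; one form, e.g. `- 'f:/proc/sys/kernel/exec-shield -> r:^1$'`, would be clearer. Both checks read the running kernel value under /proc while the remediation edits /etc/sysctl.conf, so a comment noting that the check reflects runtime state, not the persisted configuration, would help whoever triages a failure after a reboot.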
@@ -441,9 +472,10 @@ checks: remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no" compliance: - cis: "1.6.5" - condition: any + condition: all rules: - - 'f:/etc/sysconfig/prelink -> !r:PRELINKING=no;' + - 'f:/etc/sysconfig/prelink -> r:PRELINKING=no' + ############################################### # 2 OS Services ############################################### @@ -462,9 +494,10 @@ checks: references: - CCE-3390-2 - CCE-4330-7 - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/telnet -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + # 2.1.2 Remove telnet Clients (Scored) - id: 5530 title: "Remove rsh-server" @@ -476,11 +509,12 @@ checks: - pci_dss: "2.2.3" references: - CCE-4308-3 - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/rlogin -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/rsh -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/shell -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + # 2.1.4 Remove rsh (Scored) - id: 5531 title: "Remove NIS Client" @@ -493,9 +527,10 @@ checks: references: - CCE-3705-1 (disable) - CCE-4348-9 (uninstall) - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$;' + - 'd:$rc_dirs -> ^S\d\dypbind$' + # 2.1.6 Remove NIS Server (Scored) - id: 5532 title: "Remove NIS Server" @@ -508,9 +543,10 @@ checks: references: - CCE-3705-1 (disable) - CCE-4348-9 (uninstall) - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$;' + - 'd:$rc_dirs -> ^S\d\dypserv$' + # 2.1.7 Remove tftp (Scored) - id: 5533 title: "Remove tftp-server" 
@@ -523,9 +559,10 @@ checks: references: - CCE-4273-9 (disable) - CCE-3916-4 (uninstall) - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + # 2.1.9 Remove talk (Scored) - id: 5534 title: "Remove talk-server" 
@@ -535,29 +572,15 @@ checks: compliance: - cis: "2.1.10" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/talk -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + ############################################### # 3 Special Purpose Services ############################################### -############################################### -# 3.1 Disable Avahi Server -############################################### -# 3.1.1 Disable Avahi Server (Scored) - - id: 5535 - title: "Disable Avahi Server" - description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration." - rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it." - remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf." - compliance: - - cis: "3.1.1" - - pci_dss: "2.2.2" - condition: any - rules: - - 'p:avahi-daemon;' # 3.2 Set Daemon umask (Scored) - - id: 5536 + - id: 5535 title: "Set Daemon umask" description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process." rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission." 
@@ -566,9 +589,10 @@ checks: - cis: "3.2" condition: all rules: - - 'f:/etc/init.d/functions -> IN !r:^# && r:^umask && <:umask 027;' + - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027' + # 3.3 Remove X Windows (Scored) - - id: 5537 + - id: 5536 title: "Remove X Windows" description: "The X Windows system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on." rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." @@ -576,9 +600,23 @@ checks: compliance: - cis: "3.3" - pci_dss: "2.2.2" - condition: any + condition: none + rules: + - 'f:/etc/inittab -> !r:^# && r:id:5' + +# 3.1.1 Disable Avahi Server (Scored) + - id: 5537 + title: "Disable Avahi Server" + description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration." + rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it." + remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf." + compliance: + - cis: "3.1.1" + - pci_dss: "2.2.2" + condition: none rules: - - 'f:/etc/inittab -> IN !r:^# && r:id:5;' + - 'p:avahi-daemon' + # 3.8 Disable NFS and RPC (Not Scored) - id: 5538 title: "Disable NFS and RPC" 
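Review bot: `r:file.umask 027` in check 5535 matches the literal text `file.umask 027`, which differs both from the previous rule (`umask 027`) and from what the check's rationale describes (a daemon umask of 027); I believe a bare `.` is a literal character in this regex dialect, so the rule only passes if /etc/init.d/functions contains that exact string. Please verify against a RHEL5 functions file; if the intended line is the daemon umask setting, `- 'f:/etc/init.d/functions -> !r:^# && r:^\s*\t*umask\s+027'` is what the rationale suggests.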
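Review bot: The re-added Avahi check (id 5537) carries a rationale that talks about printing and points to "sub-sections 3.2.1 - 3.2.5", which reads as text copied from a print-service item rather than a description of why mDNS/zeroconf discovery should be disabled; the commit moves the block without fixing it. A rationale along the lines of "Avahi advertises and discovers services via multicast DNS; on a server this adds an unauthenticated network listener and discloses running services, so disable it unless a dependency requires it" would match the check. The `# 3.1.1` header now follows `# 3.3` in the file, which is fine for the scanner but worth a comment if ordering is intentional.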
@@ -588,10 +626,11 @@ checks: compliance: - cis: "3.8" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$;' - - 'd:$rc_dirs -> ^S\d\dnfslock$;' + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' + # 3.10 Remove FTP Server (Not Scored) - id: 5539 title: "Remove FTP Server" @@ -601,9 +640,10 @@ checks: compliance: - cis: "3.10" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + # 3.11 Remove HTTP Server (Not Scored) - id: 5540 title: "Remove HTTP Server" @@ -613,9 +653,10 @@ checks: compliance: - cis: "3.11" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dhttpd$;' + - 'd:$rc_dirs -> ^S\d\dhttpd$' + # 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored) - id: 5541 title: "Remove Dovecot" @@ -625,9 +666,10 @@ checks: compliance: - cis: "3.12" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + - id: 5542 title: "Remove Dovecot" description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." @@ -636,9 +678,10 @@ checks: compliance: - cis: "3.12" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/dovecot -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + # 3.13 Remove Samba (Not Scored) - id: 5543 title: "Remove Samba" @@ -648,10 +691,11 @@ checks: compliance: - cis: "3.13" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$;' - - 'd:$rc_dirs -> ^S\d\dsmb$;' + - 'd:$rc_dirs -> ^S\d\dsamba$' + - 'd:$rc_dirs -> ^S\d\dsmb$' + # 3.14 Remove HTTP Proxy Server (Not Scored) - id: 5544 title: "Remove HTTP Proxy Server" 
@@ -661,9 +705,10 @@ checks: compliance: - cis: "3.14" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$;' + - 'd:$rc_dirs -> ^S\d\dsquid$' + # 3.15 Remove SNMP Server (Not Scored) - id: 5545 title: "Remove SNMP Server" @@ -673,9 +718,10 @@ checks: compliance: - cis: "3.15" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$;' + - 'd:$rc_dirs -> ^S\d\dsnmpd$' + ############################################### # 4 Network Configuration and Firewalls ############################################### @@ -693,10 +739,11 @@ checks: - pci_dss: "2.2.4" references: - CCE-3561-8 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 1;' - - 'f:/proc/sys/net/ipv6/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + + # 4.1.2 Disable Send Packet Redirects (Scored) - id: 5547 title: "Disable Send Packet Redirects" @@ -709,10 +756,11 @@ checks: references: - CCE-4151-7 - CCE-4155-8 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + ############################################### # 4.2 Modify Network Parameters (Host and Router) ############################################### @@ -728,9 +776,10 @@ checks: references: - CCE-4236-6 - CCE-4091-5 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + # 4.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 5549 title: "Disable ICMP Redirect Acceptance" 
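Review bot: Dropping the `/proc/sys/net/ipv6/ip_forward` rule from check 5546 is correct as far as it goes — that path does not exist — but it leaves IPv6 forwarding unchecked; if IPv6 is in scope for this policy the corresponding knob is `/proc/sys/net/ipv6/conf/all/forwarding`, e.g. `- 'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`. If IPv6 is deliberately out of scope, a one-line comment saying so would stop the next reader from re-adding it.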
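Review bot: Check 5548 tests only `conf/all/accept_source_route`, while the neighbouring send_redirects and accept_redirects checks test both the `all` and `default` interfaces, and this check lists two CCE references, which suggests two settings were intended. Adding `- 'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` under the existing rule would make it consistent; the log_martians check at @@ -774 has the same single-rule shape and may be worth the same treatment.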
@@ -743,10 +792,11 @@ checks: references: - CCE-4217-6 - CCE-4186-3 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + # 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 5550 title: "Disable Secure ICMP Redirect Acceptance" @@ -759,10 +809,11 @@ checks: references: - CCE-3472-8 - CCE-3339-9 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + # 4.2.4 Log Suspicious Packets (Scored) - id: 5551 title: "Log Suspicious Packets" @@ -774,9 +825,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-4320-8 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + # 4.2.5 Enable Ignore Broadcast Requests (Scored) - id: 5552 title: "Enable Ignore Broadcast Requests" @@ -788,9 +840,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-3644-2 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + # 4.2.6 Enable Bad Error Message Protection (Scored) - id: 5553 title: "Enable Bad Error Message Protection" @@ -802,9 +855,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-4133-5 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + # 4.2.7 Enable RFC-recommended Source Route Validation (Scored) - id: 5554 title: "Enable RFC-recommended Source Route Validation" 
@@ -817,10 +871,11 @@ checks: references: - CCE-4080-8 - CCE-3840-6 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + # 4.2.8 Enable TCP SYN Cookies (Scored) - id: 5555 title: "Enable TCP SYN Cookies" @@ -832,9 +887,10 @@ checks: - pci_dss: "2.2.4" references: - CCE-4265-5 - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 0;' + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + ############################################### # 6 System Access, Authentication and Authorization ############################################### 
@@ -853,11 +909,40 @@ checks: references: - CCE-4245-7 - https://www.ssh.com/ssh/ + condition: all + rules: + - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + +# 6.2.2 Set LogLevel to INFO (Scored) + - id: 5557 + title: "Ensure SSH LogLevel is set to INFO" + description: "The INFO parameter specifies that login and logout activity will be logged." + rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" + compliance: + - cis: "5.2.3" + - cis_csc: "16" + - pci_dss: "4.1" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + +# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) + - id: 5558 + title: "Ensure SSH MaxAuthTries is set to 4 or less" + description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." + rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" + compliance: + - cis: "5.2.5" + - cis_csc: "16" + - pci_dss: "2.2.4" condition: any rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:Protocol\.+1;' + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + # 6.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 5557 + - id: 5559 title: "Set SSH IgnoreRhosts to Yes" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ." @@ -867,11 +952,12 @@ checks: - pci_dss: "4.1" references: - CCE-4250-7 - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\.+no;' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + # 6.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 5558 + - id: 5560 title: "Set SSH HostbasedAuthentication to No" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection." 
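Review bot: The new Protocol rule `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` captures only the first number, so `Protocol 2,1` — the form that still enables protocol 1, and the default on the OpenSSH shipped with RHEL5 — yields `2` and passes check 5556. A value match such as `- 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*$'` (assuming `$` is honoured) only accepts protocol 2 alone. Separately, the two new checks carry `cis: "5.2.3"` and `cis: "5.2.5"` under headers reading `# 6.2.2` and `# 6.2.5`; the 5.2.x numbers look copied from the RHEL7 policy and should be the RHEL5 benchmark ids the comments use. The MaxAuthTries rule anchors on `^MaxAuthTries` with no leading-whitespace allowance, unlike its siblings' `^\s*\t*`.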
@@ -881,11 +967,12 @@ checks: - pci_dss: "4.1" references: - CCE-4251-5 - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:HostbasedAuthentication\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + # 6.2.8 Disable SSH Root Login (Scored) - - id: 5559 + - id: 5561 title: "Disable SSH Root Login" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1) . The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" @@ -895,11 +982,12 @@ checks: - pci_dss: "4.1" references: - CCE-4252-3 - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitRootLogin\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + # 6.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 5560 + - id: 5562 title: "Set SSH PermitEmptyPasswords to No" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" @@ -909,9 +997,10 @@ checks: - pci_dss: "4.1" references: - CCE-4256-4 - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:^PermitEmptyPasswords\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + ############################################### # 9 System Maintenance ############################################### 
@@ -919,63 +1008,70 @@ checks: # 9.2 Review User and Group Settings ############################################### # 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - - id: 5561 + - id: 5563 title: "Verify No UID 0 Accounts Exist Other Than root" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console." - remediation: "Delete any other entries that are displayed." + remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - cis: "9.2.5" - pci_dss: "10.2.5" references: - CCE-4009-7 - condition: any + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && !r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + # Other/Legacy Tests - - id: 5562 + - id: 5564 title: "Account with empty password present" compliance: - pci_dss: "10.2.5" - condition: any + condition: none rules: - - 'f:/etc/shadow -> r:^\w+::;' - - id: 5563 + - 'f:/etc/shadow -> r:^\w+::' + + - id: 5565 title: "User-mounted removable partition allowed on the console" - condition: any + condition: none rules: - - 'f:/etc/security/console.perms -> r:^ \d+ ;' - - 'f:/etc/security/console.perms -> r:^ \d+ ;' - - id: 5564 + - 'f:/etc/security/console.perms -> r:^ \d+ ' + - 'f:/etc/security/console.perms -> r:^ \d+ ' + + - id: 5566 title: "Disable standard boot services - Kudzu hardware detection Enabled" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dkudzu$;' - - id: 5565 + - 'd:$rc_dirs -> ^S\d\dkudzu$' + + - id: 5567 title: "Disable standard boot services - PostgreSQL server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dpostgresql$;' - - id: 5566 
+ - 'd:$rc_dirs -> ^S\d\dpostgresql$' + + - id: 5568 title: "Disable standard boot services - MySQL server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dmysqld$;' - - id: 5567 + - 'd:$rc_dirs -> ^S\d\dmysqld$' + + - id: 5569 title: "Disable standard boot services - DNS server Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnamed$;' - - id: 5568 + - 'd:$rc_dirs -> ^S\d\dnamed$' + + - id: 5570 title: "Disable standard boot services - NetFS Enabled" compliance: - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnetfs$;' + - 'd:$rc_dirs -> ^S\d\dnetfs$' From b502bbfe6eef3c5ccac2baeb6d6742c437d90bfe Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 12:38:10 +0200 Subject: [PATCH 016/247] Fix requirements --- sca/rhel/5/cis_rhel5_linux_rcl.yml | 2 +- sca/rhel/6/cis_rhel6_linux_rcl.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml index 35090544f..3df3f8cb9 100644 --- a/sca/rhel/5/cis_rhel5_linux_rcl.yml +++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml @@ -21,7 +21,7 @@ policy: requirements: title: "Check RHEL5 version" description: "Requirements for running the SCA scan against RHEL 5." - condition: "any required" + condition: any rules: - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 5' - 'f:/etc/redhat-release -> r:^CentOS && r:release 5' diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 685bee2f3..55d54c926 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml 
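Review bot: Check 5565 keeps two identical rules, `- 'f:/etc/security/console.perms -> r:^ \d+ '` twice; with `condition: none` the duplicate changes nothing and should be dropped. In checks 5563 and 5564 the `^\w+:` prefix only matches user names made of letters, digits and underscore, so a UID-0 or empty-password account whose name contains `-` or `.` is not covered; if the regex dialect offers a punctuation class, widening the name field to include it (or using a not-colon construct) closes that gap — please confirm what the dialect supports before changing it. The 9.2.5 rule's `!r:^\s*\t*root:` exclusion is a good improvement over the old unanchored form.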
@@ -21,7 +21,7 @@ policy: requirements: title: "Check RHEL6 version" description: "Requirements for running the policy against RHEL 6 family." - condition: "any" + condition: any rules: - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6' - 'f:/etc/redhat-release -> r:^CentOS && r:release 6' From 7eab83815a79ef42c2efd424bd12caa925b052f0 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 15:25:59 +0200 Subject: [PATCH 017/247] Add missing : --- sca/rhel/6/cis_rhel6_linux_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 55d54c926..1264c24e6 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml @@ -103,7 +103,7 @@ checks: condition: all rules: - 'd:/var' - - 'f:/etc/fstab -> !r^# && r:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' # 1.1.7 bind mount /var/tmp to /tmp - id: 6005 From 2c6344d86123deaf5a28af832bdd5f4ba8d9cbec Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 15:57:38 +0200 Subject: [PATCH 018/247] Use a more sematically appropriate condition for some checks --- sca/rhel/5/cis_rhel5_linux_rcl.yml | 2 +- sca/rhel/6/cis_rhel6_linux_rcl.yml | 2 +- sca/rhel/7/cis_rhel7_linux_rcl.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml index 3df3f8cb9..6a81b9c78 100644 --- a/sca/rhel/5/cis_rhel5_linux_rcl.yml +++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml @@ -937,7 +937,7 @@ checks: - cis: "5.2.5" - cis_csc: "16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 1264c24e6..c83f5f4ef 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml 
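Review bot: The MaxAuthTries rule that `condition: all` now guards, `'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'`, is anchored at column 0, so an indented `MaxAuthTries 4` (sshd_config accepts leading whitespace) is not seen and the check fails even though the limit is set; `n:^\s*MaxAuthTries\s+(\d+) compare <= 4` matches the `^\s*` style the SSH rules elsewhere in this series use. The identical rule appears unchanged in the RHEL 6 and RHEL 7 hunks of this commit. Note that with a single rule `all` and `any` evaluate identically, so the change itself is semantic only, as the commit message says.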
@@ -855,7 +855,7 @@ checks: - cis: "5.2.5" - cis_csc: "16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 9d967865f..2c3852d5d 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -945,7 +945,7 @@ checks: - cis: "5.2.5" - cis_csc: "16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' From 685c117ef72fcd6a8bfa9832ea84e07bab34e0a1 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 15:58:09 +0200 Subject: [PATCH 019/247] Adapt SLES policies --- sca/sles/11/cis_sles11_linux_rcl.yml | 523 +++++++++++++++--------- sca/sles/12/cis_sles12_linux_rcl.yml | 582 ++++++++++++++++----------- 2 files changed, 679 insertions(+), 426 deletions(-) diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index 6c2358ae0..ed51f20f6 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml @@ -21,18 +21,14 @@ policy: requirements: title: "Check Suse 11 version" description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 11" - condition: "any required" + condition: all rules: - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP1";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP2";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP3";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 11 SP4";' + - 'f:/etc/os-release -> r:SUSE Linux Enterprise Server 11' variables: + $sshd_file: /etc/ssh/sshd_config $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - checks: # Section 1.1 - Filesystem Configuration - id: 7000 
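Review bot: The new `$sshd_file: /etc/ssh/sshd_config` variable has no trailing semicolon while the neighbouring `$rc_dirs: …/etc/rc.d/rc5.d;` keeps one, and every rule in this commit drops the old `;` terminator; if the new grammar no longer strips it, `$rc_dirs` expands to a path ending in `;`, every `d:$rc_dirs` rule below never matches, and under `condition: none` that reads as a pass. Either remove the semicolon or confirm the parser still tolerates it. Separately, the requirement now rests on a single `f:/etc/os-release` rule; as far as I recall SLES 11 predates the os-release convention and identifies itself in `/etc/SuSE-release`, so please verify the file exists on the service packs this policy targets, otherwise the policy is never applied.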
@@ -43,10 +39,12 @@ checks: compliance: - cis: "1.1.2" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + - id: 7001 title: "Ensure nodev option set on /tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." @@ -55,9 +53,11 @@ checks: compliance: - cis: "1.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nodev;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + - id: 7002 title: "Ensure nosuid option set on /tmp partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." @@ -66,9 +66,11 @@ checks: compliance: - cis: "1.1.4" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + +# 1.1.5 /tmp: noexec - id: 7003 title: "Ensure noexec option set on /tmp partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." @@ -78,9 +80,11 @@ checks: - cis: "1.1.5" - cis_csc: "2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + +# 1.1.6 Build considerations - Partition scheme. - id: 7004 title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." 
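Review bot: In check 7000 the rule `'f:/etc/fstab -> !r:^# && r:/tmp'` matches any non-comment fstab line containing `/tmp` as a substring, so an entry for `/var/tmp` (including the bind mount CIS 1.1.7 recommends) satisfies "separate partition for /tmp" with no /tmp partition present; the option rules in 7001–7003 (`r:/tmp && r:nodev` etc.) inherit the same weakness. Delimiting the mount point, e.g. `r:\s/tmp\s`, limits the match to the mount-point field, and `\s` is already used by other rules in this file. The `/var` and `/home` rules in the next hunks (7004, 7007) have the same issue: `r:/var` also matches the `/var/log` and `/var/log/audit` entries that 7005 and 7006 look for.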
@@ -89,10 +93,12 @@ checks: compliance: - cis: "1.1.6" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r^# && r:/var;' + - 'd:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' + - id: 7005 title: "Ensure separate partition exists for /var/log" description: "The /var/log directory is used by system services to store log data." @@ -102,10 +108,12 @@ checks: - cis: "1.1.11" - cis_csc: "6.3" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log;' + - 'f:/etc/fstab -> !r:^# && r:/var/log' + +# 1.1.12 /var/log/audit: partition - id: 7006 title: "Ensure separate partition exists for /var/log/audit" description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." @@ -115,10 +123,12 @@ checks: - cis: "1.1.12" - cis_csc: "6.3" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log/audit;' + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + +# 1.1.13 /home: partition - id: 7007 title: "Ensure separate partition exists for /home" description: "The /home directory is used to support disk storage needs of local users." @@ -127,10 +137,11 @@ checks: compliance: - cis: "1.1.13" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home;' + - 'f:/etc/fstab -> !r:^# && r:/home' + - id: 7008 title: "Ensure nodev option set on /home partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." 
@@ -139,44 +150,12 @@ checks: compliance: - cis: "1.1.14" - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home && r:nodev;' - - id: 7009 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm" - compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nodev;' - - id: 7010 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm" - compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' - - id: 7011 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. 
This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" - compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' - - id: 7012 + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + +# 1.1.18 nodev on removable media partitions (not scored) +- id: 7012 title: "Ensure nodev option set on removable media partitions" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." @@ -184,9 +163,11 @@ checks: compliance: - cis: "1.1.18" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + + # 1.1.19 nosuid on removable media partitions (not scored) - id: 7013 title: "Ensure nosuid option set on removable media partitions" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." @@ -195,9 +176,11 @@ checks: compliance: - cis: "1.1.19" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + +# 1.1.20 noexec on removable media partitions (not scored) - id: 7014 title: "Ensure noexec option set on removable media partitions" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
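Review bot: The re-added `- id: 7012` line sits at column 0 while every other check in this list, such as `- id: 7013` in the next hunk, is indented under `checks:`; a sequence item at a different indentation than its siblings either terminates the `checks` sequence or fails to parse, so 7012 and everything after it would be lost. Indent it to match its siblings, ` - id: 7012`, and pick one column for the `# 1.1.x` headings this commit adds (`# 1.1.18` is at column 0, `# 1.1.19` is indented). The enclosing `checks` sequence starts and ends outside this hunk.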
@@ -207,10 +190,54 @@ checks: - cis: "1.1.20" - cis_csc: "8" - pci_dss: "2.2.4" - condition: any + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + +# 1.1.15 /dev/shm: nodev + - id: 7009 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm" + compliance: + - cis: "1.1.15" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + +# 1.1.16 /dev/shm: nosuid + - id: 7010 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. 
Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm" + compliance: + - cis: "1.1.16" + - pci_dss: "2.2.4" + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:noexec;' -# Section 1.4 - Secure Boot Settings + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + +# 1.1.17 /dev/shm: noexec + - id: 7011 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" + compliance: + - cis: "1.1.17" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + +############################################### +# 1.4 Secure Boot Settings +############################################### +# 1.4.2 Set Boot Loader Password (Scored) - id: 7015 title: "Ensure bootloader password is set" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." 
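Review bot: Checks 7009–7011 (CIS 1.1.15–1.1.17, /dev/shm) are re-inserted after 7014 (CIS 1.1.20), so both the check ids and the benchmark numbering now run out of order (7012, 7013, 7014, 7009, 7010, 7011), which works against the `# 1.1.x` headings this commit introduces and makes the file harder to diff against the benchmark. Unless the move is intentional, place the three /dev/shm checks back between 7008 and 7012 while keeping the new `condition: all` and the de-semicoloned rules. The move is otherwise behaviour-neutral: the bodies match the removed ones apart from condition and rule syntax.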
@@ -220,10 +247,14 @@ checks: - cis: "1.4.2" - cis_csc: "5.1" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/boot/grub2/grub.cfg -> NIN !r:^# && r:password;' -# Section 1.5 - Additional Process Hardening + - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + +############################################### +# 1.5 Additional Process Hardening +############################################### +# 1.5.1 Restrict Core Dumps (Scored) - id: 7016 title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." @@ -232,9 +263,11 @@ checks: compliance: - cis: "1.5.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'f:/etc/security/limits.conf -> NIN !r:^# && r:hard\.+core\.+0;' + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + +# 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7017 title: "Ensure address space layout randomization (ASLR) is enabled" description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." @@ -243,9 +276,16 @@ checks: compliance: - cis: "1.5.3" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> 2;' + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + +############################################### +# 2 OS Services +############################################### +############################################### +# 2.1 Remove Legacy Services +############################################### # Section 2.1 - inetd Services - id: 7018 title: "Ensure chargen services are not enabled" 
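Review bot: Check 7015 reads `f:/boot/grub2/grub.cfg`, but as far as I recall SLES 11 ships GRUB legacy with its configuration in `/boot/grub/menu.lst` (GRUB2 arrived with SLES 12); if so the file is absent on every target and under `condition: all` the check fails regardless of whether a boot loader password is set. Verify on a SLES 11 host and, if confirmed, point the rule at the legacy file, e.g. `'f:/boot/grub/menu.lst -> !r:^# && r:^password'`. The bare `r:password` also matches any line merely containing the word; anchoring it restricts the match to the directive.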
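Review bot: In check 7016 the pattern `r:hard\.+core\.+0` combines `\.` (any character in this dialect) with `+`, so `* hard core 10` or `* hard core 1024` also satisfies it because `\.+` absorbs the leading digits and the final `0` matches; the check then passes with core dumps still allowed. Anchoring the value, `r:hard\s+core\s+0\s*$`, pins the limit to exactly zero, provided the engine honours `$` as the `r:^2$` rule added to 7017 in the next hunk suggests.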
@@ -255,10 +295,11 @@ checks: compliance: - cis: "2.1.1" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/chargen -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/chargen-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' + - id: 7019 title: "Ensure daytime services are not enabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." 
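Review bot: The xinetd rules in 7018, `!r:^# && r:disable && r:no`, are three independent substring tests on one line, so `disable = yes  # do not remove` also matches (`no` inside `not`) and the service is reported as enabled. A single pattern that ties the key to its value, `r:^\s*disable\s*=\s*no`, avoids the false match. The same three-part form is used for every xinetd rule in the following hunks (7019–7026, 7034, 7036) and could be corrected with one search-and-replace.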
@@ -267,22 +308,24 @@ checks: compliance: - cis: "2.1.2" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/daytime -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/daytime-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' + - id: 7020 title: "Ensure discard services are not enabled" - description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off" compliance: - cis: "2.1.3" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/discard -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/discard-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' + - id: 7021 title: "Ensure echo services are not enabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." 
@@ -291,10 +334,11 @@ checks: compliance: - cis: "2.1.4" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/echo -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/echo-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' + - id: 7022 title: "Ensure time services are not enabled" description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." @@ -303,10 +347,11 @@ checks: compliance: - cis: "2.1.5" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/time -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/time-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' + - id: 7023 title: "Ensure rsh server is not enabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." @@ -316,11 +361,12 @@ checks: - cis: "2.1.6" - cis_csc: "3.4, 9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/rlogin -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/rsh -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/shell -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + - id: 7024 title: "Ensure talk server is not enabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." 
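Review bot: The description of check 7022 in this hunk still reads `"timeis a network service …"`, the same missing-space typo this commit fixes for 7020 (`discardis` → `discard is`) two hunks earlier. Since the line is already inside the hunk as context, the fix belongs here too: `description: "time is a network service that responds with the server's current date and time as a 32 bit integer. …"`.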
@@ -330,9 +376,10 @@ checks: - cis: "2.1.7" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/talk -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + - id: 7025 title: "Ensure telnet server is not enabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." @@ -342,9 +389,10 @@ checks: - cis: "2.1.8" - cis_csc: "3.4, 9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/telnet -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + - id: 7026 title: "Ensure tftp server is not enabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." @@ -354,9 +402,10 @@ checks: - cis: "2.1.9" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + - id: 7027 title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." 
@@ -365,10 +414,13 @@ checks: compliance: - cis: "2.1.10, 2.2.17" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\drsyncd$;' -# Section 2.2 - Special Purpose Services + - 'd:$rc_dirs -> ^S\d\drsyncd$' + +############################################### +# 2 Special Purpose Services +############################################### - id: 7028 title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." @@ -380,8 +432,12 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'f:/etc/ntp.conf -> IN r:restrict default kod nomodify notrap nopeer noquery && r:^server;' - - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";' + - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^server|^pool + - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' + +# 2.2.2 Remove X Windows (Scored) - id: 7029 title: "Ensure X Window System is not installed" description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login." 
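Review bot: The added rule `- 'f:/etc/ntp.conf -> r:^server|^pool` has no closing quote, so the single-quoted scalar continues onto the next line and swallows `- 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"'`; the file is either rejected by the YAML loader or check 7028 ends up with one garbled rule, so close it: `- 'f:/etc/ntp.conf -> r:^server|^pool'`. The sysconfig rule also carries a stray `"` before `NTPD_OPTIONS`, which would require the line itself to start with a quote, and it requires `-u ntp:ntp` to follow the opening quote immediately, so a value such as `"-g -u ntp:ntp"` would not match; please verify the file name (`ntp` versus `ntpd` on SLES) and the expected value against a host. With `condition: any` a lone `server` line passes the whole check even with no `restrict` lines, which is the situation patch 018 in this series switched to `all`. The heading added in the rsync hunk above, `# 2 Special Purpose Services`, drops the `2.2` the removed comment carried.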
@@ -391,9 +447,11 @@ checks: - cis: "2.2.2" - cis_csc: "2" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/inittab -> IN !r:^# && r:id:5;' + - 'f:/etc/inittab -> IN !r:^# && r:id:5' + +# 2.2.3 Disable Avahi Server (Scored) - id: 7030 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." @@ -403,9 +461,10 @@ checks: - cis: "2.2.3" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'p:avahi-daemon;' + - 'p:avahi-daemon' + - id: 7031 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." @@ -414,10 +473,12 @@ checks: compliance: - cis: "2.2.5" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dhcpd$;' - - 'd:$rc_dirs -> ^S\d\dhcpd6$;' + - 'd:$rc_dirs -> ^S\d\dhcpd$' + - 'd:$rc_dirs -> ^S\d\dhcpd6$' + +# 2.2.7 Disable NFS and RPC (Not Scored) - id: 7032 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." 
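Review bot: Check 7029's rule keeps the `IN` prefix, `'f:/etc/inittab -> IN !r:^# && r:id:5'`, although this commit strips `IN`/`NIN` from every other rule, including the avahi and DHCP rules that follow it; if the new grammar no longer recognises the keyword, the token is presumably treated as part of the expression and the rule never matches, which under `condition: none` is a silent pass on a host booting to runlevel 5. Drop it for consistency: `'f:/etc/inittab -> !r:^# && r:id:5'`. Anchoring as `r:^id:5:` would additionally avoid matching unrelated lines that contain the substring.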
@@ -427,10 +488,11 @@ checks: - cis: "2.2.7" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$;' - - 'd:$rc_dirs -> ^S\d\dnfslock$;' + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' + - id: 7033 title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." @@ -440,9 +502,10 @@ checks: - cis: "2.2.8" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnamed$;' + - 'd:$rc_dirs -> ^S\d\dnamed$' + - id: 7034 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." @@ -452,9 +515,11 @@ checks: - cis: "2.2.9" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + +# 2.2.10 Remove HTTP Server (Not Scored) - id: 7035 title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." @@ -463,9 +528,10 @@ checks: compliance: - cis: "2.2.10" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dapache2$;' + - 'd:$rc_dirs -> ^S\d\dapache2$' + - id: 7036 title: "Ensure IMAP and POP3 server is not enabled" description: "cyrus is an open source IMAP and POP3 server for Linux based systems." 
@@ -475,10 +541,12 @@ checks: - cis: "2.2.11" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/dovecot -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + +# 2.2.12 Remove Samba (Not Scored) - id: 7037 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." @@ -488,10 +556,11 @@ checks: - cis: "2.2.12" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$;' - - 'd:$rc_dirs -> ^S\d\dsmb$;' + - 'd:$rc_dirs -> ^S\d\dsamba$' + - 'd:$rc_dirs -> ^S\d\dsmb$' + - id: 7038 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many environments." @@ -501,9 +570,10 @@ checks: - cis: "2.2.13" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$;' + - 'd:$rc_dirs -> ^S\d\dsquid$' + - id: 7039 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." 
@@ -513,9 +583,10 @@ checks: - cis: "2.2.14" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$;' + - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - id: 7040 title: "Ensure NIS Server is not enabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." @@ -525,9 +596,10 @@ checks: - cis: "2.2.16" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$;' + - 'd:$rc_dirs -> ^S\d\dypserv$' + # Section 2.3 - Service Clients - id: 7041 title: "Ensure NIS Client is not installed" @@ -538,10 +610,17 @@ checks: - cis: "2.3.1" - cis_csc: "2" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$;' -# Section 3.1 - Network Parameters (Host Only) + - 'd:$rc_dirs -> ^S\d\dypbind$' + +############################################### +# 3 Network Configuration and Firewalls +############################################### +############################################### +# 3.1 Modify Network Parameters (Host Only) +############################################### +# 3.1.1 Disable IP Forwarding (Scored) - id: 7042 title: "Ensure IPv4 forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." @@ -551,9 +630,10 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + - id: 7043 title: "Ensure IPv6 forwarding is disabled" description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." 
@@ -563,9 +643,11 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + +# 3.1.2 Disable Send Packet Redirects (Scored) - id: 7044 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." @@ -575,11 +657,15 @@ checks: - cis: "3.1.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;' -# Section 3.2 - Network Parameters (Host and Router) + - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + +############################################### +# 3.2 Modify Network Parameters (Host and Router) +############################################### +# 3.2.1 Disable Source Routed Packet Acceptance (Scored) - id: 7045 title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." 
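Review bot: Check 7043 now reads `f:/proc/sys/net/ipv6/ip_forward -> 0`, but its own description names the sysctl `net.ipv6.conf.all.forwarding`, whose procfs path is `/proc/sys/net/ipv6/conf/all/forwarding`; there is no `ip_forward` node under `net/ipv6`, so with `condition: all` the check fails on every host regardless of the setting (the old `any`/`1` form was wrong in the opposite direction). Use `'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`, and consider pairing it with `conf/default/forwarding` the way 7044 checks both `all` and `default` for IPv4 redirects.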
@@ -589,9 +675,11 @@ checks:
 - cis: "3.2.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + +# 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 7046 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
@@ -601,10 +689,12 @@ checks:
 - cis: "3.2.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + +# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 7047 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
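Review bot: 7045 only checks `all/accept_source_route`, while its siblings 7046 and 7047 in this same section pair every `all/` sysctl with its `default/` counterpart. Without the `default/` value an interface brought up later can accept source-routed packets and the check still passes. Add `- 'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` under the existing rule; the new `condition: all` already requires both to hold.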
@@ -614,10 +704,11 @@ checks:
 - cis: "3.2.3" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - id: 7048 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
@@ -627,9 +718,12 @@ checks:
 - cis: "3.2.4" - cis_csc: "6" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + +# 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 7049 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
@@ -639,9 +733,11 @@ checks:
 - cis: "3.2.5" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + +# 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7050 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
@@ -651,9 +747,11 @@ checks:
 - cis: "3.2.6" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + +# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 7051 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
@@ -663,10 +761,12 @@ checks:
 - cis: "3.2.7" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + +# 3.2.8 Enable TCP SYN Cookies (Scored) - id: 7052 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
@@ -676,10 +776,17 @@ checks:
 - cis: "3.2.8" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 0;' -# Section 5.2 - SSH Server Configuration + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + +############################################### +# 5 System Access, Authentication and Authorization +############################################### +############################################### +# 5.2 Configure SSH +############################################### +# 5.2.2 Set SSH Protocol to 2 (Scored) - id: 7053 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
@@ -689,9 +796,11 @@ checks:
 - cis: "5.2.2" - cis_csc: "3.4" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:Protocol\.+1;' + - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + +# 5.2.3 Set LogLevel to INFO (Scored) - id: 7054 title: "Ensure SSH LogLevel is set to INFO" description: "The INFO parameter specifies that login and logout activity will be logged."
@@ -701,9 +810,11 @@ checks:
 - cis: "5.2.3" - cis_csc: "16" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> NIN !r:^# && r:LogLevel\.+INFO;' + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + +# 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 7055 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
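Review bot: The Protocol rule in 7053 captures only the first number, so a line such as `Protocol 2,1` (constructed example) yields 2, `compare > 1` holds and the check passes although SSH-1 remains enabled. The anchor is also looser than it looks: `^\s*\t*` is redundant because `\s` already covers tabs, and nothing ties the captured number to the end of the value. A stricter rule is `- 'f:$sshd_file -> r:^\s*Protocol\s+2\s*$'`, which accepts exactly the CIS value under the existing `condition: all`. Note that `condition: all` fails the check when no Protocol line exists at all — reasonable for the OpenSSH releases this benchmark targets, but worth a sentence in the description since later OpenSSH versions dropped the directive; this file's `variables:` block is not in view, so please also confirm `$sshd_file` is declared there as it is for the SLES 12 file below.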
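Review bot: `r:LogLevel\.+INFO` in 7054 matches any uncommented line with `INFO` anywhere after the keyword, trailing comment included, so a line like `LogLevel VERBOSE # INFO was too quiet` (constructed example) passes. The same `keyword\.+value` idiom is reused for 7056, 7057, 7058 and 7059 in the following hunks, where it cuts the other way too: `PermitRootLogin yes # not for prod` satisfies `PermitRootLogin\.+no` because `\.+` swallows the value and `no` is found inside `not`. Anchor the value instead, e.g. `- 'f:$sshd_file -> r:^\s*LogLevel\s+INFO\s*$'` here and `r:^\s*PermitRootLogin\s+no\s*$` for 7058, keeping each check's existing `condition`.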
@@ -713,9 +824,11 @@ checks:
 - cis: "5.2.5" - cis_csc: "16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^\s*MaxAuthTries\s+4\s*$;' + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + +# 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - id: 7056 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
@@ -725,9 +838,11 @@ checks:
 - cis: "5.2.6" - cis_csc: "9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\.+no;' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + +# 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 7057 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
@@ -737,9 +852,11 @@ checks:
 - cis: "5.2.7" - cis_csc: "9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:HostbasedAuthentication\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + +# 5.2.8 Disable SSH Root Login (Scored) - id: 7058 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
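Review bot: The 7055 pattern `^MaxAuthTries\s+(\d+)` is the only sshd rule in this commit anchored without the leading `\s*` that 7053, 7057 and 7058 use, so an indented directive (valid in sshd_config) is skipped and, with `condition: all`, the check fails on a compliant host. Assuming `n:` rules use the same regex syntax as `r:` (the Protocol rule suggests they do), use `- 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4'`. It is also worth stating in the description that a missing MaxAuthTries line fails this check under `condition: all`, which is the intended outcome given sshd's default of 6.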
@@ -749,9 +866,11 @@ checks:
 - cis: "5.2.8" - cis_csc: "5.8" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^\s*PermitRootLogin\.+no;' + - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + +# 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - id: 7059 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
@@ -761,22 +880,17 @@ checks:
 - cis: "5.2.9" - cis_csc: "16" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> !r:^\s*PermitEmptyPasswords\.+no;' -# Section 6.2 - User and Group Settings - - id: 7060 - title: "Ensure password fields are not empty" - description: "An account with an empty password field means that anybody may log in as that user without providing a password." - rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." - remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." - compliance: - - cis: "6.2.1" - - cis_csc: "16" - - pci_dss: "10.2.5" - condition: any - rules: - - 'f:/etc/shadow -> r:^\w+::;' + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + +############################################### +# 6 System Maintenance +############################################### +############################################### +# 6.2 Review User and Group Settings +############################################### +# 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - id: 7061 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system."
@@ -786,6 +900,19 @@ checks:
 - cis: "6.2.5" - cis_csc: "5.1" - pci_dss: "10.2.5" - condition: any + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + + - id: 7060 + title: "Ensure password fields are not empty" + description: "An account with an empty password field means that anybody may log in as that user without providing a password." + rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." + remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." + compliance: + - cis: "6.2.1" + - cis_csc: "16" + - pci_dss: "10.2.5" + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && !r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
index a50985e9b..e35c6e360 100644
--- a/sca/sles/12/cis_sles12_linux_rcl.yml
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml
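Review bot: In 7061, `r:^\w+:\w+:0:` only flags a UID-0 entry whose password field consists of word characters; an entry with `*`, `!` or an empty second field (all valid in /etc/passwd) does not match and so escapes the `condition: none` test, and the same gap applies to the account name if the engine's `\w` class excludes `.` or `$`. Since the intent is "any UID 0 line other than root", match the password field loosely, e.g. `- 'f:/etc/passwd -> !r:^# && !r:^\s*root: && r:^\S+:\S*:0:'` — please confirm `\S` and the backtracking this needs against the SCA regex engine before adopting it. The relocated 7060 rule `r:^\w+::` on /etc/shadow carries the same `\w` caveat for the account name.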
@@ -21,18 +21,14 @@ policy:
 requirements: title: "Check Suse 12 version" description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 12" - condition: "any required" + condition: all rules: - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP1";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP2";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP3";' - - 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12 SP4";' + - 'f:/etc/os-release -> r:SUSE Linux Enterprise Server 12' variables: + $sshd_file: /etc/ssh/sshd_config $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; - checks: # Section 1.1 - Filesystem Configuration - id: 7500
@@ -43,10 +39,12 @@ checks:
 compliance: - cis: "1.1.2" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> !r:/tmp;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + - id: 7501 title: "Ensure nodev option set on /tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices."
@@ -55,9 +53,11 @@ checks:
 compliance: - cis: "1.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nodev;' + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + - id: 7502 title: "Ensure nosuid option set on /tmp partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
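Review bot: The new `$sshd_file` variable is declared without the trailing `;` that `$rc_dirs` keeps on the very next line, while the rest of this commit strips `;` terminators from every rule. If the updated SCA syntax no longer treats `;` as a terminator, the last `$rc_dirs` entry would expand to `/etc/rc.d/rc5.d;` and the `d:$rc_dirs` checks would silently skip that directory; either way the two declarations should use the same form. Separately, the replacement requirement `r:SUSE Linux Enterprise Server 12` is unanchored, so it also fires on any other os-release line carrying that text; `- 'f:/etc/os-release -> r:^PRETTY_NAME="SUSE Linux Enterprise Server 12'` keeps the rule as specific as the five lines it replaces while still covering every service pack.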
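Review bot: `r:/tmp` in 7500 is an unanchored substring match, so an fstab entry for `/var/tmp` alone satisfies the rule and the check passes without a separate /tmp partition; in the following hunks `r:/var` (7504) likewise matches a `/var/log` or `/var/lib` line and `r:/var/log` (7505) matches `/var/log/audit`. The added `d:/tmp` rule does not help here — the directory exists on practically every host, so under `condition: all` it contributes no evidence. Match the mount-point field together with its delimiters, e.g. `- 'f:/etc/fstab -> !r:^# && r:\s/tmp\s'`, and apply the same shape to the option checks 7501–7508 (`r:\s/tmp\s && r:nodev` and so on).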
@@ -66,9 +66,11 @@ checks:
 compliance: - cis: "1.1.4" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + +# 1.1.5 /tmp: noexec - id: 7503 title: "Ensure noexec option set on /tmp partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
@@ -78,9 +80,11 @@ checks:
 - cis: "1.1.5" - cis_csc: "2" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/tmp && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + +# 1.1.6 Build considerations - Partition scheme. - id: 7504 title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
@@ -89,10 +93,12 @@ checks:
 compliance: - cis: "1.1.6" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var;' + - 'd:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' + - id: 7505 title: "Ensure separate partition exists for /var/log" description: "The /var/log directory is used by system services to store log data."
@@ -102,10 +108,12 @@ checks:
 - cis: "1.1.11" - cis_csc: "6.3" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log;' + - 'f:/etc/fstab -> !r:^# && r:/var/log' + +# 1.1.12 /var/log/audit: partition - id: 7506 title: "Ensure separate partition exists for /var/log/audit" description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
@@ -115,10 +123,12 @@ checks:
 - cis: "1.1.12" - cis_csc: "6.3" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/var/log/audit;' + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + +# 1.1.13 /home: partition - id: 7507 title: "Ensure separate partition exists for /home" description: "The /home directory is used to support disk storage needs of local users."
@@ -127,10 +137,12 @@ checks:
 compliance: - cis: "1.1.13" references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: any + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home;' + - 'f:/etc/fstab -> !r:^# && r:/home' + +# 1.1.14 /home: nodev - id: 7508 title: "Ensure nodev option set on /home partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices."
@@ -139,43 +151,11 @@ checks:
 compliance: - cis: "1.1.14" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/home && r:nodev;' - - id: 7509 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" - compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nodev;' - - id: 7510 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. 
Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" - compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:nosuid;' - - id: 7511 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. 
The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" - compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: any - rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/dev/shm && r:noexec;' + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + +# 1.1.18 nodev on removable media partitions (not scored) - id: 7512 title: "Ensure nodev option set on removable media partitions" description: "The nodev mount option specifies that the filesystem cannot contain special devices."
@@ -184,9 +164,11 @@ checks:
 compliance: - cis: "1.1.18" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nodev;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + +# 1.1.19 nosuid on removable media partitions (not scored) - id: 7513 title: "Ensure nosuid option set on removable media partitions" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
@@ -195,9 +177,11 @@ checks:
 compliance: - cis: "1.1.19" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:nosuid;' + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + +# 1.1.20 noexec on removable media partitions (not scored) - id: 7514 title: "Ensure noexec option set on removable media partitions" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
@@ -207,10 +191,54 @@ checks:
 - cis: "1.1.20" - cis_csc: "8" - pci_dss: "2.2.4" - condition: any + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + +# 1.1.15 /dev/shm: nodev + - id: 7509 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + compliance: + - cis: "1.1.15" + - pci_dss: "2.2.4" + condition: all rules: - - 'f:/etc/fstab -> NIN !r:^# && r:/media && r:noexec;' -# Section 1.4 - Secure Boot Settings + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + +# 1.1.16 /dev/shm: nosuid + - id: 7510 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. 
See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + compliance: + - cis: "1.1.16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + +# 1.1.17 /dev/shm: noexec + - id: 7511 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. 
The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + compliance: + - cis: "1.1.17" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + +############################################### +# 1.4 Secure Boot Settings +############################################### +# 1.4.2 Set Boot Loader Password (Scored) - id: 7515 title: "Ensure bootloader password is set" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
@@ -220,10 +248,14 @@ checks:
 - cis: "1.4.2" - cis_csc: "5.1" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/boot/grub2/grub.cfg -> NIN !r:^# && r:password;' -# Section 1.5 - Additional Process Hardening + - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + +############################################### +# 1.5 Additional Process Hardening +############################################### +# 1.5.1 Restrict Core Dumps (Scored) - id: 7516 title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
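Review bot: The relocated /dev/shm checks 7509–7511 (CIS 1.1.15–1.1.17) now sit after 7512–7514 (1.1.18–1.1.20), so from here on both the ids and the new section comments run out of order, which makes the file harder to diff against the benchmark. Since the ids themselves do not change, moving the three blocks back above the `# 1.1.18` comment keeps the numbering monotonic and lets the new headers read top-down.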
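Review bot: `r:password` in 7515 is an unanchored substring, so any uncommented grub.cfg line that merely contains the word (a menu entry title or an `echo` message, constructed examples) makes the check pass without a bootloader password being configured. The CIS audit step for 1.4.2 greps for the `set superusers` and `password` directives at line start, so express that directly under the existing `condition: all`: `- 'f:/boot/grub2/grub.cfg -> r:^\s*set superusers'` and `- 'f:/boot/grub2/grub.cfg -> r:^\s*password'`.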
@@ -232,9 +264,11 @@ checks:
 compliance: - cis: "1.5.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'f:/etc/security/limits.conf -> NIN !r:^# && r:hard\.+core\.+0;' + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + +# 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7517 title: "Ensure address space layout randomization (ASLR) is enabled" description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
@@ -243,9 +277,16 @@ checks:
 compliance: - cis: "1.5.3" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> 2;' + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + +############################################### +# 2 OS Services +############################################### +############################################### +# 2.1 Remove Legacy Services +############################################### # Section 2.1 - inetd Services - id: 7518 title: "Ensure chargen services are not enabled"
@@ -255,10 +296,11 @@ checks:
 compliance: - cis: "2.1.1" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/chargen -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/chargen-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' + - id: 7519 title: "Ensure daytime services are not enabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
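Review bot: 7517 now writes its expected sysctl value as an anchored regex, `r:^2$`, while the equivalent /proc checks 7042–7052 earlier in this commit use bare literals (`-> 0`, `-> 1`). Both may well be correct, but they encode two different assumptions about how a bare value is compared (whole line versus substring), and a reader of the policy alone cannot tell which one the engine implements. Pick one form for every sysctl rule; if the bare form turns out to be a substring match, the anchored regex is the safer choice and the earlier rules should follow it.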
@@ -267,10 +309,11 @@ checks:
 compliance: - cis: "2.1.2" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/daytime -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/daytime-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' + - id: 7520 title: "Ensure discard services are not enabled" description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
@@ -279,10 +322,11 @@ checks:
 compliance: - cis: "2.1.3" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/discard -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/discard-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' + - id: 7521 title: "Ensure echo services are not enabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
@@ -291,10 +335,11 @@ checks:
 compliance: - cis: "2.1.4" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/echo -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/echo-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' + - id: 7522 title: "Ensure time services are not enabled" description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
@@ -303,12 +348,13 @@ checks:
 compliance: - cis: "2.1.5" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/time -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/time-udp -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' + - id: 7523 - title: "Ensure rsh server is not enabled" + title: "Ensure rsh server is disabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
@@ -316,16 +362,17 @@ checks:
 - cis: "2.1.6" - cis_csc: "3.4, 9.1" - pci_dss: "2.2.3" - condition: any - rules: - - 'f:/etc/xinetd.d/rlogin -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/rsh -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/shell -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart;' - - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart;' - - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart;' + condition: none + rules: + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart' + - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart' + - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart' + - id: 7524 - title: "Ensure talk server is not enabled" + title: "Ensure talk server is disabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # chkconfig talk off"
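Review bot: The three systemd rules in 7523 (`rexec@.service`, `rlogin@.service` and `rsh@.service -> r:ExecStart`) fire whenever the unit files exist, i.e. whenever the package is installed, not when the service is enabled; with `condition: none` a host that has the package installed but the services turned off fails a check whose title now reads "is disabled". 7524 (`ntalk.service -> r:Exec`) and 7525 (`telnet@.service`) in the next two hunks have the same shape. Either keep the title aligned with what is actually tested ("is not installed", which is also the stronger outcome the rationale argues for) or test enablement itself — for instance the absence of the corresponding link under `/etc/systemd/system/sockets.target.wants` or the `chkconfig` state the remediation refers to — so the check matches its name.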
@@ -333,12 +380,13 @@ checks: - cis: "2.1.7" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/talk -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec;' + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec' + - id: 7525 - title: "Ensure telnet server is not enabled" + title: "Ensure telnet server is disabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Run the following command to disable telnet: # chkconfig telnet off" 
@@ -346,12 +394,13 @@ checks: - cis: "2.1.8" - cis_csc: "3.4, 9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/telnet -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd;' + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd' + - id: 7526 - title: "Ensure tftp server is not enabled" + title: "Ensure tftp server is disabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable atftpd" 
@@ -359,33 +408,39 @@ checks: - cis: "2.1.9, 2.2.17" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> IN !r:^# && r:disable && r:no;' - - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec;' + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec' + - id: 7527 - title: "Ensure rsync service is not enabled" + title: "Ensure rsync service is disabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd" compliance: - cis: "2.1.10, 2.2.18" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\drsyncd$;' + - 'd:$rc_dirs -> ^S\d\drsyncd$' + - id: 7528 - title: "Ensure xinetd is not enabled" + title: "Ensure xinetd is disabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd : # systemctl disable xinetd" compliance: - cis: "2.1.11" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec;' -# Section 2.2 - Special Purpose Services + - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec' + + +############################################### +# 2 Special Purpose Services +############################################### - id: 7529 title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). 
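Review bot: 7527 keeps only the SysV test `d:$rc_dirs -> ^S\d\drsyncd$`, while the neighbouring 7528 also inspects its systemd unit file; on a systemd-only host the rc directories hold no S-links and `condition: none` passes the rsync check vacuously. Adding a unit-file rule in the style of 7528, e.g. `- 'f:/usr/lib/systemd/system/rsyncd.service -> r:Exec'`, keeps the two checks consistent (the remediation itself names `systemctl disable rsyncd`). 7533, 7534, 7536, 7538, 7539 and 7540 have the same gap. Separately, the new banner `# 2 Special Purpose Services` replaces `# Section 2.2 - Special Purpose Services`, yet the sub-heading beneath it (`# 2.2.2 ...`) and every `cis:` tag in the section are 2.2.x, so `# 2.2 Special Purpose Services` would match the other banners (`# 3.1 …`, `# 3.2 …`).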
It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." @@ -397,8 +452,12 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'f:/etc/ntp.conf -> IN r:restrict default kod nomodify notrap nopeer noquery && r:^server;' - - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid";' + - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^server|^pool + - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' + +# 2.2.2 Remove X Windows (Scored) - id: 7530 title: "Ensure X Window System is not installed" description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login." 
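Review bot: The new rule `- 'f:/etc/ntp.conf -> r:^server|^pool` in 7529 is missing its closing single quote, so the YAML scalar runs on into the next line and the policy file will not parse as intended (a strict loader rejects it; a lenient one folds the following rule into this one). It should read `- 'f:/etc/ntp.conf -> r:^server|^pool'`. The fourth rule, `r:"NTPD_OPTIONS="-u ntp:ntp"`, also starts its regex with a literal `"`, which presumably never appears at that position in /etc/sysconfig/ntpd — worth confirming against a real file. Note too that `condition: any` lets a single matching line (for example just a `server` entry) satisfy a check whose rules describe four separate requirements; `all` looks like the intended semantics.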
@@ -408,12 +467,14 @@ checks: - cis: "2.2.2" - cis_csc: "2" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/usr/lib/systemd/system/default.target -> r:Graphical;' - - 'p:gdm-x-session;' + - 'f:/usr/lib/systemd/system/default.target -> r:Graphical' + - 'p:gdm-x-session' + +# 2.2.3 Disable Avahi Server (Scored) - id: 7531 - title: "Ensure Avahi Server is not enabled" + title: "Ensure Avahi Server is disabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon" 
@@ -421,20 +482,23 @@ checks: - cis: "2.2.3" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'p:avahi-daemon;' + - 'p:avahi-daemon' + - id: 7532 - title: "Ensure DHCP Server is not enabled" + title: "Ensure DHCP Server is disabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd" compliance: - cis: "2.2.5" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec;' + - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec' + +# 2.2.7 Disable NFS and RPC (Not Scored) - id: 7533 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." @@ -444,12 +508,13 @@ checks: - cis: "2.2.7" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$;' - - 'd:$rc_dirs -> ^S\d\dnfslock$;' + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' + - id: 7534 - title: "Ensure DNS Server is not enabled" + title: "Ensure DNS Server is disabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable named : # systemctl disable named" 
@@ -457,11 +522,12 @@ checks: - cis: "2.2.8" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnamed$;' + - 'd:$rc_dirs -> ^S\d\dnamed$' + - id: 7535 - title: "Ensure FTP Server is not enabled" + title: "Ensure FTP Server is disabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited." 
@@ -469,22 +535,25 @@ checks: - cis: "2.2.9" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + +# 2.2.10 Remove HTTP Server (Not Scored) - id: 7536 - title: "Ensure HTTP server is not enabled" + title: "Ensure HTTP server is disabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited." compliance: - cis: "2.2.10" - cis_csc: "9.1" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dapache2$;' + - 'd:$rc_dirs -> ^S\d\dapache2$' + - id: 7537 - title: "Ensure IMAP and POP3 server is not enabled" + title: "Ensure IMAP and POP3 server is disabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited." 
@@ -492,12 +561,14 @@ checks: - cis: "2.2.11" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> IN !r:^# && r:disable && r:no;' - - 'f:/etc/xinetd.d/dovecot -> IN !r:^# && r:disable && r:no;' + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + +# 2.2.12 Remove Samba (Not Scored) - id: 7538 - title: "Ensure Samba is not enabled" + title: "Ensure Samba is disabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb : # systemctl disable smb" @@ -505,12 +576,13 @@ checks: - cis: "2.2.12" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$;' - - 'd:$rc_dirs -> ^S\d\dsmb$;' + - 'd:$rc_dirs -> ^S\d\dsamba$' + - 'd:$rc_dirs -> ^S\d\dsmb$' + - id: 7539 - title: "Ensure HTTP Proxy Server is not enabled" + title: "Ensure HTTP Proxy Server is disabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked." 
@@ -518,11 +590,12 @@ checks: - cis: "2.2.13" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$;' + - 'd:$rc_dirs -> ^S\d\dsquid$' + - id: 7540 - title: "Ensure SNMP Server is not enabled" + title: "Ensure SNMP Server is disabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods." 
@@ -530,11 +603,12 @@ checks: - cis: "2.2.14" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$;' + - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - id: 7541 - title: "Ensure NIS Server is not enabled" + title: "Ensure NIS Server is disabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" remediation: "Run the following command to disable ypserv : # systemctl disable ypserv" @@ -542,10 +616,11 @@ checks: - cis: "2.2.16" - cis_csc: "9.1" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$;' - - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec;' + - 'd:$rc_dirs -> ^S\d\dypserv$' + - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec' + # Section 2.3 - Service Clients - id: 7542 title: "Ensure NIS Client is not installed" 
@@ -556,11 +631,18 @@ checks: - cis: "2.3.1" - cis_csc: "2" - pci_dss: "2.2.3" - condition: any + condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$;' - - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec;' -# Section 3.1 - Network Parameters (Host Only) + - 'd:$rc_dirs -> ^S\d\dypbind$' + - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec' + +############################################### +# 3 Network Configuration and Firewalls +############################################### +############################################### +# 3.1 Modify Network Parameters (Host Only) +############################################### +# 3.1.1 Disable IP Forwarding (Scored) - id: 7543 title: "Ensure IPv4 forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." @@ -570,9 +652,10 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + - id: 7544 title: "Ensure IPv6 forwarding is disabled" description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." @@ -582,9 +665,11 @@ checks: - cis: "3.1.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 1;' + - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + +# 3.1.2 Disable Send Packet Redirects (Scored) - id: 7545 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." 
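Review bot: The IPv6 forwarding rule in the third hunk, `'f:/proc/sys/net/ipv6/ip_forward -> 0'` (7544), points at a file the kernel does not expose; the check's own description names `net.ipv6.conf.all.forwarding`, whose procfs path is `/proc/sys/net/ipv6/conf/all/forwarding`. Under `condition: all` the missing file presumably makes the check fail (or error) on every host regardless of the actual setting. The line should be `- 'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`, matching the style of the IPv4 rule in 7543 above.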
@@ -594,11 +679,15 @@ checks: - cis: "3.1.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 1;' -# Section 3.2 - Network Parameters (Host and Router) + - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + +############################################### +# 3.2 Modify Network Parameters (Host and Router) +############################################### +# 3.2.1 Disable Source Routed Packet Acceptance (Scored) - id: 7546 title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." @@ -608,9 +697,11 @@ checks: - cis: "3.2.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + +# 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 7547 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." 
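Review bot: 7546 tests only `/proc/sys/net/ipv4/conf/all/accept_source_route`, whereas 7545 before it and 7547 after it test both the `all` and the `default` knob; a host with `default.accept_source_route = 1` (applied to interfaces created later) passes 7546 under `condition: all`. Add `- 'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` alongside the existing rule so the check is consistent with its siblings.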
@@ -620,10 +711,12 @@ checks: - cis: "3.2.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + +# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 7548 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." @@ -633,12 +726,13 @@ checks: - cis: "3.2.3" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 1;' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 1;' + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - id: 7549 - title: "nsure suspicious packets are logged" + title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1." 
@@ -646,9 +740,12 @@ checks: - cis: "3.2.4" - cis_csc: "6" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + +# 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 7550 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." @@ -658,9 +755,11 @@ checks: - cis: "3.2.5" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + +# 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7551 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." @@ -670,9 +769,11 @@ checks: - cis: "3.2.6" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 0;' + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + +# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 7552 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." 
@@ -682,10 +783,12 @@ checks: - cis: "3.2.7" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 0;' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 0;' + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + +# 3.2.8 Enable TCP SYN Cookies (Scored) - id: 7553 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." @@ -695,10 +798,17 @@ checks: - cis: "3.2.8" - cis_csc: "3, 11" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 0;' -# Section 5.2 - SSH Server Configuration + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + +############################################### +# 5 System Access, Authentication and Authorization +############################################### +############################################### +# 5.2 Configure SSH +############################################### +# 5.2.2 Set SSH Protocol to 2 (Scored) - id: 7554 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." 
@@ -708,9 +818,11 @@ checks: - cis: "5.2.2" - cis_csc: "3.4" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:Protocol\.+1;' + - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + +# 5.2.3 Set LogLevel to INFO (Scored) - id: 7555 title: "Ensure SSH LogLevel is set to INFO" description: "The INFO parameter specifies that login and logout activity will be logged." @@ -720,9 +832,11 @@ checks: - cis: "5.2.3" - cis_csc: "16" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && !r:LogLevel\.+INFO;' + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + +# 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 7556 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." @@ -732,11 +846,11 @@ checks: - cis: "5.2.5" - cis_csc: "16" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:MaxAuthTries && !r:3\s*$;' - - 'f:/etc/ssh/sshd_config -> r:^#\s*MaxAuthTries;' - - 'f:/etc/ssh/sshd_config -> !r:MaxAuthTries;' + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + +# 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - id: 7557 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." 
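Review bot: The Protocol rule in 7554, `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1`, captures only the first number, so `Protocol 2,1` yields 2 and passes although protocol 1 stays enabled; a literal match such as `r:^\s*\t*Protocol\s+2\s*$` pins the title's requirement. Under `condition: all` the check also fails on a config with no `Protocol` line at all, which is the normal state on OpenSSH releases that dropped protocol 1 — presumably acceptable here, but worth a comment on the check. In the same file section, 7555 relies on `!r:^# && r:LogLevel\.+INFO`, which does not exclude an indented comment (`  #LogLevel INFO`) and so can pass with nothing configured; 7557 on the next hunk line uses the same idiom, while 7554, 7556, 7558 and 7559 use the `^\s*\t*Keyword` anchor, so `r:^\s*\t*LogLevel\.+INFO` keeps the file consistent. 7556 anchors with a bare `^MaxAuthTries`, so an indented directive (which sshd accepts) is missed and the check fails spuriously.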
@@ -746,9 +860,11 @@ checks: - cis: "5.2.6" - cis_csc: "9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\.+no;' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + +# 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 7558 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." @@ -758,9 +874,11 @@ checks: - cis: "5.2.7" - cis_csc: "9" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:HostbasedAuthentication\.+yes;' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + +# 5.2.8 Disable SSH Root Login (Scored) - id: 7559 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." @@ -770,10 +888,11 @@ checks: - cis: "5.2.8" - cis_csc: "5.8" - pci_dss: "4.1" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitRootLogin\.+yes;' - - 'f:/etc/ssh/sshd_config -> r:^#\s*PermitRootLogin;' + - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + +# 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - id: 7560 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." 
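Review bot: 7559's `r:^\s*\t*PermitRootLogin\.+no` (and 7558's `HostbasedAuthentication\.+yes`) cannot tell a global directive from one scoped inside a `Match` block, since sshd accepts both keywords there; a config with a global `PermitRootLogin yes` and a `Match`-scoped `no` therefore passes 7559 under `condition: all`. Line-oriented SCA rules cannot parse Match scopes, so a note on the check, e.g. `# NOTE: a Match-scoped PermitRootLogin no also satisfies this regex`, would tell readers the limitation. `\.+no` is also looser than needed — `\s+no\s*$` would stop a value that merely contains `no` further along the line from matching.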
@@ -783,23 +902,17 @@ checks: - cis: "5.2.9" - cis_csc: "16" - pci_dss: "4.1" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:^PermitEmptyPasswords\.+yes;' - - 'f:/etc/ssh/sshd_config -> r:^#\s*PermitEmptyPasswords;' -# Section 6.2 - User and Group Settings - - id: 7561 - title: "Ensure password fields are not empty" - description: "An account with an empty password field means that anybody may log in as that user without providing a password." - rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." - remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." - compliance: - - cis: "6.2.1" - - cis_csc: "16" - - pci_dss: "10.2.5" - condition: any - rules: - - 'f:/etc/shadow -> r:^\w+::;' + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + +############################################### +# 6 System Maintenance +############################################### +############################################### +# 6.2 Review User and Group Settings +############################################### +# 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - id: 7562 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." 
@@ -809,6 +922,19 @@ checks: - cis: "6.2.5" - cis_csc: "5.1" - pci_dss: "10.2.5" - condition: any + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + + - id: 7561 + title: "Ensure password fields are not empty" + description: "An account with an empty password field means that anybody may log in as that user without providing a password." + rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." + remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." + compliance: + - cis: "6.2.1" + - cis_csc: "16" + - pci_dss: "10.2.5" + condition: none rules: - - 'f:/etc/passwd -> IN !r:^# && !r:^root: && r:^\w+:\w+:0:;' + - 'f:/etc/shadow -> r:^\w+::' From d9920e77b26b624144f8ab37d650717c45b5267e Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 17:47:26 +0200 Subject: [PATCH 020/247] Adapt Solaris 11 --- sca/sunos/cis_solaris11_rcl.yml | 602 ++++++++++++++++---------------- 1 file changed, 310 insertions(+), 292 deletions(-) diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml index 144d0fb58..a7ecdd130 100644 --- a/sca/sunos/cis_solaris11_rcl.yml +++ b/sca/sunos/cis_solaris11_rcl.yml 
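Review bot: 7561 (cis 6.2.1) is re-inserted after 7562 and so sits under the `# 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)` banner the hunk adds, which now labels the wrong check; either move 7561 ahead of that banner or give it its own `# 6.2.1 Ensure Password Fields are Not Empty (Scored)` heading in the style used elsewhere in the file. On the UID-0 rule, `r:^\w+:\w+:0:` only matches account names made of `\w` characters, so a UID-0 account whose name contains a character outside that class would be missed under `condition: none`; the same limit applies to the shadow rule `r:^\w+::`. Worth verifying that the engine's `\w` covers every character allowed in local account names (`-` and `.` in particular).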
@@ -21,12 +21,12 @@ policy:
requirements:
title: "Check Solaris version"
description: "Requirements for running the CIS benchmark against Solaris 11"
- condition: "all required"
+ condition: all
rules:
- - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11\p;'
+ - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11\p'
variables:
- $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
+ $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/
checks:
# 2 Disable Unnecessary Services
@@ -37,10 +37,11 @@ checks:
remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default"
compliance:
- cis: "2.1"
- condition: any
+ condition: none
rules:
- - 'p:gdm;'
- - 'p:cde;'
+ - 'p:gdm'
+ - 'p:cde'
+
- id: 11501
title: "Configure sendmail Service for Local-Only Mode"
description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it."
@@ -48,9 +49,10 @@ checks: remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail" compliance: - cis: "2.2" - condition: any + condition: all rules: - - 'f:!/etc/mail/local.cf;' + - 'f:/etc/mail/local.cf' + - id: 11502 title: "Disable RPC Encryption Key" description: "The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)" @@ -58,9 +60,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv" compliance: - cis: "2.3" - condition: any + condition: none rules: - - 'p:keyserv;' + - 'p:keyserv' + - id: 11503 title: "Disable NIS Server Services" description: "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server." 
@@ -68,14 +71,15 @@ checks: remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain" compliance: - cis: "2.4" - condition: any - rules: - - 'p:ypserv;' - - 'p:ypbind;' - - 'p:ypxfr;' - - 'p:rpc.yppasswdd;' - - 'p:rpc.ypupdated;' - - 'f:/etc/init.d/nis;' + condition: none + rules: + - 'p:ypserv' + - 'p:ypbind' + - 'p:ypxfr' + - 'p:rpc.yppasswdd' + - 'p:rpc.ypupdated' + - 'f:/etc/init.d/nis' + - id: 11504 title: "Disable NIS Client Services" description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system." @@ -83,14 +87,15 @@ checks: remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain" compliance: - cis: "2.5" - condition: any - rules: - - 'p:ypserv;' - - 'p:ypbind;' - - 'p:ypxfr;' - - 'p:rpc.yppasswdd;' - - 'p:rpc.ypupdated;' - - 'f:/etc/init.d/nis;' + condition: none + rules: + - 'p:ypserv' + - 'p:ypbind' + - 'p:ypxfr' + - 'p:rpc.yppasswdd' + - 'p:rpc.ypupdated' + - 'f:/etc/init.d/nis' + - id: 11505 title: "Disable Kerberos TGT Expiration Warning" description: "The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be \"local only\" by default." 
@@ -98,9 +103,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn" compliance: - cis: "2.6" - condition: any + condition: none rules: - - 'p:ktkt_warnd;' + - 'p:ktkt_warnd' + - id: 11506 title: "Disable Generic Security Services (GSS)" description: "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes." @@ -108,9 +114,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss" compliance: - cis: "2.7" - condition: any + condition: none rules: - - 'p:gssd;' + - 'p:gssd' + - id: 11507 title: "Disable Removable Volume Manager" description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details." @@ -118,9 +125,10 @@ checks: remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver" compliance: - cis: "2.8" - condition: any + condition: none rules: - - 'p:smserverd;' + - 'p:smserverd' + - id: 11508 title: "Disable automount Service" description: "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration." 
@@ -128,9 +136,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs" compliance: - cis: "2.9" - condition: any + condition: none rules: - - 'p:automountd;' + - 'p:automountd' + - id: 11509 title: "Disable Apache Service" description: "The Apache service provides an instance of the Apache web server." @@ -140,10 +149,11 @@ checks: - cis: "2.10" references: - http://httpd.apache.org/docs/2.0/misc/security_tips.html - condition: any + condition: none rules: - - 'p:apache;' - - 'p:httpd;' + - 'p:apache' + - 'p:httpd' + - id: 11510 title: "Disable Local-only RPC Port Mapping Service" description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only." @@ -151,9 +161,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section." compliance: - cis: "2.11" - condition: any + condition: none rules: - - 'p:rpcbind;' + - 'p:rpcbind' + - id: 11511 title: "Configure TCP Wrappers" description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections." 
@@ -163,10 +174,11 @@ checks:
 - cis: "2.12"
 references:
 - ipfilter(5) man page
- condition: any
+ condition: all
 rules:
- - 'f:!/etc/hosts.allow;'
- - 'f:!/etc/hosts.deny;'
+ - 'f:/etc/hosts.allow'
+ - 'f:/etc/hosts.deny'
+
 - id: 11512
 title: "Disable Telnet Service"
 description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access."
@@ -174,9 +186,10 @@ checks:
 remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
 compliance:
 - cis: "2.13"
- condition: any
+ condition: all
 rules:
- - 'p:telnetd;'
+ - 'p:telnetd'
+
 # 3 Kernel Tuning
 - id: 11513
 title: "Restrict Core Dumps to Protected Directory"
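Review bot: Check 11512 (Disable Telnet Service) now passes only when a `telnetd` process is found, because `condition: all` with the single rule `p:telnetd` requires the match; that is the opposite of the title and of the other service-disable checks in this file (gdm, keyserv, NIS, rpcbind), which were converted to `condition: none`. Change it to `condition: none` so the check passes when no telnet daemon is running. The preceding hunk for 11511 (hosts.allow/hosts.deny must exist) reads correctly with `all`.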
@@ -185,17 +198,18 @@ checks: remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid" compliance: - cis: "3.1" - condition: any - rules: - - 'f:/etc/coreadm.conf -> !r:^COREADM_GLOB_PATTERN\p\.+;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_GLOB_CONTENT\pdefault;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_INIT_PATTERN\pcore;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_INIT_CONTENT\pdefault;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_PROC_ENABLED\pno;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_PROC_SETID_ENABLED\pno;' - - 'f:/etc/coreadm.conf -> !r:^COREADM_GLOB_LOG_ENABLED\pyes;' + condition: all + rules: + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\p\.+' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\pdefault' + - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\pcore' + - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_CONTENT\pdefault' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno' + - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_ENABLED\pno' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno' + - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\pno' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\pyes' + - id: 11514 title: "Enable Stack Protection" description: "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. 
Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor- supplied and third party software." @@ -203,13 +217,12 @@ checks: remediation: "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi" compliance: - cis: "3.2" - condition: any + condition: all rules: - - 'f:!/etc/system;' - - 'f:/etc/system -> !r:^\s*\t*noexec_user_stack\p1;' - - 'f:/etc/system -> IN !r:^# && r:\s*\t*noexec_user_stack\p0;' - - 'f:/etc/system -> !r:^\s*\t*noexec_user_stack_log\p1;' - - 'f:/etc/system -> IN !r:^# && r:\s*\t*noexec_user_stack_log\p0;' + - 'f:/etc/system' + - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\p1' + - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\p1' + - id: 11515 title: "Enable Strong TCP Sequence Number Generation" description: "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session." @@ -217,10 +230,10 @@ checks: remediation: "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default # awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS # mv inetinit.CIS inetinit To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp" compliance: - cis: "3.3" - condition: any + condition: all rules: - - 'f:/etc/default/inetinit -> !r:^TCP_STRONG_ISS\p2;' - - 'f:/etc/default/inetinit -> IN !r:^# && r:TCP_STRONG_ISS\p1;' + - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2' + # 4 Auditing and Logging - id: 11516 title: "Create CIS Audit Class" 
@@ -229,9 +242,10 @@ checks:
 remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
 compliance:
 - cis: "4.1"
- condition: any
+ condition: all
 rules:
- - 'f:/etc/security/audit_class -> !r:0x\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d:cis:\.+;'
+ - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'
+
 - id: 11517
 title: "Enable Auditing of Incoming Network Connections"
 description: "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system."
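Review bot: The rewritten rule for 11516 drops the pattern type: `'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'` has no `r:` after `->`, unlike every other file-content rule in this file, so it is unlikely to be evaluated as a regex and the check would fail on a correctly configured host under `condition: all`. Restore the prefix: `- 'f:/etc/security/audit_class -> r:0x0100000000000000:cis:CIS Solaris Benchmark'`. If the looser old intent (any mask value for the `cis` class) is wanted, `r:0x\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d:cis:` keeps that while still matching the value given in the remediation.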
@@ -239,13 +253,14 @@ checks: remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect" compliance: - cis: "4.2" - condition: any + condition: all rules: - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_ACCEPT:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_CONNECT:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKACCEPT:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SOCKCONNECT:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_inetd_connect:\.+cis\.*;' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_CONNECT:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKACCEPT:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKCONNECT:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_inetd_connect:\.+cis\.*' + - id: 11518 title: "Enable Auditing of File Metadata Modification Events" description: "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed." 
@@ -253,15 +268,16 @@ checks: remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET" compliance: - cis: "4.3" - condition: any - rules: - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_CHMOD:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_CHOWN:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_FCHOWN:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_FCHMOD:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_LCHOWN:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_ACLSET:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_FACLSET:\.+cis\.*;' + condition: all + rules: + - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHOWN:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHOWN:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHMOD:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_LCHOWN:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACLSET:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_FACLSET:\.+cis\.*' + - id: 11519 title: "Enable Auditing of Process and Privilege Events" description: "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2)." 
@@ -269,22 +285,23 @@ checks: remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID" compliance: - cis: "4.4" - condition: any - rules: - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_CHROOT:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETREUID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETREGID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_FCHROOT:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_PFEXEC:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETUID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_NICE:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETGID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETEGID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETEUID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETPRIV:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETSID:\.+cis\.*;' - - 'f:/etc/security/audit_event -> !r:^\d+:AUE_SETPGID:\.+cis\.*;' + condition: all + rules: + - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREUID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREGID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHROOT:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_PFEXEC:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETUID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_NICE:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETGID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*' + - 'f:/etc/security/audit_event -> 
r:^\d+:AUE_SETEGID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEUID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPRIV:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETSID:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPGID:\.+cis\.*' + - id: 11520 title: "Configure Solaris Auditing" description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)." 
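Review bot: The rule `r:^\d+:AUE_SETPRIV:\.+cis\.*` in 11519 looks misnamed: the remediation in the same check lists `AUE_SETPPRIV` (the setppriv(2) event), and under `condition: all` a rule that never matches fails the whole check even after the administrator has applied the remediation. If the event name in /etc/security/audit_event is indeed `AUE_SETPPRIV`, change the rule to `- 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPPRIV:\.+cis\.*'`. The mismatch predates this commit, but the switch to `all` is what turns it into a guaranteed failure.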
@@ -292,9 +309,10 @@ checks: remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit" compliance: - cis: "4.5" - condition: any + condition: all rules: - - 'd:/var/spool/cron/crontabs -> !r:/usr/sbin/audit -n;' + - 'd:/var/spool/cron/crontabs -> r:/usr/sbin/audit -n' + # 5 File/Directory Permissions/Access - id: 11521 title: "Default Service File Creation Mask" @@ -303,9 +321,10 @@ checks: remediation: "Perform the following to implement the recommended state: # svccfg -s svc:/system/environment:init setprop umask/umask = astring: \"022\"" compliance: - cis: "5.1" - condition: any + condition: all rules: - - 'f:/etc/profile -> !r:^umask\s*\d\d\d;' + - 'f:/etc/profile -> r:^umask\s*022' + # 6 System Access, Authentication, and Authorization - id: 11522 title: "Disable \"nobody\" Access for RPC Encryption Key Storage Service" 
@@ -314,11 +333,11 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/ENABLE_NOBODY_KEYS=/ { $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS # mv keyserv.CIS keyserv" compliance: - cis: "6.2" - condition: any + condition: all rules: - - 'f!:/etc/default/keyserv;' - - 'f:/etc/default/keyserv -> !r:^ENABLE\.NOBODY\.KEYS\pNO;' - - 'f:/etc/default/keyserv -> IN !r:^# && r:ENABLE\.NOBODY\.KEYS\pYES;' + - 'f:/etc/default/keyserv' + - 'f:/etc/default/keyserv -> r:^ENABLE\.NOBODY\.KEYS\pNO' + - id: 11523 title: "Disable X11 Forwarding for SSH" description: "The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface." 
@@ -326,10 +345,10 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: "6.3" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> !r:^X11Forwarding\s*no;' - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:X11Forwarding\s*yes;' + - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes' + - id: 11524 title: "Limit Consecutive Login Attempts for SSH" description: "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits." @@ -337,10 +356,10 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^MaxAuthTries/ { $2 = \"3\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: "6.4" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^MaxAuthTries\s*3;' - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:MaxAuthTries\s*3\d+;' + - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - id: 11525 title: "Disable Rhost-based Authentication for SSH" description: "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication." 
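Review bot: 11524 now accepts `MaxAuthTries` up to 4 (`compare <= 4`) while the title, description and remediation in the same hunk set the value to 3, so a host with `MaxAuthTries 4` passes the check but is not in the documented state. Either use `compare <= 3` or update the remediation text to say 4. Since the rule only matches an explicit `MaxAuthTries` line, a config that omits the directive fails the check, which is the right outcome given sshd's larger default.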
@@ -348,10 +367,10 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^IgnoreRhosts/ { $2 = \"yes\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed." compliance: - cis: "6.5" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^IgnoreRhosts\s*yes;' - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:IgnoreRhosts\s*no;' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no' + - id: 11526 title: "Disable root login for SSH" description: "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host." @@ -359,10 +378,10 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^PermitRootLogin/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: "6.6" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^PermitRootLogin\s*no;' - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitRootLogin\s*yes;' + - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no' + - id: 11527 title: "Blocking Authentication Using Empty/Null Passwords for SSH" description: "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would." 
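Review bot: 11525 is inverted: with `condition: all` the check passes only when `!r:^# && r:IgnoreRhosts\.+no` finds an uncommented `IgnoreRhosts no` line, i.e. exactly the insecure setting, and fails on a host where the directive is absent or set to yes. The rule is a bad-line detector like those used for 11523 and 11527 in this file and needs `condition: none`; with `none` and the same rule the check passes when no active `IgnoreRhosts no` exists, which matches the remediation note that the absent directive defaults to yes.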
@@ -370,10 +389,10 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: "6.7" - condition: any + condition: none rules: - - 'f:/etc/ssh/sshd_config -> !r:^PermitEmptyPasswords\s*no;' - - 'f:/etc/ssh/sshd_config -> IN !r:^# && r:PermitEmptyPasswords\s*yes;' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - id: 11528 title: "Disable Host-based Authentication for Login-based Services" description: "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user." @@ -381,10 +400,11 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # cp pam.conf pam.conf.pre-CIS # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS # mv pam.conf.CIS pam.conf" compliance: - cis: "6.8" - condition: any + condition: all rules: - - 'f:/etc/pam.conf -> !r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1;' - - 'f:/etc/pam.conf -> !r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1;' + - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1' + - 'f:/etc/pam.conf -> r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1' + - id: 11529 title: "Restrict FTP Use" description: "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP." 
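Review bot: 11528 is also inverted. The remediation comments out the `pam_rhosts_auth` entries in /etc/pam.conf, but `condition: all` with `r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1` and the matching `rsh` rule requires both entries to be present and active for the check to pass. Use `condition: none` so the check passes when neither active rhosts entry exists; the commented-out lines produced by the remediation (`#rlogin ...`) then correctly fail to match the `^rlogin` anchor.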
@@ -392,28 +412,29 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system." compliance: - cis: "6.9" - condition: any - rules: - - 'f:/etc/ftpd/ftpusers -> !r:^root;' - - 'f:/etc/ftpd/ftpusers -> !r:^daemon;' - - 'f:/etc/ftpd/ftpusers -> !r:^bin;' - - 'f:/etc/ftpd/ftpusers -> !r:^sys;' - - 'f:/etc/ftpd/ftpusers -> !r:^adm;' - - 'f:/etc/ftpd/ftpusers -> !r:^uucp;' - - 'f:/etc/ftpd/ftpusers -> !r:^nuucp;' - - 'f:/etc/ftpd/ftpusers -> !r:^smmsp;' - - 'f:/etc/ftpd/ftpusers -> !r:^listen;' - - 'f:/etc/ftpd/ftpusers -> !r:^gdm;' - - 'f:/etc/ftpd/ftpusers -> !r:^lp;' - - 'f:/etc/ftpd/ftpusers -> !r:^webservd;' - - 'f:/etc/ftpd/ftpusers -> !r:^postgres;' - - 'f:/etc/ftpd/ftpusers -> !r:^svctag;' - - 'f:/etc/ftpd/ftpusers -> !r:^openldap;' - - 'f:/etc/ftpd/ftpusers -> !r:^unknown;' - - 'f:/etc/ftpd/ftpusers -> !r:^aiuser;' - - 'f:/etc/ftpd/ftpusers -> !r:^nobody;' - - 'f:/etc/ftpd/ftpusers -> !r:^nobody4;' - - 'f:/etc/ftpd/ftpusers -> !r:^noaccess;' + condition: none + rules: + - 'f:/etc/ftpd/ftpusers -> r:^root' + - 'f:/etc/ftpd/ftpusers -> r:^daemon' + - 'f:/etc/ftpd/ftpusers -> r:^bin' + - 'f:/etc/ftpd/ftpusers -> r:^sys' + - 'f:/etc/ftpd/ftpusers -> r:^adm' + - 'f:/etc/ftpd/ftpusers -> r:^uucp' + - 'f:/etc/ftpd/ftpusers -> r:^nuucp' + - 'f:/etc/ftpd/ftpusers -> r:^smmsp' + - 
'f:/etc/ftpd/ftpusers -> r:^listen' + - 'f:/etc/ftpd/ftpusers -> r:^gdm' + - 'f:/etc/ftpd/ftpusers -> r:^lp' + - 'f:/etc/ftpd/ftpusers -> r:^webservd' + - 'f:/etc/ftpd/ftpusers -> r:^postgres' + - 'f:/etc/ftpd/ftpusers -> r:^svctag' + - 'f:/etc/ftpd/ftpusers -> r:^openldap' + - 'f:/etc/ftpd/ftpusers -> r:^unknown' + - 'f:/etc/ftpd/ftpusers -> r:^aiuser' + - 'f:/etc/ftpd/ftpusers -> r:^nobody' + - 'f:/etc/ftpd/ftpusers -> r:^nobody4' + - 'f:/etc/ftpd/ftpusers -> r:^noaccess' + - id: 11530 title: "Set Delay between Failed Login Attempts to 4" description: "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the \"login incorrect\" message when a bad password is provided." @@ -421,10 +442,10 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS # mv login.CIS login" compliance: - cis: "6.10" - condition: any + condition: all rules: - - 'f:/etc/default/login -> !r:^SLEEPTIME\p4;' - - 'f:/etc/default/login -> NIN !r:^# && r:SLEEPTIME\p4\d;' + - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4' + - id: 11531 title: "Remove Autologin Capabilities from the GNOME desktop" description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password." 
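Review bot: 11529 inverts the meaning of /etc/ftpd/ftpusers: the file lists accounts that are denied FTP, and the remediation appends root, daemon, nobody and the rest to it, but `condition: none` with `r:^root`, `r:^daemon`, ... makes the check pass only when none of those entries are present. This should be `condition: all` so every listed system account must appear. The anchors are also prefix matches (`^root` would match any user name starting with root); `r:^root$` per entry is exact. The hunk begins on the previous line.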
@@ -432,9 +453,10 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf" compliance: - cis: "6.11" - condition: any + condition: none rules: - - 'f:/etc/pam.conf -> IN !r:^# && r:gdm-autologin;' + - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin' + - id: 11532 title: "Set Default Screen Lock for GNOME Users" description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment." @@ -442,11 +464,12 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS # mv xScreenSaver.CIS xScreenSaver" compliance: - cis: "6.12" - condition: any + condition: all rules: - - 'f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*timeout:\s*\t*0:10:00;' - - 'f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*locktimeout:\s*\t*0:00:00;' - - 'f:/usr/share/X11/app-defaults/XScreensaver -> !r:^*lock:\s*\t*true;' + - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*0:10:00' + - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*0:00:00' + - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true' + - id: 11533 title: "Restrict at/cron to Authorized Users" description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals." 
@@ -454,14 +477,15 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow" compliance: - cis: "6.13" - condition: any - rules: - - 'f:/etc/cron.d/cron.deny;' - - 'f:/etc/cron.d/at.deny;' - - 'f:!/etc/cron.d/cron.allow;' - - 'f:/etc/cron.d/cron.allow -> !r:^root$;' - - 'f:!/etc/cron.d/at.allow;' - - 'f:/etc/cron.d/at.allow -> IN !r:^# && r:\w;' + condition: all + rules: + - 'not f:/etc/cron.d/cron.deny' + - 'not f:/etc/cron.d/at.deny' + - 'f:/etc/cron.d/cron.allow' + - 'f:/etc/cron.d/cron.allow -> !r:^root$' + - 'f:/etc/cron.d/at.allow' + - 'not f:/etc/cron.d/at.allow -> !r:^# && r:\w' + - id: 11534 title: "Restrict root Login to System Console" description: "Privileged access to the system via root must be accountable to a particular user." 
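Review bot: The fourth rule, `'f:/etc/cron.d/cron.allow -> !r:^root$'`, is inverted now that the check uses `condition: all`: however the engine resolves the negation, a cron.allow containing only `root` (exactly what the remediation's `echo root > cron.allow` produces) makes this rule false and fails the check. It should be the positive match `'f:/etc/cron.d/cron.allow -> r:^root$'`, with a second rule to reject any other entry, e.g. `'not f:/etc/cron.d/cron.allow -> !r:^root$ && r:\w'`, mirroring the shape already used for at.allow in this hunk.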
@@ -469,9 +493,10 @@ checks:
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login"
 compliance:
 - cis: "6.14"
- condition: any
+ condition: none
 rules:
- - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console;'
+ - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console'
+
 - id: 11535
 title: "Set Retry Limit for Account Lockout"
 description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name."
@@ -479,12 +504,11 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle" compliance: - cis: "6.15" - condition: any + condition: all rules: - - 'f:/etc/default/login -> !r:^RETRIES\p3;' - - 'f:/etc/default/login -> NIN !r:^# && r:RETRIES\p3\d;' - - 'f:/etc/security/policy.conf -> !r:^LOCK_AFTER_RETRIES\pyes;' - - 'f:/etc/security/policy.conf -> NIN !r:^# && r:LOCK_AFTER_RETRIES\pno;' + - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3' + - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\pyes' + - id: 11536 title: "Secure the GRUB Menu (Intel)" description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console." 
@@ -492,9 +516,10 @@ checks:
 remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub grub> md5crypt Password: [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)] The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above] Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe lock"
 compliance:
 - cis: "6.17"
- condition: any
+ condition: all
 rules:
- - 'f:/rpool/boot/grub/menu.lst -> !r:^password\s*--md5;'
+ - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5'
+
 # 7 User Accounts and Environment
 - id: 11537
 title: "Set Password Expiration Parameters on Active Accounts"
@@ -503,14 +528,12 @@ checks: remediation: "Perform the following to implement the recommended state: # logins -ox | awk -F: '($1 == \"root\" || $8 == \"LK\" || $8 == \"NL\") { next } ; { $cmd = \"passwd\" } ; ($11 91) { $cmd = $cmd \" -x 91\" } ($10 < 7) { $cmd = $cmd \" -n 7\" } ($12 < 28) { $cmd = $cmd \" -w 28\" } ($cmd != \"passwd\") { print $cmd \" \" $1 }' > /etc/CISupd_accounts # /sbin/sh /etc/CISupd_accounts # rm -f /etc/CISupd_accounts # cd /etc/default # grep -v WEEKS passwd > passwd.CIS # cat <> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults # mv passwd.CIS passwd" compliance: - cis: "7.1" - condition: any - rules: - - 'f:/etc/default/passwd -> !r:^maxweeks\p13;' - - 'f:/etc/default/passwd -> IN !r:^# && r:maxweeks\p13\d;' - - 'f:/etc/default/passwd -> !r:^minweeks\p1;' - - 'f:/etc/default/passwd -> IN !r:^# && r:minweeks\p1\d;' - - 'f:/etc/default/passwd -> !r:^warnweeks\p4;' - - 'f:/etc/default/passwd -> IN !r:^# && r:warnweeks\p4\d;' + condition: all + rules: + - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13' + - 'f:/etc/default/passwd -> r:^minweeks\p1' + - 'f:/etc/default/passwd -> !r:^warnweeks\p4' + - id: 11538 title: "Set Strong Password Creation Policies" description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user." 
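Review bot: Two of the three rewritten rules do not test what the title requires. `n:^maxweeks\(\d+) compare <= 13` drops the `\p` separator that the sibling rules (and the removed `maxweeks\p13`) use between key and value, so the numeric capture never lines up with `MAXWEEKS=13`; and `!r:^warnweeks\p4` is a negated match under `condition: all`, which holds only when WARNWEEKS is not 4, the opposite of the remediation. Suggested: `'f:/etc/default/passwd -> n:^maxweeks\p(\d+) compare <= 13'` and `'f:/etc/default/passwd -> n:^warnweeks\p(\d+) compare >= 4'`; `r:^minweeks\p1` additionally accepts `MINWEEKS=10` by prefix, so `n:^minweeks\p(\d+) compare >= 1` is safer.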
@@ -518,30 +541,21 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd" compliance: - cis: "7.2" - condition: any - rules: - - 'f:/etc/default/passwd -> !r:^passlength\p8;' - - 'f:/etc/default/passwd -> IN !r:^# && r:passlength\p8\d;' - - 'f:/etc/default/passwd -> !r:^namecheck\pyes;' - - 'f:/etc/default/passwd -> IN !r:^# && r:namecheck\pno;' - - 'f:/etc/default/passwd -> !r:^history\p10;' - - 'f:/etc/default/passwd -> IN !r:^# && r:history\p10\d;' - - 'f:/etc/default/passwd -> !r:^mindiff\p3;' - - 'f:/etc/default/passwd -> IN !r:^# && r:mindiff\p3\d;' - - 'f:/etc/default/passwd -> !r:^minalpha\p2;' - - 'f:/etc/default/passwd -> IN !r:^# && r:minalpha\p2\d;' - - 'f:/etc/default/passwd -> !r:^minupper\p1;' - - 'f:/etc/default/passwd -> IN !r:^# && r:minupper\p1\d;' - - 'f:/etc/default/passwd -> !r:^minlower\p1;' - - 'f:/etc/default/passwd -> IN !r:^# && r:minlower\p1\d;' - - 'f:/etc/default/passwd -> !r:^minnonalpha\p1;' - - 'f:/etc/default/passwd -> IN !r:^# && r:minnonalpha\p1\d;' - - 'f:/etc/default/passwd -> !r:^maxrepeats\p0;' - - 'f:/etc/default/passwd -> IN !r:^# && r:maxrepeats\p0\d;' - - 'f:/etc/default/passwd -> !r:^whitespace\pyes;' - - 'f:/etc/default/passwd -> IN !r:^# && r:whitespace\pno;' - - 'f:/etc/default/passwd -> !r:^dictiondbdir\p/var/passwd;' - - 'f:/etc/default/passwd -> !r:^dictionlist\p/usr/share/lib/dict/words;' + condition: all 
+ rules: + - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8' + - 'f:/etc/default/passwd -> r:^namecheck\pyes' + - 'f:/etc/default/passwd -> n:^history\p(\d+) compare >= 10' + - 'f:/etc/default/passwd -> n:^mindiff\p(\d+) >= 3' + - 'f:/etc/default/passwd -> n:^minalpha\p(\d+) >= 2' + - 'f:/etc/default/passwd -> n:^minupper\p(\d+) compare >= 1' + - 'f:/etc/default/passwd -> n:^minlower\p(\d+) compare >= 1' + - 'f:/etc/default/passwd -> n:^minnonalpha\p(\d+) compare >= 1' + - 'f:/etc/default/passwd -> r:^maxrepeats\p0' + - 'f:/etc/default/passwd -> r:^whitespace\pyes' + - 'f:/etc/default/passwd -> r:^dictiondbdir\p/var/passwd' + - 'f:/etc/default/passwd -> r:^dictionlist\p/usr/share/lib/dict/words' + - id: 11539 title: "Set Default umask for users" description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories." @@ -549,11 +563,10 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login" compliance: - cis: "7.3" - condition: any + condition: none rules: - - 'f:/etc/default/login -> !r:^umask\p027|^umask\p077;' - - 'f:/etc/default/login -> IN !r:^# && r:umask\p026;' - - 'f:/etc/default/login -> IN !r:^# && r:umask\p022;' + - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077' + - id: 11540 title: "Set Default File Creation Mask for FTP Users" description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server." 
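Review bot: The `passlength` rule has its comparison backwards: `n:^passlength\p(\d) compare <= 8` passes for `PASSLENGTH=6` and, because the capture is a single `\d`, reads `PASSLENGTH=12` as 1; it should be `'f:/etc/default/passwd -> n:^passlength\p(\d+) compare >= 8'`. The `mindiff` and `minalpha` rules omit the `compare` keyword every other numeric rule in this hunk uses (`n:^mindiff\p(\d+) >= 3`), so they are unlikely to be parsed as numeric comparisons; write them as `n:^mindiff\p(\d+) compare >= 3` and `n:^minalpha\p(\d+) compare >= 2`. The hunk starts on the previous line.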
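Review bot: The new umask rule negates both halves, `!r:^# && !r:^umask\p027|^umask\p077`, so it never isolates an uncommented UMASK line with a weak value: read per line it is satisfied by any non-comment line such as `PASSREQ=YES`, and read as a whole-file negation it is defeated by the first comment in /etc/default/login, so under `condition: none` the check either always fails or always passes. The hardened state is simpler to state positively: `condition: all` with `'f:/etc/default/login -> r:^umask\p027|^umask\p077'`, which also fails when UMASK is absent, the case the removed `umask\p022` rule was guarding.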
@@ -561,11 +574,10 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi" compliance: - cis: "7.4" - condition: any + condition: none rules: - - 'f:/etc/proftpd.conf -> !r:^umask\s*027;' - - 'f:/etc/proftpd.conf -> IN !r:^# && r:umask\s*026;' - - 'f:/etc/proftpd.conf -> IN !r:^# && r:umask\s*022;' + - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027' + - id: 11541 title: "Set \"mesg n\" as Default for All Users" description: "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device." @@ -573,10 +585,11 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done" compliance: - cis: "7.5" - condition: any + condition: none rules: - - 'f:/etc/.login -> !r:^mesg\s*n;' - - 'f:/etc/profile -> !r:^mesg\s*n;' + - 'f:/etc/.login -> !r:^mesg\s*n' + - 'f:/etc/profile -> !r:^mesg\s*n' + # 8 Warning Banners - id: 11542 title: "Create Warnings for Standard Login Services" 
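Review bot: Same construction problem as the login-umask check: `!r:^# && !r:^umask\s*027` under `condition: none` does not express "no uncommented Umask other than 027", because both sub-patterns are negated and the value is never actually compared to anything. Prefer `condition: all` with `'f:/etc/proftpd.conf -> r:^umask\s*027'`, which fails when Umask is missing or set to any other value and matches the remediation's `Umask 027`.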
@@ -585,25 +598,21 @@ checks: remediation: "Perform the following to implement the recommended state: # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/motd # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue" compliance: - cis: "8.1" - condition: any - rules: - - 'f:/etc/issue -> r:SunOS;' - - 'f:/etc/issue -> r:Oracle;' - - 'f:/etc/issue -> r:solaris;' - - 'f:/etc/issue -> !r:Authorized users only. All activity may be monitored and reported;' - - 'f:/etc/motd -> r:SunOS;' - - 'f:/etc/motd -> r:Oracle;' - - 'f:/etc/motd -> r:solaris;' - - 'f:/etc/motd -> !r:Authorized users only. All activity may be monitored and reported;' + condition: all + rules: + - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported' + - 'f:/etc/motd -> r:Authorized users only. All activity may be monitored and reported' + - id: 11543 title: "Enable a Warning Banner for the SSH Service" description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution." remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: "8.2" - condition: any + condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^Banner\s*/etc/issue;' + - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue' + - id: 11544 title: "Enable a Warning Banner for the GNOME Service" description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific." 
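Review bot: The rewrite drops the rules that flagged `SunOS`, `Oracle` and `solaris` in /etc/issue and /etc/motd, so a banner carrying the required legal text plus the OS identification now passes, although not disclosing platform details before login is the other half of what this item guards. Keep a negative rule next to the positive ones, e.g. `'not f:/etc/issue -> r:SunOS|Oracle|solaris'` and `'not f:/etc/motd -> r:SunOS|Oracle|solaris'`; under `condition: all` both then have to hold together with the text match.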
@@ -611,9 +620,10 @@ checks: remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue" compliance: - cis: "8.3" - condition: any + condition: all rules: - - 'f:/etc/gdm/Init/Default -> !r:^/usr/bin/zenity\s\.;' + - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.' + - id: 11545 title: "Enable a Warning Banner for the FTP service" description: "The action for this item sets a warning message for FTP users before they log in." @@ -621,9 +631,10 @@ checks: remediation: "Perform the following to implement the recommended state: # echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf # svcadm restart ftp" compliance: - cis: "8.4" - condition: any + condition: all rules: - - 'f:/etc/proftpd.conf -> !r:^DisplayConnect\s+/etc/issue;' + - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue' + - id: 11546 title: "Check that the Banner Setting for telnet is Null" description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system." @@ -631,10 +642,10 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd" compliance: - cis: "8.5" - condition: any + condition: all rules: - - 'f:/etc/default/telnetd -> IN !r:^# && r:BANNER=\.;' - - 'f:/etc/default/telnetd -> !r:BANNER=$;' + - 'f:/etc/default/telnetd -> r:BANNER=$' + # 9 System Maintenance - id: 11547 title: "Verify System Account Default Passwords" 
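Review bot: In the telnet hunk, `r:BANNER=$` is unanchored, so a commented-out `#BANNER=` line satisfies it while a live `BANNER="SunOS 5.11"` elsewhere in the file goes unnoticed; with `condition: all` the check can pass on a file that still advertises the OS. Anchor it to the line start: `'f:/etc/default/telnetd -> r:^BANNER=$'`.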
@@ -643,36 +654,37 @@ checks: remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l [username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N [username]" compliance: - cis: "9.3" - condition: any - rules: - - 'f:/etc/shadow -> IN r:daemon && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:lp && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:adm && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:bin && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:gdm && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:noaccess && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:nobody && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:nobody4 && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:openldap && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:unknown && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:webservd && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:mysql && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:nuuc && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:postgres && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:smmsp && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:sys && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:uucp && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:aiuser && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:dhcpserv && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:dladm && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:ftp && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:netadm && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:netcfg && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:pkg5srv && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:svctag && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:xvm && !r::\p*LK\p*:;' - - 'f:/etc/shadow -> IN r:upnp && !r::NL:|:NP:;' - - 'f:/etc/shadow -> IN r:zfssnap && !r::NL:|:NP:;' + condition: none + rules: + - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:lp && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:adm && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:bin && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:gdm && 
!r::\p*LK\p*:' + - 'f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:nobody && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:openldap && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:unknown && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:webservd && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:mysql && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:nuuc && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:postgres && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:smmsp && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:sys && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:uucp && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:dladm && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:ftp && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:netadm && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:svctag && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:xvm && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:' + - id: 11548 title: "Ensure Password Fields are Not Empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)." @@ -680,9 +692,10 @@ checks: remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini." compliance: - cis: "9.4" - condition: any + condition: none rules: - - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$;' + - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$' + - id: 11549 title: "Verify No UID 0 Accounts Exist Other than root" description: "Any account with UID 0 has superuser rights on the system." 
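Review bot: The account names in these rules are unanchored substrings, and with `condition: none` any collateral match fails the whole check: `adm` matches the `dladm` and `netadm` entries, `sys` matches any `sys*` account, `bin`, `lp` and `ftp` match any name containing them, and `nuuc` (presumably `nuucp`) matches that entry by prefix. A locked `dladm:*LK*:…` line satisfies its own `\p*LK\p*` rule but still trips the `adm` rule, which expects `NL`/`NP`. Anchor each name to the start of the entry, e.g. `'f:/etc/shadow -> r:^adm: && !r::NL:|:NP:'`, and correct `nuuc` to `nuucp`. The hunk starts on the previous line.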
@@ -690,9 +703,10 @@ checks: remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately." compliance: - cis: "9.5" - condition: any + condition: none rules: - - 'f:/etc/passwd -> IN !r:^root && r::\.:0:\.*;' + - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*' + - id: 11550 title: "Ensure root PATH Integrity" description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly." @@ -700,23 +714,24 @@ checks: remediation: "Correct or justify any items discovered in the Audit step." compliance: - cis: "9.6" - condition: any - rules: - - 'f:/etc/profile -> r:.;' - - 'f:/etc/environment -> r:.;' - - 'f:/.profile -> r:.;' - - 'f:/.bash_profile -> r:.;' - - 'f:/.bashrc -> r:.;' - - 'f:/etc/profile -> r:::;' - - 'f:/etc/environment -> r:::;' - - 'f:/.profile -> r:::;' - - 'f:/.bash_profile -> r:::;' - - 'f:/.bashrc -> r:::;' - - 'f:/etc/profile -> r::$;' - - 'f:/etc/environment -> r::$;' - - 'f:/.profile -> r::$;' - - 'f:/.bash_profile -> r::$;' - - 'f:/.bashrc -> r::$;' + condition: none + rules: + - 'f:/etc/profile -> r:.' + - 'f:/etc/environment -> r:.' + - 'f:/.profile -> r:.' + - 'f:/.bash_profile -> r:.' + - 'f:/.bashrc -> r:.' + - 'f:/etc/profile -> r:::' + - 'f:/etc/environment -> r:::' + - 'f:/.profile -> r:::' + - 'f:/.bash_profile -> r:::' + - 'f:/.bashrc -> r:::' + - 'f:/etc/profile -> r::$' + - 'f:/etc/environment -> r::$' + - 'f:/.profile -> r::$' + - 'f:/.bash_profile -> r::$' + - 'f:/.bashrc -> r::$' + - id: 11551 title: "Check for Presence of User .rhosts Files" description: "While no .rhosts files are shipped with Solaris, users can easily create them." 
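Review bot: The PATH-integrity rules (second hunk) are not tied to PATH at all, and `r:.` in particular fires on almost every line, so with `condition: none` the check fails on any host where /etc/profile exists; the file uses `\.` as its any-character form, and even if a bare `.` is literal it still matches every line containing a period. `r:::` and `r::$` likewise match unrelated text such as comments ending in a colon. Scope the patterns to the assignment, e.g. `r:^PATH=\.*::`, `r:^PATH=\.*:$` and a form for the lone dot such as `r:^PATH=\.*:.:|^PATH=\.*:.$|^PATH=.:`, after confirming how this engine treats an unescaped `.`.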
@@ -724,9 +739,10 @@ checks: remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy." compliance: - cis: "9.10" - condition: any + condition: none rules: - - 'd:$home_dirs -> ^.rhosts$;' + - 'd:$home_dirs -> ^.rhosts$' + - id: 11552 title: "Check That Users Are Assigned Home Directories" description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set." @@ -734,9 +750,10 @@ checks: remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy." compliance: - cis: "9.12" - condition: any + condition: none rules: - - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*;' + - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*' + - id: 11553 title: "Check for Presence of User .netrc Files" description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." @@ -744,9 +761,10 @@ checks: remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy." compliance: - cis: "9.20" - condition: any + condition: none rules: - - 'd:$home_dirs -> ^.netrc$;' + - 'd:$home_dirs -> ^.netrc$' + - id: 11554 title: "Check for Presence of User .forward Files" description: "The .forward file specifies an email address to which a user's mail is forwarded." 
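Review bot: The 11552 rule (second hunk) is inverted: `r:\w+:\.*:\d*:\d*:\.*:\S+:\.*` matches an /etc/passwd entry whose sixth (home) field is non-empty, so under `condition: none` the check fails precisely when users do have home directories; `\S+` also spans the colon into the shell field. The rule should match an empty home field instead, e.g. `'f:/etc/passwd -> r:^\w+:\S*:\d+:\d+:\.*::\S*$'`, but because the gecos field may also be empty and this dialect has no character classes, verify it against entries with an empty gecos before merging.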
@@ -754,6 +772,6 @@ checks: remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy." compliance: - cis: "9.21" - condition: any + condition: none rules: - - 'd:$home_dirs -> ^.forward$;' + - 'd:$home_dirs -> ^.forward$' From f44be09aec2066e4ebdb90ba8505b2936df5c68b Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 27 May 2019 18:56:23 +0200 Subject: [PATCH 021/247] Adapt mysql EE --- .../cis_mysql5-6_enterprise_rcl.yml | 190 ++++++++---------- 1 file changed, 89 insertions(+), 101 deletions(-) diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index 904acd998..3ed148aa1 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -21,14 +21,14 @@ policy: requirements: title: "Check that MySQL is installed on the system" description: "Requirements for running the SCA scan against the MySQL policy." - condition: "all required" + condition: all rules: - - 'd:/etc/mysql;' + - 'd:/etc/mysql' variables: - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/; - $enviroment_files: /*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile; - $mysql-cnfs: /etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf; + $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ + $enviroment_files: /*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile + $mysql-cnfs: /etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf checks: #1 Operating System Level Configuration 
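Review bot: In the MySQL requirements hunk, `$mysql-cnfs` ends with `~/.my.cnf`; the rules open files by literal path and nothing here shows the reader expanding a tilde, so that entry most likely never resolves (and if it did, it would be the agent's home, not the mysql user's). Either drop it or spell the path out, e.g. `/root/.my.cnf`, and consider narrowing `$home_dirs`, which currently includes `/` and so scans the filesystem root for `.mysql_history` in the check that follows.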
@@ -42,9 +42,10 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html - https://bugs.mysql.com/bug.php?id=72158 - condition: any + condition: none rules: - - 'd:$home_dirs -> ^.mysql_history$;' + - 'd:$home_dirs -> ^.mysql_history$' + - id: 4501 title: "Disable Interactive Login" description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would." @@ -52,9 +53,10 @@ checks: remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'" compliance: - cis: "1.5" - condition: any + condition: all rules: - - 'f:/etc/passwd -> NIN r:^mysql && r:\.*/bin/false$|/sbin/nologin$;' + - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$' + - id: 4502 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" description: "MySQL can read a default database password from an environment variable called MYSQL_PWD." @@ -64,9 +66,10 @@ checks: - cis: "1.6" references: - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html - condition: any + condition: none rules: - - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*;' + - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*' + #4 General - id: 4503 title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'" 
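Review bot: The MYSQL_PWD check (third hunk) only looks at `$enviroment_files`, i.e. dotfiles under `/home/*` and `/*/home/*`, so `/root/.bashrc`, `/root/.profile`, `/etc/profile` and `/etc/environment` are never inspected even though root and system-wide profiles are where a DBA is most likely to export the variable. Extend the variable (declared in the previous hunk) with those paths, or add a second rule such as `'f:/root/.bashrc,/root/.profile,/etc/profile,/etc/environment -> r:MYSQL_PWD'` under the same `condition: none`.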
@@ -78,10 +81,10 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs - condition: any + condition: none rules: - - 'f:$mysql-cnfs -> IN !r:^# && r:allow-suspicious-udfs\.+true;' - - 'f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;' + - 'f:$mysql-cnfs -> r:allow-suspicious-udfs' + - id: 4504 title: "Ensure 'local_infile is Disabled" description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'." @@ -92,10 +95,10 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file - https://dev.mysql.com/doc/refman/5.6/en/load-data.html - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> IN !r:^# && r:local-infile\s*=\s*1;' - - 'f:$mysql-cnfs -> r:local-infile\s*$;' + - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$;' + - id: 4505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" description: "This option causes mysqld to start without using the privilege system." 
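Review bot: `r:allow-suspicious-udfs` under `condition: none` now fails on a commented `# allow-suspicious-udfs` line and on an explicit `allow-suspicious-udfs = FALSE`, both of which are the compliant state this item asks for. Keep the comment filter and match only the enabling forms: `'f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\s*=\s*true|allow-suspicious-udfs\s*$'` (add `on`/`1` to the alternation if those spellings are in use).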
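Review bot: The single local_infile rule `'f:$mysql-cnfs -> r:local-infile\s*=\*0$;'` cannot match a real `local-infile=0` line: `\*` is an escaped literal asterisk where `\s*` was meant, and the trailing `;` (the old rule terminator this patch strips everywhere else) now sits after the `$` anchor as part of the regex, so the `condition: all` check always fails. Nothing excludes commented lines either. Use `'f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*0$'`, optionally extending the alternation to `local_infile` and `OFF`.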
@@ -105,11 +108,10 @@ checks: - cis: "4.5" references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> IN !r:^# && r:skip-grant-tables\s*=\s*true;' - - 'f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;' - - 'f:$mysql-cnfs -> r:skip-grant-tables\s*$;' + - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false;' + - id: 4506 title: "Ensure '--skip-symbolic-links' Is Enabled" description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. " @@ -120,11 +122,10 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> IN !r:^# && r:skip_symbolic_links\s*=\s*no;' - - 'f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;' - - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*$;' + - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes' + - id: 4507 title: "Ensure 'secure_file_priv' is not empty" description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL." 
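Review bot: The rewritten rule `'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false;'` keeps the old-format `;` terminator inside the regex, so it only matches a line containing the literal text `false;`, and with `condition: all` the check fails on every compliant server. Requiring an explicit `=false` also fails the common case where the option is simply absent, which is the secure default. The removed rules expressed this as a prohibition; keep that shape: `condition: none` with `'f:$mysql-cnfs -> !r:^# && r:skip-grant-tables\s*$|skip-grant-tables\s*=\s*true'`.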
@@ -134,11 +135,10 @@ checks: - cis: "4.8" references: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> IN r:^# && r:secure_file_priv=\s*\S+\s*;' - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;' - - 'f:$mysql-cnfs -> r:secure_file_priv\s*$;' + - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work." @@ -146,9 +146,10 @@ checks: remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file." compliance: - cis: "4.9" - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> !r:strict_all_tables\s*$;' + - 'f:$mysql-cnfs -> r:strict_all_tables' + #6 Auditing and Logging - id: 4509 title: "Ensure 'log_error' is not empty" @@ -159,11 +160,10 @@ checks: - cis: "6.1" references: - https://dev.mysql.com/doc/refman/5.6/en/error-log.html - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> IN r:^# && r:log_error\s*=\s*\S+\s*;' - - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;' - - 'f:$mysql-cnfs -> r:log_error\s*$;' + - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*' + - id: 4510 title: "Ensure Log Files are not Stored on a non-system partition" description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr." 
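Review bot: The only rule left in the secure_file_priv check, `'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;'`, is the untouched context line and is negated, so under the new `condition: all` it passes exactly when no `secure_file_priv` value is configured, the opposite of the title; its trailing `;` is also now literal regex. Replace it with the positive form `'f:$mysql-cnfs -> !r:^# && r:secure_file_priv\s*=\s*\S+'`, which also tolerates whitespace around `=`.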
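Review bot: In the log_error hunk, `'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*'` is the negated form carried over from the `condition: any` version, so with `condition: all` the check passes when log_error is unset and fails when it is configured. It should read `'f:$mysql-cnfs -> !r:^# && r:log_error\s*=\s*\S+'`.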
@@ -174,12 +174,12 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> NIN !r:^# && r:log_bin= && r:\s*/\S*\s*;' - - 'f:$mysql-cnfs -> NIN !r:^# && r:log_bin= && r:\s*/var/\S*\s*;' - - 'f:$mysql-cnfs -> NIN !r:^# && r:log_bin= && r:\s*/usr/\S*\s*;' - - 'f:$mysql-cnfs -> r:log_bin\s*$;' + - 'f:$mysql-cnfs -> r:log_bin\s*$' + - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/var/\S*\s*' + - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/usr/\S*\s*' + - id: 4511 title: "Ensure 'log_warning' is set to 2" description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging." @@ -190,12 +190,10 @@ connections." - cis: "6.3" references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> IN !r:^# && r:log_warnings\s*=\s*0;' - - 'f:$mysql-cnfs -> IN !r:^# && r:log_warnings\s*=\s*1;' - - 'f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;' - - 'f:$mysql-cnfs -> r:log_warnings\s*$;' + - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2' + - id: 4512 title: "Ensure 'log_raw' is set to 'OFF'" description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. " 
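Review bot: Under `condition: all`, the first log_bin rule `r:log_bin\s*$` accepts only a bare `log_bin` directive, so a configured `log_bin=/data/mysql/binlog` fails the check outright, while the two `not` rules look for `log_bin=` with no whitespace tolerance, so `log_bin = /var/lib/mysql/bin` slips through. Suggest `'f:$mysql-cnfs -> !r:^# && r:log_bin'` for presence and `'not f:$mysql-cnfs -> !r:^# && r:log_bin\s*=\s*/var/'` (same for `/usr/`) for location.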
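Review bot: In the log_warnings hunk, `r:log_warnings\s*=\s*2` matches by prefix, so `log_warnings=20` passes while `log_warnings=3`, which the description itself notes enables more logging, fails the `condition: all` check. A numeric rule captures the intent: `'f:$mysql-cnfs -> n:^log_warnings\s*=\s*(\d+) compare >= 2'`.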
@@ -206,10 +204,10 @@ connections."
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:log-raw\s*=\s*on;'
- - 'f:$mysql-cnfs -> r:log-raw\s*$;'
+ - 'f:$mysql-cnfs -> !r^# && r:log-raw\s*off$'
+
 - id: 4513
 title: "Ensure audit_log_connection_policy is not set to 'NONE'"
 description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. "
@@ -217,10 +215,10 @@ connections."
 remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file."
 compliance:
 - cis: "6.5"
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> IN !r^# && r::audit_log_connection_policy\s*=\s*none;'
- - 'f:$mysql-cnfs -> r:audit_log_connection_policy\s*$;'
+ - 'f:$mysql-cnfs -> !r^# && r::audit_log_connection_policy\s*=\s*none'
+
 - id: 4514
 title: "Ensure audit_log_exclude_account is set to NULL"
 description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log."
@@ -228,10 +226,10 @@ connections."
 remediation: "Set audit_log_exclude_accounts=NULL in my.cnf."
 compliance:
 - cis: "6.6"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> NIN !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$;'
- - 'f:$mysql-cnfs -> r:audit_log_exclude_accounts\s*$;'
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$'
+
 - id: 4515
 title: "Ensure audit_log_include_accounts is set to NULL"
 description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log."
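Review bot: The new 4512 rule `'f:$mysql-cnfs -> !r^# && r:log-raw\s*off$'` has `!r^#` without the colon every other negated regex in this file uses, and `log-raw\s*off$` has no `=`, so the line the remediation prescribes, `log-raw = OFF`, cannot match. The 4513 rule in the next hunk keeps the mirror-image typo `r::audit_log_connection_policy` (doubled colon) together with the same `!r^#`; both were already in the removed line, but the rewrite was the moment to fix them. Suggested: `- 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*off\s*$'` and `- 'f:$mysql-cnfs -> !r:^# && r:audit_log_connection_policy\s*=\s*none'`. The community file's 4512 rule spells `!r:^#` correctly but is missing the `=` in the same way.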
@@ -239,10 +237,10 @@ connections."
 remediation: "Set audit_log_include_accounts=NULL in my.cnf."
 compliance:
 - cis: "6.7"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> NIN !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$;'
- - 'f:$mysql-cnfs -> r:audit_log_include_accounts\s*$;'
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$;'
+
 - id: 4516
 title: "Ensure audit_log_policy is set to log logins and connections"
 description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled. It must be set to log logins and connections."
@@ -252,10 +250,8 @@ connections."
 - cis: "6.9"
 condition: any
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_policy\s*=\s*queries;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_policy\s*=\s*none;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_policy\s*=\s*logins;'
- - 'f:$mysql-cnfs -> r:audit_log_policy\s*$;'
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy=ALL'
+
 - id: 4517
 title: "Ensure audit_log_statement_policy is set to ALL"
 description: "This setting controls whether statements are written to the audit log."
@@ -263,11 +259,10 @@ connections."
 remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server."
 compliance:
 - cis: "6.10"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_statement_policy\.+errors;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_statement_policy\.+none;'
- - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*$;'
+ - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*all$'
+
 - id: 4518
 title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS"
 description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS."
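Review bot: The rewritten 4515 rule keeps the old `;` terminator inside the regex, `r:null\s*$;'`, whereas its twin 4514 in the previous hunk and the rest of this commit drop it; left after the `$` anchor the `;` is part of the pattern, so the rule most likely never matches and 4515 fails on every server. The same leftover `;` is on all seven 4524 password-policy rules (both files) and on the community 4504 and 4505 rules. Here it should read `- 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$'`.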
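Review bot: The 4516 rule `r:audit_log_policy=ALL` accepts only the no-space form, unlike every other assignment rule in this file, which uses `\s*=\s*`; `audit_log_policy = ALL` fails it, and `- 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy\s*=\s*all'` matches both. The 4517 rule in the next hunk, `r:audit_log_statement_policy\s*all$`, has the opposite gap — no `=` at all — so neither `audit_log_statement_policy=ALL` nor the remediation's quoted `'ALL'` matches; `r:audit_log_statement_policy\s*=\s*\.*all` (with `\.` as the any-character escape this file already uses) would accept both forms. 4516 is also the one check in this run left on `condition: any`; with a single rule it behaves like `all`, but a consistent choice avoids the question later.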
@@ -275,12 +270,10 @@ connections."
 remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)."
 compliance:
 - cis: "6.11"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_strategy\.+asynchronous;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:audit_log_strategy\.+performance;'
- - 'f:$mysql-cnfs -> IN !r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous;'
- - 'f:$mysql-cnfs -> r:audit_log_strategy\s*$;'
+ - 'f:$mysql-cnfs -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous'
+
 - id: 4519
 title: "Make sure the audit plugin can't be unloaded"
 description: "Set audit_log to FORCE_PLUS_PERMANENT."
@@ -288,13 +281,10 @@ connections."
 remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
 - cis: "6.12"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:^audit_log\s*=\s*on\s*;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:^audit_log\s*=\s*off\s*;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:^audit_log\s*=\s*force\s*;'
- - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent\s*;'
- - 'f:$mysql-cnfs -> r:^audit_log\s$;'
+ - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent'
+
 #7 Authentication
 - id: 4520
 title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
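Review bot: The 4518 rule `r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous` is unanchored, so `synchronous` also matches inside `ASYNCHRONOUS` — the very value the removed rule rejected — and with no `!r:^#` guard a commented-out line satisfies it too. Tying the value to the assignment fixes the first problem, e.g. `- 'f:$mysql-cnfs -> !r:^# && r:audit_log_strategy\s*=\s*semisynchronous|audit_log_strategy\s*=\s*synchronous'`; if the quoted form from the remediation (`audit_log_strategy='SEMISYNCHRONOUS'`) must pass as well, allow an optional quote between `=` and the value.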
@@ -308,12 +298,11 @@ connections."
 - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
 - https://www.cvedetails.com/cve/CVE-2003-1480/
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:old_passwords\s*=\s*1;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:old_passwords\s*=\s*on;'
- - 'f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;'
- - 'f:$mysql-cnfs -> r:old_passwords\s*$;'
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1'
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on'
+
 - id: 4521
 title: "Ensure 'secure_auth' is set to 'ON'"
 description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
@@ -323,11 +312,10 @@ connections."
 - cis: "7.2"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:secure_auth\s*=\s*off;'
- - 'f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;'
- - 'f:$mysql-cnfs -> r:secure_auth\s*$;'
+ - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'
+
 - id: 4522
 title: "Ensure Passwords Are Not Stored in the Global Configuration"
 description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
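Review bot: The 4521 rule `'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'` has no `!r:^#` guard, so a commented-out `#secure_auth = ON` satisfies `condition: all` and the check passes on a server where the option is not in effect; the rules in this commit that do guard (4511, 4512, 4522) show the intended shape, `- 'f:$mysql-cnfs -> !r:^# && r:secure_auth\s*=\s*on'`. The same missing guard is on 4525 (`r:master_info_repository\s*=\s*table`), 4508 (`r:strict_all_tables`), 4517 and 4518 here, and on the community 4504, 4505, 4506, 4514 and 4518 rules.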
@@ -337,9 +325,10 @@ connections."
 - cis: "7.3"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:^\s*password\.*;'
+ - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*'
+
 - id: 4523
 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
 description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
@@ -347,10 +336,10 @@ connections."
 remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
 compliance:
 - cis: "7.4"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> !r:no_auto_create_user\s*$;'
- - 'f:$mysql-cnfs -> IN r:^# && r:\s*no_auto_create_user\s*$;'
+ - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$'
+
 - id: 4524
 title: "Ensure Password Policy is in Place"
 description: "Password complexity includes password characteristics such as length, case, length, and character sets."
@@ -360,15 +349,16 @@ connections."
 - cis: "7.6"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;'
- - 'f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;'
- - 'f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;'
- - 'f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;'
- - 'f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;'
- - 'f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;'
- - 'f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;'
+ - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$;'
+ - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$;'
+ - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$;'
+ - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$;'
+ - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$;'
+ - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1;'
+ - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*;'
+
 #9 Replication
 - id: 4525
 title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
@@ -379,8 +369,6 @@ connections."
 - cis: "9.2"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:master_info_repository\s*=\s*file;'
- - 'f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;'
- - 'f:$mysql-cnfs -> r:master_info_repository\s*$;'
+ - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table'
From d70e58861af19c9acf9d1c90e794baadd9d08687 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Tue, 28 May 2019 12:37:05 +0200
Subject: [PATCH 022/247] Fix debian rule
---
 sca/debian/cis_debianlinux7-8_L2_rcl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml
index 611df2c64..a9620e967 100644
--- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml
@@ -148,7 +148,7 @@ checks:
 - cis: "8.1.1.2"
 condition: all
 rules:
- - 'd:!/etc/audit'
+ - 'd:/etc/audit'
 - 'f:/etc/audit/auditd.conf'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email'
From 3e1510a2ff345155b9bf7cd0a86662b6fddc04ac Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Tue, 28 May 2019 15:12:20 +0200
Subject: [PATCH 023/247] Adapt mysql policies
---
 .../cis_mysql5-6_community_rcl.yml | 182 +++++++++---------
 .../cis_mysql5-6_enterprise_rcl.yml | 172 ++++++++--------
 2 files changed, 175 insertions(+), 179 deletions(-)
diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml
index ac0f2ae1d..e4c6aaca9 100644
--- a/sca/applications/cis_mysql5-6_community_rcl.yml
+++ b/sca/applications/cis_mysql5-6_community_rcl.yml
@@ -21,18 +21,18 @@ policy:
 requirements:
 title: "Check that MySQL is installed on the system"
 description: "Requirements for running the SCA scan against the MySQL policy."
- condition: "all required"
+ condition: all
 rules:
- - 'd:/etc/mysql;'
+ - 'd:/etc/mysql'
 variables:
- $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/;
- $enviroment_files: /*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile;
- $mysql-cnfs: /etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf;
+ $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/
+ $enviroment_files: /*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile
+ $mysql-cnfs: /etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf
 checks:
 #1 Operating System Level Configuration
- - id: 4000
+ - id: 4500
 title: "Disable MySQL Command History"
 description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
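Review bot: Renumbering the community checks from 4000–4018 to 4500–4518 gives them the ids the enterprise policy already uses for different checks (its 4508, 4509, 4510 and 4511 appear as context in this commit's enterprise hunks), so the two MySQL policies now overlap on check ids. If SCA check ids must be unique across the policies loaded on one agent — worth confirming against the SCA schema before merging — the community file needs its own range; if the overlap is acceptable, a comment under `checks:` saying so would stop the next reader from "fixing" it. The `$enviroment_files` variable name (sic) is carried over unchanged; correcting it would require updating its use in 4502 in the same commit.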
@@ -42,20 +42,22 @@ checks:
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
 - https://bugs.mysql.com/bug.php?id=72158
- condition: any
+ condition: none
 rules:
- - 'd:$home_dirs -> ^.mysql_history$;'
- - id: 4001
+ - 'd:$home_dirs -> ^.mysql_history$'
+
+ - id: 4501
 title: "Disable Interactive Login"
 description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
 remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
 compliance:
 - cis: "1.5"
- condition: any
+ condition: all
 rules:
- - 'f:/etc/passwd -> NIN r:^mysql && r:\.*/bin/false$|/sbin/nologin$;'
- - id: 4002
+ - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$'
+
+ - id: 4502
 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
 description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
@@ -64,11 +66,12 @@ checks:
 - cis: "1.6"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
- condition: any
+ condition: none
 rules:
- - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*;'
+ - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*'
+
 #4 General
- - id: 4003
+ - id: 4503
 title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
 description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
@@ -78,11 +81,11 @@ checks:
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:allow-suspicious-udfs\.+true;'
- - 'f:$mysql-cnfs -> r:allow-suspicious-udfs\s*$;'
- - id: 4004
+ - 'f:$mysql-cnfs -> r:allow-suspicious-udfs'
+
+ - id: 4504
 title: "Ensure 'local_infile is Disabled"
 description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
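Review bot: The 4503 rule `'f:$mysql-cnfs -> r:allow-suspicious-udfs'` under `condition: none` fails the check whenever the option name appears at all — including a commented `#allow-suspicious-udfs` or an explicit `allow-suspicious-udfs = FALSE`, which is the exact setting the title asks for. The rule should match only the enabled state: `- 'f:$mysql-cnfs -> !r:^# && r:allow-suspicious-udfs\s*=\s*true'` and, because a boolean option can also be turned on by a bare line with no value, `- 'f:$mysql-cnfs -> !r:^# && r:^\s*allow-suspicious-udfs\s*$'`.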
@@ -92,11 +95,11 @@ checks:
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:local-infile\s*=\s*1;'
- - 'f:$mysql-cnfs -> r:local-infile\s*$;'
- - id: 4005
+ - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$;'
+
+ - id: 4505
 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
 description: "This option causes mysqld to start without using the privilege system."
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
@@ -105,12 +108,11 @@ checks:
 - cis: "4.5"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:skip-grant-tables\s*=\s*true;'
- - 'f:$mysql-cnfs -> !r:skip-grant-tables\s*=\s*false;'
- - 'f:$mysql-cnfs -> r:skip-grant-tables\s*$;'
- - id: 4006
+ - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false;'
+
+ - id: 4506
 title: "Ensure '--skip-symbolic-links' Is Enabled"
 description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
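Review bot: The 4504 rule `'f:$mysql-cnfs -> r:local-infile\s*=\*0$;'` has `=\*0` where `=\s*0` was evidently meant and keeps the old `;` terminator after the `$` anchor, so a compliant `local-infile = 0` line cannot match and the check fails permanently under `condition: all`; `- 'f:$mysql-cnfs -> !r:^# && r:local-infile\s*=\s*0\s*$'` is the intended rule. The 4505 rule in the next hunk keeps the same `;` (`false;'`) and, by requiring an explicit `skip-grant-tables = false`, fails servers that simply never set the option, which is its default state. Testing for the enabling forms under `condition: none` instead, `- 'f:$mysql-cnfs -> !r:^# && r:^\s*skip-grant-tables\s*$|skip-grant-tables\s*=\s*true'`, would match what the title asks.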
@@ -120,12 +122,11 @@ checks:
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:skip_symbolic_links\s*=\s*no;'
- - 'f:$mysql-cnfs -> !r:skip_symbolic_links\s*=\s*yes;'
- - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*$;'
- - id: 4007
+ - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes'
+
+ - id: 4507
 title: "Ensure 'secure_file_priv' is not empty"
 description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
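Review bot: The 4506 rule `'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes'` accepts only an explicit `skip_symbolic_links = yes`, while the title names the option as `--skip-symbolic-links`, which in an option file is normally written bare (`skip-symbolic-links`) or as `symbolic-links = 0`; neither form matches, so a server hardened that way fails under `condition: all`, and a commented line would pass because there is no `!r:^#` guard. An alternation such as `- 'f:$mysql-cnfs -> !r:^# && r:^\s*skip-symbolic-links\s*$|^\s*skip_symbolic_links\s*$|symbolic-links\s*=\s*0'` covers the usual spellings; worth confirming the accepted forms against the 5.6 reference page this check already links.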
@@ -134,23 +135,23 @@ checks:
 - cis: "4.8"
 references:
 -	https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN r:^# && r:secure_file_priv=\s*\S+\s*;'
 - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;'
- - 'f:$mysql-cnfs -> r:secure_file_priv\s*$;'
- - id: 4008
+
+ - id: 4508
 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
 description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
 remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
 compliance:
 - cis: "4.9"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> !r:strict_all_tables\s*$;'
+ - 'f:$mysql-cnfs -> r:strict_all_tables'
+
 #6 Auditing and Logging
- - id: 4009
+ - id: 4509
 title: "Ensure 'log_error' is not empty"
 description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
@@ -159,12 +160,11 @@ checks:
 - cis: "6.1"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN r:^# && r:log_error\s*=\s*\S+\s*;'
- - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*;'
- - 'f:$mysql-cnfs -> r:log_error\s*$;'
- - id: 4010
+ - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*'
+
+ - id: 4510
 title: "Ensure Log Files are not Stored on a non-system partition"
 description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
 rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
@@ -174,13 +174,13 @@ checks:
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> NIN r:^# && r:log_bin= && !r:\s*/\S*\s*;'
- - 'f:$mysql-cnfs -> NIN r:^# && r:log_bin= && !r:\s*/var/\S*\s*;'
- - 'f:$mysql-cnfs -> NIN r:^# && r:log_bin= && !r:\s*/usr/\S*\s*;'
- - 'f:$mysql-cnfs -> r:log_bin\s*$;'
- - id: 4011
+ - 'f:$mysql-cnfs -> r:log_bin\s*$'
+ - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/var/\S*\s*'
+ - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/usr/\S*\s*'
+
+ - id: 4511
 title: "Ensure 'log_warning' is set to 2"
 description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
 rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
@@ -189,28 +189,26 @@ checks:
 - cis: "6.3"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:log_warnings\s*=\s*0;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:log_warnings\s*=\s*1;'
- - 'f:$mysql-cnfs -> !r:log_warnings\s*=\s*\d+;'
- - 'f:$mysql-cnfs -> r:log_warnings\s*$;'
- - id: 4012
+ - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2'
+
+ - id: 4512
 title: "Ensure 'log_raw' is set to 'OFF'"
 description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
 rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
 remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
 compliance:
- - cis: "6.5"
+ - cis: "6.4"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:log-raw\s*=\s*on;'
- - 'f:$mysql-cnfs -> r:log-raw\s*$;'
+ - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$'
+
 #7 Authentication
- - id: 4013
+ - id: 4513
 title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
 description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
 rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
@@ -222,13 +220,12 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
 - https://www.cvedetails.com/cve/CVE-2003-1480/
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:old_passwords\s*=\s*1;'
- - 'f:$mysql-cnfs -> IN !r:^# && r:old_passwords\s*=\s*on;'
- - 'f:$mysql-cnfs -> !r:old_passwords\s*=\s*2;'
- - 'f:$mysql-cnfs -> r:old_passwords\s*$;'
- - id: 4014
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1'
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on'
+
+ - id: 4514
 title: "Ensure 'secure_auth' is set to 'ON'"
 description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
 rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
@@ -237,12 +234,11 @@ checks:
 - cis: "7.2"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:secure_auth\s*=\s*off;'
- - 'f:$mysql-cnfs -> !r:secure_auth\s*=\s*on;'
- - 'f:$mysql-cnfs -> r:secure_auth\s*$;'
- - id: 4015
+ - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'
+
+ - id: 4515
 title: "Ensure Passwords Are Not Stored in the Global Configuration"
 description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
 rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
@@ -251,21 +247,22 @@ checks:
 - cis: "7.3"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:^\s*password\.*;'
- - id: 4016
+ - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*'
+
+ - id: 4516
 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
 description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
 rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
 remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
 compliance:
 - cis: "7.4"
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> !r:no_auto_create_user\s*$;'
- - 'f:$mysql-cnfs -> IN r:^# && r:\s*no_auto_create_user\s*$;'
- - id: 4017
+ - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$'
+
+ - id: 4517
 title: "Ensure Password Policy is in Place"
 description: "Password complexity includes password characteristics such as length, case, length, and character sets."
 rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
@@ -274,17 +271,18 @@ checks:
 - cis: "7.6"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
- condition: any
+ condition: none
 rules:
- - 'f:$mysql-cnfs -> !r:plugin-load\s*=\s*validate_password.so\s*$;'
- - 'f:$mysql-cnfs -> !r:validate-password\s*=\s*force_plus_permanent\s*$;'
- - 'f:$mysql-cnfs -> !r:validate_password_length\s*=\s*14\s$;'
- - 'f:$mysql-cnfs -> !r:validate_password_mixed_case_count\s*=\s*1\s*$;'
- - 'f:$mysql-cnfs -> !r:validate_password_number_count\s*=\s*1\s*$;'
- - 'f:$mysql-cnfs -> !r:validate_password_special_char_count\s*=\s*1;'
- - 'f:$mysql-cnfs -> !r:validate_password_policy\s*=\s*medium\s*;'
+ - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$;'
+ - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$;'
+ - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$;'
+ - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$;'
+ - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$;'
+ - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1;'
+ - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*;'
+
 #9 Replication
- - id: 4018
+ - id: 4518
 title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
 description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
 rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
@@ -293,8 +291,6 @@ checks:
 - cis: "9.2"
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
- condition: any
+ condition: all
 rules:
- - 'f:$mysql-cnfs -> IN !r:^# && r:master_info_repository\s*=\s*file;'
- - 'f:$mysql-cnfs -> !r:master_info_repository\s*=\s*table;'
- - 'f:$mysql-cnfs -> r:master_info_repository\s*$;'
+ - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table'
diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml
index 3ed148aa1..1f31131ac 100644
--- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml
+++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml
@@ -183,8 +183,7 @@ checks:
 - id: 4511
 title: "Ensure 'log_warning' is set to 2"
 description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
- rationale: "This might help to detect malicious behavior by logging communication errors and aborted
-connections."
+ rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
 remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
 - cis: "6.3"
@@ -206,87 +205,10 @@ connections." - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw condition: all rules: - - 'f:$mysql-cnfs -> !r^# && r:log-raw\s*off$' - - - id: 4513 - title: "Ensure audit_log_connection_policy is not set to 'NONE'" - description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. " - rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation." - remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file." - compliance: - - cis: "6.5" - condition: none - rules: - - 'f:$mysql-cnfs -> !r^# && r::audit_log_connection_policy\s*=\s*none' - - - id: 4514 - title: "Ensure audit_log_exclude_account is set to NULL" - description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log." - rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable." 
- remediation: "Set audit_log_exclude_accounts=NULL in my.cnf." - compliance: - - cis: "6.6" - condition: all - rules: - - 'f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$' - - - id: 4515 - title: "Ensure audit_log_include_accounts is set to NULL" - description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log." - rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log." - remediation: "Set audit_log_include_accounts=NULL in my.cnf." - compliance: - - cis: "6.7" - condition: all - rules: - - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$;' - - - id: 4516 - title: "Ensure audit_log_policy is set to log logins and connections" - description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled. It must be set to log logins and connections." - rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file." - remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';" - compliance: - - cis: "6.9" - condition: any - rules: - - 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy=ALL' - - - id: 4517 - title: "Ensure audit_log_statement_policy is set to ALL" - description: "This setting controls whether statements are written to the audit log." - rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log." - remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server." 
- compliance: - - cis: "6.10" - condition: all - rules: - - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*all$' - - - id: 4518 - title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS" - description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS." - rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead." - remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)." - compliance: - - cis: "6.11" - condition: all - rules: - - 'f:$mysql-cnfs -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous' - - - id: 4519 - title: "Make sure the audit plugin can't be unloaded" - description: "Set audit_log to FORCE_PLUS_PERMANENT." - rationale: "This makes disables unloading on the plugin." - remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)." - compliance: - - cis: "6.12" - condition: all - rules: - - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent' + - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$' #7 Authentication - - id: 4520 + - id: 4513 title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'" description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin" rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details." 
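Review bot: The rewritten log-raw rule `!r:^# && r:log-raw\s*off$` (under the `condition: all` shown in context) does not admit the `=` that a my.cnf option line carries, so `log-raw = OFF` or `log-raw=0` never matches and a compliant server is reported non-compliant; suggest `- 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*=\s*off$|log-raw\s*=\s*0$'` (the top-level `|` alternation is already used by other rules in this file). The rest of the hunk moves the audit checks 4513–4519 to the end of the file and renumbers 4520–4525 down to 4513–4518; because alerts, saved searches and suppressions key on these ids and the old and new 4513–4518 now describe different controls, the renumbering is worth stating in the commit message.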
@@ -303,7 +225,7 @@ connections." - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1' - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on' - - id: 4521 + - id: 4514 title: "Ensure 'secure_auth' is set to 'ON'" description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format." rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)." @@ -316,7 +238,7 @@ connections." rules: - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on' - - id: 4522 + - id: 4515 title: "Ensure Passwords Are Not Stored in the Global Configuration" description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)." rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password." @@ -329,7 +251,7 @@ connections." rules: - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*' - - id: 4523 + - id: 4516 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'" description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided." rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password." 
@@ -340,7 +262,7 @@ connections." rules: - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$' - - id: 4524 + - id: 4517 title: "Ensure Password Policy is in Place" description: "Password complexity includes password characteristics such as length, case, length, and character sets." rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." @@ -360,7 +282,7 @@ connections." - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*;' #9 Replication - - id: 4525 + - id: 4518 title: "Ensure 'master_info_repositrory' is set to 'TABLE'" description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well." rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using." 
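Review bot: The `sql_mode` check renumbered to 4516 keeps the context rule `r:^# && r:\s*no_auto_create_user\s*$`, whose first term is not negated, so only a commented-out line can satisfy it and an active `sql_mode = NO_AUTO_CREATE_USER` setting is never credited. The line is untouched by this commit, but it is the `!r:^#` idiom every neighbouring rule uses; the fix is `- 'f:$mysql-cnfs -> !r:^# && r:sql_mode && r:no_auto_create_user'`, which also tolerates the value appearing in a comma-separated list rather than at end of line.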
@@ -372,3 +294,81 @@ connections." condition: all rules: - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table' + +#10 Enterprise rules +- id: 4519 + title: "Ensure audit_log_connection_policy is not set to 'NONE'" + description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. " + rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation." + remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file." + compliance: + - cis: "6.5" + condition: none + rules: + - 'f:$mysql-cnfs -> !r:^# && r::audit_log_connection_policy\s*=\s*none' + + - id: 4520 + title: "Ensure audit_log_exclude_account is set to NULL" + description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log." + rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable." 
+ remediation: "Set audit_log_exclude_accounts=NULL in my.cnf." + compliance: + - cis: "6.6" + condition: all + rules: + - 'f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$' + + - id: 4521 + title: "Ensure audit_log_include_accounts is set to NULL" + description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log." + rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log." + remediation: "Set audit_log_include_accounts=NULL in my.cnf." + compliance: + - cis: "6.7" + condition: all + rules: + - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$;' + + - id: 4522 + title: "Ensure audit_log_policy is set to log logins and connections" + description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled. It must be set to log logins and connections." + rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file." + remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';" + compliance: + - cis: "6.9" + condition: any + rules: + - 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy=ALL' + + - id: 4523 + title: "Ensure audit_log_statement_policy is set to ALL" + description: "This setting controls whether statements are written to the audit log." + rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log." + remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server." 
+ compliance: + - cis: "6.10" + condition: all + rules: + - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*all$' + + - id: 4524 + title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS" + description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS." + rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead." + remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)." + compliance: + - cis: "6.11" + condition: all + rules: + - 'f:$mysql-cnfs -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous' + + - id: 4525 + title: "Make sure the audit plugin can't be unloaded" + description: "Set audit_log to FORCE_PLUS_PERMANENT." + rationale: "This makes disables unloading on the plugin." + remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)." + compliance: + - cis: "6.12" + condition: all + rules: + - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent' From 5380fde166264dcd11a7cd4eb91356e59a8a390f Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 28 May 2019 15:12:39 +0200 Subject: [PATCH 024/247] Adapt Apache policies --- sca/applications/cis_apache2224_rcl.yml | 617 +++++++----------------- 1 file changed, 178 insertions(+), 439 deletions(-) diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224_rcl.yml index 0d77d86af..86cbf49d0 100644 --- a/sca/applications/cis_apache2224_rcl.yml +++ b/sca/applications/cis_apache2224_rcl.yml 
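Review bot: In the re-added enterprise block, `- id: 4519` is rendered at column 0 (`+- id: 4519`) while the sibling entries (`+ - id: 4520` and later) and every earlier `checks` item carry leading indentation; if that reflects the file, the sequence item sits at mapping level and the whole policy fails to parse, so none of its checks run — the first entry should be indented exactly like `- id: 4520`. Within the moved rules, 4519 uses `r::audit_log_connection_policy…` (double colon), which matches a literal leading `:` that no option line has, so under `condition: none` the check passes even with `audit_log_connection_policy = NONE`; it should read `- 'f:$mysql-cnfs -> !r:^# && r:audit_log_connection_policy\s*=\s*none'`. 4525 under `condition: all` negates its only rule (`!r:^audit_log\s*=\s*force_plus_permanent`), so it passes precisely when the required line is absent; it should be `- 'f:$mysql-cnfs -> !r:^# && r:audit_log\s*=\s*force_plus_permanent'`. 4523's `audit_log_statement_policy\s*all$` and 4522's `audit_log_policy=ALL` likewise omit a `\s*=\s*` separator and will not match the spaced form the remediation text describes. These blocks are moved verbatim, so the defects predate the commit, but the move is the natural point to fix them.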
@@ -22,17 +22,17 @@ policy: requirements: title: "Check that Apache is installed on the system" description: "Requirements for running the SCA scan against the Apache policy." - condition: "all required" + condition: all rules: - - 'f:/etc/apache2/apache2.conf;' + - 'f:/etc/apache2/apache2.conf' variables: - $main-conf: /etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf; - $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled,/etc/httpd/conf.d,/etc/httpd/modsecurity.d; - $ssl-confs: /etc/apache2/mods-enabled/ssl.conf,/etc/httpd/conf.d/ssl.conf; - $mods-en: /etc/apache2/mods-enabled; - $request-confs: /etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf; - $traceen: /etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf,/etc/apache2/conf-enabled/security.conf; + $main-conf: /etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf + $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled,/etc/httpd/conf.d,/etc/httpd/modsecurity.d + $ssl-confs: /etc/apache2/mods-enabled/ssl.conf,/etc/httpd/conf.d/ssl.conf + $mods-en: /etc/apache2/mods-enabled + $request-confs: /etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf + $traceen: /etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf,/etc/apache2/conf-enabled/security.conf #2.3 Disable WebDAV Modules checks: 
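Review bot: The requirements block still gates the whole policy on `f:/etc/apache2/apache2.conf` under `condition: all`, although `$main-conf`, `$conf-dirs` and `$ssl-confs` just below add the `/etc/httpd/...` paths, so on hosts that only have httpd the policy is skipped and every httpd rule in it is dead. Suggest `condition: any` with both entry points, `- 'f:/etc/apache2/apache2.conf'` and `- 'f:/etc/httpd/conf/httpd.conf'`.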
@@ -47,12 +47,13 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_dav.html - https://httpd.apache.org/docs/2.4/mod/mod_dav.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\sdav;' - - 'd:$conf-dirs -> load -> IN !r:^# && r:loadmodule\sdav;' - - 'f:/etc/httpd/conf.d -> IN !r:^# && r:loadmodule\sdav;' - - 'd:$mods-en -> dav.load;' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav' + - 'd:$mods-en -> dav.load' + #2.4 Disable Status Module - id: 3501 title: "Ensure the Status Module Is Disabled" @@ -65,12 +66,13 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_status.html - https://httpd.apache.org/docs/2.4/mod/mod_status.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\sstatus;' - - 'd:$conf-dirs -> load -> IN !r:^# && r:loadmodule\sstatus;' - - 'f:/etc/httpd/conf.d -> IN !r:^# && r:loadmodule\sstatus;' - - 'd:$mods-en -> status.load;' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus' + - 'd:$mods-en -> status.load' + #2.5 Disable Autoindex Module - id: 3502 title: "Ensure the Autoindex Module Is Disabled" 
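Review bot: The third rule `f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav` applies a file rule to a directory (`/etc/httpd/conf.d` is listed as a directory in `$conf-dirs`), so it can never read a line and contributes nothing; that directory is already covered by the `d:$conf-dirs -> conf -> …` rule above it, so the line can simply be dropped. The same line recurs in the status hunk (`@@ -65,12 +66,13 @@`) and in `@@ -83`, `@@ -101` and `@@ -119` on the following lines, while the info-module hunk (`@@ -137,12 +142,13 @@`) repeats its `conf` rule in that position instead of adding anything.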
@@ -83,12 +85,13 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\sautoindex;' - - 'd:$conf-dirs -> load -> IN !r:^# && r:loadmodule\sautoindex;' - - 'f:/etc/httpd/conf.d -> IN !r:^# && r:loadmodule\sautoindex;' - - 'd:$mods-en -> autoindex.load;' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex' + - 'd:$mods-en -> autoindex.load' + #2.6 Disable Proxy Modules - id: 3503 title: "Ensure the Proxy Modules Are Disabled" @@ -101,12 +104,13 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\sproxy;' - - 'd:$conf-dirs -> load -> IN !r:^# && r:loadmodule\sproxy;' - - 'f:/etc/httpd/conf.d -> IN !r:^# && r:loadmodule\sproxy;' - - 'd:$mods-en -> proxy.load;' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy' + - 'd:$mods-en -> proxy.load' + #2.7 Disable User Directories Modules - id: 3504 title: "Ensure the User Directories Module Is Disabled" 
@@ -119,12 +123,13 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\suserdir;' - - 'd:$conf-dirs -> load -> IN !r:^# && r:loadmodule\suserdir;' - - 'f:/etc/httpd/conf.d -> IN !r:^# && r:loadmodule\suserdir;' - - 'd:$mods-en -> userdir.load;' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir' + - 'd:$mods-en -> userdir.load' + #2.8 Disable Info Module - id: 3505 title: "Ensure the Info Module Is Disabled" @@ -137,12 +142,13 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_info.html - https://httpd.apache.org/docs/2.4/mod/mod_info.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\sinfo;' - - 'd:$conf-dirs -> load -> IN !r:^# && r:loadmodule\sinfo;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:loadmodule\sinfo;' - - 'd:$mods-en -> info.load;' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' + - 'd:$mods-en -> info.load' + #3.2 Give the Apache User Account an Invalid Shell - id: 3506 title: "Ensure the Apache User Account Has an Invalid Shell" @@ -152,9 +158,10 @@ checks: compliance: - cis: "3.2" - cis_csc: "16" - condition: any + condition: all rules: - - 'f:/etc/passwd -> NIN r:/var/www && r:\.*/bin/false$|/sbin/nologin$;' + - 'f:/etc/passwd -> r:/var/www && r:\.*/bin/false$|/sbin/nologin$' + #3.3 Lock the Apache User Account - id: 3507 title: "Ensure the Apache User Account Is Locked" 
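Review bot: The new `condition: all` rule for 3.2 (`@@ -152,9 +158,10 @@`), `r:/var/www && r:\.*/bin/false$|/sbin/nologin$`, only credits a passwd entry whose home directory contains `/var/www`; as far as I recall the httpd package's `apache` account is created with a home outside `/var/www`, so on those hosts the check fails regardless of the shell. Keying on the account names that the next hunk's shadow check already uses would be consistent and distribution-neutral: `- 'f:/etc/passwd -> r:^www-data|^apache|^wwwrun && r:/bin/false$|/sbin/nologin$'`.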
@@ -164,15 +171,16 @@ checks: compliance: - cis: "3.3" - cis_csc: "16" - condition: any + condition: all rules: - - 'f:/etc/shadow -> NIN r:^daemon|^wwwrun|^www-data|^apache && r:\p!\.*$;' + - 'f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && r:\p!\.*$' + #4.4 Restrict Override for All Directories - id: 3508 title: "Ensure OverRide Is Disabled for All Directories" description: "When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files." rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." - remediation: "Search the Apache configuration files ( httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." + remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." compliance: - cis: "4.4" - cis_csc: "14.4" 
@@ -180,12 +188,13 @@ checks: - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> NIN !r:^# && r:\w+ && r:allowoverride && r:none$;' - - 'd:$conf-dirs -> conf -> NIN !r:^# && r:\w+ && r:allowoverridelist;' - - 'f:$main-conf -> NIN !r:^# && r:\w+ && r:allowoverride && r:none$;' - - 'f:$main-conf -> NIN !r:^# && r:\w+ && r:allowoverridelist;' + - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' + - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' + - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && r:none$' + - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' + #5.3 Minimize Options for Other Directories - id: 3509 title: "Ensure Options for Other Directories Are Minimized" @@ -200,10 +209,11 @@ checks: - https://httpd.apache.org/docs/2.2/mod/core.html#options - https://httpd.apache.org/docs/2.4/mod/core.html#options - https://httpd.apache.org/docs/2.4/mod/mod_include.html - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:options\sincludes;' - - 'f:$main-conf -> IN !r:^# && r:options\sincludes;' + - 'd:$conf-dirs -> conf -> !r:^# && r:options\sincludes' + - 'f:$main-conf -> !r:^# && r:options\sincludes' + #5.4.1 Remove default index.html sites - id: 3510 title: "Ensure Default HTML Content Is Removed (index.html)" @@ -213,10 +223,11 @@ checks: compliance: - cis: "5.4" - cis_csc: "18.9" - condition: any + condition: none rules: - - 'd:/var/www -> index.html;' - - 'd:/var/www/html -> index.html;' + - 'd:/var/www -> index.html' + - 'd:/var/www/html -> index.html' + #5.4.2 Remove the Apache user manual - id: 3511 title: "Ensure Default HTML Content Is Removed (Apache user manual)" 
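Review bot: In the AllowOverride hunk the third rule keeps `r:none$` while its siblings were changed to `!r:none$`; under `condition: none` that means a compliant `AllowOverride None` in `$main-conf` matches and fails check 4.4, whereas `AllowOverride All` in the same file passes. It should be `- 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$'`. Note also that `r:allowoverride` is a substring of `allowoverridelist`, so once both use `!r:none$` the two `allowoverridelist` rules are subsumed by the `allowoverride` ones.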
@@ -226,10 +237,11 @@ checks: compliance: - cis: "5.4" - cis_csc: "18.9" - condition: any + condition: none rules: - - 'd:/etc/httpd/conf.d -> manual.conf;' - - 'd:/etc/apache2/conf-enabled -> apache2-doc.conf;' + - 'd:/etc/httpd/conf.d -> manual.conf' + - 'd:/etc/apache2/conf-enabled -> apache2-doc.conf' + #5.4.5 Verify that no Handler is enabled - id: 3512 title: "Ensure Default HTML Content Is Removed (Handler)" @@ -239,10 +251,11 @@ checks: compliance: - cis: "5.4" - cis_csc: "18.9" - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:/wsethandler;' - - 'f:$main-conf -> IN !r:^# && r:/wsethandler;' + - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler' + - 'f:$main-conf -> !r:^# && r:/wsethandler' + #5.5 Remove default CGI content printenv - id: 3513 title: "Ensure the Default CGI Content printenv Script Is Removed" @@ -252,10 +265,11 @@ checks: compliance: - cis: "5.5" - cis_csc: "18" - condition: any + condition: none rules: - - 'd:/var/www/cgi-bin -> printenv;' - - 'd:/usr/lib/cgi-bin -> printenv;' + - 'd:/var/www/cgi-bin -> printenv' + - 'd:/usr/lib/cgi-bin -> printenv' + #5.6 Remove default CGI content test-cgi - id: 3514 title: "Ensure the Default CGI Content test-cgi Script Is Removed" @@ -265,10 +279,11 @@ checks: compliance: - cis: "5.6" - cis_csc: "18.9" - condition: any + condition: none rules: - - 'd:/var/www/cgi-bin -> test-cgi;' - - 'd:/usr/lib/cgi-bin -> test-cgi;' + - 'd:/var/www/cgi-bin -> test-cgi' + - 'd:/usr/lib/cgi-bin -> test-cgi' + #5.7 Limit HTTP Request Method - id: 3515 title: "Ensure HTTP Request Methods Are Restricted" 
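Review bot: The handler rules in `@@ -239,10 +251,11 @@` match the literal text `/wsethandler` (`r:/wsethandler`), which no Apache configuration contains, so check 3512 under `condition: none` passes unconditionally; the `/w` looks like a mis-typed `\w` or `\s`. The intent is presumably to catch an active `SetHandler` directive, i.e. `- 'd:$conf-dirs -> conf -> !r:^# && r:sethandler'` and `- 'f:$main-conf -> !r:^# && r:sethandler'`. The pattern is carried over from the old rule, so this predates the commit.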
@@ -282,9 +297,10 @@ checks: - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept - https://www.ietf.org/rfc/rfc2616.txt - https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept - condition: any + condition: all rules: - - 'f:$main-conf -> !r:;' + - 'f:$main-conf -> r:limitexcept && r:get && r:head && r:post && r:options' + #5.8 Disable HTTP Trace Method - id: 3516 title: "Ensure the HTTP TRACE Method Is Disabled" 
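Review bot: The rewritten 5.7 rule requires `head` on the same line as `limitexcept`, but the CIS remediation it checks for is `<LimitExcept GET POST OPTIONS>` (Apache applies a GET limit to HEAD as well), so a configuration that follows the benchmark fails this check; it also has no `!r:^#` guard. Suggest `- 'f:$main-conf -> !r:^# && r:limitexcept && r:get && r:post && r:options'`. On Debian the `<Directory>` blocks usually live under `sites-enabled` rather than `$main-conf`, so a matching `d:$conf-dirs -> conf -> …` rule would be worth adding too.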
@@ -298,48 +314,10 @@ checks: - https://www.ietf.org/rfc/rfc2616.txt - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable - condition: any + condition: none rules: - - 'f:$traceen -> IN !r:^# && r:traceenable\s+on\s*$;' -#5.9 Restrict HTTP Protocol Versions - - id: 3517 - title: "Ensure Old HTTP Versions Are Disallowed" - description: "The Apache modules mod_rewrite and mod_security can be used to disallow old and invalid HTTP versions. The HTTP version 1.1 RFC is dated June 1999 and has been supported by Apache since version 1.2, so it should no longer be necessary to allow ancient versions of HTTP prior to 1.1." - rationale: "Many malicious automated programs, vulnerability scanners, and fingerprinting tools send requests using old HTTP versions to see how the web server responds. These requests are usually part of the attacker's enumeration process." - remediation: "Load the mod_rewrite module, add the RewriteEngine directive to the configuration within the global server context with the value of on so the rewrite engine is enabled. Locate the main Apache configuration file such as httpd.conf and add a condition to match HTTP/1.1 and the rewrite rule to the top server level configuration to disallow other protocol versions." 
- compliance: - - cis: "5.9" - - cis_csc: "9.1" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html - - https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html - condition: any - rules: - - 'f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite;' - - 'd:$mods-en -> !f:rewrite.load;' - - 'f:$main-conf -> !r:rewriteengine\son;' - - 'f:$main-conf -> NIN r:rewritecond && r:%{THE_REQUEST} && r:!HTTP/1\\.1\$;' - - 'f:$main-conf -> NIN r:rewriterule && r:.* - [F];' -#5.12 Deny IP Address Based Requests - - id: 3518 - title: "Ensure IP Address Based Requests Are Disallowed" - description: "The Apache module mod_rewrite should disallow access for requests that use an IP address instead of a host name for the URL. Most normal access to the website from browsers and automated software will use a hostname, and will therefore include the hostname in the HTTP HOST header." - rationale: "A common malware propagation and automated network scanning technique is to use IP addresses rather than hostnames for web requests, since it's simpler to automate. By denying IP-based web requests, these automated techniques will be denied access to the website." - remediation: "Load the mod_rewrite module for Apache. Add the RewriteEngine directive to the configuration within the global server context with the value of on. Locate the Apache configuration file such as httdp.conf and add a condition to match the expected host name of the top server level configuration." 
- compliance: - - cis: "5.12" - - cis_csc: "9.1" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html - - https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html - condition: any - rules: - - 'f:/etc/httpd/conf/httpd.conf -> !r:loadmodule\srewrite;' - - 'd:$mods-en -> !f:rewrite.load;' - - 'f:$main-conf -> !r:rewriteengine\son;' - - 'f:$main-conf -> NIN r:rewritecond && r:%{HTTP_HOST} && r:www\\.\w+\\.\w+ [NC]$;' - - 'f:$main-conf -> NIN r:rewritecond && r:%{REQUEST_URI} && r:/error [NC]$;' - - 'f:$main-conf -> NIN r:rewriterule && r:.\(.*\) - [L,F]$;' + - 'f:$traceen -> !r:^# && r:traceenable\s+on\s*$' + #5.13 Restrict Listen Directive - id: 3519 title: "Ensure the IP Addresses for Listening for Requests Are Specified" 
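Review bot: The TRACE check now passes whenever no uncommented `TraceEnable on` line exists, but Apache's `TraceEnable` default is `on`, so a configuration with no directive at all passes 5.8 while TRACE stays enabled; the deleted `traceenable\s*$` rule was also the only guard against a bare directive. Requiring the explicit off setting is safer: `condition: all` with `- 'f:$traceen -> !r:^# && r:traceenable\s+off\s*$'`. The hunk also removes checks 3517 (5.9) and 3518 (5.12) outright; the commit message only says the policies were adapted, so the reason for dropping those two controls is worth recording.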
@@ -352,20 +330,21 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen - condition: any - rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:listen\s80$;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:listen\s0.0.0.0\p80;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p80;' - - 'f:$main-conf -> IN !r:^# && r:listen\s80$;' - - 'f:$main-conf -> IN !r:^# && r:listen\s0.0.0.0\p\d*;' - - 'f:$main-conf -> IN !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;' - - 'f:/etc/apache2/sites-enabled/000-default.conf -> IN !r:^# && r:listen\s80$;' - - 'f:/etc/apache2/sites-enabled/000-default.conf -> IN !r:^# && r:listen\s0.0.0.0\p\d*;' - - 'f:/etc/apache2/sites-enabled/000-default.conf -> IN !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;' - - 'f:/etc/apache2/ports.conf -> IN !r:^# && r:listen\s80$;' - - 'f:/etc/apache2/ports.conf -> IN !r:^# && r:listen\s0.0.0.0\p\d*;' - - 'f:/etc/apache2/ports.conf -> IN !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p\d*;' + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s(\d+)$' + - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' + - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' + - 'f:$main-conf -> !r:^# && r:listen\s(\d+)$' + - 'f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' + - 'f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' + - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s(\d+)$' + - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' + - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' + - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s(\d+)$' + - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' + - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' + #5.14 Restrict Browser Frame Options - id: 3520 title: 
"Ensure Browser Framing Is Restricted" 
@@ -380,15 +359,16 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header - https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header - https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx - condition: any + condition: all rules: - - 'f:$main-conf -> NIN r:header\salways\sappend\sx-frame-options && r:sameorigin|deny;' + - 'f:$main-conf -> r:header\salways\sappend\sx-frame-options && r:sameorigin|deny' + #6.1 Configure the Error Log to notice at least - id: 3521 title: "Ensure the Error Log Filename and Severity Level Are Configured Correctly" description: "The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log filename. The log level values are the standard syslog levels of emerg , alert , crit , error , warn , notice , info and debug . The recommended level is notice , so that all errors from the emerg level through the notice level will be logged." rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred." - remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configuredif the virtual host will have different people responsible for the web site." + remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. 
Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site." compliance: - cis: "6.1" - cis_csc: "6.2" @@ -399,10 +379,11 @@ checks: - https://httpd.apache.org/docs/2.4/logs.html - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog - condition: any + condition: all rules: - - 'f:$main-conf -> IN !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice;' - - 'f:$main-conf -> NIN r:loglevel\snotice\score\p && r:info|debug;' + - 'f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice' + - 'not f:$main-conf -> r:loglevel\snotice\score\p && r:info|debug' + #6.2 Configure a Syslog facility for Error Log - id: 3522 title: "Ensure a Syslog Facility Is Configured for Error Logging" @@ -419,9 +400,10 @@ checks: - https://httpd.apache.org/docs/2.4/logs.html - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog - condition: any + condition: all rules: - - 'f:$main-conf -> !r:errorlog\s+\p*syslog\p\.*\p*;' + - 'f:$main-conf -> r:errorlog\s+\p*syslog\p\.*\p*' + #7.6 Disable SSL Insecure Renegotiation - id: 3523 title: "Ensure Insecure SSL Renegotiation Is Not Enabled" @@ -436,10 +418,10 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555 - https://azure.microsoft.com/en-us/services/multi-factor-authentication/ - condition: any + condition: none rules: - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on\s*;' - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslinsecurerenegotiation\s*$;' + - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on' + #7.7 Ensure SSL Compression is not enabled - id: 3524 title: "Ensure SSL Compression is Not Enabled" 
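Review bot: The rewritten X-Frame-Options rule of check 3520 has no `!r:^#` guard, so a commented-out `# Header always append X-Frame-Options SAMEORIGIN` satisfies `condition: all` and the check passes on a server that sends no such header, while the neighbouring hunks keep the guard. Suggested line: `- 'f:$main-conf -> !r:^# && r:header\salways\sappend\sx-frame-options && r:sameorigin|deny'`. The same omission applies to the syslog rule of check 3522 on this line (`r:errorlog\s+\p*syslog\p\.*\p*`), and to the `not` rule of 3521, where a commented line instead causes a spurious failure.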
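Review bot: The new LogLevel rules of check 3521 fail on the value the remediation on this same line recommends, `LogLevel notice core:info`: that line contains the word `notice`, so it satisfies the first rule's `r:warn|emerg|alert|crit|error|notice` alternation, and the `not … r:info|debug` rule then rejects it, so under `condition: all` the check fails; if I read the old `IN`/`NIN` pair correctly, it required `info`/`debug` for core rather than forbidding it, so the migration inverted the intent. A single positive rule expresses the CIS value without the alternation that matches `notice` in every line: `- 'f:$main-conf -> !r:^# && r:^loglevel\snotice\score\pinfo'` (add `|debug` after `info` if a more verbose core level should also pass). The `not` rule also lacks the `!r:^#` guard, so a commented-out example line would trip it.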
@@ -454,77 +436,10 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression - https://en.wikipedia.org/wiki/CRIME_(security_exploit) - condition: any + condition: none rules: - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslcompression\s+on\s*;' - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslcompression\s*$;' -#7.8 Disable SSL TLS v1.0 Protocol - - id: 3525 - title: "Ensure Medium Strength SSL/TLS Ciphers Are Disabled" - description: "The SSLCipherSuite directive specifies which ciphers are allowed in the negotiation with the client. Disable the medium strength ciphers such as Triple DES (3DES) and IDEA by adding !3DES and !IDEA in the SSLCipherSuite directive." - rationale: "Although Triple DES was a trusted standard in the past, several vulnerabilities for it have been published over the years and it is no longer considered secure." - remediation: "Add or modify the following line in the Apache server level configuration and every virtual host that is SSL/TLS enabled: SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!MD5:!RC4:!aNULL:!3DES:!IDEA" - compliance: - - cis: "7.8" - - cis_csc: "14.2" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite - - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder - - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite - - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslhonorcipherorder - - https://sweet32.info/ - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183 - - https://github.com/rbsec/sslscan - - https://www.openssl.org/ - condition: any - rules: - - 'f:$ssl-confs -> !r:^\t*\s*sslprotocol;' - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslprotocol\s+all;' - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslprotocol\s+\.*tlsv1\P\s*;' - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslprotocol\s+\.*sslv2\P\s*;' - - 'f:$ssl-confs -> IN !r:^\t*\s*# && r:sslprotocol\s+\.*sslv3\P\s*;' -#7.9 Enable OCSP Stapling - - id: 3526 - title: "Enable OCSP Stapling" - 
description: "The OCSP (Online Certificate Status Protocol) provides the current revocation status of an X.509 certificate and allows for a certificate authority to revoke the validity of a signed certificate before its expiration date." - rationale: "The OCSP protocol is a big improvement over CRLs (certificate revocation lists) for checking if a certificate has been revoked. The OCSP stapling improves the situation by having the SSL server 'staple' an OCSP response, signed by the OCSP server, to the certificate it presents to the client. This obviates the need for the client to ask the OCSP server for status information on the server certificate." - remediation: "Add or modify the SSLUseStapling directive to have a value of on in the Apache server level configuration and every virtual host that is SSL enabled." - compliance: - - cis: "7.10" - - cis_csc: "14.2" - references: - - https://en.wikipedia.org/wiki/OCSP_stapling - - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html- - condition: any - rules: - - 'f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+ssl;' - - 'd:$mods-en -> !f:ssl.load;' - - 'f:$ssl-confs -> IN !r:\t*\s*# && r:sslusestapling\s+off;' - - 'f:$ssl-confs -> !r:\t*\s*sslusestapling\s+on;' - - 'f:$ssl-confs -> !r:\t*\s*sslstaplingcache\s+\.+;' -#7.10 Enable HTTP Strict Transport Security - - id: 3527 - title: "Ensure HTTP Strict Transport Security Is Enabled" - description: "HTTP Strict Transport Security (HSTS) is an optional web server security policy mechanism specified by an HTTP Server header." - rationale: "Usage of HTTP Strict Transport Security (HSTS) helps protect HSTS-compliant browsers and other agents from HTTP downgrade attacks. Downgrade attacks include a variety of man-in-the-middle attacks which leave the web communication vulnerable to disclosure and modification by forcing the usage of HTTP rather than HTTPS communication." 
- remediation: "Add a Header directive as shown below in the Apache server level configuration and every virtual host that is SSL enabled. The includeSubDomains and preload flags may be included in the header, but are not required." - compliance: - - cis: "7.10" - - cis_csc: "14.2" - references: - - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security - - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security - - https://moxie.org/software/sslstrip/ - - https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security - - https://hstspreload.appspot.com/ - condition: any - rules: - - 'f:/etc/apache2/apache2.conf -> !r:Header\salways\sset\sStrict-Transport-Security\s"max-age=\d\d\d\d*";' - - 'f:/etc/apache2/apache2.conf -> IN !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=1\d\d";' - - 'f:/etc/apache2/apache2.conf -> IN !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=2\d\d";' - - 'f:/etc/apache2/apache2.conf -> IN !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=3\d\d";' - - 'f:/etc/apache2/apache2.conf -> IN !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=4\d\d";' - - 'f:/etc/apache2/apache2.conf -> IN !r:^# && r:Header\salways\sset\sStrict-Transport-Security\s"max-age=5\d\d";' + - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on' + #8.1 Set ServerToken to Prod or ProductOnly - id: 3528 title: "Ensure ServerTokens Provides Minimal Information" 
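Review bot: Checks 3525 (SSLProtocol), 3526 (OCSP stapling) and 3527 (HSTS) are deleted outright rather than rewritten to the new rule syntax, and nothing on the page says why, so the policy silently loses its CIS 7.8–7.10 coverage. If the old `IN`/`NIN` rules cannot be expressed any more, the commit message should say so; otherwise the SSLProtocol rules look expressible with the same `condition: none` / `!r:^\t*\s*# && r:` form used for 3524 in this hunk (e.g. `- 'f:$ssl-confs -> !r:^\t*\s*# && r:sslprotocol\s+all'`), and the stapling and HSTS checks as positive `condition: all` rules (`r:sslusestapling\s+on`, the `Strict-Transport-Security` header line). The 3524 rewrite itself looks right.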
@@ -536,14 +451,15 @@ checks: - cis_csc: "18.9" references: - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens - condition: any - rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:servertokens\s+major;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:servertokens\s+minor;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:servertokens\s+min;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:servertokens\s+minimal;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:servertokens\s+os;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:servertokens\s+full;' + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full' + #8.2: Set ServerSignature to Off - id: 3529 title: "Ensure ServerSignature Is Not Enabled" @@ -556,10 +472,11 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^# && r:serversignature\s+email;' - - 'd:$conf-dirs -> conf -> IN !r:^# && r:serversignature\s+on;' + - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email' + - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on' + #8.3: Prevent Information Leakage via Default Apache Content - id: 3530 title: "Ensure All Default Apache Content Is Removed" 
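Review bot: Check 3528 passes on a configuration that never sets `ServerTokens`, because `condition: none` only asserts that no `major|minor|min|minimal|os|full` line exists, while httpd's built-in default for the directive is `Full`; the removed rule set had the same gap, but the migration is the moment to close it. A positive form — `condition: all` with `- 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+prod'` — would require the CIS value (`Prod`/`ProductOnly`) to be present; worth confirming how a `d:` rule over several files behaves under `all` before switching. Separately, `r:servertokens\s+min` already matches `minor` and `minimal`, so two of the six rules are redundant.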
@@ -569,10 +486,11 @@ checks: compliance: - cis: "8.4" - cis_csc: "18.9" - condition: any + condition: none rules: - - 'd:$conf-dirs -> conf -> IN !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf;' - - 'd:$conf-dirs -> conf -> IN !r:^\t*\s*# && r:alias\s*/icons/\s*\.*;' + - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf' + - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*' + #9.1:Set TimeOut to 10 or less - id: 3531 title: "Ensure the TimeOut Is Set Properly" @@ -585,27 +503,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#timeout - https://httpd.apache.org/docs/2.4/mod/core.html#timeout - condition: any - rules: - - 'f:$main-conf -> IN !r:^# && r:timeout\s+9\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+8\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+7\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+6\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+5\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+4\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+3\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+2\d;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+11;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+12;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+13;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+14;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+15;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+16;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+17;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+18;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+19;' - - 'f:$main-conf -> !r:^timeout\s+\d\d*;' - - 'f:$main-conf -> IN !r:^# && r:timeout\s+\d\d\d+;' + condition: all + rules: + - 'f:$main-conf -> !r:^# && n:timeout\s+(\d+) compare <= 10' + #9.2:Set the KeepAlive directive to On - id: 3532 title: "Ensure KeepAlive Is Enabled" 
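Review bot: The TimeOut rule of check 3531 is not anchored, and the SCA regex matches anywhere in a line, so the number it compares can come from `KeepAliveTimeout 5` instead of `TimeOut`: a file with `TimeOut 300` plus the stock `KeepAliveTimeout 5` satisfies `n:timeout\s+(\d+) compare <= 10` on the latter line and the check passes. Anchoring fixes it and matches the `^limitrequest…` style used further down: `- 'f:$main-conf -> !r:^# && n:^timeout\s+(\d+) compare <= 10'`. The KeepAliveTimeout rule of 3534 and the `body` rule of 3536 have the same shape — unanchored and without a `!r:^#` guard — so a commented-out example line carrying a small value satisfies them.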
@@ -618,10 +519,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive - condition: any + condition: none rules: - - 'f:$main-conf -> IN !r:^# && r:keepalive\s+off;' - - 'f:$main-conf -> !r:keepalive\s+on;' + - 'f:$main-conf -> !r:^# && r:keepalive\s+off' + #9.3:Set MaxKeepAliveRequests to 100 or greater - id: 3533 title: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater." @@ -634,9 +535,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests - condition: any + condition: all rules: - - 'f:$main-conf -> !r:^maxkeepaliverequests\s+\d\d\d+;' + - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare >= 100' + #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service - id: 3534 title: "Ensure the KeepAliveTimeout Is Set Properly" 
@@ -649,22 +551,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout - condition: any - rules: - - 'f:$main-conf -> !r:keepalivetimeout\s+\d\d*;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+16;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+17;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+18;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+19;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+2\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+3\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+4\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+5\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+6\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+7\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+8\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+9\d;' - - 'f:$main-conf -> IN !r:^# && r:keepalivetimeout\s+\d\d\d+;' + condition: all + rules: + - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15' + #9.5 Set Timeout Limits for Request Headers - id: 3535 title: "Ensure Timeout Limits for Request Headers Are Set Properly" 
@@ -679,26 +569,12 @@ checks: - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html - condition: any - rules: - - 'f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout;' - - 'd:$mods-en -> !f:reqtimeout.load;' - - 'f:$request-confs -> !r:^\t*\s*requestreadtimeout\.+header\p\d\d*\D\d\d*;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D41;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D42;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D43;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D44;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D45;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D46;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D47;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D48;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D49;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D5\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D6\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D7\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D8\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D9\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+header\p\d\d\D\d\d\d+;' + condition: all + rules: + - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout' + - 'd:$mods-en -> f:reqtimeout.load' + - 'f:$request-confs -> 
n:^\t*\s*requestreadtimeout\.+header\p(\d+) compare <= 40' + #9.6 Set Timeout Limits for Request Body - id: 3536 title: "Ensure Timeout Limits for the Request Body Are Set Properly" 
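Review bot: Under `condition: all` the two module rules of check 3535 cannot both hold on one host — `f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout` is the RHEL layout and `d:$mods-en -> f:reqtimeout.load` the Debian one — so as written the check fails everywhere, whereas the old negated-`any` form tolerated one of them being absent. The header rule also captures the wrong number for the CIS-recommended `RequestReadTimeout header=20-40`: `header\p(\d+)` takes the initial timeout (20), so `header=20-600` passes `compare <= 40`; the upper bound is the second number (the removed rule's `\d\d*\D\d\d*` shape), keeping in mind that the single-value `header=40` form is also valid. Check 3536 at the next hunk repeats the module pair and needs the same treatment. The check's compliance and description lines are above the hunk.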
@@ -711,27 +587,12 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html - condition: any - rules: - - 'f:/etc/httpd/conf/httpd.conf -> !r:^loadmodule\s+reqtimeout;' - - 'd:$mods-en -> !f:reqtimeout.load;' - - 'f:$request-confs -> !r:\t*\s*requestreadtimeout\.+body\p\d\d*;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p21;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p22;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p23;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p24;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p25;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p26;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p27;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p28;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p29;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p4\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p5\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p6\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p7\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p8\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p9\d;' - - 'f:$request-confs -> IN !r:^\t*\s*# && r:\t*\s*requestreadtimeout\.+body\p\d\d\d+;' + condition: all + rules: + - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout' + - 'd:$mods-en -> f:reqtimeout.load' + - 'f:$request-confs -> n:\t*\s*requestreadtimeout\.+body\p(\d+) compare <= 20' + #10.1 Set the LimitRequestLine directive to 512 or less - id: 3537 title: "Ensure 
the Maximum Request Line Length Is Set Properly" @@ -744,29 +605,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline - condition: any - rules: - - 'f:$main-conf -> !r:^limitrequestline\s+\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\13;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\14;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\15;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\16;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\17;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\18;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\19;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\2\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\3\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\4\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\5\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\6\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\7\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\8\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+5\9\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+6\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+7\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+8\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+9\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestline\s+\d\d\d\d+;' + condition: all + rules: + - 'f:$main-conf -> n:^limitrequestline\s+(\d+) compare <= 512' + #10.2 Set the LimitRequestFields directive to 100 or less - id: 3538 title: "Ensure the Maximum Request Headers Per Request Is Set Properly" 
@@ -779,36 +621,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields - condition: any - rules: - - 'f:$main-conf -> !r:^limitrequestfields\s\d\d*;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d1;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d2;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d3;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d4;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d5;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d6;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d7;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d8;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+1\d9;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+11\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+12\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+13\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+14\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+15\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+16\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+17\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+18\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+19\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+2\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+3\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+4\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+5\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+6\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+7\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+8\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+9\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfields\s+\d\d\d\d+;' + condition: all + rules: 
+ - 'f:$main-conf -> n:^limitrequestfields\s(\d+) compare <= 100' + #10.3 Set the LimitRequestFieldsize directive to 1024 or less - id: 3539 title: "Ensure the Maximum Request Header Field Size Is Set Properly" 
@@ -821,39 +637,10 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize - condition: any - rules: - - 'f:$main-conf -> !r:^limitrequestfieldsize\s+\d\d*;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d25;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d26;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d27;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d28;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d29;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d3\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d4\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d5\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d6\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d7\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d8\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+1\d9\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+11\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+12\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+13\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+14\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+15\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+16\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+17\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+18\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+19\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+2\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+3\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+4\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+5\d\d\d;' - - 'f:$main-conf -> IN !r:^# 
&& r:limitrequestfieldsize\s+6\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+7\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+8\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+9\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestfieldsize\s+\d\d\d\d\d+;' + condition: all + rules: + - 'f:$main-conf -> n:^limitrequestfieldsize\s+(\d+) compare <= 1024' + #10.4 Set the LimitRequestBody directive to 102400 or less - id: 3540 title: "Ensure the Maximum Request Body Size Is Set Properly" 
@@ -866,55 +653,7 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody - condition: any - rules: - - 'f:$main-conf -> !r:^limitrequestbody\s+\d\d*;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+0\s*$;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d1;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d2;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d3;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d4;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d5;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d6;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d7;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d8;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d24\d9;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d241\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d242\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d243\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d244\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d245\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d246\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d247\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d248\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d249\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d25\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d26\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d27\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d28\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d29\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d3\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d4\d\d\d;' - - 'f:$main-conf -> IN !r:^# && 
r:limitrequestbody\s+1\d5\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d6\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d7\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d8\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+1\d9\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+11\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+12\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+13\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+14\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+15\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+16\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+17\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+18\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+19\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+2\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+3\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+4\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+5\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+6\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+7\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+8\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+9\d\d\d\d\d;' - - 'f:$main-conf -> IN !r:^# && r:limitrequestbody\s+\d\d\d\d\d\d\d+;' + condition: all + rules: + - 'f:$main-conf -> n:^limitrequestbody\s+(\n) compare <= 102400' + From c6f8dee6a0246d8d02e9870cfa9894f89984151e Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 28 May 2019 19:10:00 +0200 Subject: [PATCH 025/247] Fix apache rule --- sca/applications/cis_apache2224_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224_rcl.yml
index 86cbf49d0..41241faf7 100644
--- a/sca/applications/cis_apache2224_rcl.yml
+++ b/sca/applications/cis_apache2224_rcl.yml
@@ -655,5 +655,5 @@ checks:
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
 condition: all
 rules:
- - 'f:$main-conf -> n:^limitrequestbody\s+(\n) compare <= 102400'
+ - 'f:$main-conf -> n:^limitrequestbody\s+(\d+) compare <= 102400'

From b9084b0dd41b755eb077a601da9e1f2642e80bcb Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 29 May 2019 17:12:50 +0200
Subject: [PATCH 026/247] Adapt Darwin 10.11 El Capitan

---
 sca/darwin/15/cis_apple_macOS_10.11.yml | 197 ++++++++++++++----------
 1 file changed, 112 insertions(+), 85 deletions(-)

diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index fda798ca0..e2f613788 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -21,11 +21,11 @@ policy:
 requirements:
 title: "Check MacOS version"
 description: "Requirements for running the SCA scan against MacOS 10.11 (El Capitan)."
- condition: "any required"
+ condition: any
 rules:
- - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p11;'
- - 'c:sw_vers -> r:^ProductVersion:\t*10\p11;'
- - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:.*10\p11;'
+ - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p11'
+ - 'c:sw_vers -> r:^ProductVersion:\t*10\p11'
+ - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:.*10\p11'
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
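Review bot: With `(\d+)` in place, the rule still accepts `LimitRequestBody 0`, which httpd treats as unlimited and which the removed rule set explicitly failed via `r:limitrequestbody\s+0\s*$`, since 0 satisfies `compare <= 102400`. A second rule under the existing `condition: all`, `- 'not f:$main-conf -> r:^limitrequestbody\s+0\s*$'`, restores that case. The `^` anchor already excludes commented lines, so no `!r:^#` guard is needed here.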
@@ -36,9 +36,10 @@ checks: remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" compliance: - cis: "1.1" - condition: any + condition: all rules: - - 'c:softwareupdate -l -> !r:^\s*No new software available;' + - 'c:softwareupdate -l -> r:No new software available' + # 1.2 Enable Auto Update (Scored) - id: 3001 title: "Enable Auto Update (Scored)" @@ -50,9 +51,10 @@ checks: references: - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' + # 1.3 Enable app update installs (Scored) - id: 3002 title: "Enable app update installs (Scored)" @@ -61,9 +63,10 @@ checks: remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." compliance: - cis: "1.3" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1' + # 1.4 Enable system data files and security update installs (Scored) - id: 3003 title: "Enable system data files and security update installs (Scored)" 
@@ -75,10 +78,11 @@ checks: references: - https://www.thesafemac.com/tag/xprotect/ - https://support.apple.com/en-us/HT202491 - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> IN r:^\s*ConfigDataInstall\s*= && !r:\s*1;' - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> IN r:^\s*CriticalUpdateInstall\s*= && !r:\s*1;' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1' + # 1.5 Enable OS X update installs (Scored) - id: 3004 title: "Enable OS X update installs (Scored)" @@ -87,9 +91,10 @@ checks: remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" compliance: - cis: "1.5" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1' + # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored) - id: 3005 title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)" 
@@ -98,9 +103,10 @@ checks: remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open." compliance: - cis: "2.1.2" - condition: any + condition: all rules: - - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> !r:^\s*[Dd]iscoverable:\s*Off;' + - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off' + # 2.2.1 Enable "Set time and date automatically" (Not Scored) - id: 3006 title: "Enable \"Set time and date automatically\" (Not Scored)" @@ -109,9 +115,10 @@ checks: remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" compliance: - cis: "2.2.1" - condition: any + condition: all rules: - - 'c:systemsetup -getusingnetworktime -> !r:^\s*Network Time:\s*On;' + - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' + # 2.2.3 Restrict NTP server to loopback interface (Scored) - id: 3007 title: "Restrict NTP server to loopback interface (Scored)" @@ -120,9 +127,10 @@ checks: remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo" compliance: - cis: "2.2.3" - condition: any + condition: all rules: - - 'f:/etc/ntp-restrict.conf -> !r:restrict lo;' + - 'f:/etc/ntp-restrict.conf -> r:restrict lo' + # 2.4.1 Disable Remote Apple Events (Scored) - id: 3008 title: "Disable Remote Apple Events (Scored)" 
@@ -131,9 +139,10 @@ checks: remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" compliance: - cis: "2.4.1" - condition: any + condition: all rules: - - 'c:systemsetup -getremoteappleevents -> !r:^Remote Apple Events:\s*Off;' + - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' + # 2.4.4 Disable Printer Sharing (Scored) - id: 3009 title: "Disable Printer Sharing (Scored)" @@ -142,9 +151,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" compliance: - cis: "2.4.4" - condition: any + condition: none rules: - - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*Yes;' + - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' + # 2.4.5 Disable Remote Login (Scored) - id: 3010 title: "Disable Remote Login (Scored)" @@ -153,9 +163,10 @@ checks: remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" compliance: - cis: "2.4.5" - condition: any + condition: all rules: - - 'c:systemsetup -getremotelogin -> r:^Remote Login:\s*On;' + - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' + # 2.4.8 Disable File Sharing (Scored) - id: 3011 title: "Disable File Sharing (Scored)" @@ -164,9 +175,10 @@ checks: remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" compliance: - cis: "2.4.8" - condition: any + condition: none rules: - - 'c:launchctl list -> r:AppleFileServer;' + - 'c:launchctl list -> r:AppleFileServer' + # 2.5.1 Disable "Wake for network access" (Scored) - id: 3012 title: "Disable \"Wake for network access\" (Scored)" 
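Review bot: The 2.4.8 rule `c:launchctl list -> r:AppleFileServer` only covers AFP, while the remediation in the same hunk also unloads `com.apple.smbd`, so a host sharing over SMB alone would pass this check. If the smbd job appears in `launchctl list` only when file sharing is enabled (worth confirming on a 10.11 host, since it may also be loaded on demand), a second rule `- 'c:launchctl list -> r:com.apple.smbd'` under the same `condition: none` would close the gap. The 10.12 policy's 2.4.8 (id 13510) later on this page has the same limitation.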
@@ -175,10 +187,11 @@ checks: remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." compliance: - cis: "2.5.1" - condition: any + condition: none rules: - - 'c:pmset -g -> r:^\s*womp\s+1$;' - - 'c:pmset -b -g -> r:^\s*womp\s+1$;' + - 'c:pmset -c -g -> r:womp && !r:0' + - 'c:pmset -b -g -> r:womp && !r:0' + # 2.6.1 Enable FileVault (Scored) - id: 3013 title: "Enable FileVault (Scored)" @@ -187,10 +200,11 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" compliance: - cis: "2.6.1" - condition: any + condition: all rules: - - 'c:diskutil cs list -> r:[Ee]ncryption [Ss]tatus: -> !r:[Uu]nlocked;' - - 'c:diskutil cs list -> !r:[Ee]ncryption [Tt]ype:;' + - 'c:diskutil cs list -> r:Encryption Status && r:Unlocked' + - 'c:diskutil cs list -> r:Encryption Type && r:AES-XTS' + # 2.6.2 Enable Gatekeeper (Scored) - id: 3014 title: "Enable Gatekeeper (Scored)" @@ -199,9 +213,10 @@ checks: remediation: "Run the following command in Terminal: sudo spctl --master-enable" compliance: - cis: "2.6.2" - condition: any + condition: all rules: - - 'c:spctl --status -> !r:^assessments enabled;' + - 'c:spctl --status -> r:assessments enabled' + # 2.6.3 Enable Firewall (Scored) - id: 3015 title: "Enable Firewall (Scored)" @@ -212,10 +227,10 @@ checks: - cis: "2.6.3" references: - https://support.apple.com/en-us/HT201642 - condition: all + condition: any rules: - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*1$;' - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*2$;' + - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' + # 2.6.4 Enable Firewall Stealth Mode (Scored) - id: 3016 title: "Enable Firewall Stealth Mode (Scored)" 
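Review bot: The new 2.5.1 rules call `pmset -c -g` and `pmset -b -g`, and I am not certain pmset accepts `-g` after a power-source flag rather than as its first argument; if the invocation is rejected the command produces no output and the check silently passes under `condition: none`. `pmset -g custom` prints the `womp` value for every power source, so a single rule `- 'c:pmset -g custom -> r:womp && !r:0'` would cover wall and battery power without depending on argument order. Please verify the output of both forms on a 10.11 host before merging.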
@@ -226,9 +241,10 @@ checks: - cis: "2.6.4" references: - https://support.apple.com/en-us/HT201642 - condition: any + condition: all rules: - - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' + - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled' + # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - id: 3017 title: "Enable Secure Keyboard Entry in terminal.app (Scored)" @@ -237,9 +253,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" compliance: - cis: "2.10" - condition: any + condition: all rules: - - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^\s*0$;' + - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$' + # 2.11 Java 6 is not the default Java runtime (Scored) - id: 3018 title: "Java 6 is not the default Java runtime (Scored)" @@ -248,10 +265,10 @@ checks: remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used." compliance: - cis: "2.11" - condition: any + condition: none rules: - - 'c:java -version -> r:version.*1.6.0;' - - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;' + - 'c:java -version -> r:1.6.0' + # 3.2 Enable security auditing (Scored) - id: 3019 title: "Enable security auditing (Scored)" @@ -260,9 +277,10 @@ checks: remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" compliance: - cis: "3.2" - condition: any + condition: all rules: - - 'c:launchctl list -> !r:com.apple.auditd;' + - 'c:launchctl list -> r:com.apple.auditd' + # 3.3 Configure Security Auditing Flags (Scored) - id: 3020 title: "Configure Security Auditing Flags (Scored)" 
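Review bot: The 2.10 rule `c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$` reads a per-user preference domain, and the SCA scan runs in the agent's own context, so it most likely reports the scanning account's setting (presumably root's) rather than the console user's. The same applies to the per-user domains in 5.9 (`com.apple.screensaver`), 6.2 (`NSGlobalDomain`) and 6.3 (`com.apple.Safari`) later in this file and to their 10.12 counterparts. If that is accepted, a comment such as `# Per-user preference: reflects the account the agent runs as, not the logged-in user` above each of those checks would save the next reader the investigation; otherwise the checks need a way to target the console user's preferences.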
@@ -271,13 +289,10 @@ checks: remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." compliance: - cis: "3.3" - condition: any + condition: all rules: - - 'f:/etc/security/audit_control -> NIN r:^flags && r:lo;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:ad;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:fd;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:fm;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:-all;' + - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' + # 4.1 Disable Bonjour advertising service (Scored) - id: 3021 title: "Disable Bonjour advertising service (Scored)" @@ -286,9 +301,10 @@ checks: remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - cis: "4.1" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' + # 4.4 Ensure http server is not running (Scored) - id: 3022 title: "Ensure http server is not running (Scored)" 
@@ -297,11 +313,13 @@ checks: remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true" compliance: - cis: "4.4" - condition: any + condition: none rules: - - 'p:httpd;' - - 'p:/usr/sbin/httpd;' - - 'p:/usr/sbin/httpd -D FOREGROUND;' + - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1' + - 'p:httpd' + - 'p:/usr/sbin/httpd' + - 'p:/usr/sbin/httpd -D FOREGROUND' + # 4.5 Ensure ftp server is not running (Scored) - id: 3023 title: "Ensure ftp server is not running (Scored)" @@ -310,9 +328,10 @@ checks: remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist" compliance: - cis: "4.5" - condition: any + condition: none rules: - - 'c:launchctl list -> r:ftp;' + - 'c:launchctl list -> r:ftp' + # 4.6 Ensure nfs server is not running (Scored) - id: 3024 title: "Ensure nfs server is not running (Scored)" @@ -321,10 +340,11 @@ checks: remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export" compliance: - cis: "4.6" - condition: any + condition: none rules: - - 'p:nfsd;' - - 'f:/etc/exports;' + - 'p:nfsd' + - 'f:/etc/exports' + # 5.7 Do not enable the "root" account (Scored) - id: 3025 title: "Do not enable the \"root\" account (Scored)" 
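Review bot: The 4.5 rule `c:launchctl list -> r:ftp` matches any loaded job whose label contains the substring `ftp`, so an unrelated helper or proxy job with `ftp` in its name would make this `condition: none` check fail for the wrong reason. The plist named in the remediation, `ftp.plist`, carries the `com.apple.ftpd` label, so `- 'c:launchctl list -> r:com.apple.ftpd'` would tie the check to the daemon it is actually about; worth confirming the label on a 10.11 host. The same rule appears in the 10.12 policy (4.5, id 13522) later on this page.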
@@ -333,9 +353,10 @@ checks: remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - cis: "5.7" - condition: any + condition: all rules: - - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;' + - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority' + # 5.8 Disable automatic login (Scored) - id: 3026 title: "Disable automatic login (Scored)" @@ -344,9 +365,10 @@ checks: remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - cis: "5.8" - condition: any + condition: none rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' + # 5.9 Require a password to wake the computer from sleep or screen saver (Scored) - id: 3027 title: "Require a password to wake the computer from sleep or screen saver (Scored)" @@ -355,9 +377,10 @@ checks: remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect." compliance: - cis: "5.9" - condition: any + condition: rules: - - 'c:defaults read com.apple.screensaver askForPassword -> r:^\s*0$;' + - 'c:defaults read com.apple.screensaver askForPassword -> r:^1$' + # 5.11 Disable ability to login to another user's active and locked session (Scored) - id: 3028 title: "Disable ability to login to another user's active and locked session (Scored)" 
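Review bot: Check 5.9 (id 3027) now has `condition:` with no value, which a YAML parser reads as null, so the SCA engine will either reject the policy or evaluate the check with an undefined condition. Every other check this commit converts to a positive match uses `condition: all`, and this rule (`r:^1$`) is a positive match too, so the line should read `condition: all`. The follow-up commit on this page only corrects 2.6.3, so 5.9 is still broken after it.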
@@ -366,9 +389,10 @@ checks: remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save" compliance: - cis: "5.11" - condition: any + condition: none rules: - - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel fail_safe;' + - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel fail_safe' + # 5.18 System Integrity Protection status (Scored) - id: 3029 title: "System Integrity Protection status (Scored)" @@ -377,9 +401,10 @@ checks: remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - cis: "5.18" - condition: any + condition: all rules: - - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;' + - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled' + # 6.1.3 Disable guest account login (Scored) - id: 3030 title: "Disable guest account login (Scored)" @@ -388,9 +413,10 @@ checks: remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - cis: "6.1.3" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$' + # 6.1.5 Remove Guest home folder (Scored) - id: 3031 title: "Remove Guest home folder (Scored)" 
@@ -399,9 +425,10 @@ checks: remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - cis: "6.1.5" - condition: any + condition: none rules: - - 'd:/Users/Guest;' + - 'd:/Users/Guest' + # 6.2 Turn on filename extensions (Scored) - id: 3032 title: "Turn on filename extensions (Scored)" @@ -410,9 +437,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - cis: "6.2" - condition: any + condition: all rules: - - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^\s*0$;' + - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$' + # 6.3 Disable the automatic run of safe files in Safari (Scored) - id: 3033 title: "Disable the automatic run of safe files in Safari (Scored)" @@ -421,7 +449,6 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - cis: "6.3" - condition: any + condition: all rules: - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^1$;' - + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;' From 4e7099b045ab75130fc87bce13fdc79dcbf65eb6 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 29 May 2019 17:43:42 +0200 Subject: [PATCH 027/247] Change one any to an all --- sca/darwin/15/cis_apple_macOS_10.11.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index e2f613788..3b2382c73 100644 
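Review bot: The replacement 6.3 rule `'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;'` keeps the trailing `;` that this commit strips from every other rule; under the new rule syntax the `;` appears to become part of the regex, and following `$` it cannot match anything, so this `condition: all` check would always fail. It should be `- 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'`.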
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml @@ -222,12 +222,12 @@ checks: title: "Enable Firewall (Scored)" description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall." rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." - remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: 1 = on for specific services 2 = on for essential services" + remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services" compliance: - cis: "2.6.3" references: - https://support.apple.com/en-us/HT201642 - condition: any + condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' From e6facc33c459c93db9c0c1b258f86139f3db6ad6 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 29 May 2019 17:44:03 +0200 Subject: [PATCH 028/247] Adapt Darwin 10.12 Sierra --- sca/darwin/16/cis_apple_macOS_10.12.yml | 189 ++++++++++++++---------- 1 file changed, 107 insertions(+), 82 deletions(-) diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index af0f1b3e1..0856029f5 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml 
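Review bot: The reworded 2.6.3 remediation, `defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = ...`, is missing the value placeholder after "Where" (a `<value>` token was presumably lost as markup) and splits the `-int` type flag into `- int`, so the command cannot be run as written. The same `- bool` spacing appears in this file's 6.1.3 remediation (`GuestEnabled - bool NO`) and in the 10.12 file's 4.4 remediation. Suggested wording: `sudo defaults write /Library/Preferences/com.apple.alf globalstate -int <value>, where <value> is 1 (on for specific services) or 2 (on for essential services)`.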
@@ -21,11 +21,11 @@ policy: requirements: title: "Check MacOS version" description: "Requirements for running the SCA scan against MacOS 10.12 (Sierra)." - condition: "any required" + condition: any rules: - - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p12;' - - 'c:sw_vers -> r:^ProductVersion:\t*10\p12;' - - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p12;' + - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p12' + - 'c:sw_vers -> r:^ProductVersion:\t*10\p12' + - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p12' checks: # 1.1 Verify all Apple provided software is current (Scored) @@ -33,12 +33,13 @@ checks: title: "Verify all Apple provided software is current (Scored)" description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update." rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." - remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i " + remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" compliance: - cis: "1.1" - condition: any + condition: all rules: - - 'c:softwareupdate -l -> !r:^\s*No new software available;' + - 'c:softwareupdate -l -> r:No new software available' + # 1.2 Enable Auto Update (Scored) - id: 13501 title: "Enable Auto Update (Scored)" 
@@ -50,9 +51,10 @@ checks: references: - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> !r:^\s*1;' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' + # 1.3 Enable app update installs (Scored) - id: 13502 title: "Enable app update installs (Scored)" @@ -61,9 +63,10 @@ checks: remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." compliance: - cis: "1.3" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1' + # 1.4 Enable system data files and security update installs (Scored) - id: 13503 title: "Enable system data files and security update installs (Scored)" 
@@ -75,10 +78,11 @@ checks: references: - https://www.thesafemac.com/tag/xprotect/ - https://support.apple.com/en-us/HT202491 - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> NIN r:^\s*ConfigDataInstall\s*= && r:\s*1;' - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> NIN r:^\s*CriticalUpdateInstall\s*= && r:\s*1;' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1' + # 1.5 Enable macOS update installs (Scored) - id: 13504 title: "Enable macOS update installs (Scored)" 
@@ -87,20 +91,22 @@ checks: remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" compliance: - cis: "1.5" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1' + # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored) - id: 13505 title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)" - description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable" + description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable." rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device." remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. 
To ensure that the computer is not Discoverable do not leave that preference open." compliance: - cis: "2.1.2" - condition: any + condition: all rules: - - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> !r:^\s*[Dd]iscoverable:\s*Off;' + - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off' + # 2.2.1 Enable "Set time and date automatically" (Scored) - id: 13506 title: "Enable \"Set time and date automatically\" (Scored)" @@ -109,9 +115,10 @@ checks: remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" compliance: - cis: "2.2.1" - condition: any + condition: all rules: - - 'c:systemsetup -getusingnetworktime -> !r:^\s*Network Time:\s*On;' + - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' + # 2.4.1 Disable Remote Apple Events (Scored) - id: 13507 title: "Disable Remote Apple Events (Scored)" @@ -120,9 +127,10 @@ checks: remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" compliance: - cis: "2.4.1" - condition: any + condition: all rules: - - 'c:systemsetup -getremoteappleevents -> !r:^Remote Apple Events:\s*Off;' + - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' + # 2.4.4 Disable Printer Sharing (Scored) - id: 13508 title: "Disable Printer Sharing (Scored)" @@ -131,9 +139,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" compliance: - cis: "2.4.4" - condition: any + condition: none rules: - - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*Yes;' + - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' + # 2.4.5 Disable Remote Login (Scored) - id: 13509 title: "Disable Remote Login (Scored)" 
@@ -142,31 +151,34 @@ checks: remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" compliance: - cis: "2.4.5" - condition: any + condition: all rules: - - 'c:systemsetup -getremotelogin -> r:^Remote Login:\s*On;' + - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' + # 2.4.8 Disable File Sharing (Scored) - id: 13510 title: "Disable File Sharing (Scored)" description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." - remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" + remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" compliance: - cis: "2.4.8" - condition: any + condition: none rules: - - 'c:launchctl list -> r:AppleFileServer;' + - 'c:launchctl list -> r:AppleFileServer' + # 2.5.1 Disable "Wake for network access" (Scored) - id: 13511 title: "Disable \"Wake for network access\" (Scored)" description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. 
Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals." rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." - remediation: "Run the following command in Terminal: sudo pmset -a womp 0" + remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." compliance: - cis: "2.5.1" - condition: any + condition: none rules: - - 'c:pmset -g -> r:^\s*womp\s+1$;' + - 'c:pmset -g -> :womp && !r:0' + # 2.6.1.1 Enable FileVault (Scored) - id: 13512 title: "Enable FileVault (Scored)" @@ -175,9 +187,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" compliance: - cis: "2.6.1.1" - condition: any + condition: all rules: - - 'c:fdesetup status -> r:^FileVault is\s*Off\p;' + - 'c:fdesetup status -> r:FileVault is\s*\t*On' + # 2.6.2 Enable Gatekeeper (Scored) - id: 13513 title: "Enable Gatekeeper (Scored)" @@ -186,9 +199,10 @@ checks: remediation: "Run the following command in Terminal: sudo spctl --master-enable" compliance: - cis: "2.6.2" - condition: any + condition: all rules: - - 'c:spctl --status -> !r:^assessments enabled;' + - 'c:spctl --status -> r:assessments enabled' + # 2.6.3 Enable Firewall (Scored) - id: 13514 title: "Enable Firewall (Scored)" 
@@ -201,8 +215,8 @@ checks: - https://support.apple.com/en-us/HT201642 condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*1$;' - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*2$;' + - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' + # 2.6.4 Enable Firewall Stealth Mode (Scored) - id: 13515 title: "Enable Firewall Stealth Mode (Scored)" @@ -213,9 +227,10 @@ checks: - cis: "2.6.4" references: - https://support.apple.com/en-us/HT201642 - condition: any + condition: all rules: - - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' + - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled' + # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - id: 13516 title: "Enable Secure Keyboard Entry in terminal.app (Scored)" @@ -224,9 +239,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" compliance: - cis: "2.10" - condition: any + condition: all rules: - - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^\s*0$;' + - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$' + # 2.11 Java 6 is not the default Java runtime (Scored) - id: 13517 title: "Java 6 is not the default Java runtime (Scored)" 
@@ -235,10 +251,10 @@ checks: remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable." compliance: - cis: "2.11" - condition: any + condition: none rules: - - 'c:java -version -> r:version.*1.6.0;' - - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;' + - 'c:java -version -> r:1.6.0' + # 3.1 Enable security auditing (Scored) - id: 13518 title: "Enable security auditing (Scored)" @@ -247,9 +263,10 @@ checks: remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" compliance: - cis: "3.1" - condition: any + condition: all rules: - - 'c:launchctl list -> !r:com.apple.auditd;' + - 'c:launchctl list -> r:com.apple.auditd' + # 3.2 Configure Security Auditing Flags (Scored) - id: 13519 title: "Configure Security Auditing Flags (Scored)" @@ -258,13 +275,10 @@ checks: remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." compliance: - cis: "3.2" - condition: any + condition: all rules: - - 'f:/etc/security/audit_control -> NIN r:^flags && r:lo;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:ad;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:fd;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:fm;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:-all;' + - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' + # 4.1 Disable Bonjour advertising service (Scored) - id: 13520 title: "Disable Bonjour advertising service (Scored)" 
@@ -273,9 +287,10 @@ checks: remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - cis: "4.1" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' + # 4.4 Ensure http server is not running (Scored) - id: 13521 title: "Ensure http server is not running (Scored)" @@ -284,11 +299,13 @@ checks: remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true" compliance: - cis: "4.4" - condition: any + condition: none rules: - - 'p:httpd;' - - 'p:/usr/sbin/httpd;' - - 'p:/usr/sbin/httpd -D FOREGROUND;' + - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1' + - 'p:httpd' + - 'p:/usr/sbin/httpd' + - 'p:/usr/sbin/httpd -D FOREGROUND' + # 4.5 Ensure FTP server is not running (Scored) - id: 13522 title: "Ensure FTP server is not running (Scored)" @@ -297,9 +314,10 @@ checks: remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist" compliance: - cis: "4.5" - condition: any + condition: none rules: - - 'c:launchctl list -> r:ftp;' + - 'c:launchctl list -> r:ftp' + # 4.6 Ensure nfs server is not running (Scored) - id: 13523 title: "Ensure nfs server is not running (Scored)" @@ -308,10 +326,11 @@ checks: remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export" compliance: - cis: "4.6" - condition: any + condition: none rules: - - 'p:nfsd;' - - 'f:/etc/exports;' + - 'p:nfsd' + - 'f:/etc/exports' + # 5.8 Do not enable the "root" account (Scored) - id: 13524 title: "Do not enable the \"root\" account (Scored)" 
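Review bot: Under `condition: none`, the new rule `'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'` can only fail check 13521 when a `Disabled` line exists and does not contain a 1; if the plist has no `Disabled` key at all, which is the state the remediation creates it to fix, nothing matches and the check passes on a host whose web server still auto-starts. A positive test such as `r:Disabled\s*=\s*1` under `condition: all` would be unambiguous, but it cannot share a block with the three `p:` rules that need `none`; either split the plist test into its own check, or use the `not` rule prefix the Debian policy in this series uses, if the new engine still honours it. The same rule is added for check 14021 in the 10.13 policy.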
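Review bot: `'c:launchctl list -> r:ftp'` under `condition: none` treats `ftp` as a substring over every loaded launchd label, so any other loaded job whose label contains those letters fails check 13522 although the FTP server is not running. Matching the full label declared in `/System/Library/LaunchDaemons/ftp.plist`, which the remediation already names, would make the rule specific to the service the check is about.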
@@ -320,9 +339,10 @@ checks: remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - cis: "5.8" - condition: any + condition: all rules: - - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;' + - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority' + # 5.9 Disable automatic login (Scored) - id: 13525 title: "Disable automatic login (Scored)" @@ -331,9 +351,11 @@ checks: remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - cis: "5.9" - condition: any + condition: none rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' + + # 5.20 System Integrity Protection status (Scored) - id: 13526 title: "System Integrity Protection status (Scored)" @@ -342,9 +364,10 @@ checks: remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - cis: "5.20" - condition: any + condition: all rules: - - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;' + - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled' + # 6.1.3 Disable guest account login (Scored) - id: 13527 title: "Disable guest account login (Scored)" 
@@ -353,9 +376,10 @@ checks: remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - cis: "6.1.3" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$' + # 6.1.5 Remove Guest home folder (Scored) - id: 13528 title: "Remove Guest home folder (Scored)" 
@@ -364,29 +388,30 @@ checks: remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - cis: "6.1.5" - condition: any + condition: none rules: - - 'd:/Users/Guest;' + - 'd:/Users/Guest' + # 6.2 Turn on filename extensions (Scored) - id: 13529 title: "Turn on filename extensions (Scored)" description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." - remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" + remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - cis: "6.2" - condition: any + condition: all rules: - - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^\s*0$;' + - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$' + # 6.3 Disable the automatic run of safe files in Safari (Scored) - id: 13530 title: "Disable the automatic run of safe files in Safari (Scored)" description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser." rationale: "Hackers have taken advantage of this setting via drive-by attacks. 
These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." - remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" + remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - cis: "6.3" - condition: any + condition: all rules: - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^1$;' - + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;' From 6ddde54bb8fbaddb00c9b670dfb99774d40c17e7 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 29 May 2019 18:05:06 +0200 Subject: [PATCH 029/247] Adapt Darwin 10.13 High Sierra --- sca/darwin/17/cis_apple_macOS_10.13.yml | 177 ++++++++++++++---------- 1 file changed, 101 insertions(+), 76 deletions(-) diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index 6fb13cd9d..67f1a425c 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml 
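Review bot: The rewritten rule for check 13530, `'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;'`, keeps the old-syntax terminating `;` that every other rule in this commit drops; it now sits inside the quoted pattern after the `$` anchor, so it is part of the regex rather than a terminator and the bare `0` that `defaults read` prints is unlikely to match, failing the check on a correctly configured host. It should read `- 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'`. The identical rule with the stray `;` is added for check 14029 at the end of the 10.13 patch.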
@@ -21,11 +21,11 @@ policy: requirements: title: "Check MacOS version" description: "Requirements for running the SCA scan against MacOS 10.13 (High Sierra)." - condition: "any required" + condition: any rules: - - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p13;' - - 'c:sw_vers -> r:^ProductVersion:\t*10\p13;' - - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p13;' + - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p13' + - 'c:sw_vers -> r:^ProductVersion:\t*10\p13' + - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p13' checks: # 1.1 Verify all Apple provided software is current (Scored) @@ -36,9 +36,10 @@ checks: remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" compliance: - cis: "1.1" - condition: any + condition: all rules: - - 'c:softwareupdate -l -> !r:^\s*No new software available;' + - 'c:softwareupdate -l -> r:No new software available' + # 1.2 Enable Auto Update (Scored) - id: 14001 title: "Enable Auto Update (Scored)" @@ -50,9 +51,10 @@ checks: references: - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' + # 1.3 Enable app update installs (Scored) - id: 14002 title: "Enable app update installs (Scored)" 
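Review bot: `'c:softwareupdate -l -> r:No new software available'` with `condition: all` makes check 14000 depend on a command that contacts Apple's update servers, so an offline host or a command timeout yields no output and the check fails even when nothing is missing. On recent macOS that message is also written to stderr rather than stdout (worth confirming on 10.13), in which case the rule cannot match at all if the runner captures stdout only. A comment on the rule recording the network dependency and the stream the text arrives on would make the result interpretable when it fails.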
@@ -61,9 +63,10 @@ checks: remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." compliance: - cis: "1.3" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1' + # 1.4 Enable system data files and security update installs (Scored) - id: 14003 title: "Enable system data files and security update installs (Scored)" @@ -75,10 +78,11 @@ checks: references: - https://www.thesafemac.com/tag/xprotect/ - https://support.apple.com/en-us/HT202491 - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> NIN r:^\s*ConfigDataInstall\s*= && r:\s*1;' - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> NIN r:^\s*CriticalUpdateInstall\s*= && r:\s*1;' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1' + # 1.5 Enable macOS update installs (Scored) - id: 14004 title: "Enable macOS update installs (Scored)" 
@@ -87,9 +91,11 @@ checks: remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" compliance: - cis: "1.5" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1' + + # 2.2.1 Enable "Set time and date automatically" (Scored) - id: 14005 title: "Enable \"Set time and date automatically\" (Scored)" @@ -98,9 +104,10 @@ checks: remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" compliance: - cis: "2.2.1" - condition: any + condition: all rules: - - 'c:systemsetup -getusingnetworktime -> !r:^\s*Network Time:\s*On;' + - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' + # 2.4.1 Disable Remote Apple Events (Scored) - id: 14006 title: "Disable Remote Apple Events (Scored)" 
@@ -109,20 +116,22 @@ checks: remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" compliance: - cis: "2.4.1" - condition: any + condition: all rules: - - 'c:systemsetup -getremoteappleevents -> !r:^Remote Apple Events:\s*Off;' + - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' + # 2.4.4 Disable Printer Sharing (Scored) - id: 14007 title: "Disable Printer Sharing (Scored)" - description: "y enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." + description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" compliance: - cis: "2.4.4" - condition: any + condition: none rules: - - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*Yes;' + - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' + # 2.4.5 Disable Remote Login (Scored) - id: 14008 title: "Disable Remote Login (Scored)" 
@@ -131,20 +140,22 @@ checks: remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" compliance: - cis: "2.4.5" - condition: any + condition: all rules: - - 'c:systemsetup -getremotelogin -> r:^Remote Login:\s*On;' + - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' + # 2.4.8 Disable File Sharing (Scored) - id: 14009 title: "Disable File Sharing (Scored)" description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." - remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" + remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" compliance: - cis: "2.4.8" - condition: any + condition: none rules: - - 'c:launchctl list -> r:AppleFileServer;' + - 'c:launchctl list -> r:AppleFileServer' + # 2.5.1 Disable "Wake for network access" (Scored) - id: 14010 title: "Disable \"Wake for network access\" (Scored)" @@ -153,9 +164,10 @@ checks: remediation: "Run the following command in Terminal: sudo pmset -a womp 0" compliance: - cis: "2.5.1" - condition: any + condition: none rules: - - 'c:pmset -g -> r:^\s*womp\s+1$;' + - 'c:pmset -g -> r:womp && !r:0' + # 2.6.1.1 Enable FileVault (Scored) - id: 14011 title: "Enable FileVault (Scored)" 
@@ -164,9 +176,10 @@ checks: remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" compliance: - cis: "2.6.1.1" - condition: any + condition: all rules: - - 'c:fdesetup status -> r:^FileVault is\s*Off\p;' + - 'c:fdesetup status -> r:FileVault is\s*\t*On' + # 2.6.2 Enable Gatekeeper (Scored) - id: 14012 title: "Enable Gatekeeper (Scored)" @@ -175,9 +188,10 @@ checks: remediation: "Run the following command in Terminal: sudo spctl --master-enable" compliance: - cis: "2.6.2" - condition: any + condition: all rules: - - 'c:spctl --status -> !r:^assessments enabled;' + - 'c:spctl --status -> r:assessments enabled' + # 2.6.3 Enable Firewall (Scored) - id: 14013 title: "Enable Firewall (Scored)" @@ -190,8 +204,8 @@ checks: - https://support.apple.com/en-us/HT201642 condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*1$;' - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> !r:^\s*2$;' + - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' + # 2.6.4 Enable Firewall Stealth Mode (Scored) - id: 14014 title: "Enable Firewall Stealth Mode (Scored)" @@ -202,9 +216,10 @@ checks: - cis: "2.6.4" references: - https://support.apple.com/en-us/HT201642 - condition: any + condition: all rules: - - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> !r:^\s*Stealth mode enabled;' + - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled' + # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - id: 14015 title: "Enable Secure Keyboard Entry in terminal.app (Scored)" 
@@ -213,9 +228,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" compliance: - cis: "2.10" - condition: any + condition: all rules: - - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^\s*0$;' + - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$' + # 2.11 Java 6 is not the default Java runtime (Scored) - id: 14016 title: "Java 6 is not the default Java runtime (Scored)" @@ -224,10 +240,10 @@ checks: remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable." compliance: - cis: "2.11" - condition: any + condition: none rules: - - 'c:java -version -> r:version.*1.6.0;' - - 'c:java -version -> r:Runtime Environment.*build.*1.6.0;' + - 'c:java -version -> r:1.6.0' + # 2.13 Ensure EFI version is valid and being regularly checked (Scored) - id: 14017 title: "Ensure EFI version is valid and being regularly checked (Scored)" 
@@ -236,10 +252,11 @@ checks: remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended." compliance: - cis: "2.13" - condition: any + condition: all rules: - - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> !r:Primary allowlist version match found\. No changes detected in primary hashes\.;' - - 'c:launchctl list -> !r:-\t*0\t*com.apple.driver.eficheck;' + - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> Primary allowlist version match found. No changes detected in primary hashes' + - 'c:launchctl list -> r:-\s*\t*0\s*\t*com.apple.driver.eficheck' + # 3.1 Enable security auditing (Scored) - id: 14018 title: "Enable security auditing (Scored)" @@ -248,9 +265,10 @@ checks: remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" compliance: - cis: "3.1" - condition: any + condition: all rules: - - 'c:launchctl list -> !r:com.apple.auditd;' + - 'c:launchctl list -> r:com.apple.auditd' + # 3.2 Configure Security Auditing Flags (Scored) - id: 14019 title: "Configure Security Auditing Flags (Scored)" 
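Review bot: The first new rule for check 14017 has no `r:` operator: `'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> Primary allowlist version match found. No changes detected in primary hashes'` leaves bare text after `->`, unlike every other rule in this commit, so the engine will either reject the rule or treat it as an unrecognised expression, and with `condition: all` the whole check then fails on healthy hosts. It should read `- 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes'`, keeping the `\.` escapes of the removed line if that is the file's convention for literal dots.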
@@ -259,13 +277,10 @@ checks: remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." compliance: - cis: "3.2" - condition: any + condition: all rules: - - 'f:/etc/security/audit_control -> NIN r:^flags && r:lo;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:ad;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:fd;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:fm;' - - 'f:/etc/security/audit_control -> NIN r:^flags && r:-all;' + - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' + # 4.1 Disable Bonjour advertising service (Scored) - id: 14020 title: "Disable Bonjour advertising service (Scored)" @@ -274,9 +289,10 @@ checks: remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - cis: "4.1" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' + # 4.4 Ensure http server is not running (Scored) - id: 14021 title: "Ensure http server is not running (Scored)" 
@@ -285,11 +301,13 @@ checks: remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true" compliance: - cis: "4.4" - condition: any + condition: none rules: - - 'p:httpd;' - - 'p:/usr/sbin/httpd;' - - 'p:/usr/sbin/httpd -D FOREGROUND;' + - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1' + - 'p:httpd' + - 'p:/usr/sbin/httpd' + - 'p:/usr/sbin/httpd -D FOREGROUND' + # 4.5 Ensure nfs server is not running (Scored) - id: 14022 title: "Ensure nfs server is not running (Scored)" @@ -298,10 +316,11 @@ checks: remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export" compliance: - cis: "4.5" - condition: any + condition: none rules: - - 'p:nfsd;' - - 'f:/etc/exports;' + - 'p:nfsd' + - 'f:/etc/exports' + # 5.11 Do not enable the "root" account (Scored) - id: 14023 title: "Do not enable the \"root\" account (Scored)" @@ -310,9 +329,10 @@ checks: remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - cis: "5.11" - condition: any + condition: all rules: - - 'c:dscl . -read /Users/root AuthenticationAuthority -> !r:^No such key: AuthenticationAuthority;' + - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority' + # 5.12 Disable automatic login (Scored) - id: 14024 title: "Disable automatic login (Scored)" 
@@ -321,9 +341,10 @@ checks: remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - cis: "5.12" - condition: any + condition: none rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser;' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' + # 5.23 System Integrity Protection status (Scored) - id: 14025 title: "System Integrity Protection status (Scored)" @@ -332,9 +353,10 @@ checks: remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - cis: "5.23" - condition: any + condition: all rules: - - 'c:/usr/bin/csrutil status -> !r:^\s*System Integrity Protection status: enabled;' + - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled' + # 6.1.3 Disable guest account login (Scored) - id: 14026 title: "Disable guest account login (Scored)" @@ -343,9 +365,10 @@ checks: remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - cis: "6.1.3" - condition: any + condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> !r:^\s*0$;' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$' + # 6.1.5 Remove Guest home folder (Scored) - id: 14027 title: "Remove Guest home folder (Scored)" 
@@ -354,9 +377,10 @@ checks: remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - cis: "6.1.5" - condition: any + condition: none rules: - - 'd:/Users/Guest;' + - 'd:/Users/Guest' + # 6.2 Turn on filename extensions (Scored) - id: 14028 title: "Turn on filename extensions (Scored)" @@ -365,9 +389,10 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - cis: "6.2" - condition: any + condition: all rules: - - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> !r:^\s*1$;' + - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$' + # 6.3 Disable the automatic run of safe files in Safari (Scored) - id: 14029 title: "Disable the automatic run of safe files in Safari (Scored)" @@ -376,6 +401,6 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - cis: "6.3" - condition: any + condition: all rules: - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^1$;' + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;' From b35bc7e231d2898c9e06d3ad92519fc190770c23 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Thu, 30 May 2019 10:57:50 +0200 Subject: [PATCH 030/247] Rewrite check --- sca/applications/cis_mysql5-6_community_rcl.yml | 4 +--- sca/applications/cis_mysql5-6_enterprise_rcl.yml | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) 
diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml index e4c6aaca9..adc2accf8 100644 --- a/sca/applications/cis_mysql5-6_community_rcl.yml +++ b/sca/applications/cis_mysql5-6_community_rcl.yml @@ -176,9 +176,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html condition: all rules: - - 'f:$mysql-cnfs -> r:log_bin\s*$' - - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/var/\S*\s*' - - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/usr/\S*\s*' + - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' - id: 4511 title: "Ensure 'log_warning' is set to 2" diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index 1f31131ac..9648d028d 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -176,9 +176,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html condition: all rules: - - 'f:$mysql-cnfs -> r:log_bin\s*$' - - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/var/\S*\s*' - - 'not f:$mysql-cnfs -> !r:^# && r:log_bin= && r:\s*/usr/\S*\s*' + - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' - id: 4511 title: "Ensure 'log_warning' is set to 2" From 72ee58e70c100e1bee3aa9c37ad392b42e18634e Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Thu, 30 May 2019 11:02:12 +0200 Subject: [PATCH 031/247] Simplify some checks --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 16 +++++----------- sca/generic/system_audit_pw.yml | 8 ++++---- sca/generic/system_audit_ssh.yml | 4 ++-- sca/rhel/7/cis_rhel7_linux_rcl.yml | 14 +++++++------- sca/sles/12/cis_sles12_linux_rcl.yml | 2 +- sca/sunos/cis_solaris11_rcl.yml | 4 ++-- 6 files changed, 21 insertions(+), 27 deletions(-) 
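Review bot: The single replacement rule `r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$` no longer rejects what the three removed rules did: `/+var/*\s*\t*$` only matches a value that is exactly `/var` or `/var/`, so `log_bin = /var/lib/mysql/mysql-bin` is now accepted, whereas the removed `r:\s*/var/\S*\s*` refused any path under /var. In addition, if this dialect is the OSSEC one (the `\.+` and `\p` idioms elsewhere in this series suggest it), an unescaped `.` is a literal dot and `.+` should be `\.+`, otherwise a value without a dot never satisfies the positive half. A rule along the lines of `r:log_bin\s*\t*=*\s*\t*\.+ && !r:log_bin\s*\t*=*\s*\t*/+var/|log_bin\s*\t*=*\s*\t*/+usr/` preserves the original intent; the enterprise policy in the next hunk carries the identical rule and needs the same fix.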
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index d4ef2d7a8..ca709d198 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml @@ -996,7 +996,7 @@ checks: - cis: "9.3.1" condition: all rules: - - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*Protocol\s*\t*2' - id: 10578 title: "Set LogLevel to INFO" @@ -1030,7 +1030,6 @@ checks: condition: all rules: - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' - - 'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && n:^MaxAuthTries\s+(\d+) compare > 4' - id: 10581 title: "Set SSH IgnoreRhosts to Yes" @@ -1042,7 +1041,6 @@ checks: condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^IgnoreRhosts\s+yes' - - 'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:IgnoreRhosts\s+yes' - id: 10582 title: "Set SSH HostbasedAuthentication to No" @@ -1054,7 +1052,6 @@ checks: condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^HostbasedAuthentication\s+no' - - 'not f:/etc/ssh/sshd_config -> !r:^\s*\t*# && r:HostbasedAuthentication\s+yes' - id: 10583 title: "Disable SSH Root Login" @@ -1066,7 +1063,6 @@ checks: condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s+no' - - 'not f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+yes' - id: 10584 title: "Set SSH PermitEmptyPasswords to No" @@ -1078,7 +1074,6 @@ checks: condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^PermitEmptyPasswords\s+no' - - 'not f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+yes' - id: 10585 title: "Do Not Allow Users to Set Environment Options" @@ -1090,7 +1085,6 @@ checks: condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^PermitUserEnvironment\s+no' - - 'not f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+yes' - id: 10586 title: "Set Idle Timeout Interval for User Login" 
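Review bot: The simplified rule `'f:/etc/ssh/sshd_config -> r:^\s*\t*Protocol\s*\t*2'` for CIS 9.3.1 accepts `Protocol 2,1`, which still enables protocol 1 and is precisely the configuration this check exists to catch (the numeric form it replaces did not reject it either, so the gap is not new, but the commit is the moment to close it). Anchoring the end of the value, `r:^\s*\t*Protocol\s*\t*2\s*$`, keeps the simplification while refusing the list form. The RHEL 7 policy hunk at `cis_rhel7_linux_rcl.yml` line 919 later in this patch gets the same loose pattern, while the generic SSH and SLES 12 policies in the same commit use `\D2\D*$`; the four should agree on one form.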
@@ -1147,7 +1141,7 @@ checks: - cis: "10.1.1" condition: all rules: - - 'f:/etc/login.defs -> !n:^PASS_MAX_DAYS\s+(\d+) compare <= 90' + - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s+(\d+) compare <= 90' - id: 10591 title: "Set Password Change Minimum Number of Days" @@ -1158,7 +1152,7 @@ checks: - cis: "10.1.2" condition: all rules: - - 'f:/etc/login.defs -> r:^PASS_MIN_DAYS\s+(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s+(\d+) compare <= 7' - id: 10592 title: "Set Password Expiring Warning Days" @@ -1169,7 +1163,7 @@ checks: - cis: "10.1.3" condition: all rules: - - 'f:/etc/login.defs -> r:^PASS_WARN_DAYS\s+(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^PASS_WARN_DAYS\s+(\d+) compare <= 7' - id: 10593 title: "Set Default Group for root Account" @@ -1203,7 +1197,7 @@ checks: - cis: "10.5" condition: all rules: - - 'f:/etc/default/useradd -> r:^INACTIVE=(\d+) compare <= 35' + - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' # 11 Warning Banners - id: 10596 diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml index 3a1d6b7fd..c8ed6f4bc 100644 --- a/sca/generic/system_audit_pw.yml +++ b/sca/generic/system_audit_pw.yml @@ -61,8 +61,8 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: any rules: - - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) >= 14' - - 'f:/etc/security/pwquality.conf -> n:minlen=(\d+) >= 14' + - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14' + - 'f:/etc/security/pwquality.conf -> n:minlen=(\d+) compare >= 14' - id: 13002 title: "Ensure passwords contain at least one digit" 
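Review bot: Switching `r:` to `n:` makes the comparison operators live, and two of them point the wrong way: CIS 10.1.2 and 10.1.3 ask for PASS_MIN_DAYS and PASS_WARN_DAYS of 7 or more, so `n:^PASS_MIN_DAYS\s+(\d+) compare <= 7` and `n:^PASS_WARN_DAYS\s+(\d+) compare <= 7` pass a host configured with `PASS_MIN_DAYS 0`. Both should read `compare >= 7`; the PASS_MAX_DAYS `<= 90` and INACTIVE `<= 35` comparisons in the neighbouring hunks are in the right direction. The operators predate this commit, but as far as these hunks show the old `r:` form never evaluated them, so the inversion only becomes visible now.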
@@ -153,8 +153,8 @@ checks:
     condition: any
     rules:
       - 'f:/etc/security/policy.conf -> r:^CRYPT_DEFAULT=\d && !r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__'
-      - 'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) >= 256'
-      - 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) >= 256'
+      - 'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) compare >= 256'
+      - 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) compare >= 256'
 
   - id: 13008
     title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256"
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
index e78a7889a..167a3da6d 100644
--- a/sca/generic/system_audit_ssh.yml
+++ b/sca/generic/system_audit_ssh.yml
@@ -35,7 +35,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:$sshd_file -> !r:^# && n:Port\s*\t*(\d+) compare != 22'
+      - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'
 
   - id: 1501
     title: "SSH Hardening - 2: Protocol should not be 1"
@@ -46,7 +46,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+      - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$'
 
   - id: 1502
     title: "SSH Hardening - 3: Root account should not be able to log in"
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index 2c3852d5d..7c59e021e 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -919,7 +919,7 @@ checks:
       - pci_dss: "4.1"
     condition: all
     rules:
-      - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+      - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
 
   # 5.2.3 Set LogLevel to INFO (Scored)
   - id: 6561
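Review bot: `r:Port` on the new Port rule is unanchored, so any non-comment line containing that substring — `GatewayPorts no`, for example — satisfies the rule and, with a single rule under `condition: all`, passes the whole check even when `Port 22` is also configured; `!r:^#` likewise lets indented comment lines through. Anchor the directive and test its value on the same line, e.g. `- 'f:$sshd_file -> r:^\s*Port\s+ && !r:^\s*Port\s+22\s*$'` (the `^\s*Port` anchor already excludes comment lines, so the `!r:^#` term can go). The numeric form this replaces, `n:Port\s*\t*(\d+) compare != 22`, was more precise about the value; if it was dropped because of an engine limitation, a comment in the policy saying so would spare the next reader the same question.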
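Review bot: The rhel7 rule `r:^\s*\t*Protocol\s*\t*2` is satisfied by `Protocol 2,1`, which still negotiates SSH-1, because nothing closes the value. The two hunks just above, in the same patch, write this control as `r:^\s*\t*Protocol\s*\t*\D2\D*$`; one form should be used everywhere, and `- 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*$'` is the safer candidate since it also avoids depending on whether the engine backtracks `\s*` so that `\D` can consume the separating space in the `\D2\D*$` variant.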
@@ -959,9 +959,9 @@ checks:
       - cis: "5.2.6"
       - cis_csc: "9"
       - pci_dss: "4.1"
-    condition: none
+    condition: all
     rules:
-      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no'
+      - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes'
 
   # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
   - id: 6564
@@ -973,9 +973,9 @@ checks:
       - cis: "5.2.7"
       - cis_csc: "9"
       - pci_dss: "4.1"
-    condition: none
+    condition: all
     rules:
-      - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
+      - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
 
   # 5.2.8 Disable SSH Root Login (Scored)
   - id: 6565
@@ -1001,9 +1001,9 @@ checks:
       - cis: "5.2.9"
       - cis_csc: "16"
       - pci_dss: "4.1"
-    condition: none
+    condition: all
    rules:
-      - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+      - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no'
 
   ###############################################
   # 6 System Maintenance
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
index e35c6e360..3d5721f68 100644
--- a/sca/sles/12/cis_sles12_linux_rcl.yml
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml
@@ -820,7 +820,7 @@ checks:
       - pci_dss: "4.1"
     condition: all
     rules:
-      - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+      - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$'
 
   # 5.2.3 Set LogLevel to INFO (Scored)
   - id: 7555
diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml
index a7ecdd130..20acb41f8 100644
--- a/sca/sunos/cis_solaris11_rcl.yml
+++ b/sca/sunos/cis_solaris11_rcl.yml
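Review bot: Flipping `condition: none` to `all` with a single positive rule means the IgnoreRhosts check now passes as soon as one line reads `IgnoreRhosts yes`, even when an earlier `IgnoreRhosts no` is the value sshd actually applies (first occurrence wins); the old negative form caught the explicit insecure value, and the same gap is opened in the HostbasedAuthentication and PermitEmptyPasswords hunks below. The new rule is also looser than those two siblings: it matches `IgnoreRhosts` anywhere on the line and only excludes comments starting at column 0, whereas they anchor with `^\s*\t*`. Align it as `- 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes'`, and if the engine supports the `not` prefix consider keeping a companion `not … \.+no` rule for each of the three controls.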
@@ -546,8 +546,8 @@ checks:
       - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8'
       - 'f:/etc/default/passwd -> r:^namecheck\pyes'
       - 'f:/etc/default/passwd -> n:^history\p(\d+) compare >= 10'
-      - 'f:/etc/default/passwd -> n:^mindiff\p(\d+) >= 3'
-      - 'f:/etc/default/passwd -> n:^minalpha\p(\d+) >= 2'
+      - 'f:/etc/default/passwd -> n:^mindiff\p(\d+) compare >= 3'
+      - 'f:/etc/default/passwd -> n:^minalpha\p(\d+) compare >= 2'
       - 'f:/etc/default/passwd -> n:^minupper\p(\d+) compare >= 1'
       - 'f:/etc/default/passwd -> n:^minlower\p(\d+) compare >= 1'
       - 'f:/etc/default/passwd -> n:^minnonalpha\p(\d+) compare >= 1'

From 796c9468c4a07d29cf512f7f8051f24ea0f46ccb Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Thu, 30 May 2019 19:03:56 +0200
Subject: [PATCH 032/247] Adapt Microsoft Office 2016 rules

---
 sca/windows/acsc_office2016_rcl.yml | 390 ++++++++++++++--------------
 1 file changed, 195 insertions(+), 195 deletions(-)

diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml
index 51b5f8820..880da32a5 100644
--- a/sca/windows/acsc_office2016_rcl.yml
+++ b/sca/windows/acsc_office2016_rcl.yml
@@ -34,264 +34,264 @@ checks: description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> !ExploitGuard_ASR_Rules;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' - id: 10001 title: "Ensure 'Block executable content from email client and webmail' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' - id: 10002 title: "Ensure 'block Office applications from creating child processes' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D4F940AB-401B-4EFC-AADC-AD5F3C50688A;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' - id: 10003 title: "Ensure 'block Office applications from creating executable content' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !3B576869-A4EC-4529-8536-B80A7769E899;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' - id: 10004 title: "Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' - id: 10005 title: "Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D3E037E1-3EB8-44C8-A917-57927947596D;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' - id: 10006 title: "Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !5BEB7EFE-FD9A-4556-801D-275E5FFC04CC;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' - id: 10007 title: "Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' # ACSC - Active X - id: 10008 title: "Ensure 'Disable All Active X' is set to 'Enabled'" description: "While ActiveX controls can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, ActiveX controls should be disabled for Microsoft Office." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> !disableallactivex;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> 1' # ACSC - Add-ins - id: 10009 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Excel" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> !restricttolist;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> 1' - id: 10010 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Excel" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> !policyon;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> 1' - id: 10011 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for PowerPoint" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> !restricttolist;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> 1' - id: 10012 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> !policyon;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> 1' - id: 10013 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Word" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> !restricttolist;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> 1' - id: 10014 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Word" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> !1;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> !policyon;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> 1' # ACSC - Extension Hardening - id: 10015 title: "Ensure if Extension Hardening functionality in Microsoft Excel is enabled" description: "Extension Hardening mitigates a number of scenarios whereby an adversary would deceive users into opening malicious Microsoft Excel files. By default, users will be warned when file content or MIME type doesn’t match the file extension;however, users can still allow such files to open. As such, it is important that only Microsoft Excel files that pass integrity checks are allowed to be opened. To reduce this risk, Extension Hardening functionality should be enabled for Microsoft Excel." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> !extensionhardening;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> 2' # ACSC - File Type Blocking - id: 10016 title: "Ensure dBase III / IV files are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. 
By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !dbasefiles;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> 2' - id: 10017 title: "Ensure Dif and Sylk files are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !difandsylkfiles;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> 2' - id: 10018 title: "Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl2macros;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> 2' - id: 10019 title: "Ensure Excel 2 worksheets are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. 
To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl2worksheets;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> 2' - id: 10020 title: "Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl3macros;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> 2' - id: 10021 title: "Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. 
By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl3worksheets;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> 2' - id: 10022 title: "Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4macros;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> 2' - id: 10023 title: "Ensure Excel 4 workbooks are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4workbooks;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> 2' - id: 10024 title: "Ensure Excel 4 worksheets are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. 
To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl4worksheets;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> 2' - id: 10025 title: "Ensure Excel 95 workbooks are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any + condition: all rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> !2;' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl95workbooks;' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> 2' - id: 10026 title: "Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. 
By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> !2;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !xl9597workbooksandtemplates;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> 2'
- id: 10027
title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !openinprotectedview;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> 0'
- id: 10028
title: "Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> !2;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> !htmlandxmlssfiles;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> 2'
# CIS 2.22 - Office Converters
- id: 10029
title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled"
@@ -300,29 +300,29 @@ checks:
remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter"
compliance:
- cis: "2.22.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> !2;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> !powerpoint12betafilesfromconverters;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> 2'
# ACSC - File Type Blocking (Cont'd)
- id: 10030
title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> !openinprotectedview;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> 0'
- id: 10031
title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !openinprotectedview;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> 0'
- id: 10032
title: "Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office.
By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
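Review bot: In checks 10029, 10030 and 10031 the bare existence rule (e.g. `- 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview'`) adds nothing under `condition: all`, because the value-match rule on the following line presumably cannot hold when the value is absent; either drop the first line of each pair or, if it is kept as documentation of intent, say so with a comment such as `# value must exist and be 0 (Blocked files are not opened)`. A second caveat worth a comment above these checks: every rule reads `HKEY_CURRENT_USER`, and if the agent service runs under LocalSystem that hive belongs to the service account rather than to the logged-on user, so a per-user Office policy may never be examined — confirm how the agent resolves HKCU before relying on these results. The enclosing `checks:` list starts and ends outside this hunk.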
@@ -330,154 +330,154 @@ checks:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
condition: any
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> !2;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> 2'
- id: 10033
title: "Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> !2;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word60files;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> 2'
- id: 10034
title: "Ensure Word 95 binary documents and templates are blocked in Microsoft Word"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> !2;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word95files;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> 2'
- id: 10035
title: "Ensure Word 97 binary documents and templates are blocked in Microsoft Word"
description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> !2;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> !word97files;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> 2'
# ACSC - Hidden Markup
- id: 10036
title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint"
description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments.
Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> !markupopensave;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> 1'
- id: 10037
title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word"
description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> !showmarkupopensave;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> 1'
# ACSC - Office File Validation
- id: 10038
title: "Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office"
description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> !disablereporting;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> 1'
- id: 10039
title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel"
description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> !enableonload;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> 1'
- id: 10040
title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint"
description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> !enableonload;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> 1'
- id: 10041
title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word"
description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> !enableonload;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> 1'
# ACSC - Protected View
- id: 10042
title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableinternetfilesinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> 0'
- id: 10043
title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableunsafelocationsinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> 0'
- id: 10044
title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> !openinprotectedview;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> 0'
- id: 10045
title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> !disableattachmentsinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> 0'
- id: 10046
title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableinternetfilesinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> 0'
- id: 10047
title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableunsafelocationsinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> 0'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv'
- id: 10048
title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
references:
- https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> !openinprotectedview;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> 0'
- id: 10049
title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint"
description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
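Review bot: Check 10032 at the top of the hunk keeps `condition: any` while every other check in the hunk is switched to `all`; with its single rule the outcome is the same, but the same untouched `condition: any` over a two-rule pair is what appears for check 10049 at the start of the next hunk, where the bare existence rule (`-> disableattachmentsinpv`) alone satisfies `any`, so that check would pass whatever data the value holds rather than only when it is `0`. Suggest `condition: all` for 10032 for uniformity and, more importantly, for 10049. In check 10047 the two added rules are written in the reverse order (`-> disableunsafelocationsinpv -> 0` before the bare `-> disableunsafelocationsinpv`) from every other pair in the file; harmless under `all`, but worth swapping for consistency. The `checks:` list continues beyond this hunk on both sides.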
@@ -485,99 +485,99 @@ checks:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
 condition: any
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> !disableattachmentsinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> 0'
 - id: 10050
 title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> 0'
 - id: 10051
 title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> !disableunsafelocationsinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> 0'
 - id: 10052
 title: "Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> !openinprotectedview;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> 0'
 - id: 10053
 title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> !disableattachmentsinpv;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> 0'
 # ACSC - Trusted Documents
 - id: 10054
 title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> !disabletrusteddocuments;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> 1'
 - id: 10055
 title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office.
An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> !disablenetworktrusteddocuments;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> 1'
 - id: 10056
 title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> disabletrusteddocuments -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> !disabletrusteddocuments;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> 1'
 - id: 10057
 title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> disablenetworktrusteddocuments -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> !disablenetworktrusteddocuments;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments -> 1'
 - id: 10058
 title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> !disabletrusteddocuments;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> 1'
 - id: 10059
 title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> !disablenetworktrusteddocuments;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> 1'
 # CIS 2.24 - Privacy
 - id: 10060
 title: "Ensure 'Disable Opt-in Wizard on First Run' is set to Enabled"
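Review bot: Check 10049 keeps `condition: any` (an unchanged context line at the top of this hunk) while its rules were rewritten to the positive pair used by every other check in the hunk, `... -> disableattachmentsinpv` and `... -> disableattachmentsinpv -> 0`. Under `any`, the first rule alone satisfies the check as soon as the value exists, whatever it holds, so a workstation with Protected View for Outlook attachments turned off still passes. Every other check here pairs that rule shape with `condition: all`; 10049 should too: `condition: all`. The `- id: 10049` line of this check sits in the previous hunk.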
@@ -586,10 +586,10 @@ checks:
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run"
 compliance:
 - cis: "2.24.1.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> !1;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> !shownfirstrunoptin;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> 1'
 - id: 10061
 title: "Ensure 'Enable Customer Experience Improvement Program' is set to Disabled"
 description: "This policy setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office. When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. The recommended state for this setting is: Disabled"
@@ -597,10 +597,10 @@ checks:
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program"
 compliance:
 - cis: "2.24.1.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !qmenable;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> 0'
 - id: 10062
 title: "Ensure 'Allow including screenshot with Office Feedback' is set to Disabled"
 description: "This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled."
@@ -608,10 +608,10 @@ checks:
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback"
 compliance:
 - cis: "2.24.1.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> !includescreenshot;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> 0'
 - id: 10063
 title: "Ensure 'Send Office Feedback' is set to Disabled"
 description: "This policy setting manages the Office Feedback Tool (a.k.a. Send a Smile). The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled."
@@ -619,10 +619,10 @@ checks:
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback"
 compliance:
 - cis: "2.24.1.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> !enabled;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> 0'
 - id: 10064
 title: "Ensure 'Send personal information' is set to Disabled"
 description: "This policy setting controls whether users can send personal information to Office. When users choose to send information Office applications automatically send information to Office."
@@ -630,10 +630,10 @@ checks:
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information"
 compliance:
 - cis: "2.24.1.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !sendcustomerdata;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> 0'
 - id: 10065
 title: "Ensure Set 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled"
 description: "This policy setting controls whether Microsoft Office Diagnostics is enabled. Office Diagnostics enables Microsoft to diagnose system problems by periodically downloading a small file to the computer. If you enable this policy setting, Office Diagnostics collects information about specific errors and the IP address of the computer. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. If you disable this policy setting, users will not receive updates from Office Diagnostics. If you do not configure this policy setting, this policy setting is not enabled, but users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run an Office application. The recommended state for this setting is: Disabled."
@@ -641,7 +641,7 @@ checks:
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
 compliance:
 - cis: "2.24.1.6"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> !0;'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> !updatereliabilitydata;'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> 0'

From b577749f96e3e31fe953e1890d93ce9379416730 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Fri, 31 May 2019 15:35:58 +0200
Subject: [PATCH 033/247] WIP W10 L1, some testing needed

---
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 1679 ++++++++++---------
 1 file changed, 922 insertions(+), 757 deletions(-)

diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 8a5fa99e0..03bcaa745 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -23,7 +23,7 @@ requirements:
 description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows 10"
 condition: "any required"
 rules:
- - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10;'
+ - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'

 checks:
 # 2.3 Security Options
@@ -35,10 +35,11 @@ checks:
 compliance:
 - cis: "2.3.1.2"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> r:^3$'
+
 - id: 12001
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
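Review bot: The value rule of the check under cis 2.3.1.2 is the only one in this patch written as an anchored regex, `NoConnectedUser -> r:^3$`, while every other value rule compares a literal (`-> 1`, `-> 0`). Either use the same literal form here, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'`, or add a comment above the rule saying why an anchored match is needed for this value, so the next editor does not "normalize" it. The check's `- id` and title lines are outside this hunk.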
@@ -47,9 +48,11 @@ checks:
 compliance:
 - cis: "2.3.1.4"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
 - id: 12002
 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result.
Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
@@ -58,9 +61,11 @@ checks:
 compliance:
 - cis: "2.3.2.1"
 - cis_csc: "6.2, 6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
 - id: 12003
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
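Review bot: The description of check 12002 (the context line that closes this hunk) does not describe the setting in its title: it is the text for 'Audit: Shut down system immediately if unable to log security audits' and ends with "The recommended state for this setting is: Disabled", while the title says 'Enabled' and concerns forcing subcategory audit settings to override category settings, which is what the new `SCENoApplyLegacyAuditPolicy -> 1` rule in the next hunk verifies. A reader of a failed 12002 result would be told to disable a shutdown-on-audit-failure option that has nothing to do with the rule. Replace the paragraph with a description that matches the title, for example `description: "This policy setting allows audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. The recommended state for this setting is: Enabled."`, taking the wording from the benchmark the check cites.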
@@ -69,10 +74,11 @@ checks:
 compliance:
 - cis: "2.3.2.2"
 - cis_csc: "6"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
 - id: 12004
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users."
@@ -81,10 +87,11 @@ checks:
 compliance:
 - cis: "2.3.4.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 2;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
 - id: 12005
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
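Review bot: In the second hunk (check 12004, cis 2.3.4.1) the first new rule, `'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'`, omits the value name, so it only asserts that the Winlogon key exists; every other check in this patch writes the existence rule as `KEY -> ValueName`. It should read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'`. Separately, the title and description require 'Administrators and Interactive Users' but the value rule passes only on `AllocateDASD -> 0`, and the removed rules treated 1 and 2 as the failing states; in the Windows documentation for this setting 0 selects Administrators only and 2 selects Administrators and Interactive Users, so the expected value here is likely `2` and should be confirmed against the benchmark before this check is relied on.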
@@ -93,9 +100,11 @@ checks:
 compliance:
 - cis: "2.3.6.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
 - id: 12006
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
@@ -104,9 +113,11 @@ checks:
 compliance:
 - cis: "2.3.6.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
 - id: 12007
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
@@ -115,9 +126,11 @@ checks:
 compliance:
 - cis: "2.3.6.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
 - id: 12008
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled"
@@ -126,9 +139,11 @@ checks:
 compliance:
 - cis: "2.3.6.4"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
 - id: 12009
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
@@ -137,9 +152,11 @@ checks:
 compliance:
 - cis: "2.3.6.6"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
 - id: 12010
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
@@ -148,9 +165,11 @@ checks:
 compliance:
 - cis: "2.3.7.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
 - id: 12011
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
@@ -159,9 +178,11 @@ checks:
 compliance:
 - cis: "2.3.7.2"
 - cis_csc: "8"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+ ç- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
 - id: 12012
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
 description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit"
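Review bot: The second added rule for DisableCAD carries a stray `ç` in front of the `-` sequence marker; if that character is really in the committed file and not an artifact of how this patch was rendered, the `rules:` list parses as one item followed by a plain scalar rather than a second item, and the policy most likely fails to load at all. The line should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'`, matching the other value rules in this patch. Running yamllint over the policy files before merge would catch this class of typo mechanically.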
@@ -170,26 +191,12 @@ checks:
 compliance:
 - cis: "2.3.7.4"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+ - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> !r:^0$'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:(\d+) <= 900'
+
 - id: 12013
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
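Review bot: The middle rule for InactivityTimeoutSecs negates twice: `not` inverts a rule that already uses `!r:^0$`, so if `not` and `!r:` both negate as their names suggest, the rule passes exactly when the value is 0, and under `condition: all` a compliant 1–900 value fails while the one value the title forbids passes. The single-negation form this patch uses for AutoDisconnect and SMBServerNameHardeningLevel is what was intended: `not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:^0$`. The last rule also writes the numeric test as `n:(\d+) <= 900`, while the PasswordExpiryWarning check in the next hunk writes `n:(\d+) compare <= 14`; the two spellings cannot both be what the engine accepts, so one of the two checks is silently broken and they should be made consistent.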
@@ -198,25 +205,12 @@ checks:
 compliance:
 - cis: "2.3.7.8"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:(\d+) compare => 5'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:(\d+) compare <= 14'
+
 - id: 12014
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
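Review bot: The lower-bound rule for PasswordExpiryWarning spells its operator `=>` while the upper-bound rule on the next line uses `<=`; if the engine's comparator set only includes `>=`, this rule fails to parse or never matches, and under `condition: all` every host then fails the check. Change it to `n:(\d+) compare >= 5`. Separately, the removed rules matched the value `0F`, which suggests the agent reported this REG_DWORD in hexadecimal; if that is still the case, `(\d+)` captures only the `0` of `0F` and a compliant 15-day setting fails here, while the `^a$|…|^f$` alternation for AutoDisconnect in the 12018 hunk assumes hex and the `n:(\d+) <= 900` rule for InactivityTimeoutSecs in the previous hunk assumes decimal. Confirm the representation against one captured scan result and make all three checks agree on it.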
@@ -225,10 +219,11 @@ checks:
 compliance:
 - cis: "2.3.7.9"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ScRemoveOption;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
+
 - id: 12015
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \"Microsoft network client and server: Digitally sign communications (four related settings)\" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
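Review bot: The value rule for ScRemoveOption accepts only `^1$|^2$`, but the description two lines above says that both 'Force Logoff' and 'Disconnect if a Remote Desktop Services session' also conform; those are two distinct options beyond 'Lock Workstation', so one conforming configuration is rejected under `condition: all`. Confirm the stored value for the Disconnect option (3, as far as I recall the Winlogon documentation) and extend the pattern accordingly, e.g. `r:^1$|^2$|^3$`.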
@@ -237,10 +232,11 @@ checks:
 compliance:
 - cis: "2.3.8.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
 - id: 12016
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
@@ -249,9 +245,11 @@ checks:
 compliance:
 - cis: "2.3.8.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
 - id: 12017
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
 description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
@@ -260,9 +258,11 @@ checks:
 compliance:
 - cis: "2.3.8.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
 - id: 12018
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
@@ -271,21 +271,12 @@ checks:
 compliance:
 - cis: "2.3.9.1"
 - cis_csc: "3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:^\d$|^a$|^b$|^c$|^d$|^e$|^f$'
+
 - id: 12019
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
@@ -294,10 +285,11 @@ checks:
 compliance:
 - cis: "2.3.9.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
 - id: 12020
 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
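Review bot: The AutoDisconnect value rule `r:^\d$|^a$|^b$|^c$|^d$|^e$|^f$` is a seven-way alternation standing in for a single character class, and its `^\d$` branch admits `0`, which only the separate `not ... -> 0` rule above it excludes. The pair collapses into one anchored rule, `r:^[1-9a-f]$`, which is easier to read and removes a `not` rule whose unanchored `0` would match any value containing a zero if the engine treats the trailing operand as a pattern rather than an exact string. Whether the engine renders this REG_DWORD in hex at all is the open question raised on the PasswordExpiryWarning hunk and should be settled before either form is committed.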
@@ -306,10 +298,10 @@ checks:
 compliance:
 - cis: "2.3.9.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
 - id: 12021
 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
 description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
@@ -318,9 +310,11 @@ checks:
 compliance:
 - cis: "2.3.9.4"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
 - id: 12022
 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
 description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark."
@@ -329,10 +323,11 @@ checks:
 compliance:
 - cis: "2.3.9.5"
 - cis_csc: "14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> 0'
+
 - id: 12023
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
@@ -341,9 +336,11 @@ checks:
 compliance:
 - cis: "2.3.10.2"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
 - id: 12024
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers"
@@ -352,10 +349,11 @@ checks:
 compliance:
 - cis: "2.3.10.3"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> !RestrictAnonymous;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
 - id: 12025
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
@@ -364,10 +362,11 @@ checks:
 compliance:
 - cis: "2.3.10.4"
 - cis_csc: "16.14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
 - id: 12026
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
@@ -376,10 +375,11 @@ checks:
 compliance:
 - cis: "2.3.10.5"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
 - id: 12027
 title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)."
@@ -388,10 +388,11 @@ checks:
 compliance:
 - cis: "2.3.10.6"
 - cis_csc: "14.1, 14.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None'
+
 - id: 12028
 title: "Ensure 'Network access: Remotely accessible registry paths'"
 description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)."
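Review bot: The value rule `-> None` for NullSessionPipes compares the registry data against the literal string `None`, but the benchmark state described in the title is an empty list, and nothing in this patch shows the agent rendering an empty REG_MULTI_SZ as `None`; if it renders an empty string instead, every correctly hardened host fails this check under `condition: all`. Either confirm the rendering against a real scan result or express the requirement directly as "no non-blank entry", e.g. `not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S`. The NullSessionShares rule in the 12032 hunk later on this page has the same shape and the same question.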
@@ -400,10 +401,11 @@ checks:
 compliance:
 - cis: "2.3.10.7"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> !Machine;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+
 - id: 12029
 title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
 description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog"
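Review bot: The new value rule for AllowedExactPaths wraps an already-negated pattern in `not`, so `not ... -> !r:A|B|C` reduces to "the value matches A, B or C"; writing it as `r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion` says the same thing without the double negation. Note what that rule actually establishes: that at least one of the three benchmark paths appears in the REG_MULTI_SZ, not that all three are present and not that no extra path has been added, which is the exposure this setting is meant to limit; if the engine's regex match on multi-string values allows it, a tighter check would also reject any entry outside the benchmark list. The AllowedPaths rule in the 12029 hunk on the next two lines has the same shape and the same limitation.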
@@ -412,10 +414,11 @@ checks:
 compliance:
 - cis: "2.3.10.8"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> !Machine;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog'
+
 - id: 12030
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
 description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled"
@@ -424,9 +427,11 @@ checks:
 compliance:
 - cis: "2.3.10.9"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
 - id: 12031
 title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
 description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy."
@@ -435,9 +440,11 @@ checks:
 compliance:
 - cis: "2.3.10.10"
 - cis_csc: "5.1, 9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> !r:O:BAG:BAD:\(A;;RC;;;BA\);'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
+
 - id: 12032
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
@@ -446,9 +453,10 @@ checks:
 compliance:
 - cis: "2.3.10.11"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None'
 - id: 12033
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
@@ -457,9 +465,11 @@ checks:
 compliance:
 - cis: "2.3.10.12"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
 - id: 12034
 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
 description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
@@ -468,10 +478,11 @@ checks:
 compliance:
 - cis: "2.3.11.1"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
 - id: 12035
 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
 description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled"
@@ -480,10 +491,11 @@ checks: compliance: - cis: "2.3.11.2" - cis_csc: "14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' + - id: 12036 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. 
The recommended state for this setting is: Disabled." @@ -492,9 +504,11 @@ checks: compliance: - cis: "2.3.11.3" - cis_csc: "16.9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' + - id: 12037 title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting" 
@@ -503,10 +517,11 @@ checks: compliance: - cis: "2.3.11.4" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> !SupportedEncryptionTypes;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' + - id: 12038 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled" 
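Review bot: `SupportedEncryptionTypes -> 2147483644` accepts only the variant that still allows RC4_HMAC_MD5, so a host set to the benchmark's stated recommended state without RC4 (2147483640: AES128, AES256 and Future encryption types) fails check 12037 even though its own description calls RC4 optional. Accept both values, e.g. `'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:^(2147483640|2147483644)$'`, assuming the content operand takes an `r:` regex as the file rules do. The check's id and title lines are above the hunk.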
@@ -515,9 +530,11 @@ checks: compliance: - cis: "2.3.11.5" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' + - id: 12039 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." 
@@ -526,9 +543,9 @@ checks: compliance: - cis: "2.3.11.6" - cis_csc: "16" - condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - id: 12040 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM" 
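Review bot: `condition: any` is removed in this hunk but, unlike every neighbouring check, no `condition: all` replaces it (the 9/9 line counts of the hunk leave no room for one), so check 12039 ends up with two rules and no condition key. With an `any` evaluation the existence rule alone passes the check as soon as `EnableForcedLogOff` exists, whatever its value, and if the loader rejects a missing condition the check is skipped; add `condition: all` before `rules:`. The check's id and title lines are above the hunk.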
@@ -537,14 +554,11 @@ checks: compliance: - cis: "2.3.11.7" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' + - id: 12041 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." 
@@ -553,9 +567,11 @@ checks: compliance: - cis: "2.3.11.8" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1' + - id: 12042 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." 
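Review bot: `LDAPClientIntegrity -> 1` accepts only Negotiate signing, while the description of check 12041 states that Require signing (value 2) also conforms to the benchmark, so a host configured more strictly fails the check. Accept both with `'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> r:^(1|2)$'`, assuming the content operand takes an `r:` regex as the file rules do. The check's id and title lines are above the hunk.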
@@ -564,10 +580,11 @@ checks: compliance: - cis: "2.3.11.9" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' + - id: 12043 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." 
@@ -576,10 +593,11 @@ checks: compliance: - cis: "2.3.11.10" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' + - id: 12044 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." 
@@ -587,9 +605,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems" compliance: - cis: "2.3.15.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' + - id: 12045 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled." 
@@ -598,9 +618,11 @@ checks: compliance: - cis: "2.3.15.2" - cis_csc: "14.4, 14.6" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1' + - id: 12046 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled." @@ -609,10 +631,11 @@ checks: compliance: - cis: "2.3.17.1" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1' + - id: 12047 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled." 
@@ -621,9 +644,11 @@ checks: compliance: - cis: "2.3.17.2" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0' + - id: 12048 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop." @@ -632,11 +657,11 @@ checks: compliance: - cis: "2.3.17.3" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2' + - id: 12049 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests." 
@@ -645,10 +670,11 @@ checks: compliance: - cis: "2.3.17.4" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0' + - id: 12050 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled." 
@@ -657,10 +683,11 @@ checks: compliance: - cis: "2.3.17.5" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;' - - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;' + - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection' + - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1' + - id: 12051 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." 
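Review bot: Both new rules of check 12050 use the key `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`; the extra `\MACHINE` segment does not exist under HKLM, and every sibling UAC check in this range uses `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. With `condition: all` the existence rule can never match, so the check always reports the host as non-compliant; drop `\MACHINE` from both lines. The check's id and title lines are above the hunk.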
@@ -669,9 +696,11 @@ checks: compliance: - cis: "2.3.17.6" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1' + - id: 12052 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced." @@ -680,9 +709,11 @@ checks: compliance: - cis: "2.3.17.7" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1' + - id: 12053 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled." 
@@ -691,9 +722,11 @@ checks: compliance: - cis: "2.3.17.8" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1' + - id: 12054 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled." @@ -701,9 +734,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations" compliance: - cis: "2.3.17.9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' + # 5 System Services - id: 12055 title: "Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" 
@@ -715,7 +750,9 @@ checks: - cis_csc: "9.1, 9.2" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> !4;' + - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> 4' + - id: 12056 title: "Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'" description: "Makes local computer changes associated with configuration and maintenance of the HomeGroup-joined computer. The recommended state for this setting is: Disabled." @@ -724,10 +761,11 @@ checks: compliance: - cis: "5.6" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> 4' + - id: 12057 title: "Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'" description: "Performs networking tasks associated with configuration and maintenance of HomeGroups. The recommended state for this setting is: Disabled." 
@@ -736,10 +774,11 @@ checks: compliance: - cis: "5.7" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> 4' + - id: 12058 title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise." @@ -750,7 +789,9 @@ checks: - cis_csc: "9.1, 9.2" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> !4;' + - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4' + - id: 12059 title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'" description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled" 
@@ -759,10 +800,11 @@ checks: compliance: - cis: "5.9" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4' + - id: 12060 title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'" description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled." @@ -771,10 +813,12 @@ checks: compliance: - cis: "5.10" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4' + + - id: 12061 title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)." 
@@ -785,7 +829,9 @@ checks: - cis_csc: "9.1, 9.2" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> !4;' + - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4' + - id: 12062 title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" description: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager" @@ -796,7 +842,9 @@ checks: - cis_csc: "9.1, 9.2" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> !4;' + - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4' + - id: 12063 title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled." 
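Review bot: The description of check 12062 (Microsoft FTP Service) at the end of the first hunk is the remediation text of the LxssManager check — it tells the reader to set `...\System Services\LxssManager` — rather than a description of FTPSVC. Replace it with a sentence describing the FTP service and its recommended state (Disabled or Not Installed), and confirm that the remediation field of 12062, which lies between the two hunks, names FTPSVC.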
@@ -807,8 +855,8 @@ checks: - cis_csc: "9.1, 9.2" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4' - id: 12064 title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled." @@ -817,10 +865,11 @@ checks: compliance: - cis: "5.26" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4' + - id: 12065 title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))." 
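Review bot: Check 12063 keeps `condition: any` while its two new rules are `Start` exists and `Start -> 4`; with `any`, the existence rule alone satisfies the check, so RpcLocator passes whenever the service is registered, at any start type. Since the title requires Disabled rather than Disabled or Not Installed, this check should use `condition: all` like check 12064 further down the hunk, or the `not r:KEY` / `Start -> 4` pair the "Disabled or Not Installed" checks use. The check's id and title lines are above the hunk.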
@@ -831,7 +880,9 @@ checks: - cis_csc: "9.1, 9.2" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> !4;' + - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4' + - id: 12066 title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled." @@ -840,10 +891,11 @@ checks: compliance: - cis: "5.30" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4' + - id: 12067 title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled." 
@@ -852,10 +904,11 @@ checks:
compliance:
- cis: "5.31"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
+
- id: 12068
title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'"
description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)."
@@ -866,7 +919,9 @@ checks:
- cis_csc: "9.1, 9.2"
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> !4;'
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4'
+
- id: 12069
title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'"
description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed"
@@ -877,7 +932,9 @@ checks:
- cis_csc: "9.1, 9.2"
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> !4;'
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
+
- id: 12070
title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled."
@@ -886,10 +943,11 @@ checks:
compliance:
- cis: "5.36"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
+
- id: 12071
title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'"
description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
@@ -900,7 +958,9 @@ checks:
- cis_csc: "9.1, 9.2"
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> !4;'
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4'
+
- id: 12072
title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled."
@@ -909,10 +969,11 @@ checks:
compliance:
- cis: "5.42"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
+
- id: 12073
title: "Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'"
description: "This service supports Xbox Game Monitoring. The recommended state for this setting is: Disabled."
@@ -921,10 +982,11 @@ checks:
compliance:
- cis: "5.43"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4'
+
- id: 12074
title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled."
@@ -933,10 +995,11 @@ checks:
compliance:
- cis: "5.44"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> !Start;#'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
+
- id: 12075
title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled."
@@ -945,10 +1008,11 @@ checks:
compliance:
- cis: "5.45"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
+
- id: 12076
title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled"
@@ -957,10 +1021,11 @@ checks:
compliance:
- cis: "5.46"
- cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
+
# 9 Windows Firewall with Advanced Security
- id: 12077
title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
@@ -970,10 +1035,13 @@ checks:
compliance:
- cis: "9.1.1"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 1'
+
- id: 12078
title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
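Review bot: Both new rules in the Xbox Live Networking Service check (id 12076, whose header sits above this hunk) query `Services\XboxNetApiSvce`, a misspelling of the service name the title gives as `XboxNetApiSvc`; the removed lines carried the same typo, but under the new `condition: all` a key that never exists makes the check fail on every host, so this rewrite is the moment to fix it. Change both paths to `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc -> Start` and `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc -> Start -> 4`.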
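Review bot: With `condition: all`, the Domain firewall-state check (id 12077) now requires `EnableFirewall` to be present and 1 under both `SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile` and the `SharedAccess\Parameters\FirewallPolicy\DomainProfile` key; the Policies hive is normally populated only when the setting is delivered by Group Policy, so a host whose firewall is on but locally configured would fail, and every firewall hunk that follows uses the same pattern. If the intent is to audit the effective state, `condition: any` over the two `-> 1` rules would do it; if the intent is to require GPO enforcement as the CIS audit procedure does, a comment above `rules:` saying so would save the next reader the question. The bare `-> EnableFirewall` existence rules add nothing under `all`, since `-> EnableFirewall -> 1` already requires the value to exist.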
@@ -982,10 +1050,13 @@ checks:
compliance:
- cis: "9.1.2"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 1'
+
- id: 12079
title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
@@ -994,10 +1065,13 @@ checks:
compliance:
- cis: "9.1.3"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 0'
+
- id: 12080
title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -1005,12 +1079,13 @@ checks:
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
compliance:
- cis: "9.1.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0'
+#TODO
- id: 12081
title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log"
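Review bot: The Domain profile check (id 12080) now requires `DisableNotifications -> 0`, but its title asks for 'Display a notification' set to 'No', which is `DisableNotifications` = 1 — the removed lines treated 0 and a missing value as the failing cases, and the Private (id 12088) and Public (id 12096) rewrites in this same change use `-> 1`. As written the Domain check passes on a host that still shows notifications and fails on a compliant one; both value rules should read `-> DisableNotifications -> 1`. The added `#TODO` before id 12081 says nothing about what is pending; presumably it marks the `LogFilePath` rule that still uses the old `;`-terminated nested `r:` syntax, and the comment should say so, e.g. `# TODO: 12081 still uses the old rule syntax (trailing ';', nested r:)`.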
@@ -1023,6 +1098,7 @@ checks:
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;'
+#TODO
- id: 12082
title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
@@ -1053,10 +1129,13 @@ checks:
compliance:
- cis: "9.1.7"
- cis_csc: "6.2, 6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
- id: 12084
title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
@@ -1065,10 +1144,13 @@ checks:
compliance:
- cis: "9.1.8"
- cis_csc: "6.2, 6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
- id: 12085
title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
@@ -1077,10 +1159,12 @@ checks:
compliance:
- cis: "9.2.1"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 1'
- id: 12086
title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
@@ -1089,10 +1173,12 @@ checks:
compliance:
- cis: "9.2.2"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 1'
- id: 12087
title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
@@ -1101,10 +1187,13 @@ checks:
compliance:
- cis: "9.2.3"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: All
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 0'
+
- id: 12088
title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
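Review bot: `condition: All` in the Private outbound-connections check (id 12087, header above this hunk) is capitalised, while every other check rewritten in this change uses lowercase `all`. Whether the SCA engine accepts this depends on how it compares the condition string, which is not visible here; a value it does not recognise would leave the check evaluated with an unintended condition or rejected outright, so the fix is simply `condition: all`.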
@@ -1112,10 +1201,13 @@ checks:
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
compliance:
- cis: "9.2.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 1'
+#TODO
- id: 12089
title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
@@ -1128,6 +1220,7 @@ checks:
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;'
+#TODO
- id: 12090
title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
@@ -1158,10 +1251,13 @@ checks:
compliance:
- cis: "9.2.7"
- cis_csc: "6.2, 6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 1'
+
- id: 12092
title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
@@ -1170,10 +1266,12 @@ checks:
compliance:
- cis: "9.2.8"
- cis_csc: "6.2, 6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 1'
- id: 12093
title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
@@ -1182,10 +1280,12 @@ checks:
compliance:
- cis: "9.3.1"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 1'
- id: 12094
title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
@@ -1194,10 +1294,12 @@ checks:
compliance:
- cis: "9.3.2"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 1'
- id: 12095
title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
@@ -1206,10 +1308,12 @@ checks:
compliance:
- cis: "9.3.3"
- cis_csc: "9.2, 9.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 0'
- id: 12096
title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No"
@@ -1217,10 +1321,12 @@ checks:
remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
compliance:
- cis: "9.3.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1'
- id: 12097
title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -1229,10 +1335,13 @@ checks:
compliance:
- cis: "9.3.5"
- cis_csc: "5.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
- id: 12098
title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
@@ -1241,10 +1350,13 @@ checks: compliance: - cis: "9.3.6" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' +#TODO - id: 12099 title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." 
@@ -1255,8 +1367,10 @@ checks: - cis_csc: "6.2, 6.3" condition: any rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' +#TODO - id: 12100 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." @@ -1287,10 +1401,10 @@ checks: compliance: - cis: "9.3.9" - cis_csc: "6.2, 6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 1' - id: 12102 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." 
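Review bot: The rule added for the Policies hive keeps the trailing `;` of the old rootcheck syntax (`...\\w+\plog;`) while every other rule rewritten in this commit drops it; if the SCA parser now treats the `;` as part of the regex, `publicfw.log` can never match and the rule is dead. Suggested: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'`, and the unchanged SharedAccess line below it has the same `;`. The bare `+#TODO` inserted before id 12100, like the one before 12099 in the previous hunk, says nothing about what is pending — presumably a numeric size comparison for the 16,384 KB threshold; `# TODO: rewrite LogFileSize as an n: compare >= rule` (or whatever is actually intended) would let someone else finish it.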
@@ -1299,10 +1413,11 @@ checks: compliance: - cis: "9.3.10" - cis_csc: "6.2, 6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 1' + # 18 Administrative templates (Computer) - id: 12103 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" @@ -1311,10 +1426,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera" compliance: - cis: "18.1.1.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1' + - id: 12104 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled" 
@@ -1322,10 +1438,10 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show" compliance: - cis: "18.1.1.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' - id: 12105 title: "Ensure 'Allow input personalization' is set to 'Disabled'" description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled." 
@@ -1334,10 +1450,11 @@ checks: compliance: - cis: "18.1.2.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> !AllowInputPersonalization;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0' + - id: 12106 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. 
We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1346,9 +1463,10 @@ checks: compliance: - cis: "18.2.1" - cis_csc: "16.9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName;' + - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' + - id: 12107 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
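Review bot: The rewritten rule inverts the check: `not r:...GPExtensions\{D76B9641-...} -> DllName` passes when DllName is absent, and with `condition: all` the check then reports compliant on exactly the hosts that do not have the LAPS CSE registered, while a host with LAPS installed fails. The old rootcheck rule `-> !DllName;` fired (failed) on absence; under the pass-on-match semantics the rest of this commit uses (e.g. `-> 1` for enabled settings), the equivalent is the positive rule `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'`. If `not` was meant to pair with `condition: none` as in the PasswordLength check later in this commit, then the condition is what should change — but the current combination is wrong either way.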
@@ -1357,10 +1475,10 @@ checks: compliance: - cis: "18.2.2" - cis_csc: "16.2, 16.10" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1' - id: 12108 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. 
We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1369,10 +1487,11 @@ checks: compliance: - cis: "18.2.3" - cis_csc: "16.9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1' + - id: 12109 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. 
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1381,9 +1500,11 @@ checks: compliance: - cis: "18.2.4" - cis_csc: "5.7" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4' + - id: 12110 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1392,15 +1513,16 @@ checks: compliance: - cis: "18.2.5" - cis_csc: "5.7" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength;' + condition: none + rules: + - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^\d$' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^a$' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^b$' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^c$' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^d$' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^e$' + - id: 12111 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. 
The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
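Review bot: The `^a$`…`^e$` rules accept only lowercase hex, whereas the sibling PasswordAgeDays check in the next hunk explicitly matches `1F|1f`; if the agent reports the DWORD in uppercase, a PasswordLength of 10–14 (`A`–`E`) matches none of the rules and `condition: none` reports compliant. Either add the uppercase forms, or — if the SCA module reports REG_DWORD data in decimal — collapse the seven rules into one numeric comparison like the `n:(\d+) compare <= 5` rule used for ScreenSaverGracePeriod at the end of this commit: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+)$ compare >= 15'` under `condition: all` (an absent value then fails naturally, so the `not` rule goes too). The diff does not show which representation the module uses, so confirm it on a host before switching.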
@@ -1409,19 +1531,20 @@ checks: compliance: - cis: "18.2.6" - cis_csc: "16.5" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+;' + condition: all + rules: + - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:1F|1f' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> 
PasswordAgeDays -> r:7\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+' - id: 12112 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1." 
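Review bot: `condition: all` cannot be satisfied here: the first rule requires PasswordAgeDays to be absent while every other rule requires it to be present and to match a different pattern, so this check fails on every host regardless of configuration. The previous hunk uses the same "absent or out of range" enumeration for PasswordLength with `condition: none`, which is what this block needs — `condition: none` — so it passes only when the value exists and matches none of the ≥31 patterns. The rules are otherwise consistent with the hex-formatted value the `1F|1f` alternative assumes, so only the condition line has to change.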
@@ -1430,9 +1553,11 @@ checks: compliance: - cis: "18.3.1" - cis_csc: "5.8, 4.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1' + - id: 12113 title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'" description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems" @@ -1441,10 +1566,11 @@ checks: compliance: - cis: "18.3.2" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4' + - id: 12114 title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'" description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled." 
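Review bot: The new value rule requires `LocalAccountTokenFilterPolicy -> 1`, but the check's own description says the Enabled state "configures the LocalAccountTokenFilterPolicy registry value to 0" and that 1 is the Disabled state which gives local accounts full administrative rights over network logons; the old rule `-> !0;` also failed on anything but 0. As written the check passes on the insecure configuration and fails on the hardened one, which is the kind of silent inversion that is hard to notice once the policy is deployed. Change the second rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'`.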
@@ -1453,10 +1579,10 @@ checks:
 compliance:
 - cis: "18.3.3"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> !SMB1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
 - id: 12115
 title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
 description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
@@ -1465,10 +1591,10 @@ checks:
 compliance:
 - cis: "18.3.4"
 - cis_csc: "8.4, 8.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> !DisableExceptionChainValidation;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
 - id: 12116
 title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'"
 description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware."
@@ -1477,9 +1603,11 @@ checks: compliance: - cis: "18.3.5" - cis_csc: "8.4, 8.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1' + - id: 12117 title: "Ensure 'WDigest Authentication' is set to 'Disabled'" description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server." 
@@ -1488,9 +1616,11 @@ checks: compliance: - cis: "18.3.6" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0' + - id: 12118 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group." 
@@ -1499,9 +1629,10 @@ checks:
 compliance:
 - cis: "18.4.1"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
 - id: 12119
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
@@ -1510,10 +1641,11 @@ checks: compliance: - cis: "18.4.2" - cis_csc: "9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' + - id: 12120 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." 
@@ -1522,10 +1654,11 @@ checks: compliance: - cis: "18.4.3" - cis_csc: "9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2' + - id: 12121 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." 
@@ -1534,10 +1667,10 @@ checks:
 compliance:
 - cis: "18.4.5"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
 - id: 12122
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
@@ -1546,9 +1679,9 @@ checks:
 compliance:
 - cis: "18.4.7"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
 - id: 12123
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
@@ -1557,9 +1690,9 @@ checks:
 compliance:
 - cis: "18.4.9"
 - cis_csc: "8"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
 - id: 12124
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds"
@@ -1568,13 +1701,10 @@ checks:
 compliance:
 - cis: "18.4.10"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:(\d+) compare <= 5'
+
 - id: 12125
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less."
@@ -1583,20 +1713,20 @@ checks:
 compliance:
 - cis: "18.4.13"
 - cis_csc: "6.3, 6.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;'
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5B|5b'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5C|5c'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5D|5d'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5E|5e'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel ->
r:5F|5f'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+'
 - id: 12126
 title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
 description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
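Review bot: The twelve-rule pattern list for `WarningLevel` in 12125 is an inconsistent way to express "90% or less" when the preceding check (12124) bounds a value with `n:(\d+) compare <= 5`; it also only works if the agent renders the DWORD as two hex digits. If the value is instead reported in decimal, as the numeric form in 12124 suggests, `r:6\w` through `r:9\w` reject the permitted values 60 to 90 and the `5B|5b` to `5F|5f` rules never match, so compliant hosts fail and some non-compliant ones pass. After confirming how the agent renders the value, I would replace the list with `condition: all` and the single rule `'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:(\d+) compare <= 90'`. The `condition: none` plus `not r:` combination is also a double negative that reads harder than the positive form used by every other check in this range.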
@@ -1605,10 +1735,10 @@ checks:
 compliance:
 - cis: "18.5.4.1"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> !2;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> !NodeType;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
 - id: 12127
 title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
 description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
@@ -1617,10 +1747,10 @@ checks:
 compliance:
 - cis: "18.5.4.2"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> !EnableMulticast;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
 - id: 12128
 title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
 description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
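Review bot: Both new rules of 12126 spell the hive as `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters`, while 12122 above writes the same key as `SYSTEM\CurrentControlSet\Services\NetBT\Parameters` and every other check in this range uses upper case. Registry key names are case-insensitive on Windows, so this should be harmless at scan time, but the odd spelling means a search for all checks touching that key misses this one. Use `'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'` (and the same path in the existence rule) for consistency.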
@@ -1629,10 +1759,11 @@ checks:
 compliance:
 - cis: "18.5.8.1"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> !AllowInsecureGuestAuth;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
 - id: 12129
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
 description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
@@ -1641,10 +1772,11 @@ checks:
 compliance:
 - cis: "18.5.11.2"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
 - id: 12130
 title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
 description: "Although this legacy setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
@@ -1653,10 +1785,11 @@ checks:
 compliance:
 - cis: "18.5.11.3"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_ShowSharedAccessUI;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
+
 - id: 12131
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
 description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
@@ -1665,10 +1798,11 @@ checks:
 compliance:
 - cis: "18.5.11.4"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+#TODO
 - id: 12132
 title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'"
 description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing"
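Review bot: The added `#TODO` line before `- id: 12132` says nothing about what remains to be done, sits at column 0 between two list items in a file that otherwise carries no comments, and lacks the space after `#` that yamllint expects. If 12132 (Hardened UNC Paths) was left on the old negated-rule form because the new syntax cannot express it yet, say so where the next maintainer will see it: `# TODO: 12132 still uses the old negated rules; convert once the new syntax covers it`, ideally with a tracking-issue reference. 12132's own rules lie outside this hunk, so I cannot confirm the reason from here.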
@@ -1689,9 +1823,10 @@ checks:
 compliance:
 - cis: "18.5.21.1"
 - cis_csc: "12"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 - id: 12134
 title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
@@ -1700,10 +1835,11 @@ checks:
 compliance:
 - cis: "18.5.21.2"
 - cis_csc: "12"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
 - id: 12135
 title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'"
 description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services.  Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.  Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.  Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled."
@@ -1712,10 +1848,10 @@ checks:
 compliance:
 - cis: "18.5.23.2.1"
 - cis_csc: "15.4, 15.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> !AutoConnectAllowedOEM;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
 - id: 12136
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
 description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
@@ -1724,9 +1860,11 @@ checks:
 compliance:
 - cis: "18.8.3.1"
 - cis_csc: "16.14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
+
 - id: 12137
 title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
 description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled."
@@ -1735,10 +1873,10 @@ checks:
 compliance:
 - cis: "18.8.4.1"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> !AllowProtectedCreds;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
 - id: 12138
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
 description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
@@ -1747,9 +1885,10 @@ checks:
 compliance:
 - cis: "18.8.14.1"
 - cis_csc: "8"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
 - id: 12139
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The \"Do not apply during periodic background processing\" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart."
@@ -1758,10 +1897,10 @@ checks:
 compliance:
 - cis: "18.8.21.2"
 - cis_csc: "3.7, 5.4, 5.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
 - id: 12140
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed."
@@ -1770,10 +1909,10 @@ checks:
 compliance:
 - cis: "18.8.21.3"
 - cis_csc: "3.7, 5.4, 5.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
 - id: 12141
 title: "Ensure 'Continue experiences on this device' is set to 'Disabled'"
 description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences)."
@@ -1782,10 +1921,10 @@ checks:
 compliance:
 - cis: "18.8.21.4"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableCdp;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
 - id: 12142
 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
 description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers."
@@ -1794,9 +1933,10 @@ checks:
 compliance:
 - cis: "18.8.21.5"
 - cis_csc: "3.7, 5.4, 5.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
 - id: 12143
 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
 description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application."
@@ -1805,10 +1945,10 @@ checks:
 compliance:
 - cis: "18.8.22.1.2"
 - cis_csc: "2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
 - id: 12144
 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
 description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards."
@@ -1817,10 +1957,10 @@ checks:
 compliance:
 - cis: "18.8.22.1.6"
 - cis_csc: "7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
 - id: 12145
 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
 description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet."
@@ -1829,10 +1969,10 @@ checks:
 compliance:
 - cis: "18.8.22.1.7"
 - cis_csc: "13.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
 - id: 12146
 title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
 description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen."
@@ -1841,10 +1981,10 @@ checks:
 compliance:
 - cis: "18.8.27.1"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockUserFromShowingAccountDetailsOnSignin;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
 - id: 12147
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen."
@@ -1853,10 +1993,10 @@ checks:
 compliance:
 - cis: "18.8.27.2"
 - cis_csc: "5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 - id: 12148
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 description: "This policy setting prevents connected users from being enumerated on domain-joined computers."
@@ -1865,10 +2005,10 @@ checks:
 compliance:
 - cis: "18.8.27.3"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 - id: 12149
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 description: "This policy setting allows local users to be enumerated on domain-joined computers."
@@ -1877,9 +2017,10 @@ checks:
 compliance:
 - cis: "18.8.27.4"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 - id: 12150
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 description: "This policy setting allows you to prevent app notifications from appearing on the lock screen."
@@ -1888,10 +2029,10 @@ checks:
 compliance:
 - cis: "18.8.27.5"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 - id: 12151
 title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled."
@@ -1900,10 +2041,10 @@ checks:
 compliance:
 - cis: "18.8.27.6"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !BlockDomainPicturePassword;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
 - id: 12152
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work."
@@ -1912,9 +2053,10 @@ checks:
 compliance:
 - cis: "18.8.27.7"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 - id: 12153
 title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
 description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
@@ -1923,10 +2065,10 @@ checks:
 compliance:
 - cis: "18.8.33.6.1"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !DCSettingIndex;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
 - id: 12154
 title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
 description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
@@ -1935,10 +2077,10 @@ checks:
 compliance:
 - cis: "18.8.33.6.2"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> !ACSettingIndex;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
 - id: 12155
 title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
 description: "Dictates whether or not Windows is allowed to use standby states when sleeping the computer."
@@ -1947,9 +2089,10 @@ checks:
 compliance:
 - cis: "18.8.33.6.5"
 - cis_csc: "13.2, 13.6"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
 - id: 12156
 title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
 description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep."
@@ -1958,9 +2101,10 @@ checks: compliance: - cis: "18.8.33.6.6" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' - id: 12157 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests." @@ -1969,9 +2113,10 @@ checks: compliance: - cis: "18.8.35.1" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - id: 12158 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer." 
@@ -1980,10 +2125,10 @@ checks: compliance: - cis: "18.8.35.2" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' - id: 12159 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers." 
@@ -1992,10 +2137,10 @@ checks: compliance: - cis: "18.8.36.1" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' - id: 12160 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. 
-- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'" @@ -2004,9 +2149,10 @@ checks: compliance: - cis: "18.8.36.2" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' - id: 12161 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it" @@ -2015,10 +2161,10 @@ checks: compliance: - cis: "18.9.6.1" - cis_csc: "16.9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' - id: 12162 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones" 
@@ -2027,10 +2173,10 @@ checks: compliance: - cis: "18.9.8.1" - cis_csc: "8.3, 8.4, 8.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - id: 12163 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." @@ -2039,10 +2185,10 @@ checks: compliance: - cis: "18.9.8.2" - cis_csc: "8.3, 8.4, 8.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' - id: 12164 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives." 
@@ -2051,10 +2197,10 @@ checks: compliance: - cis: "18.9.8.3" - cis_csc: "8.3, 8.4, 8.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff' - id: 12165 title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it." @@ -2063,10 +2209,10 @@ checks: compliance: - cis: "18.9.10.1.1" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> !EnhancedAntiSpoofing;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1' - id: 12166 title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account." 
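Review bot: Both new rules of the 12164 hunk carry the key path `...\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun` with no space before `->`, unlike every other rule in this diff. If the engine splits the registry path from the value name on the literal ` -> ` token, the first split would land on ` -> ff` and the check would evaluate a key named `Explorer-> NoDriveTypeAutoRun` that does not exist, so the control could report a result for the wrong reason; worth confirming against the parser before merging. The corrected lines would be `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> ff'`. The removed lines had the same missing space, so this is pre-existing rather than introduced here, but the rewrite is the natural place to fix it.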
@@ -2075,10 +2221,10 @@ checks:
 compliance:
 - cis: "18.9.13.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> !DisableWindowsConsumerFeatures;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
 - id: 12167
 title: "Ensure 'Require pin for pairing' is set to 'Enabled'"
 description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device."
@@ -2087,10 +2233,10 @@ checks:
 compliance:
 - cis: "18.9.14.1"
 - cis_csc: "15.8, 15.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> !RequirePinForPairing;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
 - id: 12168
 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
 description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences."
@@ -2099,10 +2245,10 @@ checks:
 compliance:
 - cis: "18.9.15.1"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
 - id: 12169
 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
 description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application."
@@ -2111,9 +2257,10 @@ checks:
 compliance:
 - cis: "18.9.15.2"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
 - id: 12170
 title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'"
 description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic."
@@ -2122,11 +2269,10 @@ checks:
 compliance:
 - cis: "18.9.16.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 2;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> 3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !AllowTelemetry;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
 - id: 12171
 title: "Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
 description: "This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations."
@@ -2135,10 +2281,10 @@ checks:
 compliance:
 - cis: "18.9.16.3"
 - cis_csc: "3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !EnableConfigFlighting;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> 0'
 - id: 12172
 title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
 description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft."
@@ -2147,10 +2293,10 @@ checks:
 compliance:
 - cis: "18.9.16.4"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DoNotShowFeedbackNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
 - id: 12173
 title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
 description: "This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under \"Get Insider builds,\" and enable users to make their devices available for downloading and installing Windows preview software."
@@ -2159,10 +2305,10 @@ checks:
 compliance:
 - cis: "18.9.16.5"
 - cis_csc: "3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> !AllowBuildPreview;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
 - id: 12174
 title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
 description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead."
@@ -2171,10 +2317,10 @@ checks:
 compliance:
 - cis: "18.9.17.1"
 - cis_csc: "4.5, 3.4, 3.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> 3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> !DODownloadMode;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^1$|^2$'
 - id: 12175
 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
@@ -2183,9 +2329,10 @@ checks:
 compliance:
 - cis: "18.9.26.1.1"
 - cis_csc: "6.3, 6.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
 - id: 12176
 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
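Review bot: The new 12174 rule `DODownloadMode -> r:^1$|^2$` is narrower than the control it implements: the title only requires that Download Mode is NOT 'Enabled: Internet' (mode 3), and the description lists 0, 99 and 100 as non-peering or bypass modes, yet a host set to any of those now fails under `condition: all`. The removed lines flagged only mode 3 or a missing value, which matched the title. The same shape the MaxSize hunks in this diff already use would keep that meaning without enumerating every allowed mode: `condition: none`, `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> 3'`. If the intent really is to allow only LAN/group peering, the title should say so instead.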
@@ -2194,20 +2341,20 @@ checks:
 compliance:
 - cis: "18.9.26.1.2"
 - cis_csc: "6.3, 6.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;'
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^0\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^1\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^2\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^3\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^4\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^5\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^6\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^7\w\w\w$'
 - id: 12177
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
@@ -2216,9 +2363,10 @@ checks:
 compliance:
 - cis: "18.9.26.2.1"
 - cis_csc: "6.3, 6.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
 - id: 12178
 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
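Review bot: The threshold in the 12176 hunk is encoded as digit-count patterns (`^\w$` through `^\w\w\w$`, then `^0\w\w\w$` to `^7\w\w\w$`), which equals "below 32,768" only if MaxSize is matched as a hexadecimal string (32,768 is 0x8000, so anything shorter than four hex digits or with a leading 0-7 is below it); if the agent reported the DWORD in decimal, 8000-9999 and 10000-32767 would pass undetected. The same unstated assumption underlies 12178 (196,608 is 0x30000, hence the `^0`/`^1`/`^2` five-character patterns), 12180 and 12182. Nothing in the policy records it, so a maintainer adjusting the threshold later is likely to write a decimal pattern; add above `condition: none` in each of the four checks a comment such as `# MaxSize is compared as a hex string: 32768 = 0x8000, so fewer than four hex digits or a leading 0-7 means below the threshold`, with the 0x30000 figure in 12178. The `not r:... -> MaxSize` rule handles the missing-value case, which the old `!MaxSize;` line covered, so no behaviour is lost there.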
@@ -2227,16 +2375,16 @@ checks:
 compliance:
 - cis: "18.9.26.2.2"
 - cis_csc: "6.3, 6.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;'
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^0\w\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^1\w\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^2\w\w\w\w$'
 - id: 12179
 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
@@ -2245,9 +2393,11 @@ checks:
 compliance:
 - cis: "18.9.26.3.1"
 - cis_csc: "6.3, 6.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
 - id: 12180
 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
@@ -2256,20 +2406,20 @@ checks:
 compliance:
 - cis: "18.9.26.3.2"
 - cis_csc: "6.3, 6.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;'
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^0\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^1\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^2\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^3\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^4\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^5\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^6\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^7\w\w\w$'
 - id: 12181
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
@@ -2278,9 +2428,10 @@ checks:
 compliance:
 - cis: "18.9.26.4.1"
 - cis_csc: "6.3, 6.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
 - id: 12182
 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
@@ -2289,20 +2440,20 @@ checks:
 compliance:
 - cis: "18.9.26.4.2"
 - cis_csc: "6.3, 6.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;'
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^0\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^1\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^2\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^3\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^4\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^5\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^6\w\w\w$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^7\w\w\w$'
 - id: 12183
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
 description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer."
@@ -2311,9 +2462,10 @@ checks:
 compliance:
 - cis: "18.9.30.2"
 - cis_csc: "8.4, 8.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 - id: 12184
 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
 description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this."
@@ -2322,9 +2474,10 @@ checks:
 compliance:
 - cis: "18.9.30.3"
 - cis_csc: "8.4, 8.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
 - id: 12185
 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows."
@@ -2333,9 +2486,10 @@ checks:
 compliance:
 - cis: "18.9.30.4"
 - cis_csc: "8.4, 8.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 - id: 12186
 title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
 description: "By default, users can add their computer to a HomeGroup on a home network."
@@ -2344,10 +2498,10 @@ checks:
 compliance:
 - cis: "18.9.35.1"
 - cis_csc: "14.1, 14.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> !DisableHomeGroup;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
 - id: 12187
 title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
 description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs."
@@ -2356,10 +2510,10 @@ checks:
 compliance:
 - cis: "18.9.44.1"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> !DisableUserAuth;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
 - id: 12188
 title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
 description: "This setting lets you configure how your company deals with cookies. The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark."
@@ -2368,10 +2522,10 @@ checks: compliance: - cis: "18.9.45.4" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> 2;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !Cookies;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$' - id: 12189 title: "Ensure 'Configure Password Manager' is set to 'Disabled'" description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager." @@ -2380,10 +2534,10 @@ checks: compliance: - cis: "18.9.45.5" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> !no;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !FormSuggest Passwords;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no' - id: 12190 title: "Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'" description: "This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content." 
@@ -2392,9 +2546,10 @@ checks: compliance: - cis: "18.9.45.8" - cis_csc: "7.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1' - id: 12191 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client." @@ -2403,10 +2558,10 @@ checks: compliance: - cis: "18.9.52.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - id: 12192 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer." 
@@ -2415,10 +2570,10 @@ checks: compliance: - cis: "18.9.58.2.2" - cis_csc: "16.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - id: 12193 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them." @@ -2427,10 +2582,10 @@ checks: compliance: - cis: "18.9.58.3.3.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1' - id: 12194 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client." 
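Review bot: The second new rule in the fDisableCdm hunk still carries the old typo `fDisableCdma`, while the first new rule correctly names `fDisableCdm`; under `condition: all` the value rule can never match because no such value name exists, so check 12193 fails on every host regardless of its configuration. The fix is the one line `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'`, matching the value name the first rule already uses. The check's id and title sit in the trailing context of the preceding hunk.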
@@ -2439,10 +2594,10 @@ checks: compliance: - cis: "18.9.58.3.9.1" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - id: 12195 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests." 
@@ -2451,10 +2606,10 @@ checks: compliance: - cis: "18.9.58.3.9.2" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' - id: 12196 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption." @@ -2463,9 +2618,10 @@ checks: compliance: - cis: "18.9.58.3.9.3" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' - id: 12197 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff." 
@@ -2474,9 +2630,10 @@ checks: compliance: - cis: "18.9.58.3.11.1" - cis_csc: "14.4, 14.6" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' - id: 12198 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session." @@ -2485,9 +2642,10 @@ checks: compliance: - cis: "18.9.58.3.11.2" - cis_csc: "14.4, 14.6" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' - id: 12199 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer." 
@@ -2496,10 +2654,10 @@ checks: compliance: - cis: "18.9.59.1" - cis_csc: "7.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' - id: 12200 title: "Ensure 'Allow Cortana' is set to 'Disabled'" description: "This policy setting specifies whether Cortana is allowed on the device" @@ -2508,10 +2666,10 @@ checks: compliance: - cis: "18.9.60.3" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortana;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0' - id: 12201 title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked." 
@@ -2520,10 +2678,10 @@ checks: compliance: - cis: "18.9.60.4" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCortanaAboveLock;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0' - id: 12202 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files." @@ -2532,9 +2690,10 @@ checks: compliance: - cis: "18.9.60.5" - cis_csc: "13.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' - id: 12203 title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results." 
@@ -2543,10 +2702,10 @@ checks: compliance: - cis: "18.9.60.6" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowSearchToUseLocation;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0' - id: 12204 title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" description: "This setting enables or disables the automatic download and installation of Windows Store app updates." @@ -2555,9 +2714,10 @@ checks: compliance: - cis: "18.9.68.2" - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> !4;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4' - id: 12205 title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" description: "Enables or disables the Windows Store offer to update to the latest version of Windows." 
@@ -2566,10 +2726,10 @@ checks: compliance: - cis: "18.9.68.3" - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableOSUpgrade;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1' - id: 12206 title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This setting can only be set by Group Policy." @@ -2578,9 +2738,10 @@ checks: compliance: - cis: "18.9.76.3.1" - cis_csc: "8" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0' - id: 12207 title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'" description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus." 
@@ -2589,9 +2750,10 @@ checks: compliance: - cis: "18.9.76.7.1" - cis_csc: "8.1, 8.6" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0' - id: 12208 title: "Ensure 'Scan removable drives' is set to 'Enabled'" description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan." @@ -2600,10 +2762,10 @@ checks: compliance: - cis: "18.9.76.10.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> !DisableRemovableDriveScanning;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0' - id: 12209 title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'" description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac)." 
@@ -2612,10 +2774,10 @@ checks: compliance: - cis: "18.9.76.10.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> !DisableEmailScanning;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0' - id: 12210 title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules." 
@@ -2624,10 +2786,10 @@ checks: compliance: - cis: "18.9.76.13.1.1" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> !ExploitGuard_ASR_Rules;' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' - id: 12211 title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'" description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail)" 
@@ -2636,22 +2798,22 @@ checks: compliance: - cis: "18.9.76.13.1.2" - cis_csc: "8.4" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D4F940AB-401B-4EFC-AADC-AD5F3C50688A;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !3B576869-A4EC-4529-8536-B80A7769E899;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !D3E037E1-3EB8-44C8-A917-57927947596D;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 
!5BEB7EFE-FD9A-4556-801D-275E5FFC04CC;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> !1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> !92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B;' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' - id: 12212 title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" description: "This policy setting controls Windows Defender Exploit Guard network protection." @@ -2660,10 +2822,10 @@ checks: compliance: - cis: "18.9.76.13.3.1" - cis_csc: "7" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> !EnableNetworkProtection;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1' - id: 12213 title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'" description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software." 
@@ -2672,9 +2834,10 @@ checks: compliance: - cis: "18.9.76.14" - cis_csc: "8.1, 8.6" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0' - id: 12214 title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'" description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center." @@ -2683,10 +2846,10 @@ checks: compliance: - cis: "18.9.79.1.1" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> !DisallowExploitProtectionOverride;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1' - id: 12215 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled." 
@@ -2695,12 +2858,13 @@ checks: compliance: - cis: "18.9.80.1.1" - cis_csc: "2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> !Block;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !ShellSmartScreenLevel;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block' + - id: 12216 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'" description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software." @@ -2709,9 +2873,10 @@ checks: compliance: - cis: "18.9.80.2.1" - cis_csc: "2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1' - id: 12217 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'" description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files." 
@@ -2720,10 +2885,10 @@ checks: compliance: - cis: "18.9.80.2.2" - cis_csc: "7" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverrideAppRepUnknown;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1' - id: 12218 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'" description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites." @@ -2732,10 +2897,10 @@ checks: compliance: - cis: "18.9.80.2.3" - cis_csc: "7" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> !PreventOverride;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1' - id: 12219 title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" description: "This setting enables or disables the Windows Game Recording and Broadcasting features." 
@@ -2744,10 +2909,10 @@ checks: compliance: - cis: "18.9.82.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> !AllowGameDVR;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0' - id: 12220 title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'" description: "This policy setting determines whether Windows Ink items are allowed above the lock screen." 
@@ -2756,10 +2921,10 @@ checks: compliance: - cis: "18.9.84.2" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> 2;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowWindowsInkWorkspace;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$' - id: 12221 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user." 
@@ -2768,9 +2933,10 @@ checks: compliance: - cis: "18.9.85.1" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1' - id: 12222 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure." @@ -2779,9 +2945,10 @@ checks: compliance: - cis: "18.9.85.2" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - id: 12223 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system." 
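Review bot: In the first hunk on this line, `EnableUserControl -> 1` makes check 12221 pass when 'Allow user control over installs' is enabled, the opposite of its title ('Disabled'); the removed rule failed on `!0`, so the compliant value is 0 and with `condition: all` the rewrite inverts the result instead of preserving it. The value rule should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'`. The same inversion appears in the hunk for check 12237 (`NoAutoRebootWithLoggedOnUsers -> 1`, title 'Disabled', removed rule `!0`), which should also end in `-> 0`. The `- id: 12221` and title lines belong to the preceding hunk, so only the rules are visible here.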
@@ -2790,10 +2957,10 @@ checks: compliance: - cis: "18.9.86.1" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' - id: 12224 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" description: "This policy setting enables logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log." @@ -2802,10 +2969,10 @@ checks: compliance: - cis: "18.9.95.1" - cis_csc: "16.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' - id: 12225 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts." 
@@ -2814,9 +2981,10 @@ checks: compliance: - cis: "18.9.95.2" - cis_csc: "16.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01' - id: 12226 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication." @@ -2825,9 +2993,10 @@ checks: compliance: - cis: "18.9.97.1.1" - cis_csc: "16.13, 16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' - id: 12227 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network." 
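Review bot: The value rule for check 12225 in the first hunk on this line compares `EnableTranscripting` against `01`, which looks like a typo for `0`; every other value rule in these hunks compares against a single digit, so this rule is unlikely ever to match and, under `condition: all`, the check would report failed on every host regardless of the actual setting. The title ('Turn on PowerShell Transcription' set to 'Disabled') and the removed `!0` rule both point to `0`, so the line should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'`. A check that is always failed is easily mistaken for a real finding, so this is worth fixing before the policy ships.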
@@ -2836,9 +3005,10 @@ checks: compliance: - cis: "18.9.97.1.2" - cis_csc: "16.5, 16.13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' - id: 12228 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication." @@ -2847,10 +3017,10 @@ checks: compliance: - cis: "18.9.97.1.3" - cis_csc: "16.5, 16.13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' - id: 12229 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client." 
@@ -2859,9 +3029,10 @@ checks: compliance: - cis: "18.9.97.2.1" - cis_csc: "16.5, 16.13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' - id: 12230 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port." @@ -2870,9 +3041,10 @@ checks: compliance: - cis: "18.9.97.2.3" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' - id: 12231 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network." 
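Review bot: The context lines in the second hunk on this line show check 12231 titled 'Disallow WinRM from storing RunAs credentials' with a description about the service sending and receiving unencrypted messages, while check 12230 in the first hunk is titled 'Allow unencrypted traffic' but its description talks about the service listening on the default HTTP port; the descriptions appear to be shifted by one entry relative to their titles and `cis` ids. The rules themselves (`AllowUnencryptedTraffic -> 0`, `DisableRunAs -> 1`) agree with the titles, so this is a documentation fix: move the 'unencrypted messages' sentence to 12230 and give 12231 a sentence stating whether the WinRM service may store RunAs credentials. These lines are unchanged by the commit, so a follow-up is fine.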
@@ -2881,10 +3053,10 @@ checks: compliance: - cis: "18.9.97.2.4" - cis_csc: "16.5, 16.13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' - id: 12232 title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'" description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software." 
@@ -2893,12 +3065,12 @@ checks: compliance: - cis: "18.9.101.1.1" - cis_csc: "3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !ManagePreviewBuilds;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !ManagePreviewBuildsPolicyValue;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0' - id: 12233 title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'" description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds. 
 Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.  Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment." 
@@ -2907,22 +3079,14 @@ checks: compliance: - cis: "18.9.101.1.2" - cis_csc: "3" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferFeatureUpdates;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:10\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:11\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:12\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:13\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:14\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:15\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:16\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> r:17\d;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> !r:\d\d\d+;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferFeatureUpdatesPeriodInDays;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> !32;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !BranchReadinessLevel;' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1' + - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:(\d+) compare >= 180' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32' - id: 12234 title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'" description: "This settings controls when Quality Updates are received." 
@@ -2931,12 +3095,12 @@ checks: compliance: - cis: "18.9.101.1.3" - cis_csc: "3.4, 3.5, 4.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferQualityUpdates;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> !DeferQualityUpdatesPeriodInDays;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0' - id: 12235 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) 
(Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))" @@ -2945,10 +3109,10 @@ checks: compliance: - cis: "18.9.101.2" - cis_csc: "3.4, 3.5, 4.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' - id: 12236 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS." @@ -2957,10 +3121,10 @@ checks: compliance: - cis: "18.9.101.3" - cis_csc: "3.4, 3.5, 4.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' - id: 12237 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation." 
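Review bot: In the hunk for check 12235 (`@@ -2945,10 +3109,10 @@`), `NoAutoUpdate -> 1` contradicts the title 'Configure Automatic Updates' set to 'Enabled': NoAutoUpdate is a negative flag, and as far as I know the policy, enabling automatic updates writes 0 while 1 means they are switched off. The removed `!1` rule carried the same expectation, so this is inherited rather than introduced, but the rewrite is the natural place to correct it: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'`. Confirm against the benchmark text for 18.9.101.2 before changing it.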
@@ -2969,6 +3133,7 @@ checks: compliance: - cis: "18.9.101.4" - cis_csc: "3.4, 3.5, 4.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 1' From 2b221801c914de28eba711f43a80a0043af85a1d Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 3 Jun 2019 18:39:19 +0200 Subject: [PATCH 034/247] Adapt Windows 10 L2 --- sca/windows/cis_win10_enterprise_L2_rcl.yml | 638 +++++++++++--------- 1 file changed, 367 insertions(+), 271 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml index 44bbff12d..32c7bc44e 100644 --- a/sca/windows/cis_win10_enterprise_L2_rcl.yml +++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml @@ -23,7 +23,7 @@ requirements: description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows 10" condition: "any required" rules: - - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10;' + - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10' checks: # 2.3 Security Options 
@@ -35,10 +35,11 @@ checks: compliance: - cis: "2.3.4.2" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> !AddPrinterDrivers;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' + - id: 12501 title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)." 
@@ -47,10 +48,11 @@ checks: compliance: - cis: "2.3.7.7" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:(\d+) compare <= 4' + - id: 12502 title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark." @@ -59,10 +61,11 @@ checks: compliance: - cis: "2.3.14.1" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> !ForceKeyProtection;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0' + # 5 System Services - id: 12503 title: "Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'" 
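Review bot: In the second hunk on this line (`@@ -59,10 +61,11 @@`), `ForceKeyProtection -> 0` makes check 12502 pass only when strong key protection is off, whereas the title requires 'User is prompted when the key is first used' or higher; the removed rules treated `0` and an absent value as the failure cases, so the compliant values are 1 and 2 and under `condition: all` the new rule inverts the check. This file already uses two forms for a range, so either `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> r:^1$|^2$'` (the style of check 12220) or `... -> ForceKeyProtection -> n:(\d+) compare >= 1` (the style of check 12501 in the first hunk on this line) would express it.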
@@ -72,10 +75,11 @@ checks: compliance: - cis: "5.1" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4' + - id: 12504 title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled." @@ -84,10 +88,11 @@ checks: compliance: - cis: "5.2" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4' + - id: 12505 title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" description: "Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps." 
@@ -96,10 +101,11 @@ checks: compliance: - cis: "5.4" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4' + - id: 12506 title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled." @@ -108,10 +114,11 @@ checks: compliance: - cis: "5.5" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4' + - id: 12507 title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled." 
@@ -120,10 +127,12 @@ checks: compliance: - cis: "5.11" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4' + + - id: 12508 title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled." @@ -132,10 +141,11 @@ checks: compliance: - cis: "5.14" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4' + - id: 12509 title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled." 
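Review bot: The first hunk on this line (`@@ -120,10 +127,12 @@`) adds two blank lines after the rules of check 12507, where every neighbouring check gets exactly one; the `+12` in its header against `+11` for the surrounding hunks is the visible trace. Drop one of the two added blank lines so the spacing between checks stays uniform.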
@@ -144,10 +154,11 @@ checks: compliance: - cis: "5.15" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4' + - id: 12510 title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled." @@ -156,10 +167,11 @@ checks: compliance: - cis: "5.16" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4' + - id: 12511 title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled." 
@@ -168,10 +180,11 @@ checks: compliance: - cis: "5.17" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4' + - id: 12512 title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled." @@ -180,10 +193,11 @@ checks: compliance: - cis: "5.18" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> !4;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> !Start;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4' + - id: 12513 title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled." 
@@ -192,10 +206,11 @@ checks:
 compliance:
 - cis: "5.19"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4'
+
 - id: 12514
 title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
 description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address."
@@ -204,10 +219,11 @@ checks:
 compliance:
 - cis: "5.20"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4'
+
 - id: 12515
 title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
 description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled."
@@ -216,10 +232,11 @@ checks:
 compliance:
 - cis: "5.21"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4'
+
 - id: 12516
 title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
 description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled."
@@ -228,10 +245,11 @@ checks:
 compliance:
 - cis: "5.22"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4'
+
 - id: 12517
 title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
 description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled."
@@ -240,10 +258,11 @@ checks:
 compliance:
 - cis: "5.23"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4'
+
 - id: 12518
 title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'"
 description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled."
@@ -252,10 +271,11 @@ checks:
 compliance:
 - cis: "5.25"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4'
+
 - id: 12519
 title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'"
 description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled."
@@ -264,10 +284,11 @@ checks:
 compliance:
 - cis: "5.27"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4'
+
 - id: 12520
 title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'"
 description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))."
@@ -276,9 +297,11 @@ checks:
 compliance:
 - cis: "5.29"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> !4;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4'
+
 - id: 12521
 title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
 description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled."
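Review bot: The new rules for 12520 contradict the check's own title and description ('Disabled' or 'Not Installed'; "This service is not installed by default"): with `condition: all` and a mandatory `-> Start` existence rule, a host with no `Services\SNMP` key at all — the default state — now fails, whereas the removed single `-> Start -> !4` rule under `any` passed it. The intended logic is "pass if the key is absent OR Start is 4", which needs `condition: any` with two rules, for example `- 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'` and `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4'`, assuming the new rule engine accepts a `not` prefix on registry rules (confirm against its syntax; if it does not, an equivalent negated-existence form is required). As written, every default Windows 10 install will report this control as failed, which trains operators to ignore it.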
@@ -287,10 +310,11 @@ checks:
 compliance:
 - cis: "5.33"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4'
+
 - id: 12522
 title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
 description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
@@ -299,10 +323,11 @@ checks:
 compliance:
 - cis: "5.34"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4'
+
 - id: 12523
 title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
 description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
@@ -311,10 +336,11 @@ checks:
 compliance:
 - cis: "5.37"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4'
+
 - id: 12524
 title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
 description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled."
@@ -323,10 +349,11 @@ checks:
 compliance:
 - cis: "5.38"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4'
+
 - id: 12525
 title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'"
 description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
@@ -335,10 +362,11 @@ checks:
 compliance:
 - cis: "5.39"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4'
+
 - id: 12526
 title: "Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'"
 description: "This service provides infrastructure support for the Windows Store. The recommended state for this setting is: Disabled."
@@ -347,10 +375,11 @@ checks:
 compliance:
 - cis: "5.40"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> !4;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> !Start;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4'
+
 # 18.1 Control Panel
 - id: 12527
 title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
@@ -360,10 +389,11 @@ checks:
 compliance:
 - cis: "18.1.3"
 - cis_csc: "9.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !AllowOnlineTips;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
+
 # 18.4 MSS (Legacy)
 - id: 12528
 title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
@@ -375,10 +405,11 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> !DisableSavePassword;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
+
 - id: 12529
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
@@ -389,10 +420,11 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
+
 - id: 12530
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
@@ -403,10 +435,11 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
 - id: 12531
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
@@ -417,10 +450,11 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
 - id: 12532
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
@@ -431,10 +465,11 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+
 # 18.5 Network
 - id: 12533
 title: "Ensure 'Enable Font Providers' is set to 'Disabled'"
@@ -444,10 +479,11 @@ checks:
 compliance:
 - cis: "18.5.5.1"
 - cis_csc: "3, 13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableFontProviders;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
 - id: 12534
 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
@@ -456,12 +492,13 @@ checks:
 compliance:
 - cis: "18.5.9.1"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+
 - id: 12535
 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
@@ -470,12 +507,13 @@ checks:
 compliance:
 - cis: "18.5.9.2"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+
 - id: 12536
 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
 description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
@@ -484,10 +522,11 @@ checks:
 compliance:
 - cis: "18.5.10.2"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
 - id: 12537
 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
 description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
@@ -496,10 +535,11 @@ checks:
 compliance:
 - cis: "18.5.19.2.1"
 - cis_csc: "9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
+
 - id: 12538
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
 description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
@@ -508,18 +548,19 @@ checks:
 compliance:
 - cis: "18.5.20.1"
 - cis_csc: "15.4, 15.5"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
 - id: 12539
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
 description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
@@ -528,10 +569,11 @@ checks:
 compliance:
 - cis: "18.5.20.2"
 - cis_csc: "15.4, 15.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+
 # 18.8 System
 - id: 12540
 title: "Ensure 'Turn off access to the Store' is set to 'Enabled'"
@@ -541,10 +583,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.1"
 - cis_csc: "2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoUseStoreOpenWith;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
+
 - id: 12541
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
@@ -553,10 +596,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
 - id: 12542
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
@@ -565,10 +609,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.4"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
 - id: 12543
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
@@ -577,10 +622,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.5"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
 - id: 12544
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
@@ -588,10 +634,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.8"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
 - id: 12545
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
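Review bot: The registry path carried into the new 12544 rules, `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, is missing the `SOFTWARE\` segment; every sibling policy check in this file (12540 through 12543 and 12545) sits under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\...`, and a standard Windows install has no `Policies` key directly under HKLM. Combined with `condition: all`, a key that cannot exist makes the check fail on every host regardless of the real policy state, so the control is silently lost. The path was already wrong in the removed lines, but rewriting the rules is the moment to fix it: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'` (and the matching existence rule), confirmed against the CIS 18.8.22.1.8 audit procedure.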
@@ -600,10 +647,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.9"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
 - id: 12546
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
@@ -612,10 +660,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.10"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
 - id: 12547
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
@@ -624,10 +673,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.11"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
 - id: 12548
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
@@ -636,10 +686,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.12"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1'
+
 - id: 12549
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
@@ -648,10 +699,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.13"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
 - id: 12550
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
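Review bot: The rewritten rule for check 12548 (the `-636` hunk) inverts the result of the line it replaces: the removed rule was `CEIP -> 1;` with no `!`, so under the old any/negative-match semantics a value of 1 was the non-compliant state, whereas the added `CEIP -> 1` under `condition: all` now makes 1 the required value. Every other check in this series converts a `!N` rule into `N`, so this looks like the same mechanical flip applied to a rule that was never negated. The expected value for 'Turn off the Windows Messenger Customer Experience Improvement Program' should be confirmed against the benchmark's registry mapping for 18.8.22.1.12 rather than assumed to be 1, and the second added line adjusted to match.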
@@ -660,12 +712,13 @@ checks:
 compliance:
 - cis: "18.8.22.1.14"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
+
 - id: 12551
 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
 description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
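Review bot: The required values for check 12550 read as the opposite of its title 'Turn off Windows Error Reporting' set to 'Enabled': the added rules require `Disabled -> 0` and `DoReport -> 1`, which by the value names describes error reporting left switched on. The removed lines carried the same polarity (`!0` / `!1`), so this is probably inherited rather than introduced here, but the move to `condition: all` is the moment to verify both values against the benchmark's registry mapping for 18.8.22.1.14. If the benchmark expects Disabled = 1 and DoReport = 0, the two value lines should become `... Windows Error Reporting -> Disabled -> 1` and `... ErrorReporting -> DoReport -> 0`.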
@@ -674,10 +727,11 @@ checks:
 compliance:
 - cis: "18.8.25.1"
 - cis_csc: "1.6"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1;'
+
 - id: 12552
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
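Review bot: The two rewritten rules for check 12551 keep the trailing `;` (`-> DevicePKInitBehavior -> 0;` and `-> DevicePKInitEnabled -> 1;`) while every other rule this commit rewrites drops it. If the new rule parser no longer treats `;` as a terminator, the comparison is against the literal `0;` / `1;` and the check can never pass; either way the terminator should go for consistency with the rest of the file. This check is also the only converted one without a key-existence rule ahead of its value rules; adding the same `-> DevicePKInitBehavior` / `-> DevicePKInitEnabled` existence lines used elsewhere would make its outcome on a host without the policy independent of how the engine treats a missing value.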
@@ -686,10 +740,11 @@ checks:
 compliance:
 - cis: "18.8.26.1"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
 - id: 12553
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
@@ -698,10 +753,11 @@ checks:
 compliance:
 - cis: "18.8.44.5.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
 - id: 12554
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
@@ -710,10 +766,11 @@ checks:
 compliance:
 - cis: "18.8.44.11.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
 - id: 12555
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
@@ -722,10 +779,11 @@ checks:
 compliance:
 - cis: "18.8.46.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
 - id: 12556
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
@@ -734,10 +792,11 @@ checks:
 compliance:
 - cis: "18.8.49.1.1"
 - cis_csc: "6.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
 - id: 12557
 title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
 description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
@@ -746,9 +805,11 @@ checks:
 compliance:
 - cis: "18.8.49.1.2"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+
 # 18.9 Windows Components
 - id: 12558
 title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
@@ -758,9 +819,11 @@ checks:
 compliance:
 - cis: "18.9.4.1"
 - cis_csc: "14.4, 14.6"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
 - id: 12559
 title: "Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
 description: "This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled."
@@ -769,10 +832,11 @@ checks:
 compliance:
 - cis: "18.9.6.2"
 - cis_csc: "7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !BlockHostedAppAccessWinRT;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
+
 - id: 12560
 title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
 description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
@@ -781,10 +845,11 @@ checks:
 compliance:
 - cis: "18.9.12.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> !AllowCamera;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
 - id: 12561
 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
 description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
@@ -793,10 +858,11 @@ checks:
 compliance:
 - cis: "18.9.16.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> !DisableEnterpriseAuthProxy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
 - id: 12562
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
@@ -805,10 +871,11 @@ checks:
 compliance:
 - cis: "18.9.39.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
 - id: 12563
 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
 description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
@@ -817,10 +884,11 @@ checks:
 compliance:
 - cis: "18.9.43.1"
 - cis_csc: "9.1, 9.2, 13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> !AllowMessageSync;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
 - id: 12564
 title: "Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
 description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled."
@@ -829,10 +897,11 @@ checks:
 compliance:
 - cis: "18.9.45.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> !ShowOneBox;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
+
 - id: 12565
 title: "Ensure 'Allow Adobe Flash' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled."
@@ -841,10 +910,11 @@ checks:
 compliance:
 - cis: "18.9.45.2"
 - cis_csc: "7.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> !FlashPlayerEnabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
+
 - id: 12566
 title: "Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled."
@@ -853,10 +923,11 @@ checks:
 compliance:
 - cis: "18.9.45.3"
 - cis_csc: "7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !AllowInPrivate;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
+
 - id: 12567
 title: "Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
 description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
@@ -865,9 +936,11 @@ checks:
 compliance:
 - cis: "18.9.45.6"
 - cis_csc: "7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> !r:yes;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
+
 - id: 12568
 title: "Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
 description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
@@ -876,10 +949,11 @@ checks:
 compliance:
 - cis: "18.9.45.7"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> !ShowSearchSuggestionsGlobal;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0'
+
 - id: 12569
 title: "Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
 description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled."
@@ -888,10 +962,11 @@ checks:
 compliance:
 - cis: "18.9.45.9"
 - cis_csc: "3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !PreventAccessToAboutFlagsInMicrosoftEdge;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1'
+
 - id: 12570
 title: "Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
 description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled."
@@ -900,10 +975,11 @@ checks:
 compliance:
 - cis: "18.9.45.10"
 - cis_csc: "7.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> !HideLocalHostIP;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1'
+
 - id: 12571
 title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'"
 description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
@@ -912,10 +988,11 @@ checks:
 compliance:
 - cis: "18.9.57.1"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> !DisablePushToInstall;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
+
 - id: 12572
 title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
 description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
@@ -923,9 +1000,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: "18.9.58.3.2.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'
+
 - id: 12573
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -934,10 +1013,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.1"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
 - id: 12574
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -946,10 +1026,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.3"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
 - id: 12575
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -958,10 +1039,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.4"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
 - id: 12576
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
@@ -972,8 +1054,9 @@ checks:
 - cis_csc: "16.5"
 references:
 - https://workbench.cisecurity.org/benchmarks/766
- condition: any
+ condition: none
 rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;'
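Review bot: In the `-972` hunk for check 12576 the unchanged value-pattern rules (`-> MaxIdleTime -> r:dbba1;` and the lines that follow) still end with the `;` terminator that this commit strips from every rule it rewrites, including the new `not r:... -> MaxIdleTime` line directly above them. If `;` is now read as a literal regex character those patterns can never match, and under `condition: none` the check would then pass on any host where the key exists whatever its value, which is the opposite of what the title asks for. The rule list for this check continues beyond the end of the hunk (the next hunk at `-1000` shows its tail), so the terminator has to be removed from the lines in between as well, not only from the three visible here.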
@@ -1000,7 +1083,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;'
+
 - id: 12577
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
@@ -1009,10 +1092,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.10.2"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> EA60'
+
 - id: 12578
 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
 description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
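Review bot: The added value rule for check 12577 (the `-1009` hunk) compares `MaxDisconnectionTime` against `EA60` in upper-case hex, while the MaxIdleTime check just above matches lower-case hex (`r:dbba1`), and neither form records how the engine renders a DWORD value. If the comparison is case-sensitive, or the value is rendered in decimal, at least one of the two checks can never pass; the rendering should be confirmed once and both checks written the same way, with a comment such as `# DWORD values are compared as <rendering — confirm>` on the rules list. The removed line used the same `EA60` literal, so the representation itself is inherited rather than introduced here.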
@@ -1021,10 +1105,11 @@ checks:
 compliance:
 - cis: "18.9.60.2"
 - cis_csc: "9.1, 9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !AllowCloudSearch;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
 - id: 12579
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
@@ -1032,10 +1117,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
 - cis: "18.9.65.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
 - id: 12580
 title: "Ensure 'Disable all apps from Windows Store' is set to 'Disabled'"
 description: "This setting configures the launch of all apps from the Windows Store that came pre- installed or were downloaded. The recommended state for this setting is: Disabled."
@@ -1044,10 +1130,11 @@ checks:
 compliance:
 - cis: "18.9.68.1"
 - cis_csc: "2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !DisableStoreApps;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1'
+
 - id: 12581
 title: "Ensure 'Turn off the Store application' is set to 'Enabled'"
 description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education." 
@@ -1059,10 +1146,11 @@ checks:
 references:
 - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
 - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> !RemoveWindowsStore;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
+
 - id: 12582
 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  (0x0) Disabled (default)  (0x1) Basic membership  (0x2) Advanced membership. The recommended state for this setting is: Disabled." 
@@ -1070,9 +1158,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: "18.9.76.3.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' + - id: 12583 title: "Ensure 'Configure Watson events' is set to 'Disabled'" description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled." @@ -1081,10 +1171,11 @@ checks: compliance: - cis: "18.9.76.9.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' + - id: 12584 title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled." 
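Review bot: Check 12582 changes what an absent `SpynetReporting` value means: the old rule set had only `-> SpynetReporting -> !0;` and no `!SpynetReporting` rule, so a host without the value passed, whereas the new `condition: all` pair (`-> SpynetReporting` and `-> SpynetReporting -> 0`) fails it. That is the stricter reading of the benchmark text, which asks for the setting to be explicitly Disabled, but it is a behaviour change the commit message does not call out, and the same single-rule shape is tightened in 12585 (`SafeForScripting`) and 12586 (`AllowAutoConfig`) in the next two hunks. A comment on those three checks, `# an absent value now fails this check (it previously passed)`, or a sentence in the commit message would save the next person who diffs scan results across the upgrade.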
@@ -1093,10 +1184,11 @@ checks: compliance: - cis: "18.9.84.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> !AllowSuggestedAppsInWindowsInkWorkspace;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0' + - id: 12585 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." @@ -1105,9 +1197,11 @@ checks: compliance: - cis: "18.9.85.3" - cis_csc: "7" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' + - id: 12586 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." 
@@ -1116,9 +1210,11 @@ checks: compliance: - cis: "18.9.97.2.2" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' + - id: 12587 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." @@ -1127,8 +1223,8 @@ checks: compliance: - cis: "18.9.98.1" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' From 9cb9e0403fe49d3604a8fd10c91acfaad39135a6 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 4 Jun 2019 11:18:28 +0200 Subject: [PATCH 035/247] Adapt cis_win2012r2_domainL2_rcl.yml --- sca/windows/cis_win2012r2_domainL2_rcl.yml | 405 ++++++++++++--------- 1 file changed, 231 insertions(+), 174 deletions(-) 
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml index f897b8cd2..b4a268d6d 100644 --- a/sca/windows/cis_win2012r2_domainL2_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml @@ -37,10 +37,11 @@ checks: compliance: - cis: "2.3.10.4" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' + # Section 18.4 - MSS (Legacy) - id: 8501 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'" @@ -52,10 +53,11 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0' + - id: 8502 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled." 
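Review bot: The data comparand `493e0` in 8501's new rule is the hexadecimal rendering of the 300,000 ms named in the title, and nothing in this file says that DWORD data is matched that way; the `ff` used for 8508 further down in this commit follows the same convention. A maintainer who edits one of these from the benchmark is likely to write the decimal and produce a check that never passes, with no error to point at the cause. I would add above the file's `checks:` list (outside this hunk) `# DWORD data in registry rules is matched against its hexadecimal rendering (e.g. 300000 -> 493e0), per the rule engine`, keeping the "per the rule engine" wording since the rendering is inferred from the existing rules rather than stated here.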
@@ -66,24 +68,26 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' + - id: 8503 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - cis: "18.4.10" - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' + - id: 8504 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." 
@@ -94,25 +98,31 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' + # Section 18.5 - Network - id: 8505 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.5.9.1" - cis_csc: "9" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0' + - id: 8506 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" description: "This policy setting changes the operational behavior of the Responder network protocol driver. 
The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." 
@@ -121,12 +131,17 @@ checks: compliance: - cis: "18.5.9.2" - cis_csc: "9" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0' + - id: 8507 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled." 
@@ -135,22 +150,24 @@ checks: compliance: - cis: "18.5.10.2" - cis_csc: "9.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' + - id: 8508 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)" rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed." - remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not 'undo' the change once applied. 
Instead, the opposite setting must be applied to change the registry value to the opposite state." + remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state." compliance: - cis: "18.5.19.2.1" - cis_csc: "9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff' + - id: 8509 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled." 
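Review bot: The rewritten remediation for 8508 still reads `Parameters:Disabl edComponents`, with a space inside the value name, so the remediation text names a registry value that does not match the `DisabledComponents` the two new rules check. The line was already rewritten in this hunk (the inner quotes changed from `'undo'` to `\"undo\"`), so this is the natural place to fix it: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents`. Operators who paste the remediation verbatim would otherwise create a value that the check never sees.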
@@ -159,18 +176,19 @@ checks: compliance: - cis: "18.5.20.1" - cis_csc: "15.4" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar' + - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0' + - id: 8510 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled." @@ -179,10 +197,11 @@ checks: compliance: - cis: "18.5.20.2" - cis_csc: "15.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' + # Section 18.8 - System - id: 8511 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" 
@@ -192,10 +211,11 @@ checks: compliance: - cis: "18.8.22.1.1" - cis_csc: "2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableWebPnPDownload;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' + - id: 8512 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled." 
@@ -204,10 +224,11 @@ checks: compliance: - cis: "18.8.22.1.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' + - id: 8513 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled." 
@@ -216,10 +237,11 @@ checks: compliance: - cis: "18.8.22.1.3" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' + - id: 8514 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled." @@ -228,10 +250,11 @@ checks: compliance: - cis: "18.8.22.1.4" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' + - id: 8515 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." 
@@ -240,10 +263,11 @@ checks: compliance: - cis: "18.8.22.1.5" - cis_csc: "7" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoWebServices;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' + - id: 8516 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." @@ -252,10 +276,11 @@ checks: compliance: - cis: "18.8.22.1.6" - cis_csc: "13.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> !DisableHTTPPrinting;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' + - id: 8517 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled." 
@@ -263,10 +288,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
 - id: 8518
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
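Review bot: The registry path in both new rules of check 8517, `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, is the only one in this series without `\SOFTWARE\` after the hive, and as far as I recall the benchmark places this value under `HKLM\SOFTWARE\Policies\...`; worth verifying, because with `condition: all` a key that does not exist fails both rules and the check would report non-compliant on every host. The old rules carried the same path, so the commit does not introduce it, but it rewrites these lines and is the natural place to fix it: `r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration` (and the same prefix on the `-> 1` rule). The check's id and title lines lie outside this hunk.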
@@ -275,10 +301,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.8"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
 - id: 8519
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the 'Order Prints Online' task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled"
@@ -287,10 +314,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.9"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
 - id: 8520
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The recommended state for this setting is: Enabled."
@@ -299,10 +327,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.10"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
 - id: 8521
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
@@ -311,10 +340,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.11"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !2;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
 - id: 8522
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
@@ -323,10 +353,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.12"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
 - id: 8523
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
@@ -335,10 +366,11 @@ checks:
 compliance:
 - cis: "18.8.22.1.13"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
 - id: 8524
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
@@ -347,10 +379,11 @@ checks:
 compliance:
 - cis: "18.8.26.1"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
 - id: 8525
 title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
 description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
@@ -359,10 +392,11 @@ checks:
 compliance:
 - cis: "18.8.33.6.1"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !DCSettingIndex;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
 - id: 8526
 title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
 description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
@@ -371,10 +405,11 @@ checks:
 compliance:
 - cis: "18.8.33.6.2"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> !ACSettingIndex;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
 - id: 8527
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
@@ -383,10 +418,11 @@ checks:
 compliance:
 - cis: "18.8.44.5.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
 - id: 8528
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
@@ -395,10 +431,11 @@ checks:
 compliance:
 - cis: "18.8.44.11.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
 - id: 8529
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
@@ -409,8 +446,9 @@ checks:
 - cis_csc: "13"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
 - id: 8530
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
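Review bot: Check 8529 keeps `condition: any` (the unchanged context line above `rules:`) while its rules are rewritten to the positive existence-plus-value form, so the first rule `... -> DisabledByGroupPolicy` alone satisfies the check even when the value is 0 and the advertising ID is still enabled. Every other check rewritten this way in the commit pairs these rules with `condition: all`; this one needs the same change, `condition: all`. The check's id, title and cis lines lie outside this hunk.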
@@ -419,23 +457,25 @@ checks:
 compliance:
 - cis: "18.8.49.1.1"
 - cis_csc: "6.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
 # Section 18.9 - System
 - id: 8531
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: "18.9.39.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
 - id: 8532
 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
 description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -443,10 +483,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: "18.9.58.3.2.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
+
 - id: 8533
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -455,10 +496,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.1"
 - cis_csc: "9.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
 - id: 8534
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -467,10 +509,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.3"
 - cis_csc: "9.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
 - id: 8535
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
@@ -479,47 +522,51 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.4"
 - cis_csc: "9.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
 - id: 8536
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: "18.9.58.3.10.1"
 - cis_csc: "16.5"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;'
+ references:
+ - https://workbench.cisecurity.org/benchmarks/766
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w'
+
 - id: 8537
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
@@ -528,10 +575,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.10.2"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> EA60'
+
 - id: 8538
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
 description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
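Review bot: With `condition: none`, check 8536 passes whenever no rule matches, and a MaxIdleTime of `0` matches none of the listed patterns, so a host whose idle limit is 0 — which, as far as I recall, Windows treats as "never disconnect" — is reported compliant against "Enabled: 15 minutes or less"; the old rule list had the same gap, but this rewrite is the place to close it with one more rule, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'`, provided a bare value is matched exactly by the engine as the other `-> 1` rules in this file assume. A comment above `rules:` such as `# every pattern below matches a hex value above 0xdbba0 (900000 ms = 15 min); MaxIdleTime is read as lowercase hex` would make the list far easier to audit than it is now. The `references:` key is added only to this check; if it belongs to the new rule format, the other checks touched by this commit lack it.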
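Review bot: The new rule `MaxDisconnectionTime -> EA60` writes the hex value in upper case while the MaxIdleTime patterns in the preceding check assume a lower-case rendering (`dbba1`, `dbc\w\w`); unless the value comparison is case-insensitive, only one of the two spellings can match what the scanner produces, so this is worth confirming against the engine and normalising to one case across the file. The old rule carried the same spelling, so this is not a regression, but the commit rewrites the line. The check's id and title lines lie outside this hunk.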
@@ -540,10 +588,11 @@ checks:
 compliance:
 - cis: "18.9.60.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
+
 - id: 8539
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
@@ -551,10 +600,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
 - cis: "18.9.65.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
+
 - id: 8540
 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer.
Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." @@ -562,9 +612,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: "18.9.76.3.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' + - id: 8541 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." 
@@ -573,9 +625,11 @@ checks:
 compliance:
 - cis: "18.9.85.3"
 - cis_csc: "7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
 - id: 8542
 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
@@ -584,9 +638,11 @@ checks:
 compliance:
 - cis: "18.9.97.2.2"
 - cis_csc: "3.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
 - id: 8543
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
@@ -595,7 +651,8 @@ checks:
 compliance:
 - cis: "18.9.98.1"
 - cis_csc: "3.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+
From b743b4f3f03061f41ecc00d16ea0d28c4f1b9eda Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Tue, 4 Jun 2019 11:22:28 +0200
Subject: [PATCH 036/247] Adapt Windows 2012 L1 L2
---
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 1050 +++++++++++---------
 sca/windows/cis_win2012r2_memberL2_rcl.yml | 350 ++++---
 2 files changed, 723 insertions(+), 677 deletions(-)
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 282f898f6..6c819cf66 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -37,7 +37,7 @@ checks:
 compliance:
 - cis: "1.1.2"
 - cis_csc: "16.5"
- condition: any
+ condition: none
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;'
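Review bot: The switch to `condition: none` in the MaximumPasswordAge hunk leaves its two rules ending in `;` (`-> MaximumPasswordAge -> 0;` and `-> MaximumPasswordAge -> 3D;`), while every rule this commit rewrites elsewhere drops that terminator (the NoConnectedUser and LimitBlankPasswordUse hunks, for example). If the new rule parser treats the `;` as part of the compared data, neither rule can ever match, and under `none` the check then passes for any configured age, including 0 (passwords never expire) — a silent false "compliant". Either strip the terminator from both context lines — `-> MaximumPasswordAge -> 0'` / `-> MaximumPasswordAge -> 3D'` — or confirm the parser still tolerates it. The rule list of this check may continue past the end of the hunk.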
@@ -67,9 +67,8 @@ checks:
 - cis_csc: "16"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
 - id: 9002
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
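Review bot: The NoConnectedUser check keeps `condition: any` (an unchanged context line in this hunk) while its rules were rewritten into the existence-plus-value pair that the rest of the commit pairs with `condition: all`. Under `any`, the bare `-> NoConnectedUser` existence rule alone satisfies the check, so a host where the value is 0 or 1 (Microsoft accounts still permitted) is reported as compliant with 'Users can't add or log on with Microsoft accounts'. Change the context line to `condition: all`, as the LimitBlankPasswordUse hunk immediately below does.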
@@ -78,9 +77,10 @@ checks:
 compliance:
 - cis: "2.3.1.4"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
 - id: 9003
 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
 description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
@@ -91,7 +91,7 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
 - id: 9004
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts.
The recommended state for this setting is: Disabled."
@@ -103,8 +103,7 @@ checks:
 - cis_csc: "6"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
 - id: 9005
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
@@ -113,10 +112,10 @@ checks:
 compliance:
 - cis: "2.3.4.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 2;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
 - id: 9006
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
 description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
@@ -125,9 +124,10 @@ checks:
 compliance:
 - cis: "2.3.4.2"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
 - id: 9007
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
@@ -136,9 +136,10 @@ checks:
 compliance:
 - cis: "2.3.6.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
 - id: 9008
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
@@ -147,9 +148,10 @@ checks:
 compliance:
 - cis: "2.3.6.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
 - id: 9009
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
@@ -158,9 +160,10 @@ checks:
 compliance:
 - cis: "2.3.6.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
 - id: 9010
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
@@ -169,9 +172,9 @@ checks:
 compliance:
 - cis: "2.3.6.4"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
 - id: 9011
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
@@ -180,9 +183,10 @@ checks:
 compliance:
 - cis: "2.3.6.6"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
 - id: 9012
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
@@ -191,10 +195,10 @@ checks:
 compliance:
 - cis: "2.3.7.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
 - id: 9013
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
@@ -203,10 +207,10 @@ checks:
 compliance:
 - cis: "2.3.7.2"
 - cis_csc: "8"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
 - id: 9014
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
 description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
@@ -215,26 +219,26 @@ checks:
 compliance:
 - cis: "2.3.7.3"
 - cis_csc: "16.5"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System ->
InactivityTimeoutSecs -> r:\D\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;'
+ condition: none
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w'
+ -
'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+'
 - id: 9015
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
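Review bot: The eighteen rules under `condition: none` for InactivityTimeoutSecs encode "value present, non-zero and at most 0x384 (900 s)" by enumerating hex patterns, and nothing in the file says so; a comment above `rules:` such as `# DWORD is matched as hex text: fail when the value is absent, 0, or >= 0x385 (901 s); 0x384 = 900 s is the last passing value` would make the list reviewable without re-deriving it. The first rule, `-> !InactivityTimeoutSecs`, is a negated value name inside a negated condition; the other hunks in this commit removed every `!ValueName` rule in favour of a positive existence rule (NoConnectedUser, DontDisplayLastUserName, ForceUnlockLogon), so please confirm the new engine still honours `!` on a value name — if it does not, a host with no value at all would pass. The regex rules also presume the scanner reports the DWORD as bare hex digits with no `0x` prefix, which is inferred from the `385`…`389` literals rather than stated anywhere.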
@@ -243,25 +247,25 @@ checks:
 compliance:
 - cis: "2.3.7.7"
 - cis_csc: "16"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;'
+ condition: none
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ->
PasswordExpiryWarning -> r:\w\w\w+'
 - id: 9016
 title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
 description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
@@ -270,10 +274,10 @@ checks:
 compliance:
 - cis: "2.3.7.8"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ForceUnlockLogon;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
 - id: 9017
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
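Review bot: The new `-> PasswordExpiryWarning -> 0F` rule looks unable to match: every other literal in this file compares the DWORD as hex without leading zeros (`3D`, `EA60`, `385`), so a 15-day value would presumably be reported as `F`, which neither `0F` nor `r:\D\w` nor `r:\w\w\w+` matches, and under `condition: none` a 15-day warning then passes a check titled 'between 5 and 14 days'. If the engine really renders the value as `F`, the line should read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> F'`; the literal was carried over unchanged from the removed rule, so it is worth verifying against the engine rather than assuming either way. Unlike the InactivityTimeoutSecs check above, this list has no `!PasswordExpiryWarning` rule, so an absent value passes — acceptable if that matches the platform default, but a one-line comment stating that intent would help.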
@@ -282,10 +286,10 @@ checks:
 compliance:
 - cis: "2.3.7.9"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ScRemoveOption;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> !0'
 - id: 9018
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
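Review bot: The new `-> ScRemoveOption -> !0` rule relies on a negated literal, a form this commit otherwise replaces everywhere with positive matches (every `!1`/`!0` elsewhere became an explicit value), so please confirm the new engine still supports `!` on data — if it does not, this `all` condition fails on every host. It is also broader than the benchmark: `!0` accepts any non-zero data, including empty or malformed contents if the value is stored as a string, whereas 'Lock Workstation or higher' is exactly 1, 2 or 3. A tighter, self-documenting form is `condition: any` with three rules `-> ScRemoveOption -> 1`, `-> ScRemoveOption -> 2` and `-> ScRemoveOption -> 3`, which also makes the separate existence rule unnecessary.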
@@ -294,10 +298,10 @@ checks:
 compliance:
 - cis: "2.3.8.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
 - id: 9019
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
@@ -306,9 +310,10 @@ checks:
 compliance:
 - cis: "2.3.8.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
 - id: 9020
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
 description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
@@ -317,9 +322,10 @@ checks:
 compliance:
 - cis: "2.3.8.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
 - id: 9021
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
@@ -328,8 +334,9 @@ checks:
 compliance:
 - cis: "2.3.9.1"
 - cis_csc: "3"
- condition: any
+ condition: none
 rules:
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect;'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;'
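Review bot: Under the new `condition: none`, the retained `-> AutoDisconnect -> r:1\w` rule (and the two-digit patterns that follow it) still matches values 10 through 15, so a host set inside the benchmark's allowed range of "15 or fewer minute(s), but not 0" is reported as failing, assuming `\w` matches digits in this regex dialect; the commit changes the condition but not the value patterns, so only single-digit values pass. This hunk also keeps the trailing `;` on its rules while the other rewritten hunks drop it, which is worth unifying if the new parser accepts both forms. The rule list of this check continues in the next hunk.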
@@ -342,7 +349,6 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;'
 - id: 9022
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
@@ -351,10 +357,10 @@ checks:
 compliance:
 - cis: "2.3.9.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
 - id: 9023
 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
@@ -363,10 +369,10 @@ checks:
 compliance:
 - cis: "2.3.9.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
 - id: 9024
 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
 description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
@@ -375,9 +381,10 @@ checks:
 compliance:
 - cis: "2.3.9.4"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
 - id: 9025
 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
 description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
@@ -388,10 +395,10 @@ checks:
 - cis_csc: "14"
 references:
 - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> !SMBServerNameHardeningLevel;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0'
 - id: 9026
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
@@ -400,9 +407,10 @@ checks:
 compliance:
 - cis: "2.3.10.2"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
 - id: 9027
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
@@ -411,9 +419,10 @@ checks:
 compliance:
 - cis: "2.3.10.3"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
 - id: 9028
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
@@ -422,10 +431,10 @@ checks:
 compliance:
 - cis: "2.3.10.5"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
 - id: 9029
 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
 description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
@@ -434,10 +443,10 @@ checks:
 compliance:
 - cis: "2.3.10.6"
 - cis_csc: "14.1, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*'
 - id: 9030
 title: "Configure 'Network access: Remotely accessible registry paths'"
 description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
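Review bot: The added value rule `-> NullSessionPipes -> r:\S*` matches the empty string, so it is satisfied by any content and the check reduces to "the value exists", including a value that lists arbitrary pipes. That may be intended, since the description gives role-dependent recommended contents, but a comment above the rules saying so, `# presence check only: recommended contents depend on the server role`, would keep it from being read as a content check.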
@@ -448,7 +457,7 @@ checks:
 - cis_csc: "14, 16"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
 - id: 9031
 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
 description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
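Review bot: With the `!` removed, `-> Machine -> r:A|B|C` under `condition: any` passes as soon as the value contains any one of the three listed paths, so a list holding only one of them, or extra paths, is also reported compliant; the previous negated form had the mirror-image weakness (it failed only when none of them was present). If the intent is that all three recommended paths be present, one rule per path under `condition: all` expresses it, assuming each rule is matched against the whole REG_MULTI_SZ content, although neither form rejects additional paths. The AllowedPaths rule in the next hunk has the same shape.
```yaml
condition: all
rules:
  - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions'
  - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Server Applications'
  - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion'
```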
@@ -459,7 +468,7 @@ checks:
 - cis_csc: "14, 16"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
 - id: 9032
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
 description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be 
accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
@@ -468,9 +477,10 @@ checks:
 compliance:
 - cis: "2.3.10.9"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
 - id: 9033
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
@@ -481,7 +491,7 @@ checks:
 - cis_csc: "14, 16"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\S*;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:None'
 - id: 9034
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
@@ -490,9 +500,10 @@ checks:
 compliance:
 - cis: "2.3.10.11"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
 - id: 9035
 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
 description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
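Review bot: `-> NullSessionShares -> r:None` requires the literal text None, but the "(i.e. None)" in the description is the benchmark's notation for an empty value, so a host whose NullSessionShares is blank most likely fails this check while a share list that happens to contain "None" passes. A rule that only accepts an empty value, `-> NullSessionShares -> r:^$` if the dialect supports anchors, or `condition: none` over `-> NullSessionShares -> r:\S`, follows the description; note that the second form also passes when the value is absent, which may or may not be wanted.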
@@ -501,10 +512,10 @@ checks:
 compliance:
 - cis: "2.3.11.1"
 - cis_csc: "14, 16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
 - id: 9036
 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
 description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
@@ -513,10 +524,10 @@ checks:
 compliance:
 - cis: "2.3.11.2"
 - cis_csc: "14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
 - id: 9037
 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
 description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. 
The recommended state for this setting is: Disabled."
@@ -525,9 +536,10 @@ checks:
 compliance:
 - cis: "2.3.11.3"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
 - id: 9038
 title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
 description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
@@ -538,7 +550,7 @@ checks:
 - cis_csc: "16.14"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644;'
 - id: 9039
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
 description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
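Review bot: The rule now requires SupportedEncryptionTypes to equal 2147483644, the bitmask that includes RC4_HMAC_MD5, but the description says RC4 is optional and encourages removing it, so the stricter configuration without RC4 (2147483640, the same mask with the RC4 bit cleared) fails this check. Adding `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483640'` under the existing `condition: any` accepts both. This rule also keeps the trailing `;` that the other rewritten rules in this commit drop.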
@@ -547,9 +559,10 @@ checks:
 compliance:
 - cis: "2.3.11.5"
 - cis_csc: "16.14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
 - id: 9040
 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
 description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
@@ -558,9 +571,10 @@ checks:
 compliance:
 - cis: "2.3.11.6"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
 - id: 9041
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
 description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
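Review bot: The rewritten rules test the same LanManServer `EnableForcedLogOff` value that check 9024 (the EnableForcedLogOff hunk earlier in this chunk) already asserts, so 9040 cannot pass or fail independently of 9024; the description itself says this recommendation has no documented registry value of its own. A comment above the rules, `# no dedicated registry value for 2.3.11.6; mirrors the 2.3.9.4 check`, would make the duplication read as deliberate. The key path differs from 9024 only in the case of `SYSTEM`, which registry lookups ignore but which stands out in a diff.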
@@ -569,15 +583,11 @@ checks:
 compliance:
 - cis: "2.3.11.7"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;'
- - id: 9042
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+ - id: 9042
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
@@ -585,9 +595,10 @@ checks:
 compliance:
 - cis: "2.3.11.8"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
 - id: 9043
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
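Review bot: The new `LDAPClientIntegrity -> 1` rule fails a host configured with the stricter "Require signing" value, although the description in this same hunk says that setting also conforms and the title reads "Negotiate signing or higher". If Require signing is stored as 2, the alternation form this patch already uses for ConsentPromptBehaviorAdmin fits here: `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> ^1$|^2$'`. The removed `!1` rule had the same gap, so this is not a regression, but the rewrite is the place to close it; the check's compliance block starts outside the hunk.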
@@ -596,10 +607,10 @@ checks:
 compliance:
 - cis: "2.3.11.9"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
 - id: 9044
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
@@ -610,10 +621,10 @@ checks:
 - cis_csc: "13"
 references:
 - https://workbench.cisecurity.org/benchmarks/288
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200;'
 - id: 9045
 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
 description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
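Review bot: The second added NTLMMinServerSec rule keeps a trailing semicolon, `-> NTLMMinServerSec -> 537395200;'`, while every other rewritten rule in this patch drops it (the NTLMMinClientSec hunk just above has the same rule without it). If the new rule syntax no longer treats `;` as a terminator, the expected value becomes the literal `537395200;`, the rule never matches and, combined with the new `condition: all`, check 9044 fails on every host. Drop the semicolon: `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'`.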
@@ -622,9 +633,10 @@ checks:
 compliance:
 - cis: "2.3.13.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
 - id: 9046
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
@@ -632,9 +644,10 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
 - cis: "2.3.15.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
 - id: 9047
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
 description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
@@ -643,9 +656,10 @@ checks:
 compliance:
 - cis: "2.3.15.2"
 - cis_csc: "14.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
 - id: 9048
 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
 description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
@@ -654,10 +668,10 @@ checks:
 compliance:
 - cis: "2.3.17.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
 - id: 9049
 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
 description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
@@ -666,9 +680,10 @@ checks:
 compliance:
 - cis: "2.3.17.2"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
 - id: 9050
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
 description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
@@ -677,11 +692,10 @@ checks:
 compliance:
 - cis: "2.3.17.3"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> ^2$|^5$'
 - id: 9051
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
 description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
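Review bot: The rewritten ConsentPromptBehaviorAdmin rule accepts `^2$|^5$`, but the title of check 9050 names a single state, "Prompt for consent on the secure desktop", and its description gives no second accepted value. If 5 is the "Prompt for consent for non-Windows binaries" behaviour that Windows ships with, the check passes an unconfigured host; the removed rules had the same effect since they only rejected 0 and 1, so this is not new, but the rewrite pins the accepted set explicitly and should match the benchmark. Confirm which values the referenced benchmark accepts for this item and either narrow the rule to `-> 2` or state the second accepted value in the description. The check's compliance block starts outside this hunk.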
@@ -690,10 +704,10 @@ checks:
 compliance:
 - cis: "2.3.17.4"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1'
 - id: 9052
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
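Review bot: The new ConsentPromptBehaviorUser rule requires the value `1`, which is exactly the value the removed rule flagged as non-compliant (`-> ConsentPromptBehaviorUser -> 1;` under the old `condition: any`), while the title of check 9051 asks for "Automatically deny elevation requests". Every other hunk in this patch turns the old "bad" value into its opposite (EnableUIADesktopToggle 1 → 0, ShutdownWithoutLogon 1 → 0), so this one looks inverted: a host that prompts standard users for credentials would be reported compliant and a host that denies elevation would fail. Automatic denial is value 0: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'`.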
@@ -702,10 +716,10 @@ checks:
 compliance:
 - cis: "2.3.17.5"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;'
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
 - id: 9053
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
 description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
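Review bot: Both rewritten EnableInstallerDetection rules keep the path `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, whose extra `\MACHINE` segment none of the sibling UAC rules in this patch carry. Unless the agent maps that prefix, the key is not found; under the new `condition: all` check 9052 then fails on every host regardless of the actual setting, where the removed `any` rules silently passed. Align the path with the neighbouring rules: `'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'` and the same prefix for the `-> 1` rule.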
@@ -714,9 +728,10 @@ checks:
 compliance:
 - cis: "2.3.17.6"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
 - id: 9054
 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
 description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
@@ -727,7 +742,8 @@ checks:
 - cis_csc: "5.1"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
 - id: 9055
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
 description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
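Review bot: The EnableLUA hunk keeps `condition: any` while adding the presence rule `-> EnableLUA` next to the value rule `-> EnableLUA -> 1`; every sibling hunk in this patch that adds a presence rule also switches to `condition: all`. With `any`, the presence rule alone satisfies check 9054, so a host with EnableLUA set to 0 (UAC disabled) is reported compliant, which defeats the point of the rewrite. Change `condition: any` to `condition: all` as in the surrounding hunks; the check's compliance block starts outside the hunk.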
@@ -736,9 +752,10 @@ checks:
 compliance:
 - cis: "2.3.17.8"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
 - id: 9056
 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
 description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
@@ -746,9 +763,10 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
 - cis: "2.3.17.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
 # Section 9.1 - Domain Profile
 - id: 9057
 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
@@ -760,8 +778,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 1'
 - id: 9058
 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
@@ -772,8 +790,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 1'
 - id: 9059
 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
@@ -784,8 +802,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 0'
 - id: 9060
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -795,10 +813,8 @@ checks:
 - cis: "9.1.4"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0'
 - id: 9061
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
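Review bot: The rewritten domain-profile rules assert `DisableNotifications -> 0`, the value the removed negative rules treated as non-compliant, whereas the private-profile hunk later in this patch asserts `DisableNotifications -> 1` for the same "Display a notification: No" title. Displaying a notification corresponds to DisableNotifications = 0, so check 9060 now passes exactly the state it is meant to flag and fails a correctly hardened host. Change both rules to `-> 1` so the two profiles agree; the check's compliance block starts outside this hunk.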
@@ -809,8 +825,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
 - id: 9062
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
@@ -821,18 +837,20 @@ checks:
 - cis_csc: "6.3"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:4\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:5\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:6\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:7\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:8\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:9\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:4\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:5\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:6\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:7\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:8\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:9\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
 - id: 9063
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
@@ -843,8 +861,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 1'
 - id: 9064
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
@@ -855,8 +873,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 9.2 - Private Profile
 - id: 9065
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
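Review bot: The new domain-profile LogFileSize patterns `4\w\w\w+` through `9\w\w\w+` accept any value of four or more characters starting with that digit, so a LogFileSize of 4096 satisfies check 9062 although its title requires 16384 KB or greater — assuming, as usual for this rule syntax, that the trailing `+` repeats only the last `\w`. The private-profile hunk cut off at the end of this view starts its alternatives at `5\w\w\w+` instead, so the two profiles also disagree on the accepted range. A 16384 threshold needs alternatives that accept five-digit values from 16384 upward plus any value of six or more digits; if the new rule syntax supports the `compare` operator this patch uses for sshd_config on registry values, a numeric comparison would be clearer than digit-class alternation. The check's compliance block starts outside the hunk.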
@@ -868,8 +886,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 1'
 - id: 9066
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
@@ -880,8 +898,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 1'
 - id: 9067
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
@@ -892,8 +910,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 0'
 - id: 9068
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -903,8 +921,8 @@ checks:
 - cis: "9.2.4"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 1'
 - id: 9069
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
@@ -927,18 +945,20 @@ checks:
 - cis_csc: "6.3"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:5\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:6\w\w\w+'
+ - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:7\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:8\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:4\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:9\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:4\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:5\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:6\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:7\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:8\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:9\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
 - id: 9071
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. 
Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
@@ -949,8 +969,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 1'
 - id: 9072
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
@@ -961,8 +981,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 1'
 # Sectin 9.3 - Public Profile
 - id: 9073
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
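Review bot: The seven new SYSTEM-side LogFileSize rules in the hunk that precedes check 9071 (presumably check 9070) point at `...FirewallPolicy\PrivateProfile\Logging`, whereas the lines they replace and every other Private-profile check in this patch (9066–9068, 9071, 9072) use `...FirewallPolicy\StandardProfile`; I do not believe a PrivateProfile subkey exists under that service key, so those rules would never match and only the Group Policy key is effectively checked. Replace `PrivateProfile\Logging` with `StandardProfile\Logging` in those seven rules. The policy-side rules are also listed as 5, 6, 7, 8, 4, 9, which reads as if the 4 were added late; the equivalent Public-profile hunk orders them 4 through 9.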
@@ -974,8 +994,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 1'
 - id: 9074
 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
@@ -986,8 +1006,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 1'
 - id: 9075
 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
@@ -998,8 +1018,8 @@ checks:
 - cis_csc: "9.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 0'
 - id: 9076
 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
@@ -1009,8 +1029,8 @@ checks:
 - cis: "9.3.4"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1'
 - id: 9077
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -1021,8 +1041,8 @@ checks:
 - cis_csc: "5.1"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 1'
 - id: 9078
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
@@ -1033,8 +1053,8 @@ checks:
 - cis_csc: "5.1"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
 - id: 9079
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
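Review bot: The new values for 9077 and 9078 look inverted: both titles require the setting to be 'No', and as far as I know the registry encoding for these two is `AllowLocalPolicyMerge` / `AllowLocalIPsecPolicyMerge` = 0 for No and 1 for Yes, so `-> 1` now passes exactly the non-compliant state. If that mapping holds, the four added rules in these two hunks should end in `-> 0`, e.g. `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'`. The removed lines carried the same digit, so the error is inherited rather than introduced, but since this patch flips rule semantics from match-means-fail to match-means-pass it becomes a pass-on-bad check; please confirm against the benchmark's audit procedure before merging.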
@@ -1057,18 +1077,20 @@ checks:
 - cis_csc: "6.3"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:4\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:5\w\w\w+'
+ - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:6\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:7\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:8\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:9\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:4\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:5\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:6\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:7\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:8\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:9\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
 - id: 9081
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. 
Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
@@ -1079,8 +1101,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 1'
 - id: 9082
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
@@ -1091,8 +1113,8 @@ checks:
 - cis_csc: "6.2"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 18.1 - Control Panel
 - id: 9083
 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
@@ -1101,10 +1123,10 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
 - cis: "18.1.1.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
 - id: 9084
 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
 description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
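Review bot: Under `condition: all`, the first new rule `-> NoLockScreenCamera` (existence only) is implied by the second `-> NoLockScreenCamera -> 1`, since a value cannot compare equal to 1 without existing, so it adds a registry lookup and nothing to the verdict; the same pair is introduced for 9084, 9086 and 9087. Keeping only the `-> 1` rule, as 9088 does with `PasswordComplexity -> 4`, makes each check read the way its title does. If the existence rule is there to produce a distinct failure reason in the scan output, a comment saying so above the rules, e.g. `# first rule separates "value missing" from "value wrong" in the report`, would keep the next reader from removing it.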
@@ -1112,10 +1134,10 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: "18.1.1.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 # Section 18.2 - LAPS
 - id: 9085
 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
@@ -1127,7 +1149,7 @@ checks:
 - cis_csc: "16.9"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> !DllName;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName;'
 - id: 9086
 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. 
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
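Review bot: The new rule for 9085 keeps a trailing `;` (`-> DllName;`) while every other rule rewritten in this patch drops that terminator; if the new parser no longer strips it, the check looks for a value literally named `DllName;` and can never pass. Change the line to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'`. Whether the old terminator is still tolerated I cannot tell from the patch, so this is worth a quick run against a host with the LAPS CSE installed.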
@@ -1136,10 +1158,10 @@ checks:
 compliance:
 - cis: "18.2.2"
 - cis_csc: "16.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PwdExpirationProtectionEnabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
 - id: 9087
 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. 
We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1148,10 +1170,10 @@ checks:
 compliance:
 - cis: "18.2.3"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !AdmPwdEnabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
 - id: 9088
 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. 
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1162,7 +1184,7 @@ checks:
 - cis_csc: "5.7"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> !4;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
 - id: 9089
 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
@@ -1173,13 +1195,8 @@ checks:
 - cis_csc: "5.7"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\d;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:a;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:b;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:c;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:d;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:e;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> !PasswordLength;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\w\w+'
 - id: 9090
 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. 
Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
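Review bot: With `condition: any`, the first new rule for 9089 (`-> PasswordLength`, existence only) is satisfied by any configured value, so the `r:\w\w+` rule next to it never decides anything and a length of 8 passes a check titled '15 or more'. The two-digit rule also misses 15 itself, which in the hex form the rest of this patch uses for DWORDs is the single digit F. Drop the existence rule and accept F explicitly, e.g. `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> F'` alongside the existing `r:\w\w+` rule; the removed lines wrote hex digits in lower case while the 9090 rules below use upper case, so confirm which case the comparison expects or whether it is case-insensitive.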
@@ -1190,17 +1207,22 @@ checks:
 - cis_csc: "16.5"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1F;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1E'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1D'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1C'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1B'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1A'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 19'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 18'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 17'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft 
Services\AdmPwd -> PasswordAgeDays -> 16'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 15'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 14'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 13'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 12'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 11'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 10'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w'
 # Section 18.3 - MS Security Guide
 - id: 9091
 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
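Review bot: The last added rule, `PasswordAgeDays -> r:\w`, is an unanchored pattern; unless the SCA engine anchors `r:` expressions implicitly (OSSEC-style regexes do not), it matches any value that contains a word character, including `1F` or `3C`, and because the check is `condition: any` it then passes for every configured age. If the intent is a single hex digit (0–15), anchor it: `-> r:^\w$`. The same applies in the hunk for id 9100, where `WarningLevel -> r:\w` (and the `r:1\w`…`r:4\w` rules) will match `5B` and larger values, while the exact `1E`…`10` lines here and `50`…`5A` there are fine. The check for id 9090 begins in the previous hunk.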
@@ -1214,9 +1236,10 @@ checks:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
 - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
- condition: any
+ condition: aLL
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
 - id: 9092
 title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
 description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled."
@@ -1231,7 +1254,8 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 # Section 18.4 - MSS (Legacy)
 - id: 9093
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
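Review bot: The value rule added for id 9091 inverts the check: the removed `LocalAccountTokenFilterPolicy -> !0;` failed on anything but 0 — every other `!0` rule in this patch becomes `-> 0`, e.g. `UseLogonCredential` in the second hunk on this line — but the replacement requires `-> 1`, so the check now passes on the value that disables the UAC remote restriction and fails on the compliant one. Change the last added rule line to `... -> LocalAccountTokenFilterPolicy -> 0`. Two lines above it, `condition: aLL` is the only mixed-case condition in the patch; unless the parser lowercases it, write `condition: all` like the surrounding hunks.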
@@ -1246,7 +1270,8 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
 - id: 9094
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
@@ -1257,10 +1282,10 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
 - id: 9095
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
@@ -1271,10 +1296,10 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
 - id: 9096
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
@@ -1285,10 +1310,10 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
 - id: 9097
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
@@ -1299,9 +1324,10 @@ checks:
 - cis_csc: "9"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
 - id: 9098
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
@@ -1312,9 +1338,10 @@ checks:
 - cis_csc: "8"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
 - id: 9099
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
@@ -1327,11 +1354,12 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 2'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 3'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 4'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 5'
 - id: 9100
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
@@ -1344,18 +1372,22 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:1\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:2\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:3\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:4\w'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 50'
+ - 
'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 51'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 52'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 53'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 54'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 55'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 56'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 57'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 58'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 59'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5A'
 # Section 18.5 - Network
 - id: 9101
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
@@ -1365,10 +1397,10 @@ checks:
 compliance:
 - cis: "18.5.11.2"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1'
 - id: 9102
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
 description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
@@ -1377,10 +1409,10 @@ checks:
 compliance:
 - cis: "18.5.11.3"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
 - id: 9103
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
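Review bot: The value rule added for id 9101 is inverted: the removed `NC_AllowNetBridge_NLA -> 1;` treated 1 as the failing value (the parallel `EnableICMPRedirect -> 1;` in id 9096 was correctly replaced by `-> 0`), yet the added rule requires `-> 1`, so under `condition: all` the check passes only when network bridging is allowed and fails on the compliant setting. Change the second added rule line to `... -> NC_AllowNetBridge_NLA -> 0`. The second hunk on this line (id 9102, `!1` replaced by `-> 1`) follows the pattern consistently.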
@@ -1389,9 +1421,10 @@ checks:
 compliance:
 - cis: "18.5.21.1"
 - cis_csc: "12"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 # Section 18.8 - System
 - id: 9104
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
@@ -1401,9 +1434,10 @@ checks:
 compliance:
 - cis: "18.8.3.1"
 - cis_csc: "16.14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
 - id: 9105
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
 description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
@@ -1412,9 +1446,10 @@ checks:
 compliance:
 - cis: "18.8.14.1"
 - cis_csc: "8"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
 - id: 9106
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
@@ -1423,10 +1458,10 @@ checks:
 compliance:
 - cis: "18.8.21.2"
 - cis_csc: "3.7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
 - id: 9107
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
@@ -1435,10 +1470,10 @@ checks:
 compliance:
 - cis: "18.8.21.3"
 - cis_csc: "3.7"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
 - id: 9108
 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
 description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
@@ -1449,7 +1484,8 @@ checks:
 - cis_csc: "3.7"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
 - id: 9109
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
@@ -1458,10 +1494,10 @@ checks:
 compliance:
 - cis: "18.8.27.1"
 - cis_csc: "5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 - id: 9110
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
@@ -1470,10 +1506,10 @@ checks:
 compliance:
 - cis: "18.8.27.2"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 - id: 9111
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
@@ -1484,7 +1520,8 @@ checks:
 - cis_csc: "16.9"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 - id: 9112
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
@@ -1493,10 +1530,10 @@ checks:
 compliance:
 - cis: "18.8.27.4"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 - id: 9113
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
@@ -1505,9 +1542,10 @@ checks:
 compliance:
 - cis: "18.8.27.6"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 - id: 9114
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
@@ -1516,9 +1554,10 @@ checks:
 compliance:
 - cis: "18.8.35.1"
 - cis_csc: "9.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
 - id: 9115
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
@@ -1527,10 +1566,10 @@ checks:
 compliance:
 - cis: "18.8.35.2"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
 - id: 9116
 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
 description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
@@ -1541,10 +1580,10 @@ checks:
 - cis_csc: "9.1"
 references:
 - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !EnableAuthEpResolution;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
 # Section 18.9 - Windows Components
 - id: 9117
 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
@@ -1554,10 +1593,10 @@ checks:
 compliance:
 - cis: "18.9.6.1"
 - cis_csc: "16.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
 - id: 9118
 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
 description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
@@ -1566,10 +1605,10 @@ checks: compliance: - cis: "18.9.8.1" - cis_csc: "8.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - id: 9119 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." 
@@ -1578,10 +1617,10 @@ checks: compliance: - cis: "18.9.8.2" - cis_csc: "8.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' - id: 9120 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." 
@@ -1590,10 +1629,10 @@ checks: compliance: - cis: "18.9.8.3" - cis_csc: "8.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff' - id: 9121 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." @@ -1602,10 +1641,10 @@ checks: compliance: - cis: "18.9.15.1" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' - id: 9122 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." 
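Review bot: Both new 9120 rules carry over the pre-existing `Explorer-> NoDriveTypeAutoRun` with no space before `->`; if the rule parser splits the registry path from the value name on a space-delimited ` -> `, the key path becomes `...\Policies\Explorer-> NoDriveTypeAutoRun` and the value name `ff`, so the check can never pass instead of testing the policy (the 9121 rules on this same line are spaced correctly, which makes the typo stand out). Suggest `'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> ff'` and the same fix on the existence rule. The literal `ff` also presumes the DWORD is reported as unprefixed lowercase hex; worth confirming against what the agent actually emits, since `255` or `0xFF` would not match.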
@@ -1614,9 +1653,10 @@ checks: compliance: - cis: "18.9.15.2" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' - id: 9123 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." @@ -1625,9 +1665,10 @@ checks: compliance: - cis: "18.9.26.1.1" - cis_csc: "6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' - id: 9124 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." 
@@ -1638,18 +1679,15 @@ checks: - cis_csc: "6.3" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:8\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:9\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:a\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:b\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:c\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> 
r:d\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:e\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:f\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w\w\w+' - id: 9125 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." @@ -1658,9 +1696,10 @@ checks: compliance: - cis: "18.9.26.2.1" - cis_csc: "6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' - id: 9126 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." 
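Review bot: The 9124 rules accept any four-character `MaxSize` value starting with `8`–`f` or any value of five or more characters, which equals "32,768 KB or greater" only if the scanner reports the DWORD as an unprefixed hex string with no leading zeros; `\w` also matches decimal digits, so should the value ever be reported in decimal, the default `20480` would pass via `r:\w\w\w\w\w+`. Please confirm the rendering the agent produces and, if regex is the only tool available, anchor the patterns (`r:^8\w\w\w$`, …, `r:^\w\w\w\w\w+$`) so a prefixed or otherwise longer string cannot satisfy a shorter rule by substring match. Keeping `condition: any` here is correct, and dropping the old `!MaxSize` rule appears behavior-preserving because an absent value matches none of the new patterns and therefore still fails. The 9125 hunk sharing this line looks fine.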
@@ -1671,14 +1710,20 @@ checks: - cis_csc: "6.3" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:3\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:4\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:5\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:6\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:7\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:8\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:9\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:a\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:b\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:c\w\w\w\w' + - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:d\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:e\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:f\w\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w\w+' - id: 9127 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." @@ -1687,9 +1732,10 @@ checks: compliance: - cis: "18.9.26.3.1" - cis_csc: "6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' - id: 9128 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." 
@@ -1700,18 +1746,15 @@ checks: - cis_csc: "6.3" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:8\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:9\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:a\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:b\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:c\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:d\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:e\w\w\w' 
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:f\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w\w\w+' - id: 9129 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." 
@@ -1733,18 +1776,15 @@ checks: - cis_csc: "6.3" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:8\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:9\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:a\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:b\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:c\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:d\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> 
MaxSize -> r:e\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:f\w\w\w' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w\w\w+' - id: 9131 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." @@ -1755,7 +1795,8 @@ checks: - cis_csc: "8.4" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' - id: 9132 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." 
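Review bot: Check 9131 keeps `condition: any` (unchanged context in this hunk) while its rules become "`NoDataExecutionPrevention` exists" and "`NoDataExecutionPrevention -> 0`", so a host with `NoDataExecutionPrevention = 1` (DEP turned off for Explorer, the insecure state) now passes because the existence rule alone satisfies `any`. Every sibling check converted in this patch switches to `condition: all`, and this one needs the same change: `condition: all`. With `all`, the existence rule is implied by the value rule and could be dropped, or kept only for a clearer failure reason. The System `MaxSize` hunk ending on this line carries the same hex-rendering assumption as the other log-size checks.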
@@ -1764,9 +1805,10 @@ checks: compliance: - cis: "18.9.30.3" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' - id: 9133 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." @@ -1775,9 +1817,10 @@ checks: compliance: - cis: "18.9.30.4" - cis_csc: "8.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' - id: 9134 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." 
@@ -1786,10 +1829,10 @@ checks: compliance: - cis: "18.9.52.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - id: 9135 title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS." @@ -1798,10 +1841,10 @@ checks: compliance: - cis: "18.9.52.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1' - id: 9136 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." 
@@ -1810,10 +1853,10 @@ checks: compliance: - cis: "18.9.58.2.2" - cis_csc: "16.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - id: 9137 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." 
@@ -1822,10 +1865,10 @@ checks: compliance: - cis: "18.9.58.3.3.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' - id: 9138 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." 
@@ -1834,10 +1877,10 @@ checks: compliance: - cis: "18.9.58.3.9.1" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - id: 9139 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." 
@@ -1846,10 +1889,10 @@ checks: compliance: - cis: "18.9.58.3.9.2" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' - id: 9140 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." @@ -1858,9 +1901,10 @@ checks: compliance: - cis: "18.9.58.3.9.3" - cis_csc: "3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' - id: 9141 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." 
@@ -1869,9 +1913,10 @@ checks: compliance: - cis: "18.9.58.3.11.1" - cis_csc: "14.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' - id: 9142 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." @@ -1880,9 +1925,10 @@ checks: compliance: - cis: "18.9.58.3.11.2" - cis_csc: "14.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' - id: 9143 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." 
@@ -1891,10 +1937,10 @@ checks: compliance: - cis: "18.9.59.1" - cis_csc: "7.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' - id: 9144 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." 
@@ -1903,9 +1949,10 @@ checks: compliance: - cis: "18.9.60.2" - cis_csc: "13.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' - id: 9145 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." @@ -1914,10 +1961,10 @@ checks: compliance: - cis: "18.9.80.1.1" - cis_csc: "2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2' - id: 9146 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" 
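Review bot: The new 9145 rule pins `EnableSmartScreen -> 2`, but as far as I recall the ADMX shipped with Windows 10 1703 and later expresses "Warn and prevent bypass" as `EnableSmartScreen = 1` together with `ShellSmartScreenLevel = Block` under the same `Policies\Microsoft\Windows\System` key, with `2` being the pre-1703 encoding; I cannot tell from this file which Windows release the policy targets, so please confirm which encoding applies. If it is the newer one, the check needs two value rules under `condition: all`: `... -> EnableSmartScreen -> 1` and `... -> ShellSmartScreenLevel -> Block`. The 9144 hunk on this line looks correct.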
@@ -1926,9 +1973,10 @@ checks:
compliance:
- cis: "18.9.81.2.1"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
- id: 9147
title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
@@ -1937,10 +1985,10 @@ checks:
compliance:
- cis: "18.9.81.3"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
- id: 9148
title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
@@ -1949,9 +1997,10 @@ checks:
compliance:
- cis: "18.9.85.1"
- cis_csc: "5.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
- id: 9149
title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
@@ -1960,9 +2009,10 @@ checks:
compliance:
- cis: "18.9.85.2"
- cis_csc: "5.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- id: 9150
title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
@@ -1971,10 +2021,10 @@ checks:
compliance:
- cis: "18.9.86.1"
- cis_csc: "16.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
- id: 9151
title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
@@ -1983,10 +2033,10 @@ checks:
compliance:
- cis: "18.9.95.1"
- cis_csc: "16.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
- id: 9152
title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
@@ -1995,9 +2045,10 @@ checks:
compliance:
- cis: "18.9.95.2"
- cis_csc: "16.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
- id: 9153
title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
@@ -2006,9 +2057,10 @@ checks:
compliance:
- cis: "18.9.97.1.1"
- cis_csc: "16.13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
- id: 9154
title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
@@ -2017,9 +2069,10 @@ checks:
compliance:
- cis: "18.9.97.1.2"
- cis_csc: "16.13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
- id: 9155
title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
@@ -2028,10 +2081,10 @@ checks:
compliance:
- cis: "18.9.97.1.3"
- cis_csc: "16.13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
- id: 9156
title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
@@ -2040,9 +2093,10 @@ checks:
compliance:
- cis: "18.9.97.2.1"
- cis_csc: "16.13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
- id: 9157
title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
@@ -2051,9 +2105,10 @@ checks:
compliance:
- cis: "18.9.97.2.3"
- cis_csc: "16.13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
- id: 9158
title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
@@ -2062,10 +2117,10 @@ checks:
compliance:
- cis: "18.9.97.2.4"
- cis_csc: "16.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
- id: 9159
title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement.
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
@@ -2074,10 +2129,10 @@ checks:
compliance:
- cis: "18.9.101.2"
- cis_csc: "4.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
- id: 9160
title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
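Review bot: The expected value `NoAutoUpdate -> 1` in the last added line contradicts the title of check 9159, "Ensure 'Configure Automatic Updates' is set to 'Enabled'", which sits just above the hunk: NoAutoUpdate = 1 is the value that turns Automatic Updates off, and the Enabled state writes 0, so a correctly configured host fails this check. The removed rule expected the same value, so the defect is inherited rather than introduced, but the rewrite is the moment to fix it: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'`. Confirm against the 18.9.101.2 audit procedure before changing it.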
@@ -2086,10 +2141,10 @@ checks:
compliance:
- cis: "18.9.101.3"
- cis_csc: "4.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
- id: 9161
title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
@@ -2098,6 +2153,7 @@ checks:
compliance:
- cis: "18.9.101.4"
- cis_csc: "4.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index 70d04b502..006d861ca 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -34,21 +34,10 @@ checks:
compliance:
- cis: "2.3.7.6"
- cis_csc: "16"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 5;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 6;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 7;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 8;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> 9;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> a;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> b;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> c;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> d;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> e;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> f;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> \w\w+;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> !CachedLogonsCount;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$'
# Section 2.3.10 - Network access
- id: 9501
title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
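Review bot: The alternation `r:^0$|^1$|^2$|^3$|^4$` on the last added line is a style point: a character class, `-> CachedLogonsCount -> r:^[0-4]$`, states the "at most 4" intent in one token, provided the SCA regex engine accepts bracket expressions. The anchored regex also replaces the thirteen removed enumerations (5–9, a–f, `\w\w+`, missing value), which it covers implicitly since anything outside 0–4 or absent now fails, so no coverage is lost. The enclosing check's id and title start above the hunk.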
@@ -58,10 +47,10 @@ checks:
compliance:
- cis: "2.3.10.4"
- cis_csc: "16.14"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !DisableDomainCreds;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
# Section 18.4 - MSS (Legacy)
- id: 9502
title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
@@ -71,10 +60,10 @@ checks:
compliance:
- cis: "18.4.5"
- cis_csc: "9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> !493e0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !KeepAliveTime;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
- id: 9503
title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis."
@@ -83,10 +72,10 @@ checks:
compliance:
- cis: "18.4.7"
- cis_csc: "9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !PerformRouterDiscovery;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
- id: 9504
title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
@@ -95,10 +84,10 @@ checks:
compliance:
- cis: "18.4.10"
- cis_csc: "5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> !3;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !TcpMaxDataRetransmissions;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
- id: 9505
title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
@@ -107,10 +96,10 @@ checks:
compliance:
- cis: "18.4.11"
- cis_csc: "5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> !3;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !TcpMaxDataRetransmissions;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
# Section 18.5.9 - Link-Layer Topology Discovery
- id: 9506
title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
@@ -120,12 +109,12 @@ checks:
compliance:
- cis: "18.5.9.1"
- cis_csc: "9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
- id: 9507
title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
description: "This policy setting changes the operational behavior of the Responder network protocol driver."
@@ -134,12 +123,12 @@ checks:
compliance:
- cis: "18.5.9.2"
- cis_csc: "9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
# Section 18.5.10 - Microsoft Peer-to-Peer Networking Services
- id: 9508
title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
@@ -149,10 +138,10 @@ checks:
compliance:
- cis: "18.5.10.2"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> !Disabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 0'
# Section 18.5.19.2 - Parameters
- id: 9509
title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
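Review bot: In the second hunk (`@@ -149,10 +138,10 @@`), the added rule `Peernet -> Disabled -> 0` inverts the expectation of the removed rule `Disabled -> !1` for check 9508, whose title (in the context lines just above the hunk) is "Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"; the Enabled state writes Disabled = 1, so after this change a compliant host fails and an unconfigured or non-compliant one passes. Every other check in this patch preserved the old expected value, so this looks like a transcription slip. Change the line to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'`.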
@@ -161,10 +150,10 @@ checks:
compliance:
- cis: "18.5.19.2.1"
- cis_csc: "9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> !ff;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> !DisabledComponents;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
# Section 18.5.20 - Windows Connect Now
- id: 9510
title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
@@ -174,18 +163,18 @@ checks:
compliance:
- cis: "18.5.20.1"
- cis_csc: "15.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !EnableRegistrars;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableUPnPRegistrar;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableInBand802DOT11Registrar;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableFlashConfigRegistrar;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> !DisableWPDRegistrar;'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
- id: 9511
title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards."
@@ -194,10 +183,10 @@ checks:
compliance:
- cis: "18.5.20.2"
- cis_csc: "15.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> !DisableWcnUi;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
# Section 18.5.21 - Windows Connection Manager
- id: 9512
title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
@@ -207,10 +196,10 @@ checks:
compliance:
- cis: "18.5.21.2"
- cis_csc: "12"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> !fBlockNonDomain;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
# Section 18.8.22.1 - Internet Communication settings
- id: 9513
title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
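Review bot: In the `@@ -174,18 +163,18 @@` hunk, the added rule `... -> DisableUPnPRegistrar;` keeps a trailing `;` that every other rewritten rule in this patch drops, so the value name presumably no longer matches as written and, under `condition: all`, check 9510 then fails on every host regardless of its real state. Drop it: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'`. The check's id and title are in the context lines above the hunk header.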
@@ -220,10 +209,10 @@ checks:
compliance:
- cis: "18.8.22.1.2"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> !PreventHandwritingDataSharing;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
- id: 9514
title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
description: "Turns off the handwriting recognition error reporting tool."
@@ -232,10 +221,10 @@ checks:
compliance:
- cis: "18.8.22.1.3"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> !PreventHandwritingErrorReports;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
- id: 9515
title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs)."
@@ -244,10 +233,10 @@ checks:
compliance:
- cis: "18.8.22.1.4"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> !ExitOnMSICW;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
- id: 9516
title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration."
@@ -256,10 +245,10 @@ checks:
compliance:
- cis: "18.8.22.1.7"
- cis_csc: ""
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> !NoRegistration;'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
- id: 9517
title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches."
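Review bot: In the second hunk (`@@ -256,10 +245,10 @@`), both added rules for check 9516 point at `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, a path with no `SOFTWARE\` component, unlike every other policy key in this patch; the removed lines had the same path, so it is inherited, but a key that does not exist makes a `condition: all` check fail unconditionally. The intended path is presumably `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control` — confirm against the 18.8.22.1.7 audit procedure before changing both lines. The same check carries an empty `cis_csc: ""` in its context lines, which the other checks fill in.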
@@ -268,10 +257,10 @@ checks:
compliance:
- cis: "18.8.22.1.8"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> !DisableContentFileUpdates;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- id: 9518
title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders."
@@ -280,10 +269,10 @@ checks:
compliance:
- cis: 18.8.22.1.9"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoOnlinePrintsWizard;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
- id: 9519
title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders."
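Review bot: The context line `- cis: 18.8.22.1.9"` in check 9518 (hunk `@@ -280,10 +269,10 @@`) is missing its opening double quote; YAML still accepts it as a plain scalar, but the stored compliance id then carries a literal trailing quote character, unlike every other `cis:` entry in this file. The commit does not touch that line, but since the surrounding lines are rewritten it is a one-character fix worth folding in: `- cis: "18.8.22.1.9"`.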
@@ -292,10 +281,10 @@ checks:
compliance:
- cis: "18.8.22.1.10"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoPublishingWizard;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
- id: 9520
title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."
@@ -304,10 +293,10 @@ checks:
compliance:
- cis: "18.8.22.1.11"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> !CEIP;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 0'
- id: 9521
title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."
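Review bot: Check 9520 (hunk `@@ -304,10 +293,10 @@`) now asserts `CEIP -> 0` under `Messenger\Client`, but for the 'Turn off Windows Messenger Customer Experience Improvement Program' policy I recall the benchmark's expected REG_DWORD being 2 rather than 0; the removed `!0` rule encoded the same assumption, so this is inherited rather than introduced, but it should be confirmed against the benchmark text before the rewrite lands. If 2 is the documented value, the last line becomes `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'`. Separately, the description of 9521 in the trailing context is a verbatim copy of 9520's and talks about Windows Messenger rather than the Windows Customer Experience Improvement Program; that is a documentation fix worth making alongside.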
@@ -316,10 +305,10 @@ checks:
compliance:
- cis: "18.8.22.1.12"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> !CEIPEnable;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
- id: 9522
title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
description: "This policy setting controls whether or not errors are reported to Microsoft."
@@ -328,12 +317,12 @@ checks:
compliance:
- cis: "18.8.22.1.13"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !Disabled;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> !DoReport;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
# Section 18.8.26 - Locale Services
- id: 9523
title: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
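Review bot: The expected values in check 9522 (hunk `@@ -328,12 +317,12 @@`) look inverted relative to its title "'Turn off Windows Error Reporting' is set to 'Enabled'": `Windows Error Reporting -> Disabled -> 0` passes only when the value named Disabled is 0, i.e. reporting is not disabled, and `PCHealth\ErrorReporting -> DoReport -> 1` passes only when reporting is on. The removed `!0`/`!1` rules encoded the same expectation, so the commit carries the inversion over rather than creating it, but with `condition: all` a host that has actually turned WER off will now be reported as non-compliant; please verify against the benchmark, where I would expect `-> Disabled -> 1` and `-> DoReport -> 0`. Separately, the context line `title: Ensure 'Disallow copying ...` of check 9523 is missing its opening double quote, which leaves it a plain scalar with a stray trailing `"`.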
@@ -343,10 +332,10 @@ checks:
compliance:
- cis: "18.8.26.1"
- cis_csc: "16.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> !BlockUserInputMethodsForSignIn;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
# Section 18.8.36 - Remote Procedure Call
- id: 9524
title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
@@ -356,10 +345,10 @@ checks:
compliance:
- cis: "18.8.36.2"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> !RestrictRemoteClients;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
# Section 18.8.44.5 - Microsoft Support Diagnostic Tool
- id: 9525
title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
@@ -369,10 +358,10 @@ checks:
compliance:
- cis: "18.8.44.5.1"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> !DisableQueryRemoteServer;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
# Section 18.8.44.11 - Windows Performance PerfTrack
- id: 9526
title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
@@ -382,10 +371,10 @@ checks:
compliance:
- cis: "18.8.44.11.1"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> !ScenarioExecutionEnabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
# Section 18.8.46 User Profiles
- id: 9527
title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
@@ -395,10 +384,10 @@ checks:
compliance:
- cis: "18.8.46.1"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> !DisabledByGroupPolicy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
# Section 18.8.49.1 - Time Providers
- id: 9528
title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
@@ -408,10 +397,10 @@ checks:
compliance:
- cis: "18.8.49.1.1"
- cis_csc: "6.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> !Enabled;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
- id: 9529
title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
description: "This policy setting allows you to specify whether the Windows NTP Server is enabled."
@@ -420,9 +409,10 @@ checks:
compliance:
- cis: "18.8.49.1.2"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
# Section 18.9.39 - Location and Sensors
- id: 9530
title: "Ensure 'Turn off Windows Location Provider' is set to 'Enabled'"
@@ -432,10 +422,10 @@ checks:
compliance:
- cis: "18.9.39.1.1"
- cis_csc: ""
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableWindowsLocationProvider;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> 1'
- id: 9531
title: "Ensure 'Turn off location' is set to 'Enabled'"
description: "This policy setting turns off the location feature for the computer."
@@ -444,10 +434,10 @@ checks:
compliance:
- cis: "18.9.39.2"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> !DisableLocation;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
# Section 18.9.58.3.2 - Connections
- id: 9532
title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
@@ -457,10 +447,10 @@ checks:
compliance:
- cis: "18.9.58.3.2.1"
- cis_csc: ""
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fSingleSessionPerUser;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
# Section 18.9.58.3.3 Device and Resource Redirection
- id: 9533
title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
@@ -470,10 +460,10 @@ checks:
compliance:
- cis: "18.9.58.3.3.1"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCcm;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
- id: 9534
title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session."
@@ -482,10 +472,10 @@ checks:
compliance:
- cis: "18.9.58.3.3.3"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableLPT;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
- id: 9535
title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session."
@@ -494,10 +484,10 @@ checks:
compliance:
- cis: "18.9.58.3.3.4"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisablePNPRedir;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
# Section 18.9.58.3.10 - Session Time Limits
- id: 9536
title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
@@ -507,35 +497,35 @@ checks:
compliance:
- cis: "18.9.58.3.10.1"
- cis_csc: "16.5"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxIdleTime;'
+ condition: none
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w'
- id: 9537
title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions."
@@ -544,10 +534,10 @@ checks:
compliance:
- cis: "18.9.58.3.10.2"
- cis_csc: "16.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> !EA60;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !MaxDisconnectionTime;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> EA60'
# Section 18.9.60.1 - OCR
- id: 9538
title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
@@ -557,10 +547,10 @@ checks:
compliance:
- cis: "18.9.60.3"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> !3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> !ConnectedSearchPrivacy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
# Section 18.9.56 - Software Protection Platform
- id: 9539
title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
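Review bot: The hex thresholds in the rewritten 9536 rules (hunk `@@ -507,35 +497,35 @@`) are lower-case (`r:dbba1` … `r:f\w\w\w\w`), while the MaxDisconnectionTime rule in the next hunk uses upper-case `EA60` and check 9000 in the next file uses `3D`/`3E`/`3F`; if the value comparison is case-sensitive, at most one of these spellings can match the DWORD as the agent renders it, so the casing should be unified once the rendered form is confirmed. The `condition: none` plus `not r:... -> MaxIdleTime` double negative is correct (a missing value fails the check, as does any value above 0xDBBA0, i.e. 15 minutes) but reads awkwardly; a comment above `rules:` such as `# none: fail when MaxIdleTime is absent or exceeds 0xDBBA0 (15 minutes)` would spare the next reader the derivation. The patterns are unanchored (`r:dbba1` also matches a value containing `dbba1` anywhere), which is harmless here only because the catch-all `r:\w\w\w\w\w\w` rejects every six-digit value anyway.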
@@ -570,10 +560,10 @@ checks:
compliance:
- cis: "18.9.65.1"
- cis_csc: ""
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> !NoGenTicket;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
# Section 18.9.76.3 - MAPS
- id: 9540
title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
@@ -585,7 +575,7 @@ checks:
- cis_csc: ""
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
# Section - 18.9.76.9 - Reporting
- id: 9541
title: "Ensure 'Configure Watson events' is set to 'Disabled'"
@@ -595,10 +585,10 @@ checks:
compliance:
- cis: "18.9.76.9.1"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> !DisableGenericRePorts;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
# Section 18.9.85 - Windows Installer
- id: 9542
title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
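Review bot: Check 9540 (hunk `@@ -585,7 +575,7 @@`) keeps `condition: any` with the single rule `SpynetReporting -> 0` and gains no existence line, while the two-rule checks in this commit were switched to `condition: all` with a `-> Name` existence rule added; the same applies to 9542 and 9543 in the following hunks. With one rule `any` and `all` are equivalent, and `-> Name -> 0` already fails when the value is absent, so this is a consistency point rather than a defect, but a reader scanning the file will wonder why these three differ from the rest. Either give them the same `all` plus existence-line shape, or state the intended convention once in a header comment so the asymmetry reads as deliberate.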
@@ -610,7 +600,7 @@ checks:
- cis_csc: "7"
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
# Section 18.9.97.2 - WinRM Service
- id: 9543
title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
@@ -622,7 +612,7 @@ checks:
- cis_csc: "3.4"
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
# Section 18.9.98 - Windows Remote Shell
- id: 9544
title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
@@ -632,7 +622,7 @@ checks:
compliance:
- cis: "18.9.98.1"
- cis_csc: "3.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> !AllowRemoteShellAccess;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
From c0e576e8dc71014f6ec8913e9ec1fe8f1181b3f1 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Tue, 4 Jun 2019 12:18:57 +0200
Subject: [PATCH 037/247] Add newlines to windows/cis_win2012r2_memberL1_rcl.yml
---
sca/windows/cis_win2012r2_memberL1_rcl.yml | 244 +++++++++++++++++----
1 file changed, 207 insertions(+), 37 deletions(-)
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 6c819cf66..e54fbef9b 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -28,6 +28,7 @@ requirements:
- 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2;'
checks:
+ # Section 1.1 - Password Policies
- id: 9000
title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
@@ -39,23 +40,25 @@ checks:
- cis_csc: "16.5"
condition: none
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+;'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+'
+ # Section 2.3 - Security Options
- id: 9001
title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
@@ -69,6 +72,7 @@ checks:
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
- id: 9002
title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled"
description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
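Review bot: The rewritten 9000 rules (hunk `@@ -39,23 +40,25 @@`) combine `condition: none` with a `not r:... -> MaximumPasswordAge` line, a double negative whose intent (fail when the value is missing, 0, or above 0x3C, i.e. 60 days) is not obvious from the list of hex patterns; a comment above `rules:` such as `# none: fail if MaximumPasswordAge is absent, 0, or greater than 0x3C (60 days)` would document it. The patterns `r:4\w` … `r:F\w` are unanchored, so they are only safe because `r:\w\w\w+` rejects every value of three or more digits regardless. In the trailing context, the title of 9001 (`... 'Users can't add or log on with Microsoft accounts"`) is missing its closing single quote; the same holds for 9002's `'Enabled"` in the next hunk.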
@@ -81,6 +85,7 @@ checks:
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
- id: 9003
title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
@@ -89,9 +94,11 @@ checks: compliance: - cis: "2.3.2.1" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' + - id: 9004 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. 
The recommended state for this setting is: Disabled." @@ -101,9 +108,11 @@ checks: compliance: - cis: "2.3.2.2" - cis_csc: "6" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' + - id: 9005 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." @@ -116,6 +125,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' + - id: 9006 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." 
@@ -128,6 +138,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' + - id: 9007 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." @@ -140,6 +151,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' + - id: 9008 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." @@ -152,6 +164,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' + - id: 9009 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." 
@@ -164,6 +177,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
 - id: 9010
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
@@ -174,7 +188,9 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
 - id: 9011
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
@@ -187,6 +203,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' + - id: 9012 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." @@ -199,6 +216,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' + - id: 9013 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." @@ -211,6 +229,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' + - id: 9014 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." 
@@ -221,7 +240,7 @@ checks:
 - cis_csc: "16.5"
 condition: none
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs'
+ - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386'
@@ -239,6 +258,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+'
+
 - id: 9015
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
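Review bot: The enumerated data next to the new `not r:` rule — `-> 385`, `-> 386` here and `r:9\w\w` in the next hunk — only reads correctly if the scanner renders REG_DWORD data as a hexadecimal string (0x385 = 901, the first value above the 900-second limit); taken as decimal, 385 is a conforming value being reported as a failure, and nothing in the policy says which rendering applies. I cannot confirm the rendering from the diff, but the same convention is relied on by the PasswordExpiryWarning rules (9015, `r:9\w`) and the AutoDisconnect rules (9021, `r:1\w`) further down, so it deserves one comment above each of these rule lists, e.g. `# REG_DWORD data is matched as a hex string: 0x385 = 901 s, the first value over the 900 s limit`. The rule list for this check continues between the two hunks, outside the visible lines.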
@@ -249,6 +269,7 @@ checks: - cis_csc: "16" condition: none rules: + - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2' @@ -266,6 +287,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+' + - id: 9016 title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'" description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled." @@ -278,6 +300,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1' + - id: 9017 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." 
@@ -290,6 +313,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> !0' + - id: 9018 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." @@ -302,6 +326,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' + - id: 9019 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." 
@@ -314,6 +339,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' + - id: 9020 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." @@ -326,6 +352,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' + - id: 9021 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." 
@@ -336,19 +363,20 @@ checks:
 - cis_csc: "3"
 condition: none
 rules:
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+'
+
 - id: 9022
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
@@ -361,6 +389,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' + - id: 9023 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." @@ -373,6 +402,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' + - id: 9024 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." 
@@ -385,6 +415,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + - id: 9025 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers." 
@@ -399,6 +430,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0' + - id: 9026 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." @@ -411,6 +443,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1' + - id: 9027 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." 
@@ -423,6 +456,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' + - id: 9028 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." @@ -435,6 +469,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' + - id: 9029 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'" description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." 
@@ -447,6 +482,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*' + - id: 9030 title: "Configure 'Network access: Remotely accessible registry paths'" description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." 
@@ -455,9 +491,11 @@ checks: compliance: - cis: "2.3.10.7" - cis_csc: "14, 16" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' + - id: 9031 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." 
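Review bot: Even with `condition: all`, the `-> Machine -> r:…ProductOptions|…Server Applications|…CurrentVersion` rule passes as soon as the data matches one alternative (assuming `|` is alternation in this rule syntax), so a list holding just one of the three recommended paths — or all three plus extra remotely reachable paths — is reported compliant; the existence rule added above it does not tighten that. Splitting it into one rule per path under `all`, e.g. `-> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions`, would at least require every recommended path to be present; surplus paths still need a separate check, since a single match rule cannot express "nothing else". The AllowedPaths rule in 9031 (next hunk) has the same shape.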
@@ -466,9 +504,11 @@ checks: compliance: - cis: "2.3.10.8" - cis_csc: "14, 16" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' + - id: 9032 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." 
@@ -481,6 +521,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' + - id: 9033 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." @@ -489,9 +530,11 @@ checks: compliance: - cis: "2.3.10.10" - cis_csc: "14, 16" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:None' + - id: 9034 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." 
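Review bot: `-> NullSessionShares -> r:None` tests for the literal text `None` in the registry data, while the recommended state "(i.e. None)" in the description means an empty REG_MULTI_SZ; unless the scanner renders an empty multi-string as `None` — which I cannot confirm from the diff — a correctly hardened host fails this check and, because the pattern is unanchored, only a host whose share list contains a name with `None` in it passes. The switch to `all` and the new existence rule do not change that. If an empty list comes through as an empty string, `-> NullSessionShares -> r:^$` is the test that expresses the intent; either way, the expected rendering should be recorded in a comment above the rule, e.g. `# NullSessionShares is expected to be empty; confirm how an empty REG_MULTI_SZ is rendered before matching on it`.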
@@ -504,6 +547,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' + - id: 9035 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." @@ -516,6 +560,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' + - id: 9036 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled." 
@@ -528,6 +573,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' + - id: 9037 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled." 
@@ -540,6 +586,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' + - id: 9038 title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting." 
@@ -548,9 +595,11 @@ checks: compliance: - cis: "2.3.11.4" - cis_csc: "16.14" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644;' + - id: 9039 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." 
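Review bot: Making the exact match `SupportedEncryptionTypes -> 2147483644;` mandatory via `condition: all` turns check 9038 into a regression trap: 2147483644 (0x7FFFFFFC) still includes RC4_HMAC_MD5 (bit 0x4), whereas the description in this hunk says the recommended state drops RC4 (2147483640 / 0x7FFFFFF8), so a host hardened to the stricter value fails the check and operators are nudged to re-enable RC4. The rule should accept both values, mirroring the `^2$|^5$` form used by check 9050: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:^2147483640$|^2147483644$'`. That rewrite also removes the trailing `;`, which sibling rules in this diff (e.g. `NTLMMinClientSec -> 537395200`) no longer carry and which, if the engine compares it literally, would prevent this rule from ever matching. Check 9038's id/title/description lines precede this hunk.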
@@ -563,6 +612,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' + - id: 9040 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." 
@@ -575,6 +625,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + - id: 9041 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." 
@@ -599,6 +650,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1' + - id: 9043 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." 
@@ -611,6 +663,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' + - id: 9044 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." 
@@ -625,6 +678,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200;' + - id: 9045 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server." 
@@ -637,6 +691,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0' + - id: 9046 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." 
@@ -648,6 +703,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' + - id: 9047 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled." @@ -660,6 +716,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1' + - id: 9048 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled." 
@@ -672,6 +729,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1' + - id: 9049 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled." @@ -684,6 +742,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0' + - id: 9050 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop." @@ -696,6 +755,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> ^2$|^5$' + - id: 9051 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests." 
@@ -708,6 +768,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1' + - id: 9052 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled." @@ -720,6 +781,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection' - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1' + - id: 9053 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." 
@@ -732,6 +794,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1' + - id: 9054 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced." @@ -744,6 +807,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1' + - id: 9055 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled." 
@@ -756,6 +820,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1' + - id: 9056 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled." @@ -767,6 +832,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' + # Section 9.1 - Domain Profile - id: 9057 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'" @@ -780,6 +846,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 1' + - id: 9058 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." 
@@ -792,6 +859,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 1' + - id: 9059 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)." @@ -804,6 +872,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 0' + - id: 9060 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." 
@@ -815,6 +884,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0' + - id: 9061 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log." @@ -827,6 +897,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog' + - id: 9062 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." 
@@ -851,6 +922,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:8\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:9\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' + - id: 9063 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -863,6 +935,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 1' + - id: 9064 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." 
@@ -875,6 +948,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 1' + # Section 9.2 - Private Profile - id: 9065 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'" @@ -888,6 +962,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 1' + - id: 9066 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." 
@@ -900,6 +975,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 1' + - id: 9067 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." @@ -912,6 +988,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 0' + - id: 9068 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." 
@@ -923,6 +1000,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 1' + - id: 9069 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log." @@ -935,6 +1013,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;' + - id: 9070 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." 
@@ -959,6 +1038,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:8\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:9\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' + - id: 9071 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -971,6 +1051,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 1' + - id: 9072 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." 
@@ -983,6 +1064,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 1' + # Sectin 9.3 - Public Profile - id: 9073 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'" @@ -996,6 +1078,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 1' + - id: 9074 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)" 
@@ -1008,6 +1091,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 1' + - id: 9075 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." @@ -1020,6 +1104,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 0' + - id: 9076 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No." 
@@ -1031,6 +1116,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1'
+
 - id: 9077
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -1043,6 +1129,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 1'
+
 - id: 9078
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
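Review bot: In the second hunk, check 9077 ('Apply local firewall rules' is set to 'No') passes on `AllowLocalPolicyMerge -> 1`, but 1 is the value that lets locally created rules be merged with the Group Policy rules, i.e. the 'Yes' state the check is meant to reject; the compliant value for 'No' is 0. As written, a host that merges local rules is reported compliant and a correctly hardened host fails, so both rules should read `-> AllowLocalPolicyMerge -> 0`. The check's `condition:` line is outside this hunk, so I can't tell from here whether either rule or both must match.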
@@ -1055,6 +1142,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
+
 - id: 9079
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
@@ -1067,6 +1155,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;'
+
 - id: 9080
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
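Review bot: Check 9078 ('Apply local connection security rules' is set to 'No') in the first hunk has the same inversion as 9077: `AllowLocalIPsecPolicyMerge -> 1` is the state in which locally defined IPsec rules are merged in, so the compliant value for 'No' is 0 and both rules should read `-> AllowLocalIPsecPolicyMerge -> 0`. Separately, the title of check 9079 in the same hunk says `Windows Firewall: Private: Logging: Name` while its registry path and the `publicfw.log` target belong to the Public profile; it should read `Windows Firewall: Public: Logging: Name` so a finding is not attributed to the wrong profile in reports.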
@@ -1091,6 +1180,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:8\w\w\w+'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:9\w\w\w+'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+
 - id: 9081
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
@@ -1103,6 +1193,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
 - id: 9082
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
@@ -1115,6 +1206,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 1' + # Section 18.1 - Control Panel - id: 9083 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" @@ -1127,6 +1219,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1' + - id: 9084 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." @@ -1138,6 +1231,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' + # Section 18.2 - LAPS - id: 9085 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed" 
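Review bot: Check 9083 in the second hunk carries two rules, a bare `-> NoLockScreenCamera` that only requires the value to exist and `-> NoLockScreenCamera -> 1` that actually tests it; its `condition:` line is outside the hunk, but if it is `condition: any` like checks 9085 and 9088 further down, the existence rule alone satisfies the check and a host with the value set to 0 is reported compliant. If the intent is "exists and equals 1", the bare rule is redundant and should be dropped, or the check switched to `condition: all`. The same two-rule shape recurs in most checks on this page, so whichever reading is correct applies file-wide and is worth settling once.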
@@ -1150,6 +1244,7 @@ checks: condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName;' + - id: 9086 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. 
We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." @@ -1162,6 +1257,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1' + - id: 9087 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
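Review bot: The description of check 9086 in the `@@ -1150` hunk contains the "Note #2: LAPS is only designed to manage local Administrator passwords …" paragraph twice, back to back; the second copy, from the repeated `Note #2:` through `…member servers and workstations.`, should be deleted. The sibling LAPS checks 9087–9090 carry the paragraph once, so this reads as a paste slip rather than intent.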
@@ -1174,6 +1270,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1' + - id: 9088 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1185,6 +1282,7 @@ checks: condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4' + - id: 9089 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1197,6 +1295,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\w\w+' + - id: 9090 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
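Review bot: Check 9089 ('Password Length' is set to '15 or more') accepts `PasswordLength -> r:\w\w+`, which only requires two or more characters and does not encode the 15 threshold: read as decimal it passes 10–14, and read as hex — the representation the WarningLevel rules on this page assume with values such as `5A` — the boundary value 15 is the single digit `f` and fails. Like the other range checks here it needs an explicit enumeration of the acceptable values in whichever form SCA reports DWORDs, and the bare `-> PasswordLength` existence rule beside it should not be able to satisfy the check on its own.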
@@ -1223,6 +1322,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 11' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 10' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w' + # Section 18.3 - MS Security Guide - id: 9091 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" @@ -1240,6 +1340,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1' + - id: 9092 title: "Ensure 'WDigest Authentication' is set to 'Disabled'" description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." @@ -1256,6 +1357,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0' + # Section 18.4 - MSS (Legacy) - id: 9093 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" 
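Review bot: Check 9091 ('Apply UAC restrictions to local accounts on network logons' is set to 'Enabled') in the second hunk passes on `LocalAccountTokenFilterPolicy -> 1`, but 1 is the value that disables the remote UAC token filter, i.e. it lets local administrator accounts obtain a full-privilege token over the network — the lateral-movement path this control exists to close. 'Enabled' corresponds to the value 0, so the second rule should read `-> LocalAccountTokenFilterPolicy -> 0`. As written the check certifies the weaker configuration as compliant, which for a control aimed at pass-the-hash with local accounts is the worst way for a rule to be wrong.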
@@ -1272,6 +1374,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
 - id: 9094
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
@@ -1286,6 +1389,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
 - id: 9095
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
@@ -1300,6 +1404,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
 - id: 9096
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
@@ -1314,6 +1419,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
 - id: 9097
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
@@ -1328,6 +1434,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
 - id: 9098
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
@@ -1342,6 +1449,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
 - id: 9099
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
@@ -1360,6 +1468,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 3' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 4' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 5' + - id: 9100 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." @@ -1388,6 +1497,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 58' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 59' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5A' + # Section 18.5 - Network - id: 9101 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" @@ -1401,6 +1511,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1' + - id: 9102 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." 
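Review bot: Check 9101 ('Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled') in the last hunk passes on `NC_AllowNetBridge_NLA -> 1`, but the value name is an allow flag: 1 permits the bridge and 0 is the 'Enabled' (prohibit) state the title asks for. The second rule should read `-> NC_AllowNetBridge_NLA -> 0`; as written the check accepts exactly the configuration that lets a user bridge the domain network onto another interface.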
@@ -1413,6 +1524,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' + - id: 9103 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." @@ -1425,6 +1537,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1' + # Section 18.8 - System - id: 9104 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" 
@@ -1438,6 +1551,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0' + - id: 9105 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." 
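Review bot: Check 9104 treats `ProcessCreationIncludeCmdLine_Enabled -> 0` as compliant, which matches the 'Disabled' in its title but deserves a caveat, because with this disabled event 4688 carries no command line and most process-creation detection content depends on that field; I believe later CIS revisions reversed this control to Enabled. I'd keep the rule aligned with whichever benchmark version this policy tracks and add a comment above the rules, `# NOTE: newer CIS releases recommend Enabled (command-line auditing for 4688); revisit if this policy is rebased`, so a reader does not take the 0 as a security recommendation in its own right.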
@@ -1450,6 +1564,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
 - id: 9106
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
@@ -1462,6 +1577,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
 - id: 9107
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
@@ -1474,6 +1590,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
 - id: 9108
 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
 description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
@@ -1486,6 +1603,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
+
 - id: 9109
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
@@ -1498,6 +1616,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
 - id: 9110
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
@@ -1510,6 +1629,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
 - id: 9111
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
@@ -1522,6 +1642,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
 - id: 9112
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
@@ -1534,6 +1655,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
 - id: 9113
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
@@ -1546,6 +1668,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
 - id: 9114
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
@@ -1558,6 +1681,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
 - id: 9115
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
@@ -1570,6 +1694,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' + - id: 9116 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled." @@ -1584,6 +1709,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' + # Section 18.9 - Windows Components - id: 9117 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" @@ -1597,6 +1723,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' + - id: 9118 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." 
@@ -1609,6 +1736,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' + - id: 9119 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." @@ -1621,6 +1749,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' + - id: 9120 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." 
@@ -1633,6 +1762,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff' + - id: 9121 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." @@ -1645,6 +1775,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' + - id: 9122 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." @@ -1657,6 +1788,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' + - id: 9123 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." 
@@ -1669,6 +1801,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' + - id: 9124 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." @@ -1688,6 +1821,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:e\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:f\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w\w\w+' + - id: 9125 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." 
@@ -1700,6 +1834,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' + - id: 9126 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." @@ -1724,6 +1859,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:e\w\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:f\w\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w\w+' + - id: 9127 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." 
@@ -1736,6 +1872,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' + - id: 9128 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." @@ -1755,6 +1892,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:e\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:f\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w\w\w+' + - id: 9129 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." @@ -1766,6 +1904,7 @@ checks: condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;' + - id: 9130 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." 
@@ -1785,6 +1924,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:e\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:f\w\w\w' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w\w\w+' + - id: 9131 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." @@ -1797,6 +1937,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' + - id: 9132 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." 
@@ -1809,6 +1950,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' + - id: 9133 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." @@ -1821,6 +1963,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' + - id: 9134 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." 
@@ -1833,6 +1976,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' + - id: 9135 title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS." @@ -1845,6 +1989,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1' + - id: 9136 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." 
@@ -1857,6 +2002,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' + - id: 9137 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." @@ -1869,6 +2015,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' + - id: 9138 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." 
@@ -1881,6 +2028,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' + - id: 9139 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." @@ -1893,6 +2041,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' + - id: 9140 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." 
@@ -1905,6 +2054,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' + - id: 9141 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." @@ -1917,6 +2067,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' + - id: 9142 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." @@ -1929,6 +2080,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' + - id: 9143 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." 
@@ -1941,6 +2093,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' + - id: 9144 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." @@ -1953,6 +2106,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' + - id: 9145 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." 
@@ -1965,6 +2119,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2' + - id: 9146 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" @@ -1977,6 +2132,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1' + - id: 9147 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." 
@@ -1989,6 +2145,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0' + - id: 9148 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." 
@@ -2001,6 +2158,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' + - id: 9149 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." @@ -2013,6 +2171,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' + - id: 9150 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." 
@@ -2025,6 +2184,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' + - id: 9151 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." @@ -2037,6 +2197,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' + - id: 9152 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." 
@@ -2049,6 +2210,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' + - id: 9153 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." @@ -2061,6 +2223,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' + - id: 9154 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." @@ -2073,6 +2236,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' + - id: 9155 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." 
@@ -2085,6 +2249,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' + - id: 9156 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." @@ -2097,6 +2262,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' + - id: 9157 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." @@ -2109,6 +2275,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' + - id: 9158 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." 
@@ -2121,6 +2288,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' + - id: 9159 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
@@ -2133,6 +2301,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' + - id: 9160 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." @@ -2145,6 +2314,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' + - id: 9161 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." From 21573d5d33948347645f9339168049ed6a240fbf Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 4 Jun 2019 13:47:19 +0200 Subject: [PATCH 038/247] Complete some checks and remove useless rules --- sca/windows/cis_win2012r2_memberL1_rcl.yml | 143 ++++++++++----------- 1 file changed, 71 insertions(+), 72 deletions(-) diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml index e54fbef9b..4440ca570 100644 
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml @@ -842,10 +842,10 @@ checks: compliance: - cis: "9.1.1" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 1' - id: 9058 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" @@ -855,10 +855,10 @@ checks: compliance: - cis: "9.1.2" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 1' - id: 9059 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" @@ -868,10 +868,10 @@ checks: compliance: - cis: "9.1.3" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 0' - id: 9060 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" 
@@ -880,10 +880,10 @@ checks:
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
compliance:
- cis: "9.1.4"
- condition: any
+ condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0'
- id: 9061
title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
@@ -893,10 +893,10 @@ checks:
compliance:
- cis: "9.1.5"
- cis_csc: "6.2"
- condition: any
+ condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
- id: 9062
title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
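Review bot: Check 9060 in the -880 hunk keeps `DisableNotifications -> 0` as its passing value, yet its title requires 'Display a notification' to be 'No', and the Private and Public checks for the same setting in this commit (hunks -996 and -1112) pass on `DisableNotifications -> 1`. With the new `condition: all`, 9060 now passes only when notifications are still displayed, which is the opposite of the benchmark state. Change the value rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'`.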
@@ -914,14 +914,13 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:7\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:8\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:9\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:a\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:b\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:c\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:d\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:e\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:f\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:4\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:5\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:6\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:7\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:8\w\w\w+' 
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:9\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' - id: 9063 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" @@ -931,10 +930,10 @@ checks: compliance: - cis: "9.1.7" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 1' - id: 9064 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" @@ -944,10 +943,10 @@ checks: compliance: - cis: "9.1.8" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 1' # Section 9.2 - Private Profile - id: 9065 
@@ -958,10 +957,10 @@ checks: compliance: - cis: "9.2.1" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 1' - id: 9066 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" @@ -971,10 +970,10 @@ checks: compliance: - cis: "9.2.2" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 1' - id: 9067 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" @@ -984,10 +983,10 @@ checks: compliance: - cis: "9.2.3" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 0' - id: 9068 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" 
@@ -996,10 +995,10 @@ checks:
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
compliance:
- cis: "9.2.4"
- condition: any
+ condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 1'
- id: 9069
title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
@@ -1009,10 +1008,10 @@ checks:
compliance:
- cis: "9.2.5"
- cis_csc: "6.2"
- condition: any
+ condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;'
- id: 9070
title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
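Review bot: In the -1009 hunk the added first rule for check 9069 is not the plain existence check used by the other `condition: all` hunks in this commit but a second value match whose regex ends in a bare backslash, `...\logfiles\firewall\privatefw\'`, which looks like a truncated copy of the line beneath it; that line in turn still ends in the `;` terminator (`privatefw\plog;`) that this series removes everywhere else, so under `all` the check presumably cannot pass against a correctly configured host. The -893 hunk shows the intended shape; here that would be `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'` followed by the existing value rule with the trailing `;` dropped. The -1151 hunk (check 9079, PublicProfile) has the same two problems. The 9079 title shown in the context of the -1138 hunk also reads 'Private' for what is the Public profile logging check.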
@@ -1024,20 +1023,19 @@ checks: - cis_csc: "6.3" condition: any rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:4\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:5\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:6\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:7\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:8\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:4\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:9\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:a\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:b\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:c\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:d\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:e\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:f\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:4\w\w\w+' - - 
'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:5\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:6\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:7\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:8\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:9\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' - id: 9071 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" @@ -1047,10 +1045,10 @@ checks: compliance: - cis: "9.2.7" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 1' - id: 9072 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" 
@@ -1060,10 +1058,10 @@ checks: compliance: - cis: "9.2.8" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 1' # Sectin 9.3 - Public Profile - id: 9073 @@ -1074,10 +1072,10 @@ checks: compliance: - cis: "9.3.1" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 1' - id: 9074 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" @@ -1087,10 +1085,10 @@ checks: compliance: - cis: "9.3.2" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 1' - id: 9075 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" 
@@ -1100,10 +1098,10 @@ checks: compliance: - cis: "9.3.3" - cis_csc: "9.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 0' - id: 9076 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" @@ -1112,10 +1110,10 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification" compliance: - cis: "9.3.4" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1' - id: 9077 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" 
@@ -1125,10 +1123,10 @@ checks: compliance: - cis: "9.3.5" - cis_csc: "5.1" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 1' - id: 9078 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" @@ -1138,10 +1136,10 @@ checks: compliance: - cis: "9.3.6" - cis_csc: "5.1" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1' - id: 9079 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" 
@@ -1151,10 +1149,10 @@ checks:
compliance:
- cis: "9.3.7"
- cis_csc: "6.2"
- condition: any
+ condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;'
- id: 9080
title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
@@ -1172,14 +1170,13 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:7\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:8\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:9\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:a\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:b\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:c\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:d\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:e\w\w\w+' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:f\w\w\w+' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:4\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:5\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:6\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:7\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> 
r:8\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:9\w\w\w+' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+' - id: 9081 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" @@ -1189,10 +1186,10 @@ checks: compliance: - cis: "9.3.9" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 1' - id: 9082 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" @@ -1202,10 +1199,10 @@ checks: compliance: - cis: "9.3.10" - cis_csc: "6.2" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 1' # Section 18.1 - Control Panel - id: 9083 
@@ -1241,9 +1238,9 @@ checks:
compliance:
- cis: "18.2.1"
- cis_csc: "16.9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
- id: 9086
title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
@@ -1281,6 +1278,7 @@ checks:
- cis_csc: "5.7"
condition: any
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
- id: 9089
@@ -1901,9 +1899,10 @@ checks:
compliance:
- cis: "18.9.26.4.1"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
- id: 9130
title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
From 4bc1fee571e68f1da5a8e54e601ef4511cd5ba18 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 4 Jun 2019 18:44:09 +0200 Subject: [PATCH 039/247] Adapt Audit rules --- sca/windows/cis_win2012r2_memberL1_rcl.yml | 4 +- sca/windows/cis_win2012r2_memberL2_rcl.yml | 2 +- sca/windows/win_audit_rcl.yml | 93 +++++++++++++--------- 3 files changed, 57 insertions(+), 42 deletions(-)
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 4440ca570..45756fbcf 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
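Review bot: The existence rule added in the -1281 hunk for the AdmPwd `PasswordComplexity` check sits under an unchanged `condition: any`, so the check now passes whenever the value exists, regardless of whether it is 4; an existence rule only narrows a check under `condition: all`, which is what the neighbouring hunks (-1241, -1901) switch to. Change `condition: any` to `condition: all` for this check. The same combination appears in check 2507 of win_audit_rcl.yml in the next patch, where `condition: any` is kept while `AutoAdminLogon` existence is added as a rule, so a host with `AutoAdminLogon -> 1` and a stored `DefaultPassword` still passes.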
@@ -25,7 +25,7 @@ requirements: description: "Requirements for running the CIS benchmark Member Server L1 under Windows Server 2012 R2" condition: "any required" rules: - - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2;' + - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' checks: @@ -754,7 +754,7 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> ^2$|^5$' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$|^5$' - id: 9051 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml index 006d861ca..099fe6c12 100644 --- a/sca/windows/cis_win2012r2_memberL2_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml @@ -22,7 +22,7 @@ requirements: description: "Requirements for running the CIS benchmark Member Server L2 under Windows Server 2012 R2" condition: "any required" rules: - - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2;' + - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' checks: # Section 2.3.7 - Interactive logon diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml index 4cdde4ef1..5829dd6d9 100644 --- a/sca/windows/win_audit_rcl.yml +++ b/sca/windows/win_audit_rcl.yml 
@@ -19,90 +19,105 @@ requirements:
description: "Requirements for running the audit policy under a Windows platform"
condition: "any required"
rules:
- - 'r:HKEY_LOCAL_MACHINE\SAM\SAM;'
+ - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'
checks:
- id: 2500
- title: "Disabled Registry tools set"
+ title: "Ensure Registry tools set is enabled"
compliance:
- pci_dss: "10.6.1"
- condition: any
+ condition: all
rules:
- - 'r:HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;'
- - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 1;'
+ - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
+ - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'
- id: 2501
- title: "DCOM disabled"
+ title: "Ensure DCOM is enabled"
description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
compliance:
- pci_dss: "10.6.1"
references:
- https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
- id: 2502
- title: "LM authentication allowed (weak passwords)"
+ title: "LM authentication allowed (disable weak passwords)"
compliance:
- pci_dss: "10.6.1, 11.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel'
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^0$|^1$'
# Disabled by some Malwares (sometimes by McAfee and Symantec
# security center too).
- id: 2503
- title: "Firewall/Anti Virus notification disabled"
+ title: "Ensure Firewall/Anti Virus notifications are enabled"
compliance:
- pci_dss: "10.6.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
# Checking for the microsoft firewall.
- id: 2504
- title: "Microsoft Firewall disabled"
+ title: "Ensure Microsoft Firewall is disabled"
compliance:
- pci_dss: "10.6.1, 1.4"
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0'
- id: 2505
- title: "Null sessions allowed"
+ title: "Ensure Null sessions are disallowed"
compliance:
- pci_dss: "11.4"
- condition: any
+ condition: all
rules:
- - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;'
+ - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+ - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
- id: 2506
- title: "Error reporting disabled"
+ title: "Ensure Error reporting is enabled"
compliance:
- pci_dss: "10.6.1"
references:
- https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 1'
- id: 2507
- title: "Automatic Logon enabled"
+ title: "Ensure Automatic Logon is disabled"
compliance:
- pci_dss: "10.6.1"
condition: any
rules:
- - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword;'
- - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1;'
+ - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
+ - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+ - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- id: 2508
- title: "Winpcap packet filter driver found"
+ title: "Ensure Winpcap packet filter driver is not present"
compliance:
- pci_dss: "10.6.1"
- condition: any
+ condition: none
rules:
- - 'f:%WINDIR%\System32\drivers\npf.sys;'
- - 'f:%WINDIR%\Sysnative\drivers\npf.sys;'
+ - 'f:%WINDIR%\System32\drivers\npf.sys'
+ - 'f:%WINDIR%\Sysnative\drivers\npf.sys'
From 92c7e4cc7307e800558b2665a6e81e069470ba32 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Wed, 5 Jun 2019 11:12:30 +0200 Subject: [PATCH 040/247] Remove hexadecimal comparisons --- sca/windows/cis_win2012r2_memberL1_rcl.yml | 253 ++++----------------- sca/windows/cis_win2012r2_memberL2_rcl.yml | 35 +-- 2 files changed, 55 insertions(+), 233 deletions(-)
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 45756fbcf..63015c809 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -38,26 +38,11 @@ checks:
 compliance:
 - cis: "1.1.2"
 - cis_csc: "16.5"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:\w\w\w+'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'

 # Section 2.3 - Security Options
 - id: 9001
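Review bot: The new `n:^(\d+) compare <= 60` rule, and the `not … -> 0` guard before it, only give the intended result if the agent reports MaximumPasswordAge as a decimal string; should a hex rendering such as the `3D`/`3E` values the removed rules matched ever reach the check, `^(\d+)` captures only the leading `3` and a 61-day setting passes. The commit relies on that representation everywhere but states it nowhere, so a comment above the first rewritten rules block, e.g. `# registry DWORD values are compared as decimal strings`, and a fixture with a non-compliant value would make the assumption checkable. The same assumption underlies the numeric rules in every later hunk of this commit (InactivityTimeoutSecs, PasswordExpiryWarning, AutoDisconnect, the LogFileSize, PasswordAgeDays, ScreenSaverGracePeriod, WarningLevel and MaxSize checks, and MaxIdleTime in the L2 file).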
@@ -238,26 +223,11 @@ checks:
 compliance:
 - cis: "2.3.7.3"
 - cis_csc: "16.5"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+ - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'

 - id: 9015
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
@@ -267,26 +237,11 @@ checks:
 compliance:
 - cis: "2.3.7.7"
 - cis_csc: "16"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare <= 14'

 - id: 9016
 title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
@@ -361,21 +316,11 @@ checks:
 compliance:
 - cis: "2.3.9.1"
 - cis_csc: "3"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:(\d+) compare <= 15'

 - id: 9022
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
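Review bot: The AutoDisconnect rule `n:(\d+) compare <= 15` is the only numeric rule in this commit written without the `^` anchor; the MaximumPasswordAge and InactivityTimeoutSecs hunks above use `n:^(\d+)`. Unanchored, the capture is the first digit run found anywhere in the reported value rather than the value itself, so it is also the one rule whose result depends on how a non-numeric prefix would be rendered. Write it as `n:^(\d+) compare <= 15` so all the rewritten rules share one form.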
@@ -906,21 +851,10 @@ checks:
 compliance:
 - cis: "9.1.6"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:4\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:5\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:6\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:7\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:8\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:9\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:a\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:b\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:c\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:d\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:e\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:f\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'

 - id: 9063
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
@@ -1021,21 +955,10 @@ checks:
 compliance:
 - cis: "9.2.6"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:4\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:5\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:6\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:7\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:8\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:9\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:a\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:b\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:c\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:d\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:e\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:f\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'

 - id: 9071
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
@@ -1162,21 +1085,10 @@ checks:
 compliance:
 - cis: "9.3.8"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:4\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:5\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:6\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:7\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:8\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:9\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:a\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:b\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:c\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:d\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:e\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:f\w\w\w+'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'

 - id: 9081
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
@@ -1302,24 +1214,10 @@ checks:
 compliance:
 - cis: "18.2.6"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1E'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1D'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1C'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1B'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 1A'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 19'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 18'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 17'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 16'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 15'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 14'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 13'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 12'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 11'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> 10'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n: ^(\d+) compare <= 30'

 # Section 18.3 - MS Security Guide
 - id: 9091
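Review bot: The rewritten PasswordAgeDays rule reads `n: ^(\d+) compare <= 30` with a space between `n:` and the regex, whereas every other numeric rule in this commit is written `n:^(\d+)`. If the parser hands everything after `n:` to the regex engine, the pattern begins with a literal space that no reported DWORD string starts with, so the rule would never match and the check would fail on compliant hosts as well. Change it to `n:^(\d+) compare <= 30` to match the sibling rules.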
@@ -1458,14 +1356,10 @@ checks:
 - cis_csc: "16.5"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 2'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 3'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 4'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 5'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'

 - id: 9100
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
@@ -1477,24 +1371,10 @@ checks:
 - cis_csc: "6.3"
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:1\w'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:2\w'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:3\w'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:4\w'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 50'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 51'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 52'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 53'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 54'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 55'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 56'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 57'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 58'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 59'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5A'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'

 # Section 18.5 - Network
 - id: 9101
@@ -1808,17 +1688,10 @@ checks:
 compliance:
 - cis: "18.9.26.1.2"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:8\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:9\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:a\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:b\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:c\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:d\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:e\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:f\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'

 - id: 9125
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
@@ -1841,22 +1714,10 @@ checks:
 compliance:
 - cis: "18.9.26.2.2"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:3\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:4\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:5\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:6\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:7\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:8\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:9\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:a\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:b\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:c\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:d\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:e\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:f\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'

 - id: 9127
 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
@@ -1879,17 +1740,10 @@ checks:
 compliance:
 - cis: "18.9.26.3.2"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:8\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:9\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:a\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:b\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:c\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:d\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:e\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:f\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'

 - id: 9129
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
@@ -1912,17 +1766,10 @@ checks:
 compliance:
 - cis: "18.9.26.4.2"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:8\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:9\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:a\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:b\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:c\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:d\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:e\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:f\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'

 - id: 9131
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index 099fe6c12..c3f259ad7 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -63,7 +63,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
 - id: 9503
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis."
@@ -497,35 +497,10 @@ checks:
 compliance:
 - cis: "18.9.58.3.10.1"
 - cis_csc: "16.5"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
 - id: 9537
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions."
From c28d6b6494cf4503445d38c27aee65d748fb08f5 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 12:47:14 +0200
Subject: [PATCH 041/247] Fix some checks on cis_win10_enterprise_L2_rcl.yml
---
 sca/windows/cis_win10_enterprise_L2_rcl.yml | 49 +++++++--------------
 1 file changed, 17 insertions(+), 32 deletions(-)
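Review bot: The new `compare <= 900000` rule on the last line accepts `MaxIdleTime` = 0, which as far as I can tell from the Terminal Server ADMX is what the policy stores for "Never" (no idle limit), so a host with the limit switched off would pass a check titled "15 minutes or less". Adding a lower bound under the same `condition: all`, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare > 0'`, closes that gap. The removed hex rules did not reject 0 either, so this is not a regression, but the rewrite is the right moment to fix it; the same applies to the rewritten MaxIdleTime check in cis_win10_enterprise_L2_rcl.yml later in this series.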
diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index 32c7bc44e..40dc6c84c 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -494,9 +494,13 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
 - id: 12535
@@ -509,9 +513,13 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
 - id: 12536
@@ -689,7 +697,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
 - id: 12549
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
@@ -729,8 +737,10 @@ checks:
 - cis_csc: "1.6"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
 - id: 12552
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
@@ -1054,35 +1064,10 @@ checks:
 - cis_csc: "16.5"
 references:
 - https://workbench.cisecurity.org/benchmarks/766
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbc\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w;'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15'
 - id: 12577
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
From af5e1c383a4d633f9077aa14c8170fdc823c3a56 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 12:49:33 +0200
Subject: [PATCH 042/247] Remove trailling whitespaces
---
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 22 ++++++++++-----------
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 2 +-
 sca/windows/cis_win2012r2_memberL2_rcl.yml | 12 +++++------
 3 files changed, 18 insertions(+), 18 deletions(-)
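Review bot: The new bound `compare <= 15` on the last rule is in the wrong unit: `MaxIdleTime` holds milliseconds, and the rules this hunk removes rejected hex values from `dbba1` (0xdbba1 = 900001) upward, so the intended ceiling is 900000 ms (15 minutes), which is also the value the equivalent rewritten check in cis_win2012r2_memberL2_rcl.yml uses. As written only values between 0 and 15 ms satisfy the rule, so practically every host with the limit configured will be reported non-compliant. Change the line to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'`.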
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 03bcaa745..38b75a0d1 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -223,7 +223,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
-
+
 - id: 12015
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \"Microsoft network client and server: Digitally sign communications (four related settings)\" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
@@ -236,7 +236,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
-
+
 - id: 12016
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
@@ -276,7 +276,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:^\d$|^a$|^b$|^c$|^d$|^e$|^f$'
-
+
 - id: 12019
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
@@ -289,7 +289,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
-
+
 - id: 12020
 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
@@ -508,7 +508,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
-
+
 - id: 12037
 title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
 description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting"
@@ -661,7 +661,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
-
+
 - id: 12049
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
 description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
@@ -674,7 +674,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
-
+
 - id: 12050
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
@@ -1026,7 +1026,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
-# 9 Windows Firewall with Advanced Security
+# 9 Windows Firewall with Advanced Security
 - id: 12077
 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
@@ -1356,7 +1356,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
-#TODO
+#TODO
 - id: 12099
 title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
@@ -1367,7 +1367,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: any
 rules:
-
+
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;'
 #TODO
@@ -1533,7 +1533,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:1F|1f'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w'
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 63015c809..c1a179f92 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -239,7 +239,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare <= 14'
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index c3f259ad7..025a34869 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -81,7 +81,7 @@ checks:
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remedtiation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted"
- compliance:
+ compliance:
 - cis: "18.4.10"
 - cis_csc: "5"
 condition: all
@@ -198,7 +198,7 @@ checks:
 - cis_csc: "12"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
 # Section 18.8.22.1 - Internet Communication settings
 - id: 9513
@@ -218,7 +218,7 @@ checks:
 description: "Turns off the handwriting recognition error reporting tool."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting"
- compliance:
+ compliance:
 - cis: "18.8.22.1.3"
 - cis_csc: "13"
 condition: all
@@ -487,7 +487,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
 # Section 18.9.58.3.10 - Session Time Limits
 - id: 9536
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
@@ -506,7 +506,7 @@ checks:
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions"
- compliance:
+ compliance:
 - cis: "18.9.58.3.10.2"
 - cis_csc: "16.5"
 condition: all
@@ -570,7 +570,7 @@ checks:
 description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user."
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts"
- compliance:
+ compliance:
 - cis: "18.9.85.3"
 - cis_csc: "7"
 condition: any
From 036f0b427967fff6a5eeab229451d2e0081d444a Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 12:55:25 +0200
Subject: [PATCH 043/247] Correct some description messages
---
 sca/windows/cis_win2012r2_domainL2_rcl.yml | 57 +++++++++++-----------
 1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml
index b4a268d6d..9332a8dee 100644
--- a/sca/windows/cis_win2012r2_domainL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml
@@ -25,7 +25,7 @@ requirements:
 description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows Server 2012 R2"
 condition: "any required"
 rules:
- - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2;'
+ - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
 checks:
 # Section 2.3 - Security Options
@@ -47,7 +47,7 @@ checks:
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
 - cis: "18.4.5"
 - cis_csc: "9"
@@ -62,7 +62,7 @@ checks:
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
 - cis: "18.4.7"
 - cis_csc: "9"
@@ -92,7 +92,7 @@ checks:
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
 - cis: "18.4.11"
 - cis_csc: "9"
@@ -233,7 +233,7 @@ checks:
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.3"
 - cis_csc: "13"
@@ -246,7 +246,7 @@ checks:
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.4"
 - cis_csc: "13"
@@ -297,7 +297,7 @@ checks:
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.8"
 - cis_csc: "13"
@@ -308,9 +308,9 @@ checks: - id: 8519 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'" - description: "This policy setting specifies whether the 'Order Prints Online' task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled" + description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled." rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the 'Order Prints' picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.8.22.1.9" - cis_csc: "13" 
@@ -321,9 +321,9 @@ checks: - id: 8520 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" - description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the 'Publish to Web' task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.8.22.1.10" - cis_csc: "13" 
@@ -336,7 +336,7 @@ checks:
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.11"
 - cis_csc: "13"
@@ -349,7 +349,7 @@ checks:
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.8.22.1.12"
 - cis_csc: "13"
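Review bot: The `description:` line kept as context in this hunk talks about Windows Messenger ("specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used") although the check is 'Turn off Windows Customer Experience Improvement Program' (cis 18.8.22.1.12); the hunk just above, for 18.8.22.1.11, opens with the same sentence, so this reads like text carried over from the Messenger entry. An analyst uses `description` in the SCA report to understand a failed check, so a wrong subject is misleading even if the rule itself is right. I cannot see the benchmark wording from here; if CIS does not itself read this way, I would open with `description: "This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. ..."` and keep the rest unchanged. The check's `id` and `rules` lie outside the hunk.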
@@ -362,7 +362,7 @@ checks: title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.8.22.1.13" - cis_csc: "13" 
@@ -413,8 +413,8 @@ checks: - id: 8527 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled." - rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information. " - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: "18.8.44.5.1" - cis_csc: "13" 
@@ -427,7 +427,7 @@ checks:
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: "18.8.44.11.1"
 - cis_csc: "13"
@@ -440,7 +440,7 @@ checks:
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: "18.8.46.1"
 - cis_csc: "13"
@@ -452,8 +452,8 @@ checks: - id: 8530 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'" description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled." - rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.8.49.1.1" - cis_csc: "6.1" 
@@ -492,7 +492,7 @@ checks:
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.9.58.3.3.1"
 - cis_csc: "9.1"
@@ -505,7 +505,7 @@ checks:
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: "18.9.58.3.3.3"
 - cis_csc: "9.1"
@@ -515,10 +515,10 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' - id: 8535 - title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.9.58.3.3.4" - cis_csc: "9.1" 
@@ -571,7 +571,7 @@ checks: title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: "18.9.58.3.10.2" - cis_csc: "16.5" 
@@ -617,11 +617,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' + - id: 8541 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: "18.9.85.3" - cis_csc: "7" 
@@ -634,7 +635,7 @@ checks: title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: "18.9.97.2.2" - cis_csc: "3.4" 
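Review bot: The `+ remediation:` line for 'Allow remote server management through WinRM' keeps the path `Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\...`, while every other remediation in the visible hunks of this file roots Administrative Templates under `Computer Configuration\\Policies\\Administrative Templates\\...`. If the `\\Policies\\` segment was dropped by mistake, an operator following the text literally lands in the wrong GPMC node for a control that closes an inbound listener, which is exactly the kind of finding that should be quick to remediate. The benchmark wording is not visible here, so please confirm against CIS 18.9.97.2.2 and, if it matches the rest of the file, change the path to `Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM`; the 'Allow Remote Shell Access' remediation in the next hunk has the same shape. This check's `id` and `rules` lie outside the hunk.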
@@ -645,7 +646,7 @@ checks: - id: 8543 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" - description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." + description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: From 6016b2f15175f3d28e5197b8f49866b69ed7eb69 Mon Sep 17 00:00:00 2001 
From: JuantAldea
Date: Wed, 5 Jun 2019 12:55:36 +0200
Subject: [PATCH 044/247] Adapt cis_win2012r2_domainL1_rcl.yml
---
 sca/windows/cis_win2012r2_domainL1_rcl.yml | 1161 +++++++++++---------
 1 file changed, 615 insertions(+), 546 deletions(-)
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index fd1031e19..e6bd11321 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -25,7 +25,7 @@ requirements:
 description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows Server 2012 R2"
 condition: "any required"
 rules:
- - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2;'
+ - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
 checks:
 # Section 1.1 - Password Policies
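Review bot: The requirement rule loses its trailing `;`, but the `condition: "any required"` line directly above it is left in the old form. If the rule grammar this patch migrates to has also dropped the `required` suffix on requirement conditions, the requirements block will be using a form the engine no longer recognises and the whole policy may be skipped; worth checking against the grammar and, if so, changing it to `condition: "any"`.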
@@ -37,50 +37,39 @@ checks: compliance: - cis: "1.1.2" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3D;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3E;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 3F;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:4\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:5\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:6\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:7\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:8\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:9\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:A\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:B\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:C\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:D\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:E\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> r:F\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> 
MaximumPasswordAge -> r:\w\w\w+;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge' + - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) <= 60' + # Section 2.3 - Security Options - id: 8001 title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts" description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts." - rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems." - remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts." + rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts" compliance: - cis: "2.3.1.2" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !NoConnectedUser;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3' + - id: 8002 - title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled" + title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled." - rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. 
However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only." + rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" compliance: - cis: "2.3.1.4" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' + - id: 8003 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance." 
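Review bot: The new MaximumPasswordAge bound is written `n:^(\d+) <= 60` without the `compare` keyword that the InactivityTimeoutSecs and PasswordExpiryWarning rules later in this patch use (`n:^(\d+) compare <= 900`); if the grammar requires `compare`, this line is malformed and check 1.1.2 will never evaluate as intended, so it should read `n:^(\d+) compare <= 60`. The removed rules matched hex renderings of the DWORD (`3D`, `3E`, `3F`, `r:4\w`), so if the engine still reports the value in hex, `^(\d+)` will either miss values containing a letter digit or compare the wrong number; confirm the value is read as decimal before relying on it, and the same applies to the PasswordExpiryWarning bounds in the `@@ -278,25` hunk. Separately, the rewritten rationale of check 8001 dropped a clause and now reads "will probably in order to meet the requirements"; restore the original wording "...will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements...".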
@@ -89,34 +78,36 @@ checks: compliance: - cis: "2.3.2.1" - cis_csc: "6.2" - condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' + - id: 8004 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" - description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. 
Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled." rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" - default_value: "Disabled." 
compliance: - cis: "2.3.2.2" - cis_csc: "6" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 2;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' + - id: 8005 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" + remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" compliance: - cis: "2.3.4.1" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 2;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' + - id: 8006 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." 
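Review bot: Check 8003 has its `condition: any` line removed with no replacement, while every sibling check in this hunk gains `condition: all`; with the two new rules (an existence rule plus `SCENoApplyLegacyAuditPolicy -> 1`) the intended semantics are `all`, and if the engine defaults to `any` the existence rule alone will pass the check. Add `condition: all` before that check's `rules:` block. In check 8005 the new remediation text now says to set the option to "Administrators and Interactive Users", but the title still says 'Administrators' and the new rule expects `AllocateDASD -> 0`, which I believe is the Administrators-only value; the remediation should most likely go back to "Administrators" so the three agree.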
@@ -125,9 +116,11 @@ checks: compliance: - cis: "2.3.4.2" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' + - id: 8007 title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." 
@@ -136,9 +129,11 @@ checks: compliance: - cis: "2.3.5.1" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> !0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> 0' + - id: 8008 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." 
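Review bot: Both new SubmitControl rules use `...\Control\Lsa\SubmitControl` as the registry key with no value name, unlike every other rule in this file, which takes the form `KEY -> ValueName -> expected`; as far as I know SubmitControl is a REG_DWORD value under the `Lsa` key rather than a subkey, so a lookup for a key named `Lsa\SubmitControl` would find nothing and the check could never pass. The rules should probably read `r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl` and `r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0`. The pre-change rule had the same shape, so this is carried over rather than introduced here, but the rewrite is the natural place to correct it.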
@@ -149,9 +144,11 @@ checks: - cis_csc: "3" references: - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> !2;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2' + - id: 8009 title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." @@ -160,9 +157,11 @@ checks: compliance: - cis: "2.3.5.3" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0' + - id: 8010 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." 
@@ -171,9 +170,11 @@ checks: compliance: - cis: "2.3.6.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' + - id: 8011 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." @@ -182,9 +183,11 @@ checks: compliance: - cis: "2.3.6.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' + - id: 8012 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." 
@@ -193,9 +196,11 @@ checks: compliance: - cis: "2.3.6.3" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' + - id: 8013 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." @@ -204,9 +209,11 @@ checks: compliance: - cis: "2.3.6.4" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' + - id: 8014 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." 
@@ -215,9 +222,11 @@ checks: compliance: - cis: "2.3.6.6" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' + - id: 8015 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." @@ -226,10 +235,11 @@ checks: compliance: - cis: "2.3.7.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DontDisplayLastUserName;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' + - id: 8016 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." 
@@ -238,10 +248,11 @@ checks: compliance: - cis: "2.3.7.2" - cis_csc: "8" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableCAD;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' + - id: 8017 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." 
@@ -250,26 +261,12 @@ checks: compliance: - cis: "2.3.7.3" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 385;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 386;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 387;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 388;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 389;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:38\D;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:39\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:3\D\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:4\w\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:5\w\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:6\w\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:7\w\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:8\w\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:9\w\w;' - - 
'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\D\w\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> r:\w\w\w\w+;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !InactivityTimeoutSecs;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs' + - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' + - id: 8018 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." 
@@ -278,25 +275,11 @@ checks: compliance: - cis: "2.3.7.7" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 1;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 2;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 3;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 4;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> 0F;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:1\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:2\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:3\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:4\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:5\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:6\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:7\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:8\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:9\w;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\D\w;' - - 
'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> r:\w\w\w+;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' + - id: 8019 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." 
@@ -305,10 +288,11 @@ checks: compliance: - cis: "2.3.7.9" - cis_csc: "16.5" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> 0;' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> !ScRemoveOption;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' + - id: 8020 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." 
@@ -317,10 +301,11 @@ checks: compliance: - cis: "2.3.8.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> !1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> !RequireSecuritySignature;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' + - id: 8021 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." 
@@ -329,9 +314,11 @@ checks: compliance: - cis: "2.3.8.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' + - id: 8022 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." 
@@ -340,9 +327,11 @@ checks: compliance: - cis: "2.3.8.3" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> !0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 1' + - id: 8023 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." 
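Review bot: The new value rule for check 8022 is inverted: `EnablePlainTextPassword -> 1` makes the check pass when the SMB redirector is allowed to send plaintext passwords, while the title and the removed rule (`-> !0`, which under the old negative semantics failed on anything but 0) both say the setting must be Disabled, i.e. value 0. With `condition: all` a hardened host now fails and an exposed host passes. The second rule should read `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'`, matching the pattern used by the sibling checks converted in this commit.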
@@ -351,21 +340,12 @@ checks: compliance: - cis: "2.3.9.1" - cis_csc: "3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:1\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:2\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:3\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:4\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:5\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:6\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:7\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:8\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:9\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\D\w;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:\w\w\w+;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !AutoDisconnect;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' + - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' + - id: 8024 title: "Ensure 'Microsoft network server: Digitally sign 
communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." @@ -374,10 +354,11 @@ checks: compliance: - cis: "2.3.9.2" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> !1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !RequireSecuritySignature;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' + - id: 8025 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." 
@@ -386,10 +367,11 @@ checks: compliance: - cis: "2.3.9.3" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> !1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !EnableSecuritySignature;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' + - id: 8026 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." @@ -398,9 +380,11 @@ checks: compliance: - cis: "2.3.9.4" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + - id: 8027 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." 
@@ -409,10 +393,11 @@ checks: compliance: - cis: "2.3.10.5" - cis_csc: "14, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 2;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' + - id: 8028 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'" description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." 
@@ -421,10 +406,11 @@ checks: compliance: - cis: "2.3.10.6" - cis_csc: "14.1, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> !r:lsarpc|netlogon|samr;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> !NullSessionPipes;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc|netlogon|samr' + - id: 8029 title: "Configure 'Network access: Remotely accessible registry paths'" description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." 
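Review bot: The value rule for check 8028, `NullSessionPipes -> r:lsarpc|netlogon|samr`, is an unanchored alternation, so any value that merely contains one of those names passes — including a list with additional anonymously reachable pipes — while the member-server state the description calls for (an empty list, optionally BROWSER) fails because an empty value matches none of the alternatives. The check therefore accepts the over-exposed case and rejects the hardened one. Anchoring the accepted entries, e.g. `r:^$|^lsarpc$|^netlogon$|^samr$|^browser$`, would reject unlisted pipes; the exact anchoring depends on how the agent renders a REG_MULTI_SZ value (one entry per line or a joined string), which should be confirmed against the SCA registry reader before changing the pattern.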
@@ -435,7 +421,9 @@ checks: - cis_csc: "14, 16" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' + - id: 8030 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." 
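Review bot: Check 8029 keeps `condition: any` (a context line here) while its rules were split into an existence rule and a value rule, so the check passes whenever `AllowedExactPaths -> Machine` exists, regardless of its contents, and the second rule never affects the result. Every other check converted in this commit switches to `condition: all`; this one needs the same change, `condition: all`. Separately, the value rule is an unanchored alternation of three paths, so a value holding only one of them, or those three plus extra remotely accessible paths, also passes; if the agent reports REG_MULTI_SZ entries one per line, anchoring each alternative (`^…$`) would make the match exact.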
@@ -444,9 +432,11 @@ checks: compliance: - cis: "2.3.10.8" - cis_csc: "14, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' + - id: 8031 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" description: "When enabled, this policy setting restricts anonymous 
access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." @@ -455,9 +445,11 @@ checks: compliance: - cis: "2.3.10.9" - cis_csc: "14, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> !1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' + - id: 8032 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." 
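Review bot: The value rule for check 8030 matches if any one of the thirteen benchmark paths appears anywhere in `AllowedPaths -> Machine`, so a value listing a single benchmark path alongside arbitrary extra remotely accessible registry paths still passes. The commit reverses the old `!r:` form but does not tighten it, so unlisted paths are never reported. Anchoring the alternatives per entry (e.g. `r:^Software\\Microsoft\\Windows NT\\CurrentVersion\\Print$|…`) would reject unlisted paths, assuming the agent renders REG_MULTI_SZ entries one per line — confirm that before changing the pattern.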
@@ -466,9 +458,10 @@ checks: compliance: - cis: "2.3.10.10" - cis_csc: "14, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.+;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$' - id: 8033 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." 
@@ -477,9 +470,11 @@ checks: compliance: - cis: "2.3.10.11" - cis_csc: "14, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 1;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' + - id: 8034 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." @@ -488,10 +483,11 @@ checks: compliance: - cis: "2.3.11.1" - cis_csc: "14, 16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> !1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !UseMachineId;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' + - id: 8035 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled." 
@@ -500,10 +496,11 @@ checks: compliance: - cis: "2.3.11.2" - cis_csc: "14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !allownullsessionfallback;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' + - id: 8036 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. 
The recommended state for this setting is: Disabled." @@ -512,9 +509,11 @@ checks: compliance: - cis: "2.3.11.3" - cis_csc: "16.9" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> !0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' + - id: 8037 title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting." 
@@ -523,9 +522,11 @@ checks: compliance: - cis: "2.3.11.4" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> !2147483644;' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' + - id: 8038 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." 
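Review bot: The value rule for check 8037, `SupportedEncryptionTypes -> 2147483644`, accepts only the mask that still includes RC4_HMAC_MD5 (0x7FFFFFFC); the description says the recommended state is AES128, AES256 and Future encryption types, with RC4 merely tolerated for scoring, so a host that has dropped RC4 (mask 2147483640, 0x7FFFFFF8) fails this check even though it is the stricter, benchmark-conformant configuration. Accept both masks, e.g. `-> r:^2147483640$|^2147483644$`, so that removing RC4 is not reported as a finding.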
@@ -534,9 +535,11 @@ checks: compliance: - cis: "2.3.11.5" - cis_csc: "16.14" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 0;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' + - id: 8039 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." 
@@ -545,9 +548,11 @@ checks: compliance: - cis: "2.3.11.6" - cis_csc: "16" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + - id: 8040 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." 
@@ -556,14 +561,11 @@ checks: compliance: - cis: "2.3.11.7" - cis_csc: "13" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 2;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 3;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 4;' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> !LmCompatibilityLevel;' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' + - id: 8041 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." 
@@ -572,9 +574,10 @@ checks:
 compliance:
 - cis: "2.3.11.8"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
 - id: 8042
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
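Review bot: The new value rule `LDAPClientIntegrity -> 1` passes only the 'Negotiate signing' value, yet the check's own description says that 'Require signing' (stored as the higher value 2) also conforms to the benchmark, so a host hardened to the stricter setting is reported as failing. The numeric comparison this commit already uses for LogFileSize expresses "or higher" directly: `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'`. The check's id, title and remediation lines sit above this hunk, outside the view.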
@@ -583,10 +586,11 @@ checks:
 compliance:
 - cis: "2.3.11.9"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> !537395200;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinClientSec;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
 - id: 8043
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
@@ -597,10 +601,11 @@ checks:
 - cis_csc: "13"
 references:
 - https://workbench.cisecurity.org/benchmarks/288
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> !537395200;'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> !NTLMMinServerSec;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
 - id: 8044
 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
 description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
@@ -609,9 +614,11 @@ checks:
 compliance:
 - cis: "2.3.13.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
+
 - id: 8045
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
@@ -619,9 +626,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
 - cis: "2.3.15.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
 - id: 8046
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
 description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
@@ -630,9 +639,11 @@ checks:
 compliance:
 - cis: "2.3.15.2"
 - cis_csc: "14.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
 - id: 8047
 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
 description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
@@ -641,10 +652,11 @@ checks:
 compliance:
 - cis: "2.3.17.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !FilterAdministratorToken;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
 - id: 8048
 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
 description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
@@ -653,9 +665,11 @@ checks:
 compliance:
 - cis: "2.3.17.2"
 - cis_csc: "16"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
+
 - id: 8049
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
 description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
@@ -664,11 +678,11 @@ checks:
 compliance:
 - cis: "2.3.17.3"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorAdmin;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
+
 - id: 8050
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
 description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
@@ -677,10 +691,11 @@ checks:
 compliance:
 - cis: "2.3.17.4"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !ConsentPromptBehaviorUser;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
 - id: 8051
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
@@ -689,10 +704,11 @@ checks:
 compliance:
 - cis: "2.3.17.5"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> !EnableInstallerDetection;'
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
 - id: 8052
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
 description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
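Review bot: Both new rules for EnableInstallerDetection point at `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, whose extra `MACHINE\` segment does not appear in any of the sibling UAC checks on this page (8047–8055 all use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`); it looks like a typo carried over from the removed lines. Under `condition: all` the existence rule has to match, so as far as I can tell this check now fails on every host whatever the actual setting, where before it silently never fired. Dropping the segment in both lines, `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'` and likewise for the `-> 1` rule, brings it in line with the neighbours.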
@@ -701,9 +717,11 @@ checks:
 compliance:
 - cis: "2.3.17.6"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
 - id: 8053
 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
 description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
@@ -712,9 +730,11 @@ checks:
 compliance:
 - cis: "2.3.17.7"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0'
+
 - id: 8054
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
 description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
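Review bot: In the second hunk on this line (check 8053, 'Run all administrators in Admin Approval Mode' must be Enabled) the new value rule is `EnableLUA -> 0`, so with `condition: all` the check is satisfied precisely when UAC is switched off — the opposite of its title. Every other conversion on this page flips the removed fail-value into the expected pass-value (ShutdownWithoutLogon 1→0, EnableUIADesktopToggle 1→0, EnableSecureUIAPaths 0→1 in the first hunk here), but this one kept the old `0`. The line should read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'`. This is the kind of inversion a quick rendered-scan comparison against a known-good host would catch before the policy ships.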
@@ -723,9 +743,11 @@ checks:
 compliance:
 - cis: "2.3.17.8"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
 - id: 8055
 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
 description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
@@ -733,9 +755,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
 - cis: "2.3.17.9"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+
 # Section 9.1 - Domain Profile
 - id: 8056
 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
@@ -745,10 +769,11 @@ checks:
 compliance:
 - cis: "9.1.1"
 - cis_csc: "9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
 - id: 8057
 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
@@ -757,10 +782,11 @@ checks:
 compliance:
 - cis: "9.1.2"
 - cis_csc: "9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
 - id: 8058
 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
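Review bot: The new rules for 8056 (first hunk on this line) consult only the Group Policy key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile`; the removed lines' second location under `SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile`, which holds the locally configured state, is gone, and `condition: all` requires the policy value to exist. A host whose firewall is on but was configured locally rather than by GPO will therefore now be reported as failing, which the commit message does not mention. The same narrowing is applied to 8057 through 8069 on the following lines, so it is presumably deliberate; a one-line comment above the first affected rules block, such as `# Only the GPO-managed key is evaluated; locally configured firewall state is not accepted`, would keep a later maintainer from re-adding the fallback path and from reading the new failures as a regression.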
@@ -769,10 +795,11 @@ checks:
 compliance:
 - cis: "9.1.3"
 - cis_csc: "9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
 - id: 8059
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -782,10 +809,9 @@ checks:
 - cis: "9.1.4"
 condition: any
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> !DisableNotifications;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> !DisableNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
 - id: 8060
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
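Review bot: `condition: any` survives as an unchanged context line in this hunk (check 8059) while every other check on this page is switched to `condition: all`, so with the new existence-plus-value pair the check passes the moment `DisableNotifications` exists, whatever it holds — the `-> 1` rule never has to match, and a host showing notifications (value 0) is reported compliant. Change the context line to `condition: all` so both rules must hold, as 8060 below and the Private-profile twin 8067 already do. The check's id and title lines are above this hunk, outside the view.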
@@ -794,10 +820,11 @@ checks:
 compliance:
 - cis: "9.1.5"
 - cis_csc: "6.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
+
 - id: 8061
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
@@ -806,20 +833,11 @@ checks:
 compliance:
 - cis: "9.1.6"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:(\d+) compare >= 16384'
+
 - id: 8062
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
@@ -828,10 +846,11 @@ checks:
 compliance:
 - cis: "9.1.7"
 - cis_csc: "6.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
 - id: 8063
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
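Review bot: The LogFileSize rule for 8061 (the hunk that starts on the previous line) writes `n:(\d+) compare >= 16384` without an anchor, whereas its Private-profile twin 8069 at the bottom of this page writes `n:^(\d+) compare >= 16384`; the two checks verify the same benchmark value and should use the same expression so they behave identically on whatever the value looks like when read back. Replacing the numeric-range regex ladder with a comparison is the right move, so I would just align on the anchored form: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'`.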
@@ -840,10 +859,11 @@ checks:
 compliance:
 - cis: "9.1.8"
 - cis_csc: "6.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
 # Section 9.2 - Private Profile
 - id: 8064
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
@@ -853,10 +873,11 @@ checks:
 compliance:
 - cis: "9.2.1"
 - cis_csc: "9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
 - id: 8065
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
@@ -865,10 +886,11 @@ checks:
 compliance:
 - cis: "9.2.2"
 - cis_csc: "9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
 - id: 8066
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
@@ -877,10 +899,11 @@ checks:
 compliance:
 - cis: "9.2.3"
 - cis_csc: "9.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 1;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
 - id: 8067
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
@@ -888,10 +911,11 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: "9.2.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 0;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
 - id: 8068
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
@@ -900,10 +924,10 @@ checks:
 compliance:
 - cis: "9.2.5"
 - cis_csc: "6.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
+
 - id: 8069
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
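Review bot: Check 8068 is the only converted check on this page that keeps a single value rule without the matching existence rule that its Domain-profile twin 8060 and every other rewritten check pair it with. Under `condition: all` the outcome is the same, so this is a matter of style rather than correctness, but the asymmetry reads as an accidental omission and makes the two LogFilePath checks harder to diff against each other. Adding `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'` ahead of the value rule restores the pattern.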
@@ -912,20 +936,11 @@ checks: compliance: - cis: "9.2.6" - cis_csc: "6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' 
+ - id: 8070 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -934,10 +949,11 @@ checks: compliance: - cis: "9.2.7" - cis_csc: "6.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1' + - id: 8071 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." 
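Review bot: The numeric rule added for LogFileSize, `n:^(\d+) compare >= 16384`, assumes the REG_DWORD is reported in decimal, but the rules it replaces matched hexadecimal shapes (`r:\w`, `r:\w\w`, `r:\w\w\w`, `r:1\w\w\w` … `r:3\w\w\w`, i.e. everything below 0x4000 = 16384), which suggests the previous engine rendered the value in hex. If the new SCA engine still does, a compliant 0x4000 is read as 4000 and fails, and for the same reason the `compare <= 90` on WarningLevel in the `@@ -1229` hunk (whose removed rules listed `5B` … `5F`) would accept a value of 0x64. The value representation should be confirmed against the agent before merging, and the same question applies to the public-profile LogFileSize rule in the `@@ -1042` hunk. Check 8069's id and title lie above this hunk.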
@@ -946,10 +962,11 @@ checks: compliance: - cis: "9.2.8" - cis_csc: "6.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' + # Sectin 9.3 - Public Profile - id: 8072 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'" @@ -959,10 +976,11 @@ checks: compliance: - cis: "9.3.1" - cis_csc: "9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' + - id: 8073 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)" 
@@ -971,10 +989,11 @@ checks: compliance: - cis: "9.3.2" - cis_csc: "9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' + - id: 8074 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." 
@@ -983,21 +1002,24 @@ checks: compliance: - cis: "9.3.3" - cis_csc: "9.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 1;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' + - id: 8075 - title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No." rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall." 
remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification" compliance: - cis: "9.3.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0' + + - id: 8076 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." 
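Review bot: Check 8075 now carries a title of 'Yes' and a rule requiring `DisableNotifications -> 0` (notifications shown), yet the untouched `description` still ends with "The recommended state for this setting is: No." and the `remediation` still instructs the operator to set the UI path to 'No'; an operator who follows the remediation as written now produces a failing check. Whichever value is intended, title, description, remediation and rule should agree within the same commit: if 'Yes' is right, change the two sentences to say Yes; if 'No' is right, revert the title and make the second rule `DisableNotifications -> 1`, matching the private-profile counterpart in the `@@ -888` hunk. Check 8074 at the top of this hunk is internally consistent (title 'Allow (default)', rule `DefaultOutboundAction -> 0`).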
@@ -1006,10 +1028,11 @@ checks: compliance: - cis: "9.3.5" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0' + - id: 8077 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No." @@ -1018,10 +1041,11 @@ checks: compliance: - cis: "9.3.6" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' + - id: 8078 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." 
@@ -1030,10 +1054,11 @@ checks: compliance: - cis: "9.3.7" - cis_csc: "6.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog' + - id: 8079 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." 
@@ -1042,20 +1067,11 @@ checks: compliance: - cis: "9.3.8" - cis_csc: "6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' + - id: 8080 
title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -1064,10 +1080,11 @@ checks: compliance: - cis: "9.3.9" - cis_csc: "6.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1' + - id: 8081 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." 
@@ -1076,10 +1093,11 @@ checks: compliance: - cis: "9.3.10" - cis_csc: "6.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 0;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1' + # Section 18.1 - Control Panel - id: 8082 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" 
@@ -1088,10 +1106,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). " compliance: - cis: "18.1.1.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenCamera;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1' + - id: 8083 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." 
@@ -1099,10 +1118,11 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: "18.1.1.2" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> !NoLockScreenSlideshow;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' + # Section 18.3 - MS Security Guide - id: 8084 title: "Ensure 'WDigest Authentication' is set to 'Disabled'" @@ -1116,9 +1136,11 @@ checks: - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0' + # Section 18.4 - MSS (Legacy) - id: 8085 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" 
@@ -1131,9 +1153,11 @@ checks: references: - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> !0;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' + - id: 8086 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." 
@@ -1144,10 +1168,11 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> !2;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> !DisableIPSourceRouting;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' + - id: 8087 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." 
@@ -1158,10 +1183,11 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> !2;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !DisableIPSourceRouting;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2' + - id: 8088 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." 
@@ -1172,10 +1198,11 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 1;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> !EnableICMPRedirect;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0' + - id: 8089 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." 
@@ -1186,9 +1213,11 @@ checks: - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1' + - id: 8090 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." 
@@ -1199,9 +1228,11 @@ checks: - cis_csc: "8" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 0;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1' + - id: 8091 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." 
@@ -1212,13 +1243,11 @@ checks: - cis_csc: "16.5" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 6;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 7;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 8;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> 9;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> r:\w\w+;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5' + - id: 8092 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." 
@@ -1229,20 +1258,11 @@ checks: - cis_csc: "6.3" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5B;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5C;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5D;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5E;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> 5F;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> !WarningLevel;' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90' + # Section 18.5 - Network - id: 8093 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" 
@@ -1252,10 +1272,11 @@ checks: compliance: - cis: "18.5.11.2" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_AllowNetBridge_NLA;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1' + - id: 8094 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." @@ -1264,10 +1285,11 @@ checks: compliance: - cis: "18.5.11.3" - cis_csc: "5.1" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> !1;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> !NC_StdDomainUserSetLocation;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' + - id: 8095 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." 
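Review bot: The new value rule for check 8093, `NC_AllowNetBridge_NLA -> 1`, passes hosts on which Network Bridge is allowed, the opposite of the title 'Prohibit installation and configuration of Network Bridge … is set to Enabled': the value name is the "Allow" form of the setting, and enabling the prohibit policy writes it as 0, which is also why the removed rule grouped `-> 1` with the missing-value case `!NC_AllowNetBridge_NLA`. The second rule should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'`. Check 8094 in the following hunk (`NC_StdDomainUserSetLocation -> 1`) is correct as written.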
@@ -1276,9 +1298,11 @@ checks: compliance: - cis: "18.5.21.1" - cis_csc: "12" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> !1;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1' + # Section 18.8 - System - id: 8096 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" 
@@ -1288,9 +1312,11 @@ checks:
compliance:
- cis: "18.8.3.1"
- cis_csc: "16.14"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
+
- id: 8097
title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
@@ -1299,9 +1325,11 @@ checks:
compliance:
- cis: "18.8.14.1"
- cis_csc: "8"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> !3;'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
- id: 8098
title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
@@ -1310,10 +1338,11 @@ checks:
compliance:
- cis: "18.8.21.2"
- cis_csc: "3.7"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoBackgroundPolicy;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
- id: 8099
title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
@@ -1322,10 +1351,11 @@ checks:
compliance:
- cis: "18.8.21.3"
- cis_csc: "3.7"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> !NoGPOListChanges;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
- id: 8100
title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
@@ -1334,9 +1364,11 @@ checks:
compliance:
- cis: "18.8.21.4"
- cis_csc: "3.7"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
+
- id: 8101
title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
@@ -1345,10 +1377,11 @@ checks:
compliance:
- cis: "18.8.27.1"
- cis_csc: "5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontDisplayNetworkSelectionUI;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
- id: 8102
title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
@@ -1357,10 +1390,11 @@ checks:
compliance:
- cis: "18.8.27.2"
- cis_csc: "16.9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DontEnumerateConnectedUsers;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
- id: 8103
title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
@@ -1369,9 +1403,11 @@ checks:
compliance:
- cis: "18.8.27.3"
- cis_csc: "16.9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
- id: 8104
title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
@@ -1380,10 +1416,11 @@ checks:
compliance:
- cis: "18.8.27.4"
- cis_csc: "16.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !DisableLockScreenAppNotifications;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
- id: 8105
title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
@@ -1392,9 +1429,10 @@ checks:
compliance:
- cis: "18.8.27.6"
- cis_csc: "16.5"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
- id: 8106
title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
@@ -1403,9 +1441,11 @@ checks:
compliance:
- cis: "18.8.35.1"
- cis_csc: "9.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
- id: 8107
title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
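Review bot: The first hunk here (`-1392,9 +1429,10`) does not add the blank separator line after `'... -> AllowDomainPINLogon -> 0'` that every other check in this diff receives before its next `- id:`, so check 8105 and 8106 end up butted together while their neighbours are spaced; the last hunk of this section (`-1695,10 +1728,10`, after `fDisableCdm -> 1`) has the same omission. Adding the blank `+` line in both places keeps the check spacing uniform across the file.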
@@ -1414,10 +1454,11 @@ checks:
compliance:
- cis: "18.8.35.2"
- cis_csc: "5.1"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fAllowToGetHelp;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
# Section 18.9 - Windows Components
- id: 8108
title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
@@ -1427,10 +1468,11 @@ checks:
compliance:
- cis: "18.9.6.1"
- cis_csc: "16.9"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !MSAOptional;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
- id: 8109
title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
@@ -1439,10 +1481,11 @@ checks:
compliance:
- cis: "18.9.8.1"
- cis_csc: "8.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> !NoAutoplayfornonVolume;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
- id: 8110
title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
@@ -1451,10 +1494,11 @@ checks:
compliance:
- cis: "18.9.8.2"
- cis_csc: "8.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> !NoAutorun;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
- id: 8111
title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
@@ -1463,10 +1507,11 @@ checks:
compliance:
- cis: "18.9.8.3"
- cis_csc: "8.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> !ff;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> !NoDriveTypeAutoRun;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255'
+
- id: 8112
title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
@@ -1475,10 +1520,11 @@ checks:
compliance:
- cis: "18.9.15.1"
- cis_csc: "16"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> !DisablePasswordReveal;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
- id: 8113
title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
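Review bot: Both new `NoDriveTypeAutoRun` rules in the first hunk keep the pre-existing `...\Policies\Explorer-> NoDriveTypeAutoRun` with no space before `->`, whereas every other rule in this file separates key, value name and expected value with a spaced ` -> `. If the rule parser splits on that spaced token, the registry key being opened here is the literal string `...\Policies\Explorer-> NoDriveTypeAutoRun`, which does not exist, so check 8111 would fail on every host regardless of the real AutoPlay setting; the fix is `'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'` and the same spacing on the existence rule above it. The expected value also moves from `ff` to decimal `255`, which matches the decimal `compare` thresholds introduced for the MaxSize checks later in this diff, but it is worth confirming against the agent that DWORD values are rendered in decimal before relying on it.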
@@ -1487,9 +1533,11 @@ checks:
compliance:
- cis: "18.9.15.2"
- cis_csc: "16"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
- id: 8114
title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
@@ -1498,9 +1546,11 @@ checks:
compliance:
- cis: "18.9.26.1.1"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
- id: 8115
title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
@@ -1509,20 +1559,11 @@ checks:
compliance:
- cis: "18.9.26.1.2"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:0\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:4\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:5\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:6\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:7\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> !MaxSize;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
- id: 8116
title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. 
Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
@@ -1531,9 +1572,11 @@ checks:
compliance:
- cis: "18.9.26.2.1"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
- id: 8117
title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
@@ -1542,16 +1585,11 @@ checks:
compliance:
- cis: "18.9.26.2.2"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:0\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:1\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:2\w\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> !MaxSize;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
- id: 8118
title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
@@ -1560,9 +1598,11 @@ checks:
compliance:
- cis: "18.9.26.3.1"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
- id: 8119
title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
@@ -1571,20 +1611,11 @@ checks:
compliance:
- cis: "18.9.26.3.2"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:0\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:4\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:5\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:6\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:7\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> !MaxSize;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
- id: 8120
title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
@@ -1593,9 +1624,11 @@ checks:
compliance:
- cis: "18.9.26.4.1"
- cis_csc: "6.3"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
- id: 8121
title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
@@ -1606,18 +1639,9 @@ checks:
- cis_csc: "6.3"
condition: any
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:0\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:1\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:2\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:3\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:4\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:5\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:6\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:7\w\w\w;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> !MaxSize;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
- id: 8122
title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
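Review bot: `condition: any` is left as an unchanged context line in this hunk, while the three sibling MaxSize checks for the Application, Security and Setup logs (8115, 8117, 8119) were switched to `condition: all` in the same diff. With `any`, the new existence rule `'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'` alone satisfies check 8121, so a System log configured to any size below 32,768 KB still passes and the `n:^(\d+) compare >= 32768` rule never decides the outcome. Change that line to `condition: all` to match the siblings; the check's `id` and `compliance` lines start above this hunk.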
@@ -1626,9 +1650,11 @@ checks:
compliance:
- cis: "18.9.30.2"
- cis_csc: "8.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
- id: 8123
title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
@@ -1637,9 +1663,11 @@ checks:
compliance:
- cis: "18.9.30.3"
- cis_csc: "8.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
- id: 8124
title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
@@ -1648,9 +1676,11 @@ checks:
compliance:
- cis: "18.9.30.4"
- cis_csc: "8.4"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
- id: 8125
title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
@@ -1659,10 +1689,11 @@ checks:
compliance:
- cis: "18.9.52.1"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> !DisableFileSyncNGSC;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
- id: 8126
title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
@@ -1671,10 +1702,11 @@ checks:
compliance:
- cis: "18.9.52.2"
- cis_csc: "13"
- condition: any
+ condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> !DisableFileSync;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
+
- id: 8127
title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
@@ -1683,10 +1715,11 @@ checks:
 compliance:
 - cis: "18.9.58.2.2"
 - cis_csc: "16.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !DisablePasswordSaving;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
 - id: 8128
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
@@ -1695,10 +1728,10 @@ checks:
 compliance:
 - cis: "18.9.58.3.3.2"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fDisableCdm;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
 - id: 8129
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
@@ -1707,10 +1740,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.9.1"
 - cis_csc: "16.14"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fPromptForPassword;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
 - id: 8130
 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
 description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
@@ -1719,10 +1753,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.9.2"
 - cis_csc: "3.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> !fEncryptRPCTraffic;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
 - id: 8131
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
@@ -1731,9 +1766,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.9.3"
 - cis_csc: "3.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> !3;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
 - id: 8132
 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
 description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
@@ -1742,9 +1779,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.11.1"
 - cis_csc: "14.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
 - id: 8133
 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
 description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
@@ -1753,9 +1792,11 @@ checks:
 compliance:
 - cis: "18.9.58.3.11.2"
 - cis_csc: "14.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
 - id: 8134
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
@@ -1764,10 +1805,11 @@ checks:
 compliance:
 - cis: "18.9.59.1"
 - cis_csc: "7.2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> !DisableEnclosureDownload;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
 - id: 8135
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
@@ -1776,9 +1818,11 @@ checks:
 compliance:
 - cis: "18.9.60.2"
 - cis_csc: "13.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
 - id: 8136
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
@@ -1787,10 +1831,11 @@ checks:
 compliance:
 - cis: "18.9.80.1.1"
 - cis_csc: "2"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> !2;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> !EnableSmartScreen;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
+
 - id: 8137
 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
 description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
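Review bot: The value required by the second hunk for EnableSmartScreen does not obviously match the title of check 8136, which sits just above the hunk: the rule now requires `-> EnableSmartScreen -> 2`, whereas in the benchmark revisions that call the option 'Warn and prevent bypass' the expected registry state is EnableSmartScreen = 1 together with ShellSmartScreenLevel = Block, and 2 was the older 'require approval from an administrator' option. If this file tracks the newer revision, the check would fail compliant hosts and pass the legacy setting. Confirm the intended value against the benchmark version the policy follows and, if the newer one applies, add a rule for ShellSmartScreenLevel under the same `condition: all`.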
@@ -1799,9 +1844,11 @@ checks:
 compliance:
 - cis: "18.9.81.2.1"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> !1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
+
 - id: 8138
 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
 description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
@@ -1810,10 +1857,11 @@ checks:
 compliance:
 - cis: "18.9.81.3"
 - cis_csc: "13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> !AutoApproveOSDumps;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
+
 - id: 8139
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
@@ -1822,9 +1870,11 @@ checks:
 compliance:
 - cis: "18.9.85.1"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
 - id: 8140
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
@@ -1833,9 +1883,11 @@ checks:
 compliance:
 - cis: "18.9.85.2"
 - cis_csc: "5.1"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
 - id: 8141
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
@@ -1844,10 +1896,11 @@ checks:
 compliance:
 - cis: "18.9.86.1"
 - cis_csc: "16.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> !DisableAutomaticRestartSignOn;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
 - id: 8142
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
@@ -1856,10 +1909,11 @@ checks:
 compliance:
 - cis: "18.9.95.1"
 - cis_csc: "16.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> !EnableScriptBlockLogging;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
+
 - id: 8143
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
@@ -1868,9 +1922,11 @@ checks:
 compliance:
 - cis: "18.9.95.2"
 - cis_csc: "16.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
+
 - id: 8144
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
@@ -1879,9 +1935,11 @@ checks:
 compliance:
 - cis: "18.9.97.1.1"
 - cis_csc: "16.13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
 - id: 8145
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
@@ -1890,9 +1948,11 @@ checks:
 compliance:
 - cis: "18.9.97.1.2"
 - cis_csc: "16.13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
 - id: 8146
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
@@ -1901,10 +1961,11 @@ checks:
 compliance:
 - cis: "18.9.97.1.3"
 - cis_csc: "16.13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> !AllowDigest;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
 - id: 8147
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
@@ -1913,9 +1974,11 @@ checks:
 compliance:
 - cis: "18.9.97.2.1"
 - cis_csc: "16.13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
 - id: 8148
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
@@ -1924,9 +1987,11 @@ checks:
 compliance:
 - cis: "18.9.97.2.3"
 - cis_csc: "16.13"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
 - id: 8149
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
@@ -1935,10 +2000,11 @@ checks:
 compliance:
 - cis: "18.9.97.2.4"
 - cis_csc: "16.4"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> !DisableRunAs;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
 - id: 8150
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement.
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
@@ -1947,10 +2013,11 @@ checks:
 compliance:
 - cis: "18.9.101.2"
 - cis_csc: "4.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> !1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !NoAutoUpdate;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
+
 - id: 8151
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
 description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
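Review bot: The expected value in the NoAutoUpdate rules of the `@@ -1947,10 +2013,11 @@` hunk has the wrong polarity for the check it belongs to (id 8150, whose title 'Configure Automatic Updates' is set to 'Enabled' sits above this hunk): Enabled corresponds to NoAutoUpdate = 0, while 1 is what the Disabled state writes, so `-> NoAutoUpdate -> 1` passes precisely the hosts the control is meant to flag. The removed rule carried the same expectation, so the commit preserves the inversion rather than introducing it. Change the second added rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'`, after confirming the value against the benchmark revision this policy tracks.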
@@ -1959,10 +2026,11 @@ checks:
 compliance:
 - cis: "18.9.101.3"
 - cis_csc: "4.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> !0;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> !ScheduledInstallDay;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
 - id: 8152
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
@@ -1971,6 +2039,7 @@ checks:
 compliance:
 - cis: "18.9.101.4"
 - cis_csc: "4.5"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> !0;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
From cb524cc63f9cb2618b79024c747d07fb30f93c12 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 5 Jun 2019 13:36:14 +0200 Subject: [PATCH 045/247] Fix some rules
---
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 392 ++++++++++----------
 1 file changed, 198 insertions(+), 194 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 38b75a0d1..6700e1e8e 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -194,8 +194,8 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
- - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> !r:^0$'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:(\d+) <= 900'
+ - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
 - id: 12013
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
@@ -208,8 +208,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:(\d+) compare => 5'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:(\d+) compare <= 14'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14'
 - id: 12014
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
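Review bot: The merged PasswordExpiryWarning rule in the second hunk keeps the `compare => 5` spelling of the lower bound, while the rest of this commit writes the operator as `>=` (for example the SMBServerNameHardeningLevel rule, `compare >= 1`). Unless the SCA parser accepts both spellings, the lower bound silently never matches and the range check collapses to `<= 14`; please verify which spellings the numeric comparison accepts and use the one spelling consistently, i.e. `... -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14`. The `=>` form was already present in the removed line, so the commit carries it over rather than introducing it.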
@@ -275,7 +274,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> r:^\d$|^a$|^b$|^c$|^d$|^e$|^f$'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
 - id: 12019
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
@@ -302,6 +301,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
 - id: 12021
 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
 description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
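Review bot: The replacement AutoDisconnect rule in the first hunk only accepts decimal digits (`n:^(\d+) compare <= 15`), but the rule it replaces matched `^\d$|^a$|^b$|^c$|^d$|^e$|^f$`, i.e. a single hexadecimal digit, which suggests the agent may report this DWORD in hex. If that is how the value arrives, a stored value of 15 minutes would be read as `f` and fail the numeric check, while a value such as `1a` (26) would be parsed as 1 and pass. Confirm how the agent renders DWORD registry values before relying on the decimal comparison, and document the expected representation in a comment next to the rule.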
@@ -326,7 +326,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
 - id: 12023
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
@@ -404,7 +404,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
 - id: 12029
 title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
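Review bot: The rewritten AllowedExactPaths rule in the second hunk passes as soon as the value contains any one of the three alternatives, because `r:A|B|C` is an unanchored alternation; it does not establish that every expected path is present, nor that no additional path has been added, which is what the control describes. The AllowedPaths rule in the next hunk (`@@ -417,7 +417,7 @@`) has the same shape. How the agent exposes this REG_MULTI_SZ value is not visible here; if it is flattened into one string, one rule per required path under the existing `condition: all` (for example `- 'r:... -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions'`) would express the requirement more faithfully, so confirm the representation first.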
@@ -417,7 +417,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> !r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog'
 - id: 12030
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
@@ -457,6 +457,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None'
+
 - id: 12033
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
@@ -546,6 +547,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + - id: 12040 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM" 
@@ -818,7 +820,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4' - - id: 12061 title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)." @@ -857,6 +858,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4' + - id: 12064 title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled." @@ -1039,8 +1041,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> EnableFirewall -> 1' - id: 12078 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" 
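Review bot: Dropping the `SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile` rules in the `@@ -1039` hunk (the check preceding id 12078) means the check now passes only when the firewall state is delivered through the policy key under `SOFTWARE\Policies\Microsoft\WindowsFirewall`; a host whose firewall is on through local configuration alone will be reported as failing. If that is deliberate, presumably to follow the CIS audit path that reads the policy key, a one-line comment above the check such as `# Only the Group Policy key is evaluated; locally configured firewall state is not accepted` would stop the next maintainer from re-adding the fallback, and the policy description could say the same. The same removal is made for ids 12078 through 12102 (Domain, Private and Public profiles) in the following hunks; the comment need only appear once at the start of the firewall section.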
@@ -1054,8 +1054,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultInboundAction -> 1' - id: 12079 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" @@ -1069,8 +1067,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DefaultOutboundAction -> 0' - id: 12080 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" 
@@ -1083,9 +1079,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> DisableNotifications -> 0' -#TODO + - id: 12081 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log" @@ -1094,11 +1088,11 @@ checks: compliance: - cis: "9.1.5" - cis_csc: "6.2, 6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' -#TODO + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' + - id: 12082 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." 
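Review bot: The value regex kept on the new side for id 12081, `r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog`, accepts any `*.log` under the firewall folder while the title requires `domainfw.log`, so a profile pointed at another profile's log would pass; its escaping is also inconsistent, since `\\system32` and `\\w+` use the doubled backslash that the registry-path regexes elsewhere in this file use for a literal backslash, while `\logfiles` and `\firewall` use a single one. If `\\` is the literal-backslash escape here, `\\w+` matches a run of the letter w rather than a file name; a pinned form such as `r:\psystemroot\p\\system32\\logfiles\\firewall\\domainfw\plog` is worth testing against a real `LogFilePath` value, and if any name in that folder is acceptable the title and description should say so. The same applies to ids 12089 (`privatefw.log`, `@@ -1216`) and 12099 (`publicfw.log`, `@@ -1365`).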
@@ -1109,18 +1103,9 @@ checks: - cis_csc: "6.3, 6.4" condition: any rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogFileSize -> r:3\w\w\w;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' + - id: 12083 title: "Ensure 'Windows Firewall: Domain: 
Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -1133,8 +1118,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogDroppedPackets -> 1' - id: 12084 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" @@ -1148,8 +1131,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging -> LogSuccessfulConnections -> 1' - id: 12085 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" 
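Review bot: In the id 12082 hunk (`@@ -1109`) `condition: any` is kept as context while the rules become an existence rule plus `n:^(\d+) compare >= 16384`; with `any`, the mere presence of `LogFileSize` satisfies the check and the size comparison never matters. The Private and Public counterparts (ids 12090 at `@@ -1229` and 12100 at `@@ -1379`) switch the same line to `condition: all` in this patch, so this one looks like an omission: change the line to `condition: all`.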
@@ -1163,8 +1144,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> EnableFirewall -> 1' + - id: 12086 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." 
@@ -1177,8 +1157,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultInboundAction -> 1' + - id: 12087 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." 
@@ -1187,12 +1166,10 @@ checks: compliance: - cis: "9.2.3" - cis_csc: "9.2, 9.4" - condition: All + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DefaultOutboundAction -> 0' - id: 12088 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" @@ -1205,9 +1182,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> DisableNotifications -> 1' -#TODO + - id: 12089 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log." 
@@ -1216,11 +1191,11 @@ checks: compliance: - cis: "9.2.5" - cis_csc: "6.2, 6.3" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' -#TODO + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' + - id: 12090 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." 
@@ -1229,20 +1204,11 @@ checks: compliance: - cis: "9.2.6" - cis_csc: "6.3, 6.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogFileSize -> r:3\w\w\w;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 
16384' + - id: 12091 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -1255,8 +1221,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogDroppedPackets -> 1' - id: 12092 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" 
@@ -1270,8 +1234,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging -> LogSuccessfulConnections -> 1' + - id: 12093 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." @@ -1284,8 +1247,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> EnableFirewall -> 1' + - id: 12094 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." 
@@ -1298,8 +1260,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultInboundAction -> 1' + - id: 12095 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." 
@@ -1312,8 +1273,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DefaultOutboundAction -> 0' + - id: 12096 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No" 
@@ -1325,8 +1285,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> DisableNotifications -> 1' + - id: 12097 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." @@ -1339,8 +1298,6 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalPolicyMerge -> 0' - id: 12098 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" 
@@ -1354,9 +1311,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' -#TODO + - id: 12099 title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." 
@@ -1365,12 +1320,11 @@ checks: compliance: - cis: "9.3.7" - cis_csc: "6.2, 6.3" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog;' -#TODO - id: 12100 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." 
@@ -1379,20 +1333,11 @@ checks: compliance: - cis: "9.3.8" - cis_csc: "6.3, 6.4" - condition: any + condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:1\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:2\w\w\w;' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogFileSize -> r:3\w\w\w;' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' + - id: 
12101 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." @@ -1403,8 +1348,9 @@ checks: - cis_csc: "6.2, 6.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogDroppedPackets -> 1' + - id: 12102 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." @@ -1415,8 +1361,8 @@ checks: - cis_csc: "6.2, 6.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging -> LogSuccessfulConnections -> 1' # 18 Administrative templates (Computer) - id: 12103 
@@ -1442,6 +1388,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' + - id: 12105 title: "Ensure 'Allow input personalization' is set to 'Disabled'" description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled." @@ -1465,7 +1412,8 @@ checks: - cis_csc: "16.9" condition: all rules: - - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll' - id: 12107 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" 
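Review bot: The new value rule in the `@@ -1465` hunk pins `DllName` to the literal `C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll`, so a LAPS CSE registered from another system drive or a relocated Program Files directory fails the check although the extension is installed. Matching on the module name, e.g. `-> r:AdmPwd\pdll$`, would be more robust; the exact-path form is reasonable if the intent is to also verify the install location, in which case a comment above the rule saying so would help. The check's id and title are above the hunk.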
@@ -1479,6 +1427,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1' + - id: 12108 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
@@ -1513,15 +1462,10 @@ checks:
 compliance:
 - cis: "18.2.5"
 - cis_csc: "5.7"
- condition: none
+ condition: all
 rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^\d$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^a$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^b$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^c$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^d$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:^e$'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
 - id: 12111
 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
@@ -1533,18 +1477,9 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:1F|1f'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:2\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:3\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:4\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:5\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:6\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:7\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:8\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:9\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\D\w'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> r:\w\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) <= 30'
+
 - id: 12112
 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
 description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons.
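Review bot: The new PasswordAgeDays numeric rule is missing the `compare` keyword: it reads `n:^(\d+) <= 30`, whereas every other numeric rule in this diff (PasswordLength, ScreenSaverGracePeriod, WarningLevel) is written `n:^(\d+) compare <op> <value>`; as written the operator is presumably not parsed and the rule will either be rejected at load time or never match, so the line should be `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'`. Separately, the rules removed here and in the PasswordLength (cis 18.2.5) and WarningLevel (check 12125, cis 18.4.13) hunks were written against hexadecimal representations of the DWORD (`1F|1f`, `^a$`…`^e$`, `5B|5b`), and the unchanged NoDriveTypeAutoRun rule further down still compares against `ff`. If the agent reports DWORD values in hex, `^(\d+)` silently compares the wrong number (hex `64`, i.e. 100, passes `<= 90`, and `1f` never matches at all), so the decimal compares in these three hunks should be verified against what the scanner actually emits before this replaces the old matching.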
Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1." @@ -1583,6 +1518,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0' + - id: 12115 title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled." @@ -1595,6 +1531,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0' + - id: 12116 title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'" description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware." 
@@ -1633,6 +1570,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' + - id: 12119 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." @@ -1671,6 +1609,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0' + - id: 12122 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." 
@@ -1681,7 +1620,9 @@ checks: - cis_csc: "9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1' + - id: 12123 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." 
@@ -1692,7 +1633,9 @@ checks: - cis_csc: "8" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1' + - id: 12124 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds" @@ -1703,7 +1646,8 @@ checks: - cis_csc: "16.5" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:(\d+) compare <= 5' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5' - id: 12125 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" 
@@ -1713,20 +1657,11 @@ checks: compliance: - cis: "18.4.13" - cis_csc: "6.3, 6.4" - condition: none - rules: - - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5B|5b' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5C|5c' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5D|5d' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5E|5e' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:5F|5f' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:6\w' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:7\w' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:8\w' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:9\w' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\D\w' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> r:\w\w\w+' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90' + - id: 12126 title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')" description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS). 
 An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)." @@ -1739,6 +1674,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2' + - id: 12127 title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'" description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled." @@ -1751,6 +1687,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0' + - id: 12128 title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'" description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled." 
@@ -1802,7 +1739,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' -#TODO + - id: 12132 title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'" description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing" 
@@ -1811,10 +1748,13 @@ checks:
 compliance:
 - cis: "18.5.14.1"
 - cis_csc: "3"
- condition: any
+ condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> !r:RequireMutualAuthentication=1, RequireIntegrity=1;'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> !r:RequireMutualAuthentication=1, RequireIntegrity=1;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+
 - id: 12133
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
 description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled."
@@ -1827,6 +1767,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
+
 - id: 12134
 title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
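Review bot: The value regexes for the two HardenedPaths entries require the exact text `RequireMutualAuthentication=1, RequireIntegrity=1`, so a value written with the flags in the other order or without the space after the comma fails the check even though the hardening is in place; as far as I know this policy value is a free-form comma-separated list, so neither order nor spacing is guaranteed. Since the condition is now `all`, the order-independent form is two rules per entry, e.g. for NETLOGON `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireMutualAuthentication=1'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireIntegrity=1'`, and the same pair for SYSVOL. The switch from `any` with negated regexes to `all` with positive ones is the right direction; this only tightens what "present" means.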
@@ -1852,6 +1793,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0' + - id: 12136 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled." 
@@ -1877,6 +1819,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1' + - id: 12138 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." 
@@ -1889,6 +1832,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3' + - id: 12139 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" description: "The \"Do not apply during periodic background processing\" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart." @@ -1901,6 +1845,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' + - id: 12140 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" description: "The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed." @@ -1913,6 +1858,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0' + - id: 12141 title: "Ensure 'Continue experiences on this device' is set to 'Disabled'" description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences)." 
@@ -1925,6 +1871,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0' + - id: 12142 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers." @@ -1937,6 +1884,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' + - id: 12143 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application." @@ -1949,6 +1897,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' + - id: 12144 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards." 
@@ -1961,6 +1910,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' + - id: 12145 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet." @@ -1973,6 +1923,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' + - id: 12146 title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen." @@ -1985,6 +1936,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1' + - id: 12147 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen." @@ -1997,6 +1949,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' + - id: 12148 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" description: "This policy setting prevents connected users from being enumerated on domain-joined computers." 
@@ -2009,6 +1962,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' + - id: 12149 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" description: "This policy setting allows local users to be enumerated on domain-joined computers." @@ -2021,6 +1975,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' + - id: 12150 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" description: "This policy setting allows you to prevent app notifications from appearing on the lock screen." @@ -2033,6 +1988,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' + - id: 12151 title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'" description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled." 
@@ -2045,6 +2001,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1' + - id: 12152 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work." @@ -2057,6 +2014,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' + - id: 12153 title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems." @@ -2069,6 +2027,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0' + - id: 12154 title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems." 
@@ -2081,6 +2040,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0' + - id: 12155 title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" description: "Dictates whether or not Windows is allowed to use standby states when sleeping the computer." @@ -2093,6 +2053,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' + - id: 12156 title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep." @@ -2105,6 +2066,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' + - id: 12157 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests." 
@@ -2117,6 +2079,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' + - id: 12158 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer." @@ -2129,6 +2092,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' + - id: 12159 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers." 
@@ -2141,6 +2105,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' + - id: 12160 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'" 
@@ -2153,6 +2118,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' + - id: 12161 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it" @@ -2165,6 +2131,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' + - id: 12162 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones" @@ -2177,6 +2144,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' + - id: 12163 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." 
@@ -2189,6 +2157,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' + - id: 12164 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives." @@ -2201,6 +2170,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff' + - id: 12165 title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it." @@ -2213,6 +2183,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1' + - id: 12166 title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account." 
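Review bot: In hunk `@@ -2201,6 +2170,7 @@` both rules of id 12164 write `Policies\Explorer-> NoDriveTypeAutoRun` without the space before `->` that every other registry rule in this file uses; if the engine splits key path and value name on ` -> `, the value name is never separated from the key and the check cannot match. The two lines should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> ff'`. The check's condition is outside the hunk, so whether a non-matching rule fails the whole check cannot be confirmed from here.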
@@ -2225,6 +2196,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1' + - id: 12167 title: "Ensure 'Require pin for pairing' is set to 'Enabled'" description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device." @@ -2237,6 +2209,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1' + - id: 12168 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences." @@ -2249,6 +2222,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' + - id: 12169 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application." 
@@ -2261,6 +2235,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' + - id: 12170 title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'" description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic." 
@@ -2273,6 +2248,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$' + - id: 12171 title: "Ensure 'Disable pre-release features or settings' is set to 'Disabled'" description: "This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations." @@ -2285,6 +2261,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> 0' + - id: 12172 title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'" description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft." @@ -2297,6 +2274,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1' + - id: 12173 title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" description: "This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under \"Get Insider builds,\" and enable users to make their devices available for downloading and installing Windows preview software." 
@@ -2309,6 +2287,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0' + - id: 12174 title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'" description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead." @@ -2321,6 +2300,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^1$|^2$' + - id: 12175 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size." 
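Review bot: In hunk `@@ -2321,6 +2300,7 @@` the title of id 12174 says Download Mode must NOT be 'Enabled: Internet', which the check's own description identifies as mode 3, yet the value rule `DODownloadMode -> r:^1$|^2$` accepts only modes 1 and 2; the modes 0, 99 and 100 that the description also lists are not Internet peering but would be reported as non-compliant if the check's condition (outside the hunk) requires this rule to match. If the intent is the title's, the rule should accept every non-3 mode, e.g. `- '…DeliveryOptimization -> DODownloadMode -> r:^0$|^1$|^2$|^99$|^100$'`, subject to how the engine renders the DWORD.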
@@ -2333,6 +2313,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' + - id: 12176 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments." 
@@ -2341,20 +2322,11 @@ checks:
 compliance:
 - cis: "18.9.26.1.2"
 - cis_csc: "6.3, 6.4"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^0\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^1\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^2\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^3\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^4\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^5\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^6\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> r:^7\w\w\w$'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
 - id: 12177
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
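Review bot: The new threshold rule `n:^(\d+) compare >= 32768` assumes the MaxSize DWORD is rendered in decimal, but the patterns this hunk removes encoded the same limit in hexadecimal (`^7\w\w\w$` matches anything below 0x8000 = 32768, and the Security hunk's `^2\w\w\w\w$` anything below 0x30000 = 196608), and the `NoDriveTypeAutoRun -> ff` rule of id 12164 elsewhere in this file also compares against hex text. If the engine still emits REG_DWORD values in hex, a compliant value of 0x8000 is read as 8000 and fails the compare, and any value containing a–f does not match `\d+` at all, so the check silently reports the wrong result instead of erroring. Please confirm the engine's DWORD rendering before merging; if it is hex, the comparand must be expressed in the same base (or the engine must parse hex), and the same applies to the three sibling hunks for Security (`18.9.26.2.2`, threshold 196608), Setup (`18.9.26.3.2`) and System (`18.9.26.4.2`). Separately, under `condition: all` the bare existence rule `… -> MaxSize` is implied by the compare rule and could be dropped, though keeping it is harmless.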
@@ -2367,6 +2339,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' + - id: 12178 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments." 
@@ -2375,16 +2348,11 @@ checks:
 compliance:
 - cis: "18.9.26.2.2"
 - cis_csc: "6.3, 6.4"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^\w\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^0\w\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^1\w\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> r:^2\w\w\w\w$'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
 - id: 12179
 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
@@ -2406,20 +2374,11 @@ checks:
 compliance:
 - cis: "18.9.26.3.2"
 - cis_csc: "6.3, 6.4"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^0\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^1\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^2\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^3\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^4\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^5\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^6\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> r:^7\w\w\w$'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
 - id: 12181
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
@@ -2432,6 +2391,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0' + - id: 12182 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments." 
@@ -2440,20 +2400,11 @@ checks:
 compliance:
 - cis: "18.9.26.4.2"
 - cis_csc: "6.3, 6.4"
- condition: none
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^0\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^1\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^2\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^3\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^4\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^5\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^6\w\w\w$'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> r:^7\w\w\w$'
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
 - id: 12183
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
 description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer."
@@ -2466,6 +2417,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' + - id: 12184 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this." @@ -2478,6 +2430,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' + - id: 12185 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows." @@ -2490,6 +2443,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' + - id: 12186 title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'" description: "By default, users can add their computer to a HomeGroup on a home network." 
@@ -2502,6 +2456,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1' + - id: 12187 title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs." @@ -2514,6 +2469,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1' + - id: 12188 title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher" description: "This setting lets you configure how your company deals with cookies. The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark." @@ -2526,6 +2482,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$' + - id: 12189 title: "Ensure 'Configure Password Manager' is set to 'Disabled'" description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager." 
@@ -2538,6 +2495,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no' + - id: 12190 title: "Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'" description: "This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content." @@ -2550,6 +2508,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1' + - id: 12191 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client." @@ -2562,6 +2521,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' + - id: 12192 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer." 
@@ -2574,6 +2534,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' + - id: 12193 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them." @@ -2586,6 +2547,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1' + - id: 12194 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client." 
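Review bot: In hunk `@@ -2586,6 +2547,7 @@` the value rule of id 12193 names `fDisableCdma`, while the existence rule just above it and the Remote Desktop "Do not allow drive redirection" setting it audits use `fDisableCdm`; the second rule therefore looks up a value that does not exist and, if the check's condition (outside the hunk) requires every rule to match, the check can never pass on a correctly hardened host. The line should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'`.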
@@ -2598,6 +2560,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' + - id: 12195 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests." @@ -2610,6 +2573,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' + - id: 12196 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption." @@ -2622,6 +2586,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' + - id: 12197 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff." 
@@ -2634,6 +2599,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' + - id: 12198 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session." @@ -2646,6 +2612,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' + - id: 12199 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer." @@ -2658,6 +2625,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' + - id: 12200 title: "Ensure 'Allow Cortana' is set to 'Disabled'" description: "This policy setting specifies whether Cortana is allowed on the device" 
@@ -2670,6 +2638,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0' + - id: 12201 title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked." @@ -2682,6 +2651,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0' + - id: 12202 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files." @@ -2694,6 +2664,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' + - id: 12203 title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results." 
@@ -2706,6 +2677,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0' + - id: 12204 title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" description: "This setting enables or disables the automatic download and installation of Windows Store app updates." @@ -2718,6 +2690,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4' + - id: 12205 title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" description: "Enables or disables the Windows Store offer to update to the latest version of Windows." @@ -2730,6 +2703,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1' + - id: 12206 title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This setting can only be set by Group Policy." @@ -2742,6 +2716,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0' + - id: 12207 title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'" description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus." 
@@ -2754,6 +2729,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0' + - id: 12208 title: "Ensure 'Scan removable drives' is set to 'Enabled'" description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan." @@ -2766,6 +2742,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0' + - id: 12209 title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'" description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac)." @@ -2778,6 +2755,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0' + - id: 12210 title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'" description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules." 
@@ -2790,6 +2768,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' + - id: 12211 title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'" description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail)" @@ -2814,6 +2793,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' + - id: 12212 title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" description: "This policy setting controls Windows Defender Exploit Guard network protection." 
@@ -2826,6 +2806,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1' + - id: 12213 title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'" description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software." @@ -2838,6 +2819,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0' + - id: 12214 title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'" description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center." @@ -2850,6 +2832,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1' + - id: 12215 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled." 
@@ -2877,6 +2860,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1' + - id: 12217 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'" description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files." @@ -2889,6 +2873,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1' + - id: 12218 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'" description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites." @@ -2901,6 +2886,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1' + - id: 12219 title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" description: "This setting enables or disables the Windows Game Recording and Broadcasting features." @@ -2913,6 +2899,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0' + - id: 12220 title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'" description: "This policy setting determines whether Windows Ink items are allowed above the lock screen." 
@@ -2925,6 +2912,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$' + - id: 12221 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user." @@ -2937,6 +2925,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1' + - id: 12222 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure." 
@@ -2949,6 +2938,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' + - id: 12223 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system." @@ -2961,6 +2951,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' + - id: 12224 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" description: "This policy setting enables logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log." @@ -2973,6 +2964,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' + - id: 12225 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts." 
@@ -2985,6 +2977,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01' + - id: 12226 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication." @@ -2997,6 +2990,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' + - id: 12227 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network." @@ -3009,6 +3003,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' + - id: 12228 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication." @@ -3021,6 +3016,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' + - id: 12229 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client." 
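Review bot: The context rule `EnableTranscripting -> 01` in check 12225 (hunk `@@ -2985`) looks like a typo: every sibling rule in these hunks compares the DWORD against a plain decimal (`AllowBasic -> 0`, `DisableRunAs -> 1`), and if the trailing value is matched literally, `01` never equals a reported `0`, so the check could never pass. Suggest `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'`, or confirm how the engine renders the value before comparing. The commit only inserts a blank line here, and the check's compliance block lies above the hunk.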
@@ -3033,6 +3029,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' + - id: 12230 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port." @@ -3045,6 +3042,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' + - id: 12231 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network." @@ -3057,6 +3055,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' + - id: 12232 title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'" description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software." 
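Review bot: The descriptions of checks 12230 and 12231 do not describe their titles: 12230 ('Allow unencrypted traffic', WinRM service, hunk `@@ -3033`) talks about the service automatically listening for requests on the HTTP transport, and 12231 ('Disallow WinRM from storing RunAs credentials', hunk `@@ -3045`) carries the unencrypted-messages sentence that belongs to 12230. These are context lines the commit leaves untouched, but the mismatch will confuse anyone triaging a failed check against the benchmark text. Suggest moving the 'sends and receives unencrypted messages' sentence into 12230 and giving 12231 a description that states what `DisableRunAs` controls, i.e. whether the WinRM service may store RunAs credentials. Each check's rationale and compliance sections sit outside its hunk.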
@@ -3071,6 +3070,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0' + - id: 12233 title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'" description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.  Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.  Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment." 
@@ -3084,9 +3084,10 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:(\d+) compare >= 180'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32'
+
 - id: 12234
 title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
 description: "This settings controls when Quality Updates are received."
@@ -3101,6 +3102,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0' + - id: 12235 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))" @@ -3113,6 +3115,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' + - id: 12236 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS." 
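Review bot: Check 12235's rule `NoAutoUpdate -> 1` (hunk `@@ -3113`) appears inverted relative to its title, 'Configure Automatic Updates' is set to 'Enabled', and its description, which says an Enabled policy makes the OS search Windows Update: the value name presumably means 'no automatic updates', so 1 is the disabled state and the check would pass exactly on non-compliant hosts. As far as I recall the CIS mapping for this control is NoAutoUpdate = 0; please verify against the benchmark before changing. If so, the second rule should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'`. The commit only inserts a blank line in this hunk and the check's compliance block is above it.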
@@ -3125,6 +3128,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
 - id: 12237
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation."
From 23bd21b5f16d78c9a3022cf4464d8a9d5b397afb Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 14:11:38 +0200
Subject: [PATCH 046/247] Remove some ; leftovers

---
 sca/windows/acsc_office2016_rcl.yml | 2 +-
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 8 ++++----
 sca/windows/cis_win2012r2_memberL2_rcl.yml | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml
index 880da32a5..8bcda063b 100644
--- a/sca/windows/acsc_office2016_rcl.yml
+++ b/sca/windows/acsc_office2016_rcl.yml
@@ -25,7 +25,7 @@ requirements:
 description: "Requirements for running the CIS benchmark against Office 2016"
 condition: "any required"
 rules:
- - 'r:HKLM\Software\Microsoft\Office\16.0\Word\InstallRoot::Path;'
+ - 'r:HKLM\Software\Microsoft\Office\16.0\Word\InstallRoot::Path'

 checks:
 # ACSC - Attack Surface Reduction
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index c1a179f92..e3e66ace1 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -543,7 +543,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644;'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'

 - id: 9039
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
@@ -622,7 +622,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200;'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'

 - id: 9045
 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
@@ -945,7 +945,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'

 - id: 9070
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
@@ -1075,7 +1075,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'

 - id: 9080
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index 025a34869..84cdf033d 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -167,7 +167,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar;'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
From 5b97b8277b980612715f545b7db132968ee1f6a5 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 14:19:15 +0200
Subject: [PATCH 047/247] Fix some HEX rules

---
 sca/windows/cis_win10_enterprise_L2_rcl.yml | 2 +-
 sca/windows/cis_win2012r2_domainL2_rcl.yml | 35 +++------------------
 sca/windows/cis_win2012r2_memberL2_rcl.yml | 2 +-
 3 files changed, 7 insertions(+), 32 deletions(-)

diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index 40dc6c84c..e45295b9d 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -1080,7 +1080,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> EA60'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'

 - id: 12578
 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml
index 9332a8dee..d0be91239 100644
--- a/sca/windows/cis_win2012r2_domainL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml
@@ -537,35 +537,10 @@ checks: - cis_csc: "16.5" references: - https://workbench.cisecurity.org/benchmarks/766 - condition: none - rules: - - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba2' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba3' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba4' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba5' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba6' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba7' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba8' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba9' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbba\D' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbb\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbc\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbd\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbe\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbbf\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 
r:dbc\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbd\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbe\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dbf\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dc\w\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:dd\w\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:de\w\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:df\w\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:e\w\w\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:f\w\w\w\w' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> r:\w\w\w\w\w\w' + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15' - id: 8537 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" @@ -578,7 +553,7 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> EA60' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' - id: 8538 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'" 
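Review bot: The new rule `MaxIdleTime -> n:^(\d+) compare <= 15` (hunk `@@ -537,35 +537,10`) compares the raw registry value with 15, but this value is in milliseconds: the same commit rewrites the sibling `MaxDisconnectionTime` for a one-minute limit from hex `EA60` to decimal `60000`, and the removed hex patterns here begin at `dbba1`, just above 0xDBBA0 = 900000 ms = 15 minutes. A compliant 900000 now fails the check, while `0` ('Never', which the CIS wording for this control excludes as far as I recall) passes. Suggest replacing the second rule with `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'`; the `not … -> 0` form is the one the AutoDisconnect check later in this series already uses. The check's id and title are above the hunk.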
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index 84cdf033d..0facfe42c 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -512,7 +512,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> EA60'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
 # Section 18.9.60.1 - OCR
 - id: 9538
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
From af75b82e6d3842eacc32f3ccda621f9a53de2736 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 14:24:56 +0200
Subject: [PATCH 048/247] Improve comparisons

---
 sca/windows/cis_win10_enterprise_L2_rcl.yml | 2 +-
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index e45295b9d..fdf65879e 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -51,7 +51,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:(\d+) compare <= 4'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'

 - id: 12502
 title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher"
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index e3e66ace1..1f6aef267 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -320,7 +320,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:(\d+) compare <= 15'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'

 - id: 9022
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
@@ -1217,7 +1217,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n: ^(\d+) compare <= 30'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'

 # Section 18.3 - MS Security Guide
 - id: 9091
From 96181befbf1d6c140a3716e37a59c1ae9e7b878c Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 14:41:14 +0200
Subject: [PATCH 049/247] Change hex comparison

---
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 1f6aef267..acfc6f445 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -1201,10 +1201,10 @@ checks:
 compliance:
 - cis: "18.2.5"
 - cis_csc: "5.7"
- condition: any
+ condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> r:\w\w+'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'

 - id: 9090
 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
From dadc5d62a23bac1cac79bdb6c31421da232880a7 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 14:45:21 +0200
Subject: [PATCH 050/247] Remove ; leftovers

---
 .../cis_mysql5-6_community_rcl.yml | 20 ++++++-------
 .../cis_mysql5-6_enterprise_rcl.yml | 22 +++++++-------
 sca/darwin/16/cis_apple_macOS_10.12.yml | 2 +-
 sca/darwin/17/cis_apple_macOS_10.13.yml | 2 +-
 sca/darwin/system_audit_rcl_mac.yml | 30 +++++++++----------
 5 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml
index adc2accf8..5cdde99e5 100644
--- a/sca/applications/cis_mysql5-6_community_rcl.yml
+++ b/sca/applications/cis_mysql5-6_community_rcl.yml
@@ -97,7 +97,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
 condition: all
 rules:
- - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$;'
+ - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$'

 - id: 4505
 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
@@ -110,7 +110,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
 condition: all
 rules:
- - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false;'
+ - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false'

 - id: 4506
 title: "Ensure '--skip-symbolic-links' Is Enabled"
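Review bot: The rule `r:local-infile\s*=\*0$` in hunk `@@ -97,7 +97,7` keeps a `\*` between `=` and `0`, which reads like a dropped `s` in `\s*`: the neighbouring rule `skip-grant-tables\s*=\s*false` allows whitespace after `=`, while this one would presumably not match a conventional `local-infile = 0` line, so a compliant config would fail. The enterprise file's `@@ -97` hunk on the next line carries the same pattern. Suggest `- 'f:$mysql-cnfs -> r:local-infile\s*=\s*0$'` in both files; the commit only strips the trailing `;`, so the pattern itself predates it.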
@@ -137,7 +137,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv condition: all rules: - - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;' + - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*' - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" @@ -271,13 +271,13 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html condition: none rules: - - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$;' - - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$;' - - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$;' - - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$;' - - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$;' - - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1;' - - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*;' + - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$' + - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$' + - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$' + - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$' + - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$' + - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1' + - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*' #9 Replication - id: 4518 diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index 9648d028d..9d8a00359 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -97,7 +97,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/load-data.html condition: all rules: - - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$;' + - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$' - id: 4505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" 
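Review bot: In the `@@ -271,13 +271,13 @@` hunk of cis_mysql5-6_community_rcl.yml the `validate_password_length` rule ends in `\s$` while every other rule in the same list ends in `\s*$`, so it only matches when a whitespace character follows `14`; a `validate_password_length = 14` line with nothing after the value would be missed. Changing it to `- 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s*$'` makes it consistent with its siblings. The enterprise copy of this hunk on the next line of the patch has the same `\s$`.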
@@ -110,7 +110,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables condition: all rules: - - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false;' + - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false' - id: 4506 title: "Ensure '--skip-symbolic-links' Is Enabled" @@ -137,7 +137,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv condition: all rules: - - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*;' + - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*' - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" @@ -271,13 +271,13 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html condition: none rules: - - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$;' - - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$;' - - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$;' - - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$;' - - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$;' - - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1;' - - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*;' + - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$' + - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$' + - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$' + - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$' + - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$' + - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1' + - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*' #9 Replication - id: 4518 
@@ -325,7 +325,7 @@ checks:
- cis: "6.7"
condition: all
rules:
- - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$;'
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$'
- id: 4522
title: "Ensure audit_log_policy is set to log logins and connections"
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index 0856029f5..2423bf890 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -414,4 +414,4 @@ checks:
- cis: "6.3"
condition: all
rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;'
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index 67f1a425c..779c5193e 100644
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -403,4 +403,4 @@ checks:
- cis: "6.3"
condition: all
rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;'
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
diff --git a/sca/darwin/system_audit_rcl_mac.yml b/sca/darwin/system_audit_rcl_mac.yml
index 38b17511c..c1e668651 100644
--- a/sca/darwin/system_audit_rcl_mac.yml
+++ b/sca/darwin/system_audit_rcl_mac.yml
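Review bot: The new line in the `@@ -414,4 +414,4 @@` hunk of sca/darwin/16/cis_apple_macOS_10.12.yml, `- 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$`, drops the closing single quote together with the `;`, which leaves an unterminated single-quoted scalar on the last line of the file; the whole policy would then fail to parse, not just this one check. The matching 10.13 hunk in the same commit keeps the quote, so this looks like a slip rather than intent. The line should read `- 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'`; a yamllint or plain parse pass over sca/ in CI would catch this class of edit before it ships.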
@@ -24,22 +24,22 @@ checks: title: "PHP - Register globals are enabled" condition: any rules: - - 'f:$php.ini -> r:^register_globals = On;' + - 'f:$php.ini -> r:^register_globals = On' - id: 2001 title: "PHP - Expose PHP is enabled" condition: any rules: - - 'f:$php.ini -> r:^expose_php = On;' + - 'f:$php.ini -> r:^expose_php = On' - id: 2002 title: "PHP - Allow URL fopen is enabled" condition: any rules: - - 'f:$php.ini -> r:^allow_url_fopen = On;' + - 'f:$php.ini -> r:^allow_url_fopen = On' - id: 2003 title: "PHP - Displaying of errors is enabled" condition: any rules: - - 'f:$php.ini -> r:^display_errors = On;' + - 'f:$php.ini -> r:^display_errors = On' # WEB checks - id: 2004 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" @@ -47,35 +47,35 @@ checks: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^.yop$;' + - 'd:$web_dirs -> ^.yop$' - id: 2005 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^id$;' + - 'd:$web_dirs -> ^id$' - id: 2006 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" compliance: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^.ssh$;' + - 'd:$web_dirs -> ^.ssh$' - id: 2007 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^...$;' + - 'd:$web_dirs -> ^...$' - id: 2008 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" compliance: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^.shell$;' + - 'd:$web_dirs -> ^.shell$' # Outdated Web applications - id: 2009 title: "Web vulnerability - Outdated WordPress installation" 
@@ -83,14 +83,14 @@ checks: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2'';' + - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2''' - id: 2010 title: "Web vulnerability - Outdated Joomla installation" compliance: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8'';' + - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8''' - id: 2011 title: "Web vulnerability - Outdated osCommerce (v2.2) installation" compliance: @@ -105,14 +105,14 @@ checks: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo;' + - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' - id: 2013 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" compliance: - pci_dss: "6.5, 6.6, 11.4" condition: any rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST;' + - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' - id: 2014 title: "Web vulnerability - .htaccess file compromised" compliance: @@ -121,7 +121,7 @@ checks: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: any rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google;' + - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' - id: 2015 title: "Web vulnerability - .htaccess file compromised - auto append" compliance: @@ -130,4 +130,4 @@ checks: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: any rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file;' + - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file' From 5f6825eb87ff69c14d61468c5904227cee886611 Mon Sep 17 00:00:00 2001 
From: JuantAldea Date: Wed, 5 Jun 2019 14:56:42 +0200 Subject: [PATCH 051/247] Trimming spaces and ";" --- sca/applications/cis_apache2224_rcl.yml | 4 ++-- sca/applications/cis_mysql5-6_community_rcl.yml | 4 ++-- sca/applications/cis_mysql5-6_enterprise_rcl.yml | 4 ++-- sca/darwin/15/cis_apple_macOS_10.11.yml | 2 +- sca/darwin/system_audit_rcl_mac.yml | 4 ++-- sca/debian/cis_debianlinux7-8_L2_rcl.yml | 2 +- sca/generic/web_vulnerabilities.yml | 4 ++-- sca/rhel/5/cis_rhel5_linux_rcl.yml | 1 - sca/sles/11/cis_sles11_linux_rcl.yml | 6 +++--- sca/sles/12/cis_sles12_linux_rcl.yml | 2 +- sca/sunos/cis_solaris11_rcl.yml | 6 +++--- 11 files changed, 19 insertions(+), 20 deletions(-) diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224_rcl.yml index 41241faf7..de52625b9 100644 --- a/sca/applications/cis_apache2224_rcl.yml +++ b/sca/applications/cis_apache2224_rcl.yml @@ -506,7 +506,7 @@ checks: condition: all rules: - 'f:$main-conf -> !r:^# && n:timeout\s+(\d+) compare <= 10' - + #9.2:Set the KeepAlive directive to On - id: 3532 title: "Ensure KeepAlive Is Enabled" @@ -522,7 +522,7 @@ checks: condition: none rules: - 'f:$main-conf -> !r:^# && r:keepalive\s+off' - + #9.3:Set MaxKeepAliveRequests to 100 or greater - id: 3533 title: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater." diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml index 5cdde99e5..38fb917ad 100644 --- a/sca/applications/cis_mysql5-6_community_rcl.yml +++ b/sca/applications/cis_mysql5-6_community_rcl.yml 
@@ -138,7 +138,7 @@ checks: condition: all rules: - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*' - + - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work." @@ -177,7 +177,7 @@ checks: condition: all rules: - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' - + - id: 4511 title: "Ensure 'log_warning' is set to 2" description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging." diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index 9d8a00359..3e89e8a32 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -138,7 +138,7 @@ checks: condition: all rules: - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*' - + - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work." 
@@ -177,7 +177,7 @@ checks:
condition: all
rules:
- 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
-
+
- id: 4511
title: "Ensure 'log_warning' is set to 2"
description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index 3b2382c73..f45a4235f 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -377,7 +377,7 @@ checks:
remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
compliance:
- cis: "5.9"
- condition:
+ condition:
rules:
- 'c:defaults read com.apple.screensaver askForPassword -> r:^1$'
diff --git a/sca/darwin/system_audit_rcl_mac.yml b/sca/darwin/system_audit_rcl_mac.yml
index c1e668651..76e61ccf0 100644
--- a/sca/darwin/system_audit_rcl_mac.yml
+++ b/sca/darwin/system_audit_rcl_mac.yml
@@ -14,8 +14,8 @@ policy:
description: "Guidance for establishing a secure configuration for web-related vulnerabilities."
variables:
- $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini;
- $web_dirs: /Library/WebServer/Documents,/usr/htdocs,/usr/local/var/htdocs,/usr/local/var/www;
+ $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini
+ $web_dirs: /Library/WebServer/Documents,/usr/htdocs,/usr/local/var/htdocs,/usr/local/var/www
# PHP checks
diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml
index a9620e967..a93b40e98 100644
--- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml
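Review bot: In the `@@ -377,7 +377,7 @@` hunk of sca/darwin/15/cis_apple_macOS_10.11.yml the replacement line `+ condition:` only trims trailing whitespace and still leaves the key without a value, which a YAML loader reads as null, so the cis 5.9 check keeps an undefined condition. The check has a single rule, so `condition: all` (the value the single-rule checks elsewhere in this series use) gives it an explicit, well-defined evaluation; suggested line: `condition: all`. Whether the SCA loader rejects or silently defaults a null condition is not visible here, so it is worth confirming against the engine before merging.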
+++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml @@ -155,7 +155,7 @@ checks: - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*ignore|syslog|suspend|single|halt' - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single' - + - id: 11010 title: "Keep All Auditing Information" description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml index c5d460a80..9da998671 100644 --- a/sca/generic/web_vulnerabilities.yml +++ b/sca/generic/web_vulnerabilities.yml @@ -14,8 +14,8 @@ policy: description: "Guidance for establishing a secure configuration for web-related vulnerabilities." variables: - $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini; - $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www; + $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini + $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www requirements: title: Check if web-server files are present diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml index 6a81b9c78..8e6492b8d 100644 --- a/sca/rhel/5/cis_rhel5_linux_rcl.yml +++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml @@ -742,7 +742,6 @@ checks: condition: all rules: - 'f:/proc/sys/net/ipv4/ip_forward -> 0' - # 4.1.2 Disable Send Packet Redirects (Scored) - id: 5547 diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index ed51f20f6..b52317ec4 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml 
@@ -27,7 +27,7 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; + $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # Section 1.1 - Filesystem Configuration @@ -166,7 +166,7 @@ checks: condition: all rules: - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' - + # 1.1.19 nosuid on removable media partitions (not scored) - id: 7013 title: "Ensure nosuid option set on removable media partitions" @@ -233,7 +233,7 @@ checks: condition: all rules: - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' - + ############################################### # 1.4 Secure Boot Settings ############################################### diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index 3d5721f68..7b7878b3d 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml @@ -27,7 +27,7 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d; + $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # Section 1.1 - Filesystem Configuration diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml index 20acb41f8..35d0e811c 100644 --- a/sca/sunos/cis_solaris11_rcl.yml +++ b/sca/sunos/cis_solaris11_rcl.yml @@ -178,7 +178,7 @@ checks: rules: - 'f:/etc/hosts.allow' - 'f:/etc/hosts.deny' - + - id: 11512 title: "Disable Telnet Service" description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access." 
@@ -555,7 +555,7 @@ checks: - 'f:/etc/default/passwd -> r:^whitespace\pyes' - 'f:/etc/default/passwd -> r:^dictiondbdir\p/var/passwd' - 'f:/etc/default/passwd -> r:^dictionlist\p/usr/share/lib/dict/words' - + - id: 11539 title: "Set Default umask for users" description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories." @@ -684,7 +684,7 @@ checks: - 'f:/etc/shadow -> r:xvm && !r::\p*LK\p*:' - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:' - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:' - + - id: 11548 title: "Ensure Password Fields are Not Empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)." From edd62424329a672211edae678326a4d087557c4a Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 5 Jun 2019 14:58:51 +0200 Subject: [PATCH 052/247] Fix two rules --- sca/windows/cis_win10_enterprise_L1_rcl.yml | 2 +- sca/windows/cis_win2012r2_domainL1_rcl.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml index 6700e1e8e..dc1e40b76 100644 --- a/sca/windows/cis_win10_enterprise_L1_rcl.yml +++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml 
@@ -1478,7 +1478,7 @@ checks:
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) <= 30'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
- id: 12112
title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index e6bd11321..c005b61fe 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -41,7 +41,7 @@ checks:
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) <= 60'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
# Section 2.3 - Security Options
- id: 8001
From 3448bc445db7b5f6994ab30306af2e5498472f20 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 15:02:05 +0200
Subject: [PATCH 053/247] Improve rule regex
---
sca/windows/cis_win2012r2_domainL1_rcl.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index c005b61fe..75ab8c0a6 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -836,7 +836,7 @@ checks:
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:(\d+) compare >= 16384'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- id: 8062
title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
From ef8ce399973362fde698fc8e787d5049352be40f Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 15:07:33 +0200
Subject: [PATCH 054/247] Add newline between checks
---
sca/windows/acsc_office2016_rcl.yml | 65 ++++++++++++++++++++++
sca/windows/cis_win2012r2_memberL2_rcl.yml | 44 +++++++++++++++
2 files changed, 109 insertions(+)
diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml
index 8bcda063b..de57689d5 100644
--- a/sca/windows/acsc_office2016_rcl.yml
+++ b/sca/windows/acsc_office2016_rcl.yml
@@ -38,6 +38,7 @@ checks:
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
+
- id: 10001
title: "Ensure 'Block executable content from email client and webmail' is set to 'Enabled'"
description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations."
@@ -47,6 +48,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' + - id: 10002 title: "Ensure 'block Office applications from creating child processes' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." @@ -56,6 +58,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' + - id: 10003 title: "Ensure 'block Office applications from creating executable content' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
@@ -65,6 +68,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' + - id: 10004 title: "Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." @@ -74,6 +78,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' + - id: 10005 title: "Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
@@ -83,6 +88,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' + - id: 10006 title: "Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." @@ -92,6 +98,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' + - id: 10007 title: "Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
@@ -101,6 +108,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' + # ACSC - Active X - id: 10008 title: "Ensure 'Disable All Active X' is set to 'Enabled'" @@ -111,6 +119,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> 1' + # ACSC - Add-ins - id: 10009 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Excel" @@ -121,6 +130,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> 1' + - id: 10010 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Excel" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
@@ -130,6 +140,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> 1' + - id: 10011 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for PowerPoint" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." @@ -139,6 +150,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> 1' + - id: 10012 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." @@ -148,6 +160,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> 1' + - id: 10013 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Word" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
@@ -157,6 +170,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> 1' + - id: 10014 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Word" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." @@ -166,6 +180,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> 1' + # ACSC - Extension Hardening - id: 10015 title: "Ensure if Extension Hardening functionality in Microsoft Excel is enabled" @@ -176,6 +191,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> 2' + # ACSC - File Type Blocking - id: 10016 title: "Ensure dBase III / IV files are blocked in Microsoft Excel" 
@@ -186,6 +202,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> 2'
+
 - id: 10017
 title: "Ensure Dif and Sylk files are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -195,6 +212,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> 2'
+
 - id: 10018
 title: "Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -204,6 +222,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> 2'
+
 - id: 10019
 title: "Ensure Excel 2 worksheets are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -213,6 +232,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> 2'
+
 - id: 10020
 title: "Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -222,6 +242,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> 2'
+
 - id: 10021
 title: "Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -231,6 +252,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> 2'
+
 - id: 10022
 title: "Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -240,6 +262,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> 2'
+
 - id: 10023
 title: "Ensure Excel 4 workbooks are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -249,6 +272,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> 2'
+
 - id: 10024
 title: "Ensure Excel 4 worksheets are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -258,6 +282,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> 2'
+
 - id: 10025
 title: "Ensure Excel 95 workbooks are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -267,6 +292,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> 2'
+
 - id: 10026
 title: "Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -276,6 +302,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> 2'
+
 - id: 10027
 title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -285,6 +312,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> 0'
+
 - id: 10028
 title: "Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -292,6 +320,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> 2'
+
 # CIS 2.22 - Office Converters
 - id: 10029
 title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled"
@@ -304,6 +333,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> 2'
+
 # ACSC - File Type Blocking (Cont'd)
 - id: 10030
 title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint"
@@ -314,6 +344,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> 0'
+
 - id: 10031
 title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -323,6 +354,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> 0'
+
 - id: 10032
 title: "Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -331,6 +363,7 @@ checks:
 condition: any
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> 2'
+
 - id: 10033
 title: "Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -340,6 +373,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> 2'
+
 - id: 10034
 title: "Ensure Word 95 binary documents and templates are blocked in Microsoft Word"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -349,6 +383,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> 2'
+
 - id: 10035
 title: "Ensure Word 97 binary documents and templates are blocked in Microsoft Word"
 description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
@@ -358,6 +393,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> 2'
+
 # ACSC - Hidden Markup
 - id: 10036
 title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint"
@@ -368,6 +404,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> 1'
+
 - id: 10037
 title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word"
 description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
@@ -377,6 +414,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> 1'
+
 # ACSC - Office File Validation
 - id: 10038
 title: "Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office"
@@ -387,6 +425,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> 1'
+
 - id: 10039
 title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel"
 description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
@@ -396,6 +435,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> 1'
+
 - id: 10040
 title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint"
 description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
@@ -405,6 +445,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> 1'
+
 - id: 10041
 title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word"
 description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
@@ -414,6 +455,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> 1'
+
 # ACSC - Protected View
 - id: 10042
 title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel"
@@ -424,6 +466,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> 0'
+
 - id: 10043
 title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -433,6 +476,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> 0'
+
 - id: 10044
 title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -442,6 +486,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> 0'
+
 - id: 10045
 title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -451,6 +496,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> 0'
+
 - id: 10046
 title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -460,6 +506,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> 0'
+
 - id: 10047
 title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -469,6 +516,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> 0'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv'
+
 - id: 10048
 title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -478,6 +526,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> 0'
+
 - id: 10049
 title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -487,6 +536,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> 0'
+
 - id: 10050
 title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -496,6 +546,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> 0'
+
 - id: 10051
 title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -505,6 +556,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> 0'
+
 - id: 10052
 title: "Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -514,6 +566,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> 0'
+
 - id: 10053
 title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word"
 description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
@@ -523,6 +576,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> 0'
+
 # ACSC - Trusted Documents
 - id: 10054
 title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel"
@@ -533,6 +587,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> 1'
+
 - id: 10055
 title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
@@ -542,6 +597,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> 1'
+
 - id: 10056
 title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
@@ -551,6 +607,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> 1'
+
 - id: 10057
 title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
@@ -560,6 +617,7 @@ checks:
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments -> 1'
+
 - id: 10058
 title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
@@ -569,6 +627,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> 1' + - id: 10059 title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word" description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." @@ -578,6 +637,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> 1' + # CIS 2.24 - Privacy - id: 10060 title: "Ensure 'Disable Opt-in Wizard on First Run' is set to Enabled" 
@@ -590,6 +650,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> 1' + - id: 10061 title: "Ensure 'Enable Customer Experience Improvement Program' is set to Disabled" description: "This policy setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office. When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. The recommended state for this setting is: Disabled" @@ -601,6 +662,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> 0' + - id: 10062 title: "Ensure 'Allow including screenshot with Office Feedback' is set to Disabled" description: "This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled." 
@@ -612,6 +674,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> 0' + - id: 10063 title: "Ensure 'Send Office Feedback' is set to Disabled" description: "This policy setting manages the Office Feedback Tool (a.k.a. Send a Smile). The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled." @@ -623,6 +686,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> 0' + - id: 10064 title: "Ensure 'Send personal information' is set to Disabled" description: "This policy setting controls whether users can send personal information to Office. When users choose to send information Office applications automatically send information to Office." 
@@ -634,6 +698,7 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> 0' + - id: 10065 title: "Ensure Set 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled" description: "This policy setting controls whether Microsoft Office Diagnostics is enabled. Office Diagnostics enables Microsoft to diagnose system problems by periodically downloading a small file to the computer. If you enable this policy setting, Office Diagnostics collects information about specific errors and the IP address of the computer. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. If you disable this policy setting, users will not receive updates from Office Diagnostics. If you do not configure this policy setting, this policy setting is not enabled, but users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run an Office application. The recommended state for this setting is: Disabled." diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml index 0facfe42c..27889ff4f 100644 --- a/sca/windows/cis_win2012r2_memberL2_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml @@ -38,6 +38,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$' + # Section 2.3.10 - Network access - id: 9501 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" 
@@ -51,6 +52,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' + # Section 18.4 - MSS (Legacy) - id: 9502 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" @@ -64,6 +66,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000' + - id: 9503 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis." @@ -76,6 +79,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' + - id: 9504 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted." 
@@ -88,6 +92,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' + - id: 9505 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted." @@ -100,6 +105,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' + # Section 18.5.9 - Link-Layer Topology Discovery - id: 9506 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" @@ -115,6 +121,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0' + - id: 9507 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" description: "This policy setting changes the operational behavior of the Responder network protocol driver." @@ -129,6 +136,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0' + # Section 18.5.10 - Microsoft Peer-to-Peer Networking Services - id: 9508 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" 
@@ -142,6 +150,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 0' + # Section 18.5.19.2 - Parameters - id: 9509 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" @@ -154,6 +163,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff' + # Section 18.5.20 - Windows Connect Now - id: 9510 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" @@ -175,6 +185,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0' + - id: 9511 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards." @@ -187,6 +198,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' + # Section 18.5.21 - Windows Connection Manager - id: 9512 title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" 
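Review bot: The value rule for check 9508 passes on `Peernet -> Disabled -> 0`, which is the opposite of what its title asks for ('Turn off Microsoft Peer-to-Peer Networking Services' set to Enabled): a value named `Disabled` equal to 0 means the service is not turned off, so a non-compliant host passes and a hardened one (value 1) fails. Change the second rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'`. The check's `condition:` line is above the hunk; the inversion holds for any condition that requires this rule to match.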
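Review bot: Check 9509 compares `DisabledComponents -> ff`, while every other REG_DWORD comparison in this file (`KeepAliveTime -> 300000`, `MaxDisconnectionTime -> 60000`, `TcpMaxDataRetransmissions -> 3`) is written in decimal; if SCA renders DWORD values in decimal, as those rules assume, `ff` can never match and the check fails on every host. Use `-> 255` (the title itself spells out `0xff (255)`), or, if hex really is what SCA emits, convert the other comparisons too — they cannot all be right as written. A short comment on the line stating which radix SCA reports would keep the next edit from reintroducing the mismatch.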
@@ -200,6 +212,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1' + # Section 18.8.22.1 - Internet Communication settings - id: 9513 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" @@ -213,6 +226,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' + - id: 9514 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" description: "Turns off the handwriting recognition error reporting tool." @@ -225,6 +239,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' + - id: 9515 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs)." @@ -237,6 +252,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' + - id: 9516 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration." 
@@ -249,6 +265,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' + - id: 9517 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches." @@ -261,6 +278,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' + - id: 9518 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'" description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders." @@ -273,6 +291,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' + - id: 9519 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders." 
@@ -285,6 +304,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' + - id: 9520 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used." @@ -297,6 +317,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 0' + - id: 9521 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used." @@ -309,6 +330,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' + - id: 9522 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" description: "This policy setting controls whether or not errors are reported to Microsoft." @@ -323,6 +345,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1' + # Section 18.8.26 - Locale Services - id: 9523 title: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" 
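Review bot: The description of check 9521 ('Turn off Windows Customer Experience Improvement Program') is a copy of 9520's and talks about Windows Messenger, which is not what `SQMClient\Windows -> CEIPEnable` controls. Replace it with a description of the Windows CEIP itself, e.g. `description: "This policy setting controls whether Windows sends usage and reliability data to Microsoft through the Windows Customer Experience Improvement Program (SQM client). The recommended state for this setting is: Enabled (CEIPEnable = 0)."`.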
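Review bot: Both value rules of check 9522 are inverted relative to its title ('Turn off Windows Error Reporting' set to Enabled): `Windows Error Reporting -> Disabled -> 0` means reporting is not disabled and `PCHealth\ErrorReporting -> DoReport -> 1` means reports are sent, so a host that still ships crash data to Microsoft passes and a hardened one fails. The expected values are `-> Disabled -> 1` and `-> DoReport -> 0`. The check's `condition:` is above the hunk; the inversion holds for any condition that requires these rules to match.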
@@ -336,6 +359,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' + # Section 18.8.36 - Remote Procedure Call - id: 9524 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" @@ -349,6 +373,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' + # Section 18.8.44.5 - Microsoft Support Diagnostic Tool - id: 9525 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" @@ -362,6 +387,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' + # Section 18.8.44.11 - Windows Performance PerfTrack - id: 9526 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" @@ -375,6 +401,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' + # Section 18.8.46 User Profiles - id: 9527 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'" 
@@ -388,6 +415,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' + # Section 18.8.49.1 - Time Providers - id: 9528 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'" @@ -401,6 +429,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' + - id: 9529 title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'" description: "This policy setting allows you to specify whether the Windows NTP Server is enabled." @@ -413,6 +442,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0' + # Section 18.9.39 - Location and Sensors - id: 9530 title: "Ensure 'Turn off Windows Location Provider' is set to 'Enabled'" @@ -426,6 +456,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> 1' + - id: 9531 title: "Ensure 'Turn off location' is set to 'Enabled'" description: "This policy setting turns off the location feature for the computer." @@ -438,6 +469,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' + # Section 18.9.58.3.2 - Connections - id: 9532 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" 
@@ -451,6 +483,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1' + # Section 18.9.58.3.3 Device and Resource Redirection - id: 9533 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" @@ -464,6 +497,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' + - id: 9534 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session." @@ -476,6 +510,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' + - id: 9535 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session." @@ -488,6 +523,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' + # Section 18.9.58.3.10 - Session Time Limits - id: 9536 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" 
@@ -501,6 +537,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' + - id: 9537 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions." @@ -513,6 +550,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' + # Section 18.9.60.1 - OCR - id: 9538 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'" @@ -526,6 +564,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3' + # Section 18.9.56 - Software Protection Platform - id: 9539 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" @@ -539,6 +578,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' + # Section 18.9.76.3 - MAPS - id: 9540 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" @@ -551,6 +591,7 @@ checks: condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' + # Section - 18.9.76.9 - Reporting - id: 9541 title: "Ensure 'Configure Watson events' is set to 'Disabled'" 
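Review bot: Check 9536 accepts any `MaxIdleTime` satisfying `n:^(\d+) compare <= 900000`, which includes 0 — and for this policy a value of 0 disables the idle limit entirely, so the weakest possible setting passes a check titled '15 minutes or less'. Add a lower bound using the same numeric syntax, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare > 0'`, assuming the check's `condition:` (above the hunk) is `all`. A comment on the rule noting that 0 means 'never' would explain why two comparisons are needed.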
@@ -564,6 +605,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' + # Section 18.9.85 - Windows Installer - id: 9542 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" @@ -576,6 +618,7 @@ checks: condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' + # Section 18.9.97.2 - WinRM Service - id: 9543 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" @@ -588,6 +631,7 @@ checks: condition: any rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' + # Section 18.9.98 - Windows Remote Shell - id: 9544 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" From d5776ec5efac78407722d9ce48f7e041b93293d3 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 5 Jun 2019 06:15:38 -0700 Subject: [PATCH 055/247] Fix typo in MySQL policy --- sca/applications/cis_mysql5-6_enterprise_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index 3e89e8a32..b8100e70a 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml 
@@ -294,7 +294,7 @@ checks: - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table' #10 Enterprise rules -- id: 4519 + - id: 4519 title: "Ensure audit_log_connection_policy is not set to 'NONE'" description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. " rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation." From d64332375c8706d22515767b2a9004fb7e3ac355 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 5 Jun 2019 15:33:40 +0200 Subject: [PATCH 056/247] Set proper name for mac web_vulnerabilities file --- sca/darwin/{system_audit_rcl_mac.yml => web_vulnerabilities.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sca/darwin/{system_audit_rcl_mac.yml => web_vulnerabilities.yml} (100%) diff --git a/sca/darwin/system_audit_rcl_mac.yml b/sca/darwin/web_vulnerabilities.yml similarity index 100% rename from sca/darwin/system_audit_rcl_mac.yml rename to sca/darwin/web_vulnerabilities.yml From 08b566df4eb8675626924d6b4125e778e2b98522 Mon Sep 17 00:00:00 2001 
From: Chema Martinez Date: Wed, 5 Jun 2019 07:07:29 -0700 Subject: [PATCH 057/247] Fix typos in SCA policies --- sca/darwin/16/cis_apple_macOS_10.12.yml | 2 +- sca/generic/web_vulnerabilities.yml | 8 ++++---- sca/sles/11/cis_sles11_linux_rcl.yml | 8 ++++---- sca/sles/12/cis_sles12_linux_rcl.yml | 2 +- sca/windows/cis_win10_enterprise_L1_rcl.yml | 2 +- sca/windows/cis_win2012r2_domainL2_rcl.yml | 2 +- sca/windows/cis_win2012r2_memberL1_rcl.yml | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index 2423bf890..fdabd5b20 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml @@ -414,4 +414,4 @@ checks: - cis: "6.3" condition: all rules: - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$ + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$' diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml index 9da998671..bcb942822 100644 --- a/sca/generic/web_vulnerabilities.yml +++ b/sca/generic/web_vulnerabilities.yml @@ -9,7 +9,7 @@ policy: id: "web_vulnerabilities" - file: "web_vulnerabilities".yml" + file: "web_vulnerabilities.yml" name: "System audit for web-related vulnerabilities" description: "Guidance for establishing a secure configuration for web-related vulnerabilities." @@ -103,7 +103,7 @@ checks: - pci_dss: "6.5, 6.6, 11.4" condition: none rules: - - "d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:wp_version = ''4.4.2''" + - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2' - id: 1010 title: "Web vulnerability - Outdated Joomla installation" @@ -111,7 +111,7 @@ checks: - pci_dss: "6.5, 6.6, 11.4" condition: none rules: - - "d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:''3.4.8''" + - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8' - id: 1011 title: "Web vulnerability - Outdated osCommerce (v2.2) installation" 
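Review bot: The repaired rule for check 1010 now matches the bare token `3.4.8`, so with `condition: none` it flags exactly one Joomla release and passes every other outdated one (3.4.7, 3.3.x, …), which is narrower than the title 'Outdated Joomla installation' suggests; the WordPress rule in the preceding hunk (`r:4.4.2`) has the same shape. Also worth verifying that `var \.RELEASE` and `3.4.8` occur on one line of a real 3.4.8 `version.php` — as far as I recall Joomla 3.x splits `$RELEASE = '3.4'` from `$DEV_LEVEL = '8'`, in which case this rule never fires. If a pinned version is all the policy can express, at least restore the quote delimiters the old line was attempting so `3.4.8` cannot match inside `3.4.80`: `- 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:''3.4.8'''` (in single-quoted YAML `''` yields one `'`). A comment stating that this is a point check, not a range check, would stop readers treating a pass as 'up to date'.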
@@ -119,7 +119,7 @@ checks: - pci_dss: "6.5, 6.6, 11.4" condition: none rules: - - 'd:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-' + - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-' # Known backdoors - id: 1012 diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index b52317ec4..2bf77be4f 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml @@ -154,8 +154,8 @@ checks: rules: - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' -# 1.1.18 nodev on removable media partitions (not scored) -- id: 7012 + # 1.1.18 nodev on removable media partitions (not scored) + - id: 7012 title: "Ensure nodev option set on removable media partitions" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." @@ -434,8 +434,8 @@ checks: rules: - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:^server|^pool - - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' + - 'f:/etc/ntp.conf -> r:^server|^pool' + - 'f:/etc/sysconfig/ntpd -> r:NTPD_OPTIONS="-u ntp:ntp"' # 2.2.2 Remove X Windows (Scored) - id: 7029 diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index 7b7878b3d..2c266144d 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml 
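Review bot: The corrected ntpd rule `r:NTPD_OPTIONS="-u ntp:ntp"` only matches when `-u ntp:ntp` is the first option after the opening quote, so a host that also passes `-g` (`NTPD_OPTIONS="-g -u ntp:ntp"` is common) fails the check although ntpd runs as the ntp user. Anchor on the key and allow other options: `- 'f:/etc/sysconfig/ntpd -> r:^NTPD_OPTIONS=\.*-u ntp:ntp'` (`\.` is the SCA regex wildcard, as in `r:^\.wp_version` earlier in this diff; `^` also excludes commented-out lines). The `restrict -4`/`-6` rules are likewise exact-token-order matches, which a one-line comment should state so that a reordered but equivalent line is not mistaken for a finding. The check's id and `condition:` are above the hunk.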
@@ -454,7 +454,7 @@ checks: rules: - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:^server|^pool + - 'f:/etc/ntp.conf -> r:^server|^pool' - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' # 2.2.2 Remove X Windows (Scored) diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml index dc1e40b76..a812352b7 100644 --- a/sca/windows/cis_win10_enterprise_L1_rcl.yml +++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml @@ -181,7 +181,7 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - ç- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - id: 12012 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml index d0be91239..1d60507e9 100644 --- a/sca/windows/cis_win2012r2_domainL2_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml @@ -535,7 +535,7 @@ checks: compliance: - cis: "18.9.58.3.10.1" - cis_csc: "16.5" - references: + references: - https://workbench.cisecurity.org/benchmarks/766 condition: all rules: diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml index acfc6f445..ee0a36d78 100644 --- a/sca/windows/cis_win2012r2_memberL1_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml 
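Review bot: This hunk closes the quote on the `^server|^pool` line but leaves `r:"NTPD_OPTIONS="-u ntp:ntp"` untouched, even though the same stray leading `"` is removed from the SLES 11 policy in this commit; a literal `"` before `NTPD_OPTIONS` does not occur in `/etc/sysconfig/ntpd`, so that rule can never match and the check (its id and `condition:` are above the hunk) fails on every host if the condition requires all rules. Apply the same fix here, `- 'f:/etc/sysconfig/ntpd -> r:NTPD_OPTIONS="-u ntp:ntp"'`, or better `r:^NTPD_OPTIONS=\.*-u ntp:ntp` so additional options such as `-g` are tolerated.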
@@ -583,7 +583,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
- - id: 9042
+ - id: 9042
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
From c4f023fa9077bb369557ac5a65b0e2e1a7db7147 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 5 Jun 2019 16:09:02 +0200
Subject: [PATCH 058/247] Change id
---
 sca/darwin/web_vulnerabilities.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml
index 76e61ccf0..17de14605 100644
--- a/sca/darwin/web_vulnerabilities.yml
+++ b/sca/darwin/web_vulnerabilities.yml
@@ -8,8 +8,8 @@
 # Foundation
 policy:
- id: "system_audit_rcl_mac"
- file: "system_audit_rcl_mac.yml"
+ id: "web_vulnerabilities_mac"
+ file: "web_vulnerabilities.yml"
 name: "System audit for web-related vulnerabilities"
 description: "Guidance for establishing a secure configuration for web-related vulnerabilities."
From 572107f8e0518e9d4a505d298950badc6ccb2174 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A1n=20Jes=C3=BAs=20Pe=C3=B1a=20Rodr=C3=ADguez?=
Date: Wed, 5 Jun 2019 17:00:00 +0200
Subject: [PATCH 059/247] Script to map the standards in sca (#421)
* Added new script to map the standards in sca
* Added hipaa standard
* Added nist_800_53 standard
---
 sca/applications/cis_apache2224_rcl.yml | 1100 +--
 .../cis_mysql5-6_community_rcl.yml | 476 +-
 .../cis_mysql5-6_enterprise_rcl.yml | 616 +-
 sca/darwin/15/cis_apple_macOS_10.11.yml | 714 +-
 sca/darwin/16/cis_apple_macOS_10.12.yml | 650 +-
 sca/darwin/17/cis_apple_macOS_10.13.yml | 632 +-
 sca/darwin/web_vulnerabilities.yml | 228 +-
 sca/debian/cis_debian_linux_rcl.yml | 1097 +--
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 2542 +++----
 sca/debian/cis_debianlinux7-8_L2_rcl.yml | 708 +-
 sca/generic/system_audit_pw.yml | 280 +-
 sca/generic/system_audit_ssh.yml | 200 +-
 sca/generic/web_vulnerabilities.yml | 260 +-
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 1772 ++---
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 1620 ++---
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 1770 ++---
 sca/sles/11/cis_sles11_linux_rcl.yml | 1570 +++--
 sca/sles/12/cis_sles12_linux_rcl.yml | 1608 ++---
 sca/sunos/cis_solaris11_rcl.yml | 1466 ++--
 sca/windows/acsc_office2016_rcl.yml | 1320 ++--
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 6218 ++++++++---
 sca/windows/cis_win10_enterprise_L2_rcl.yml | 2348 +++---
 sca/windows/cis_win2012r2_domainL1_rcl.yml | 3990 +++++------
 sca/windows/cis_win2012r2_domainL2_rcl.yml | 1190 ++--
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 4244 +++++------
 sca/windows/cis_win2012r2_memberL2_rcl.yml | 12 +-
 sca/windows/win_audit_rcl.yml | 211 +-
 27 files changed, 19507 insertions(+), 19335 deletions(-)
diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224_rcl.yml
index de52625b9..b7ba5c83e 100644
--- a/sca/applications/cis_apache2224_rcl.yml
+++ b/sca/applications/cis_apache2224_rcl.yml
@@ -36,624 +36,624 @@ variables: #2.3 Disable WebDAV Modules checks: - - id: 3500 - title: "Ensure the WebDAV Modules Are Disabled" - description: "The Apache mod_dav and mod_dav_fs modules support WebDAV functionality for Apache, which is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server." - rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls." - remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file." - compliance: - - cis: "2.3" - - cis_csc: "9.1" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_dav.html - - https://httpd.apache.org/docs/2.4/mod/mod_dav.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav' - - 'd:$mods-en -> dav.load' + - id: 3500 + title: "Ensure the WebDAV Modules Are Disabled" + description: "The Apache mod_dav and mod_dav_fs modules support WebDAV functionality for Apache, which is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server." + rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls." 
+ remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file." + compliance: + - cis: "2.3" + - cis_csc: "9.1" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_dav.html + - https://httpd.apache.org/docs/2.4/mod/mod_dav.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav' + - 'd:$mods-en -> dav.load' #2.4 Disable Status Module - - id: 3501 - title: "Ensure the Status Module Is Disabled" - description: "The Apache mod_status module provides current server performance statistics." - rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files." - remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file." 
- compliance: - - cis: "2.4" - - cis_csc: "9.1" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_status.html - - https://httpd.apache.org/docs/2.4/mod/mod_status.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus' - - 'd:$mods-en -> status.load' + - id: 3501 + title: "Ensure the Status Module Is Disabled" + description: "The Apache mod_status module provides current server performance statistics." + rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files." + remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file." + compliance: + - cis: "2.4" + - cis_csc: "9.1" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_status.html + - https://httpd.apache.org/docs/2.4/mod/mod_status.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus' + - 'd:$mods-en -> status.load' #2.5 Disable Autoindex Module - - id: 3502 - title: "Ensure the Autoindex Module Is Disabled" - description: "The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated." - rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. 
They may also reveal files that were not intended to be revealed." - remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file." - compliance: - - cis: "2.5" - - cis_csc: "18" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html - - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex' - - 'd:$mods-en -> autoindex.load' + - id: 3502 + title: "Ensure the Autoindex Module Is Disabled" + description: "The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated." + rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed." + remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file." 
+ compliance: + - cis: "2.5" + - cis_csc: "18" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html + - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex' + - 'd:$mods-en -> autoindex.load' #2.6 Disable Proxy Modules - - id: 3503 - title: "Ensure the Proxy Modules Are Disabled" - description: "The Apache proxy modules allow the server to act as a proxy for HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network, the proxy module should not be loaded." - rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended." - remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file." - compliance: - - cis: "2.6" - - cis_csc: "9.1" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html - - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy' - - 'd:$mods-en -> proxy.load' + - id: 3503 + title: "Ensure the Proxy Modules Are Disabled" + description: "The Apache proxy modules allow the server to act as a proxy for HTTP and other protocols with additional proxy modules loaded. 
If the Apache installation is not intended to proxy requests to or from another network, the proxy module should not be loaded." + rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended." + remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file." + compliance: + - cis: "2.6" + - cis_csc: "9.1" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html + - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy' + - 'd:$mods-en -> proxy.load' #2.7 Disable User Directories Modules - - id: 3504 - title: "Ensure the User Directories Module Is Disabled" - description: "The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed." - rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network." - remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file." 
- compliance: - - cis: "2.7" - - cis_csc: "18" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html - - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir' - - 'd:$mods-en -> userdir.load' + - id: 3504 + title: "Ensure the User Directories Module Is Disabled" + description: "The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed." + rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network." + remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file." + compliance: + - cis: "2.7" + - cis_csc: "18" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html + - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir' + - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir' + - 'd:$mods-en -> userdir.load' #2.8 Disable Info Module - - id: 3505 - title: "Ensure the Info Module Is Disabled" - description: "The Apache mod_info module provides information on the server configuration via access to a /server-info URL location." - rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. 
Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules." - remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file." - compliance: - - cis: "2.8" - - cis_csc: "9.1" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_info.html - - https://httpd.apache.org/docs/2.4/mod/mod_info.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo' - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' - - 'd:$mods-en -> info.load' + - id: 3505 + title: "Ensure the Info Module Is Disabled" + description: "The Apache mod_info module provides information on the server configuration via access to a /server-info URL location." + rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules." + remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file." 
+ compliance: + - cis: "2.8" + - cis_csc: "9.1" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_info.html + - https://httpd.apache.org/docs/2.4/mod/mod_info.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' + - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo' + - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' + - 'd:$mods-en -> info.load' #3.2 Give the Apache User Account an Invalid Shell - - id: 3506 - title: "Ensure the Apache User Account Has an Invalid Shell" - description: "The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to log in." - rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system." - remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" - compliance: - - cis: "3.2" - - cis_csc: "16" - condition: all - rules: - - 'f:/etc/passwd -> r:/var/www && r:\.*/bin/false$|/sbin/nologin$' + - id: 3506 + title: "Ensure the Apache User Account Has an Invalid Shell" + description: "The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to log in." + rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system." + remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" + compliance: + - cis: "3.2" + - cis_csc: "16" + condition: all + rules: + - 'f:/etc/passwd -> r:/var/www && r:\.*/bin/false$|/sbin/nologin$' #3.3 Lock the Apache User Account - - id: 3507 - title: "Ensure the Apache User Account Is Locked" - description: "The user account under which Apache runs should not have a valid password, but should be locked." 
- rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password." - remediation: "Use the passwd command to lock the apache account: # passwd -l apache" - compliance: - - cis: "3.3" - - cis_csc: "16" - condition: all - rules: - - 'f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && r:\p!\.*$' + - id: 3507 + title: "Ensure the Apache User Account Is Locked" + description: "The user account under which Apache runs should not have a valid password, but should be locked." + rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password." + remediation: "Use the passwd command to lock the apache account: # passwd -l apache" + compliance: + - cis: "3.3" + - cis_csc: "16" + condition: all + rules: + - 'f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && r:\p!\.*$' #4.4 Restrict Override for All Directories - - id: 3508 - title: "Ensure OverRide Is Disabled for All Directories" - description: "When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files." - rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." 
- remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." - compliance: - - cis: "4.4" - - cis_csc: "14.4" - references: - - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride - - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride - - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' - - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' - - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && r:none$' - - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' + - id: 3508 + title: "Ensure OverRide Is Disabled for All Directories" + description: "When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files." + rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." + remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." 
+ compliance: + - cis: "4.4" + - cis_csc: "14.4" + references: + - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride + - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride + - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' + - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' + - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && r:none$' + - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' #5.3 Minimize Options for Other Directories - - id: 3509 - title: "Ensure Options for Other Directories Are Minimized" - description: "The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation." - rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes." - remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." 
- compliance: - - cis: "5.3" - - cis_csc: "18" - references: - - https://httpd.apache.org/docs/2.2/mod/mod_include.html - - https://httpd.apache.org/docs/2.2/mod/core.html#options - - https://httpd.apache.org/docs/2.4/mod/core.html#options - - https://httpd.apache.org/docs/2.4/mod/mod_include.html - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:options\sincludes' - - 'f:$main-conf -> !r:^# && r:options\sincludes' + - id: 3509 + title: "Ensure Options for Other Directories Are Minimized" + description: "The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation." + rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes." + remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." + compliance: + - cis: "5.3" + - cis_csc: "18" + references: + - https://httpd.apache.org/docs/2.2/mod/mod_include.html + - https://httpd.apache.org/docs/2.2/mod/core.html#options + - https://httpd.apache.org/docs/2.4/mod/core.html#options + - https://httpd.apache.org/docs/2.4/mod/mod_include.html + condition: none + rules: + - 'd:$conf-dirs -> conf -> !r:^# && r:options\sincludes' + - 'f:$main-conf -> !r:^# && r:options\sincludes' #5.4.1 Remove default index.html sites - - id: 3510 - title: "Ensure Default HTML Content Is Removed (index.html)" - description: "Apache installations have default content that is not needed or appropriate for production use. 
The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." - rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." - remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." - compliance: - - cis: "5.4" - - cis_csc: "18.9" - condition: none - rules: - - 'd:/var/www -> index.html' - - 'd:/var/www/html -> index.html' + - id: 3510 + title: "Ensure Default HTML Content Is Removed (index.html)" + description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." + rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." + remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." 
+ compliance: + - cis: "5.4" + - cis_csc: "18.9" + condition: none + rules: + - 'd:/var/www -> index.html' + - 'd:/var/www/html -> index.html' #5.4.2 Remove the Apache user manual - - id: 3511 - title: "Ensure Default HTML Content Is Removed (Apache user manual)" - description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." - rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." - remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." - compliance: - - cis: "5.4" - - cis_csc: "18.9" - condition: none - rules: - - 'd:/etc/httpd/conf.d -> manual.conf' - - 'd:/etc/apache2/conf-enabled -> apache2-doc.conf' + - id: 3511 + title: "Ensure Default HTML Content Is Removed (Apache user manual)" + description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." + rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." 
+ remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." + compliance: + - cis: "5.4" + - cis_csc: "18.9" + condition: none + rules: + - 'd:/etc/httpd/conf.d -> manual.conf' + - 'd:/etc/apache2/conf-enabled -> apache2-doc.conf' #5.4.5 Verify that no Handler is enabled - - id: 3512 - title: "Ensure Default HTML Content Is Removed (Handler)" - description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." - rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." - remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." - compliance: - - cis: "5.4" - - cis_csc: "18.9" - condition: none - rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler' - - 'f:$main-conf -> !r:^# && r:/wsethandler' + - id: 3512 + title: "Ensure Default HTML Content Is Removed (Handler)" + description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." 
+ rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
+ remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
+ compliance:
+ - cis: "5.4"
+ - cis_csc: "18.9"
+ condition: none
+ rules:
+ - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler'
+ - 'f:$main-conf -> !r:^# && r:/wsethandler'
 #5.5 Remove default CGI content printenv
- - id: 3513
- title: "Ensure the Default CGI Content printenv Script Is Removed"
- description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for apache installations is the script printenv that will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths."
- rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
- remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed."
- compliance:
- - cis: "5.5"
- - cis_csc: "18"
- condition: none
- rules:
- - 'd:/var/www/cgi-bin -> printenv'
- - 'd:/usr/lib/cgi-bin -> printenv'
+ - id: 3513
+ title: "Ensure the Default CGI Content printenv Script Is Removed"
+ description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for apache installations is the script printenv that will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths."
+ rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
+ remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed."
+ compliance:
+ - cis: "5.5"
+ - cis_csc: "18"
+ condition: none
+ rules:
+ - 'd:/var/www/cgi-bin -> printenv'
+ - 'd:/usr/lib/cgi-bin -> printenv'
 #5.6 Remove default CGI content test-cgi
- - id: 3514
- title: "Ensure the Default CGI Content test-cgi Script Is Removed"
- description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. 
A common default CGI content for Apache installations is the script test-cgi that will print back to the requester CGI environment variables, which includes many server configuration details."
- rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
- remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. Remove the test-cgi default CGI in the cgi-bin directory if it is installed."
- compliance:
- - cis: "5.6"
- - cis_csc: "18.9"
- condition: none
- rules:
- - 'd:/var/www/cgi-bin -> test-cgi'
- - 'd:/usr/lib/cgi-bin -> test-cgi'
+ - id: 3514
+ title: "Ensure the Default CGI Content test-cgi Script Is Removed"
+ description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi that will print back to the requester CGI environment variables, which includes many server configuration details."
+ rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
+ remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 
Remove the test-cgi default CGI in the cgi-bin directory if it is installed."
+ compliance:
+ - cis: "5.6"
+ - cis_csc: "18.9"
+ condition: none
+ rules:
+ - 'd:/var/www/cgi-bin -> test-cgi'
+ - 'd:/usr/lib/cgi-bin -> test-cgi'
 #5.7 Limit HTTP Request Method
- - id: 3515
- title: "Ensure HTTP Request Methods Are Restricted"
- description: "Use the Apache directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods."
- rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
- remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory."
- compliance:
- - cis: "5.7"
- - cis_csc: "9.1"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
- - https://www.ietf.org/rfc/rfc2616.txt
- - https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept
- condition: all
- rules:
- - 'f:$main-conf -> r:limitexcept && r:get && r:head && r:post && r:options'
+ - id: 3515
+ title: "Ensure HTTP Request Methods Are Restricted"
+ description: "Use the Apache directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods."
+ rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
+ remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory."
+ compliance:
+ - cis: "5.7"
+ - cis_csc: "9.1"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
+ - https://www.ietf.org/rfc/rfc2616.txt
+ - https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept
+ condition: all
+ rules:
+ - 'f:$main-conf -> r:limitexcept && r:get && r:head && r:post && r:options'
 #5.8 Disable HTTP Trace Method
- - id: 3516
- title: "Ensure the HTTP TRACE Method Is Disabled"
- description: "Use the Apache TraceEnable directive to disable the HTTP TRACE request method."
- rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
- remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like or ."
- compliance:
- - cis: "5.8"
- - cis_csc: "9.1"
- references:
- - https://www.ietf.org/rfc/rfc2616.txt
- - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
- - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
- condition: none
- rules:
- - 'f:$traceen -> !r:^# && r:traceenable\s+on\s*$'
+ - id: 3516
+ title: "Ensure the HTTP TRACE Method Is Disabled"
+ description: "Use the Apache TraceEnable directive to disable the HTTP TRACE request method."
+ rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. 
The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
+ remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like or ."
+ compliance:
+ - cis: "5.8"
+ - cis_csc: "9.1"
+ references:
+ - https://www.ietf.org/rfc/rfc2616.txt
+ - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
+ - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
+ condition: none
+ rules:
+ - 'f:$traceen -> !r:^# && r:traceenable\s+on\s*$'
 #5.13 Restrict Listen Directive
- - id: 3519
- title: "Ensure the IP Addresses for Listening for Requests Are Specified"
- description: "The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen on for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified or with an IP address of all zeroes should not be used."
- rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
- remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port."
- compliance:
- - cis: "5.13"
- - cis_csc: "9.1"
- references:
- - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
- - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
- condition: none
- rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s(\d+)$'
- - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
- - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
- - 'f:$main-conf -> !r:^# && r:listen\s(\d+)$'
- - 'f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
- - 'f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
- - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s(\d+)$'
- - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
- - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
- - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s(\d+)$'
- - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
- - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
+ - id: 3519
+ title: "Ensure the IP Addresses for Listening for Requests Are Specified"
+ description: "The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen on for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified or with an IP address of all zeroes should not be used."
+ rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
+ remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. 
Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port."
+ compliance:
+ - cis: "5.13"
+ - cis_csc: "9.1"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
+ - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
+ condition: none
+ rules:
+ - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s(\d+)$'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
+ - 'f:$main-conf -> !r:^# && r:listen\s(\d+)$'
+ - 'f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
+ - 'f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
+ - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s(\d+)$'
+ - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
+ - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
+ - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s(\d+)$'
+ - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
+ - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
 #5.14 Restrict Browser Frame Options
- - id: 3520
- title: "Ensure Browser Framing Is Restricted"
- description: "The Header directive allows server HTTP response headers to be added, replaced, or merged. Use the directive to add a server HTTP response header to tell browsers to restrict all the web pages from being framed by other web sites."
- rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. 
This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
- remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN"
- compliance:
- - cis: "5.14"
- - cis_csc: "18"
- references:
- - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
- - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
- - https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
- - https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
- condition: all
- rules:
- - 'f:$main-conf -> r:header\salways\sappend\sx-frame-options && r:sameorigin|deny'
+ - id: 3520
+ title: "Ensure Browser Framing Is Restricted"
+ description: "The Header directive allows server HTTP response headers to be added, replaced, or merged. Use the directive to add a server HTTP response header to tell browsers to restrict all the web pages from being framed by other web sites."
+ rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
+ remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN"
+ compliance:
+ - cis: "5.14"
+ - cis_csc: "18"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
+ - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
+ - https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
+ - https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
+ condition: all
+ rules:
+ - 'f:$main-conf -> r:header\salways\sappend\sx-frame-options && r:sameorigin|deny'
 #6.1 Configure the Error Log to notice at least
- - id: 3521
- title: "Ensure the Error Log Filename and Severity Level Are Configured Correctly"
- description: "The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log filename. The log level values are the standard syslog levels of emerg , alert , crit , error , warn , notice , info and debug . The recommended level is notice , so that all errors from the emerg level through the notice level will be logged."
- rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
- remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. 
Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site."
- compliance:
- - cis: "6.1"
- - cis_csc: "6.2"
- references:
- - https://httpd.apache.org/docs/2.2/logs.html
- - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
- - https://httpd.apache.org/docs/2.4/logs.html
- - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
- condition: all
- rules:
- - 'f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice'
- - 'not f:$main-conf -> r:loglevel\snotice\score\p && r:info|debug'
+ - id: 3521
+ title: "Ensure the Error Log Filename and Severity Level Are Configured Correctly"
+ description: "The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log filename. The log level values are the standard syslog levels of emerg , alert , crit , error , warn , notice , info and debug . The recommended level is notice , so that all errors from the emerg level through the notice level will be logged."
+ rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
+ remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site."
+ compliance:
+ - cis: "6.1"
+ - cis_csc: "6.2"
+ references:
+ - https://httpd.apache.org/docs/2.2/logs.html
+ - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
+ - https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
+ - https://httpd.apache.org/docs/2.4/logs.html
+ - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
+ - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
+ condition: all
+ rules:
+ - 'f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice'
+ - 'not f:$main-conf -> r:loglevel\snotice\score\p && r:info|debug'
 #6.2 Configure a Syslog facility for Error Log
- - id: 3522
- title: "Ensure a Syslog Facility Is Configured for Error Logging"
- description: "The ErrorLog directive should be configured to send web server error logs to a syslog facility so the logs can be processed and monitored along with the system logs."
- rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
- remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary."
- compliance:
- - cis: "6.2"
- - cis_csc: "6.6"
- references:
- - https://httpd.apache.org/docs/2.2/logs.html
- - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
- - https://httpd.apache.org/docs/2.4/logs.html
- - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
- condition: all
- rules:
- - 'f:$main-conf -> r:errorlog\s+\p*syslog\p\.*\p*'
+ - id: 3522
+ title: "Ensure a Syslog Facility Is Configured for Error Logging"
+ description: "The ErrorLog directive should be configured to send web server error logs to a syslog facility so the logs can be processed and monitored along with the system logs."
+ rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
+ remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary."
+ compliance:
+ - cis: "6.2"
+ - cis_csc: "6.6"
+ references:
+ - https://httpd.apache.org/docs/2.2/logs.html
+ - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
+ - https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
+ - https://httpd.apache.org/docs/2.4/logs.html
+ - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
+ - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
+ condition: all
+ rules:
+ - 'f:$main-conf -> r:errorlog\s+\p*syslog\p\.*\p*'
 #7.6 Disable SSL Insecure Renegotiation
- - id: 3523
- title: "Ensure Insecure SSL Renegotiation Is Not Enabled"
- description: "The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. Enabling this directive also leaves the server vulnerable to man-in-the-middle renegotiation attack, therefore, it should not be enabled."
- rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation."
- remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. 
If the directive is not present, no action is required: SSLInsecureRenegotiation off"
- compliance:
- - cis: "7.6"
- - cis_csc: "14.2"
- references:
- - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
- - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
- - https://azure.microsoft.com/en-us/services/multi-factor-authentication/
- condition: none
- rules:
- - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on'
+ - id: 3523
+ title: "Ensure Insecure SSL Renegotiation Is Not Enabled"
+ description: "The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. Enabling this directive also leaves the server vulnerable to man-in-the-middle renegotiation attack, therefore, it should not be enabled."
+ rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation."
+ remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. 
If the directive is not present, no action is required: SSLInsecureRenegotiation off"
+ compliance:
+ - cis: "7.6"
+ - cis_csc: "14.2"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
+ - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
+ - https://azure.microsoft.com/en-us/services/multi-factor-authentication/
+ condition: none
+ rules:
+ - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on'
 #7.7 Ensure SSL Compression is not enabled
- - id: 3524
- title: "Ensure SSL Compression is Not Enabled"
- description: "The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off."
- rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator."
- remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off."
- compliance:
- - cis: "7.7"
- - cis_csc: "14.2"
- references:
- - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
- - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
- - https://en.wikipedia.org/wiki/CRIME_(security_exploit)
-
- condition: none
- rules:
- - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on'
+ - id: 3524
+ title: "Ensure SSL Compression is Not Enabled"
+ description: "The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. 
It is recommended that the SSLCompression directive be set to off."
+ rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator."
+ remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off."
+ compliance:
+ - cis: "7.7"
+ - cis_csc: "14.2"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
+ - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
+ - https://en.wikipedia.org/wiki/CRIME_(security_exploit)
+
+ condition: none
+ rules:
+ - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on'
 #8.1 Set ServerToken to Prod or ProductOnly
- - id: 3528
- title: "Ensure ServerTokens Provides Minimal Information"
- description: "Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly."
- rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically."
- remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
- compliance:
- - cis: "8.1"
- - cis_csc: "18.9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
- condition: none
- rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major'
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor'
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min'
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal'
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os'
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full'
+ - id: 3528
+ title: "Ensure ServerTokens Provides Minimal Information"
+ description: "Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly."
+ rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically."
+ remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
+ compliance:
+ - cis: "8.1"
+ - cis_csc: "18.9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
+ condition: none
+ rules:
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full'
 #8.2: Set ServerSignature to Off
- - id: 3529
- title: "Ensure ServerSignature Is Not Enabled"
- description: "Disable the server signatures, which is the generation of a signature line as a trailing footer at the bottom of server-generated documents such as error pages."
- rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information."
- remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
- compliance:
- - cis: "8.2"
- - cis_csc: "18"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
- - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
- condition: none
- rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email'
- - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on'
+ - id: 3529
+ title: "Ensure ServerSignature Is Not Enabled"
+ description: "Disable the server signatures, which is the generation of a signature line as a trailing footer at the bottom of server-generated documents such as error pages."
+ rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information."
+ remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
+ compliance:
+ - cis: "8.2"
+ - cis_csc: "18"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
+ - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
+ condition: none
+ rules:
+ - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on'
 #8.3: Prevent Information Leakage via Default Apache Content
- - id: 3530
- title: "Ensure All Default Apache Content Is Removed"
- description: "If you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server."
- rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
- remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out."
- compliance:
- - cis: "8.4"
- - cis_csc: "18.9"
- condition: none
- rules:
- - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf'
- - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*'
+ - id: 3530
+ title: "Ensure All Default Apache Content Is Removed"
+ description: "If you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server."
+ rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
+ remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out."
+ compliance:
+ - cis: "8.4"
+ - cis_csc: "18.9"
+ condition: none
+ rules:
+ - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf'
+ - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*'
 #9.1:Set TimeOut to 10 or less
- - id: 3531
- title: "Ensure the TimeOut Is Set Properly"
- description: "The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less."
- rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
- remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less."
- compliance:
- - cis: "9.1"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#timeout
- - https://httpd.apache.org/docs/2.4/mod/core.html#timeout
- condition: all
- rules:
- - 'f:$main-conf -> !r:^# && n:timeout\s+(\d+) compare <= 10'
+ - id: 3531
+ title: "Ensure the TimeOut Is Set Properly"
+ description: "The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less."
+ rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
+ remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less."
+ compliance:
+ - cis: "9.1"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#timeout
+ - https://httpd.apache.org/docs/2.4/mod/core.html#timeout
+ condition: all
+ rules:
+ - 'f:$main-conf -> !r:^# && n:timeout\s+(\d+) compare <= 10'
 #9.2:Set the KeepAlive directive to On
- - id: 3532
- title: "Ensure KeepAlive Is Enabled"
- description: "The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On."
- rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
- remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On."
- compliance:
- - cis: "9.2"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
- - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
- condition: none
- rules:
- - 'f:$main-conf -> !r:^# && r:keepalive\s+off'
+ - id: 3532
+ title: "Ensure KeepAlive Is Enabled"
+ description: "The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On."
+ rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
+ remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On."
+ compliance:
+ - cis: "9.2"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
+ - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
+ condition: none
+ rules:
+ - 'f:$main-conf -> !r:^# && r:keepalive\s+off'
 #9.3:Set MaxKeepAliveRequests to 100 or greater
- - id: 3533
- title: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater."
- description: "Set MaxKeepAliveRequest to 100 or greater"
- rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks."
- remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more."
- compliance:
- - cis: "9.3"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests
- - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
- condition: all
- rules:
- - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare >= 100'
+ - id: 3533
+ title: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater."
+ description: "Set MaxKeepAliveRequest to 100 or greater"
+ rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks."
+ remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more."
+ compliance:
+ - cis: "9.3"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests
+ - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
+ condition: all
+ rules:
+ - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare >= 100'
 #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service
- - id: 3534
- title: "Ensure the KeepAliveTimeout Is Set Properly"
- description: "The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive."
- rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks."
- remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less."
- compliance:
- - cis: "9.4"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout
- - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
- condition: all
- rules:
- - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15'
+ - id: 3534
+ title: "Ensure the KeepAliveTimeout Is Set Properly"
+ description: "The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive."
+ rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks."
+ remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less."
+ compliance:
+ - cis: "9.4"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout
+ - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
+ condition: all
+ rules:
+ - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15'
 #9.5 Set Timeout Limits for Request Headers
- - id: 3535
- title: "Ensure Timeout Limits for Request Headers Are Set Properly"
- description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate."
- rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies."
- remediation: "Load the mod_requesttimeout module in the Apache configuration. 
Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less."
- compliance:
- - cis: "9.5"
- - cis_csc: "9"
- references:
- - https://ha.ckers.org/slowloris/
- - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
- - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
- - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
- condition: all
- rules:
- - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout'
- - 'd:$mods-en -> f:reqtimeout.load'
- - 'f:$request-confs -> n:^\t*\s*requestreadtimeout\.+header\p(\d+) compare <= 40'
+ - id: 3535
+ title: "Ensure Timeout Limits for Request Headers Are Set Properly"
+ description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate."
+ rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies."
+ remediation: "Load the mod_requesttimeout module in the Apache configuration. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less."
+ compliance:
+ - cis: "9.5"
+ - cis_csc: "9"
+ references:
+ - https://ha.ckers.org/slowloris/
+ - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
+ - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
+ - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
+ condition: all
+ rules:
+ - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout'
+ - 'd:$mods-en -> f:reqtimeout.load'
+ - 'f:$request-confs -> n:^\t*\s*requestreadtimeout\.+header\p(\d+) compare <= 40'
 #9.6 Set Timeout Limits for Request Body
- - id: 3536
- title: "Ensure Timeout Limits for the Request Body Are Set Properly"
- description: "The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate."
- rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks."
- remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less."
- compliance:
- - cis: "9.6"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
- - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
- condition: all
- rules:
- - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout'
- - 'd:$mods-en -> f:reqtimeout.load'
- - 'f:$request-confs -> n:\t*\s*requestreadtimeout\.+body\p(\d+) compare <= 20'
+ - id: 3536
+ title: "Ensure Timeout Limits for the Request Body Are Set Properly"
+ description: "The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate."
+ rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks."
+ remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less."
+ compliance:
+ - cis: "9.6"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
+ - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
+ condition: all
+ rules:
+ - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout'
+ - 'd:$mods-en -> f:reqtimeout.load'
+ - 'f:$request-confs -> n:\t*\s*requestreadtimeout\.+body\p(\d+) compare <= 20'
 #10.1 Set the LimitRequestLine directive to 512 or less
- - id: 3537
- title: "Ensure the Maximum Request Line Length Is Set Properly"
- description: "The LimitRequestLine directive sets the maximum number of bytes that Apache will read for each line of an HTTP request. It is recommended that the LimitRequestLine be set to 512 or less."
- rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
- remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less."
- compliance:
- - cis: "10.1"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline
- - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
- condition: all
- rules:
- - 'f:$main-conf -> n:^limitrequestline\s+(\d+) compare <= 512'
+ - id: 3537
+ title: "Ensure the Maximum Request Line Length Is Set Properly"
+ description: "The LimitRequestLine directive sets the maximum number of bytes that Apache will read for each line of an HTTP request. It is recommended that the LimitRequestLine be set to 512 or less."
+ rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
+ remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less."
+ compliance:
+ - cis: "10.1"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline
+ - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
+ condition: all
+ rules:
+ - 'f:$main-conf -> n:^limitrequestline\s+(\d+) compare <= 512'
 #10.2 Set the LimitRequestFields directive to 100 or less
- - id: 3538
- title: "Ensure the Maximum Request Headers Per Request Is Set Properly"
- description: "The LimitRequestFields directive sets the maximum limit on the number of HTTP request headers allowed per request. It is recommended that the LimitRequestFields directive be set to 100 or less."
- rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
- remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100."
- compliance:
- - cis: "10.2"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
- - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
- condition: all
- rules:
- - 'f:$main-conf -> n:^limitrequestfields\s(\d+) compare <= 100'
+ - id: 3538
+ title: "Ensure the Maximum Request Headers Per Request Is Set Properly"
+ description: "The LimitRequestFields directive sets the maximum limit on the number of HTTP request headers allowed per request. It is recommended that the LimitRequestFields directive be set to 100 or less."
+ rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
+ remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100."
+ compliance:
+ - cis: "10.2"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
+ - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
+ condition: all
+ rules:
+ - 'f:$main-conf -> n:^limitrequestfields\s(\d+) compare <= 100'
 #10.3 Set the LimitRequestFieldsize directive to 1024 or less
- - id: 3539
- title: "Ensure the Maximum Request Header Field Size Is Set Properly"
- description: "The LimitRequestFieldSize directive sets the maximum size of an HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less."
- rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
- remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less."
- compliance:
- - cis: "10.3"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
- - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
- condition: all
- rules:
- - 'f:$main-conf -> n:^limitrequestfieldsize\s+(\d+) compare <= 1024'
+ - id: 3539
+ title: "Ensure the Maximum Request Header Field Size Is Set Properly"
+ description: "The LimitRequestFieldSize directive sets the maximum size of an HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less."
+ rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
+ remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less."
+ compliance:
+ - cis: "10.3"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
+ - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
+ condition: all
+ rules:
+ - 'f:$main-conf -> n:^limitrequestfieldsize\s+(\d+) compare <= 1024'
 #10.4 Set the LimitRequestBody directive to 102400 or less
- - id: 3540
- title: "Ensure the Maximum Request Body Size Is Set Properly"
- description: "The LimitRequestBody directive sets the maximum size of an HTTP request body. It is recommended that the LimitRequestBody directive be set to 102400 or less."
- rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
- remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server."
- compliance:
- - cis: "10.4"
- - cis_csc: "9"
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
- - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
- condition: all
- rules:
- - 'f:$main-conf -> n:^limitrequestbody\s+(\d+) compare <= 102400'
+ - id: 3540
+ title: "Ensure the Maximum Request Body Size Is Set Properly"
+ description: "The LimitRequestBody directive sets the maximum size of an HTTP request body. It is recommended that the LimitRequestBody directive be set to 102400 or less."
+ rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
+ remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server."
+ compliance:
+ - cis: "10.4"
+ - cis_csc: "9"
+ references:
+ - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
+ - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
+ condition: all
+ rules:
+ - 'f:$main-conf -> n:^limitrequestbody\s+(\d+) compare <= 102400'
diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml
index 38fb917ad..89a0f1fe4 100644
--- a/sca/applications/cis_mysql5-6_community_rcl.yml
+++ b/sca/applications/cis_mysql5-6_community_rcl.yml
@@ -32,263 +32,263 @@ variables:
 checks:
 #1 Operating System Level Configuration
- - id: 4500
- title: "Disable MySQL Command History"
- description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
- rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
- remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
- compliance:
- - cis: "1.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
- - https://bugs.mysql.com/bug.php?id=72158
- condition: none
- rules:
- - 'd:$home_dirs -> ^.mysql_history$'
+ - id: 4500
+ title: "Disable MySQL Command History"
+ description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
+ rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
+ remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
+ compliance:
+ - cis: "1.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
+ - https://bugs.mysql.com/bug.php?id=72158
+ condition: none
+ rules:
+ - 'd:$home_dirs -> ^.mysql_history$'
- - id: 4501
- title: "Disable Interactive Login"
- description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
- rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
- remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
- compliance:
- - cis: "1.5"
- condition: all
- rules:
- - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$'
+ - id: 4501
+ title: "Disable Interactive Login"
+ description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
+ rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
+ remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
+ compliance:
+ - cis: "1.5"
+ condition: all
+ rules:
+ - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$'
- - id: 4502
- title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
- description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
- rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
- remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
- compliance:
- - cis: "1.6"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
- condition: none
- rules:
- - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*'
+ - id: 4502
+ title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
+ description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
+ rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
+ remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
+ compliance:
+ - cis: "1.6"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
+ condition: none
+ rules:
+ - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*'
 #4 General
- - id: 4503
- title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
- description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
- rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
- remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
- compliance:
- - cis: "4.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
- condition: none
- rules:
- - 'f:$mysql-cnfs -> r:allow-suspicious-udfs'
+ - id: 4503
+ title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
+ description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
+ rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
+ remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
+ compliance:
+ - cis: "4.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> r:allow-suspicious-udfs'
- - id: 4504
- title: "Ensure 'local_infile is Disabled"
- description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
- rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
- remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
- compliance:
- - cis: "4.4"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
- - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$'
+ - id: 4504
+ title: "Ensure 'local_infile is Disabled"
+ description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
+ rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
+ remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+ compliance:
+ - cis: "4.4"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
+ - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$'
- - id: 4505
- title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
- description: "This option causes mysqld to start without using the privilege system."
- rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
- remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
- compliance:
- - cis: "4.5"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false'
+ - id: 4505
+ title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
+ description: "This option causes mysqld to start without using the privilege system."
+ rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
+ remediation: "Open the MySQL configuration (e.g. 
my.cnf) file and set: skip-grant-tables = FALSE"
+ compliance:
+ - cis: "4.5"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false'
- - id: 4506
- title: "Ensure '--skip-symbolic-links' Is Enabled"
- description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
- rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
- remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
- compliance:
- - cis: "4.6"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes'
+ - id: 4506
+ title: "Ensure '--skip-symbolic-links' Is Enabled"
+ description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
+ rationale: "Prevents sym links being used for data base files. 
This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
+ remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
+ compliance:
+ - cis: "4.6"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes'
- - id: 4507
- title: "Ensure 'secure_file_priv' is not empty"
- description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
- rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
- remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
- compliance:
- - cis: "4.8"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*'
+ - id: 4507
+ title: "Ensure 'secure_file_priv' is not empty"
+ description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
+ rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. 
"
+ remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+ compliance:
+ - cis: "4.8"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*'
- - id: 4508
- title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
- description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
- rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
- remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
- compliance:
- - cis: "4.9"
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:strict_all_tables'
+ - id: 4508
+ title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
+ description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
+ rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. 
"
+ remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
+ compliance:
+ - cis: "4.9"
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:strict_all_tables'
 #6 Auditing and Logging
- - id: 4509
- title: "Ensure 'log_error' is not empty"
- description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
- rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
- remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
- compliance:
- - cis: "6.1"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*'
+ - id: 4509
+ title: "Ensure 'log_error' is not empty"
+ description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
+ rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
+ remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
+ compliance:
+ - cis: "6.1"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*'
- - id: 4510
- title: "Ensure Log Files are not Stored on a non-system partition"
- description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
- rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
- remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
- compliance:
- - cis: "6.2"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
- - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
+ - id: 4510
+ title: "Ensure Log Files are not Stored on a non-system partition"
+ description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
+ rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
+ remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
+ compliance:
+ - cis: "6.2"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
+ - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
- - id: 4511
- title: "Ensure 'log_warning' is set to 2"
- description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
- rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
- remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
- compliance:
- - cis: "6.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2'
+ - id: 4511
+ title: "Ensure 'log_warning' is set to 2"
+ description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
+ rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
+ remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
+ compliance:
+ - cis: "6.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2'
- - id: 4512
- title: "Ensure 'log_raw' is set to 'OFF'"
- description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
- rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
- remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
- compliance:
- - cis: "6.4"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$'
+ - id: 4512
+ title: "Ensure 'log_raw' is set to 'OFF'"
+ description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
+ rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
+ remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
+ compliance:
+ - cis: "6.4"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$'
 #7 Authentication
- - id: 4513
- title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
- description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
- rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
- remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
- compliance:
- - cis: "7.1"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
- - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
- - https://www.cvedetails.com/cve/CVE-2003-1480/
- condition: none
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1'
- - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on'
+ - id: 4513
+ title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
+ description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). 
As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
+ rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
+ remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
+ compliance:
+ - cis: "7.1"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
+ - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
+ - https://www.cvedetails.com/cve/CVE-2003-1480/
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1'
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on'
- - id: 4514
- title: "Ensure 'secure_auth' is set to 'ON'"
- description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
- rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
- remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
- compliance:
- - cis: "7.2"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'
+ - id: 4514
+ title: "Ensure 'secure_auth' is set to 'ON'"
+ description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
+ rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
+ remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
+ compliance:
+ - cis: "7.2"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'
- - id: 4515
- title: "Ensure Passwords Are Not Stored in the Global Configuration"
- description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
- rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
- remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
- compliance:
- - cis: "7.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
- condition: none
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*'
+ - id: 4515
+ title: "Ensure Passwords Are Not Stored in the Global Configuration"
+ description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
+ rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
+ remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. 
"
+ compliance:
+ - cis: "7.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*'
- - id: 4516
- title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
- description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
- rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
- remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
- compliance:
- - cis: "7.4"
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$'
+ - id: 4516
+ title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
+ description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
+ rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
+ remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
+ compliance:
+ - cis: "7.4"
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$'
- - id: 4517
- title: "Ensure Password Policy is in Place"
- description: "Password complexity includes password characteristics such as length, case, length, and character sets."
- rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. 
This recommendation prevents users from choosing weak passwords which can easily be guessed."
- remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
- compliance:
- - cis: "7.6"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
- condition: none
- rules:
- - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$'
- - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$'
- - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$'
- - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$'
- - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$'
- - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1'
- - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*'
+ - id: 4517
+ title: "Ensure Password Policy is in Place"
+ description: "Password complexity includes password characteristics such as length, case, length, and character sets."
+ rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
+ remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
+ compliance:
+ - cis: "7.6"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$'
+ - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$'
+ - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$'
+ - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$'
+ - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$'
+ - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1'
+ - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*'
 #9 Replication
- - id: 4518
- title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
- description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
- rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
- remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
- compliance:
- - cis: "9.2"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table'
+ - id: 4518
+ title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
+ description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
+ rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
+ remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
+ compliance:
+ - cis: "9.2"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table'
diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml
index b8100e70a..dc83403f5 100644
--- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml
+++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml
@@ -32,341 +32,341 @@ variables:
 checks:
 #1 Operating System Level Configuration
- - id: 4500
- title: "Disable MySQL Command History"
- description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
- rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
- remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
- compliance:
- - cis: "1.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
- - https://bugs.mysql.com/bug.php?id=72158
- condition: none
- rules:
- - 'd:$home_dirs -> ^.mysql_history$'
+ - id: 4500
+ title: "Disable MySQL Command History"
+ description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
+ rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
+ remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
+ compliance:
+ - cis: "1.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
+ - https://bugs.mysql.com/bug.php?id=72158
+ condition: none
+ rules:
+ - 'd:$home_dirs -> ^.mysql_history$'
- - id: 4501
- title: "Disable Interactive Login"
- description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
- rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
- remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
- compliance:
- - cis: "1.5"
- condition: all
- rules:
- - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$'
+ - id: 4501
+ title: "Disable Interactive Login"
+ description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
+ rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
+ remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
+ compliance:
+ - cis: "1.5"
+ condition: all
+ rules:
+ - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$'
- - id: 4502
- title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
- description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
- rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
- remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
- compliance:
- - cis: "1.6"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
- condition: none
- rules:
- - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*'
+ - id: 4502
+ title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
+ description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
+ rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
+ remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
+ compliance:
+ - cis: "1.6"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
+ condition: none
+ rules:
+ - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*'
 #4 General
- - id: 4503
- title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
- description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
- rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
- remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
- compliance:
- - cis: "4.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
- condition: none
- rules:
- - 'f:$mysql-cnfs -> r:allow-suspicious-udfs'
+ - id: 4503
+ title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
+ description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
+ rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
+ remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
+ compliance:
+ - cis: "4.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> r:allow-suspicious-udfs'
- - id: 4504
- title: "Ensure 'local_infile is Disabled"
- description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
- rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
- remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
- compliance:
- - cis: "4.4"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
- - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$'
+ - id: 4504
+ title: "Ensure 'local_infile is Disabled"
+ description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
+ rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
+ remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+ compliance:
+ - cis: "4.4"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
+ - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$'
- - id: 4505
- title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
- description: "This option causes mysqld to start without using the privilege system."
- rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
- remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
- compliance:
- - cis: "4.5"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false'
+ - id: 4505
+ title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
+ description: "This option causes mysqld to start without using the privilege system."
+ rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
+ remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
+ compliance:
+ - cis: "4.5"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false'
- - id: 4506
- title: "Ensure '--skip-symbolic-links' Is Enabled"
- description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
- rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
- remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
- compliance:
- - cis: "4.6"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes'
+ - id: 4506
+ title: "Ensure '--skip-symbolic-links' Is Enabled"
+ description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
+ rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
+ remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
+ compliance:
+ - cis: "4.6"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes'
- - id: 4507
- title: "Ensure 'secure_file_priv' is not empty"
- description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
- rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
- remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
- compliance:
- - cis: "4.8"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*'
+ - id: 4507
+ title: "Ensure 'secure_file_priv' is not empty"
+ description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
+ rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
+ remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
+ compliance:
+ - cis: "4.8"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*'
- - id: 4508
- title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
- description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
- rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
- remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
- compliance:
- - cis: "4.9"
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:strict_all_tables'
+ - id: 4508
+ title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
+ description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
+ rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
+ remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
+ compliance:
+ - cis: "4.9"
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:strict_all_tables'
 #6 Auditing and Logging
- - id: 4509
- title: "Ensure 'log_error' is not empty"
- description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
- rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
- remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
- compliance:
- - cis: "6.1"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*'
+ - id: 4509
+ title: "Ensure 'log_error' is not empty"
+ description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
+ rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
+ remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
+ compliance:
+ - cis: "6.1"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*'
- - id: 4510
- title: "Ensure Log Files are not Stored on a non-system partition"
- description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
- rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
- remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
- compliance:
- - cis: "6.2"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
- - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
+ - id: 4510
+ title: "Ensure Log Files are not Stored on a non-system partition"
+ description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
+ rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
+ remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
+ compliance:
+ - cis: "6.2"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
+ - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
- - id: 4511
- title: "Ensure 'log_warning' is set to 2"
- description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
- rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
- remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
- compliance:
- - cis: "6.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2'
+ - id: 4511
+ title: "Ensure 'log_warning' is set to 2"
+ description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
+ rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
+ remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
+ compliance:
+ - cis: "6.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2'
- - id: 4512
- title: "Ensure 'log_raw' is set to 'OFF'"
- description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
- rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
- remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
- compliance:
- - cis: "6.4"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$'
+ - id: 4512
+ title: "Ensure 'log_raw' is set to 'OFF'"
+ description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
+ rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
+ remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
+ compliance:
+ - cis: "6.4"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$'
 #7 Authentication
- - id: 4513
- title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
- description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
- rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
- remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
- compliance:
- - cis: "7.1"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
- - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
- - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
- - https://www.cvedetails.com/cve/CVE-2003-1480/
- condition: none
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1'
- - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on'
+ - id: 4513
+ title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
+ description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
+ rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
+ remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
+ compliance:
+ - cis: "7.1"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
+ - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
+ - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_old_passwords
+ - https://www.cvedetails.com/cve/CVE-2003-1480/
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1'
+ - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on'
- - id: 4514
- title: "Ensure 'secure_auth' is set to 'ON'"
- description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
- rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
- remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
- compliance:
- - cis: "7.2"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'
+ - id: 4514
+ title: "Ensure 'secure_auth' is set to 'ON'"
+ description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
+ rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
+ remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
+ compliance:
+ - cis: "7.2"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on'
- - id: 4515
- title: "Ensure Passwords Are Not Stored in the Global Configuration"
- description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
- rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
- remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
- compliance:
- - cis: "7.3"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
- condition: none
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*'
+ - id: 4515
+ title: "Ensure Passwords Are Not Stored in the Global Configuration"
+ description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
+ rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
+ remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
+ compliance:
+ - cis: "7.3"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*'
- - id: 4516
- title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
- description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
- rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
- remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
- compliance:
- - cis: "7.4"
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$'
+ - id: 4516
+ title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
+ description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
+ rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
+ remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
+ compliance:
+ - cis: "7.4"
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$'
- - id: 4517
- title: "Ensure Password Policy is in Place"
- description: "Password complexity includes password characteristics such as length, case, length, and character sets."
- rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
- remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
- compliance:
- - cis: "7.6"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
- condition: none
- rules:
- - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$'
- - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$'
- - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$'
- - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$'
- - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$'
- - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1'
- - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*'
+ - id: 4517
+ title: "Ensure Password Policy is in Place"
+ description: "Password complexity includes password characteristics such as length, case, length, and character sets."
+ rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
+ remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
+ compliance:
+ - cis: "7.6"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$'
+ - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$'
+ - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$'
+ - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$'
+ - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$'
+ - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1'
+ - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*'
 #9 Replication
- - id: 4518
- title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
- description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
- rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
- remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
- compliance:
- - cis: "9.2"
- references:
- - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
- condition: all
- rules:
- - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table'
+ - id: 4518
+ title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
+ description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
+ rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
+ remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
+ compliance:
+ - cis: "9.2"
+ references:
+ - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table'
 #10 Enterprise rules
- - id: 4519
- title: "Ensure audit_log_connection_policy is not set to 'NONE'"
- description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. "
- rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation."
- remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file."
- compliance:
- - cis: "6.5"
- condition: none
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r::audit_log_connection_policy\s*=\s*none'
+ - id: 4519
+ title: "Ensure audit_log_connection_policy is not set to 'NONE'"
+ description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. "
+ rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation."
+ remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file."
+ compliance:
+ - cis: "6.5"
+ condition: none
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r::audit_log_connection_policy\s*=\s*none'
- - id: 4520
- title: "Ensure audit_log_exclude_account is set to NULL"
- description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log."
- rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable."
- remediation: "Set audit_log_exclude_accounts=NULL in my.cnf."
- compliance:
- - cis: "6.6"
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$'
+ - id: 4520
+ title: "Ensure audit_log_exclude_account is set to NULL"
+ description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log."
+ rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable."
+ remediation: "Set audit_log_exclude_accounts=NULL in my.cnf."
+ compliance:
+ - cis: "6.6"
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$'
- - id: 4521
- title: "Ensure audit_log_include_accounts is set to NULL"
- description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log."
- rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
- remediation: "Set audit_log_include_accounts=NULL in my.cnf."
- compliance:
- - cis: "6.7"
- condition: all
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$'
+ - id: 4521
+ title: "Ensure audit_log_include_accounts is set to NULL"
+ description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log."
+ rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
+ remediation: "Set audit_log_include_accounts=NULL in my.cnf."
+ compliance:
+ - cis: "6.7"
+ condition: all
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$'
- - id: 4522
- title: "Ensure audit_log_policy is set to log logins and connections"
- description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled. It must be set to log logins and connections."
- rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
- remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';"
- compliance:
- - cis: "6.9"
- condition: any
- rules:
- - 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy=ALL'
+ - id: 4522
+ title: "Ensure audit_log_policy is set to log logins and connections"
+ description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled. It must be set to log logins and connections."
+ rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
+ remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';"
+ compliance:
+ - cis: "6.9"
+ condition: any
+ rules:
+ - 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy=ALL'
- - id: 4523
- title: "Ensure audit_log_statement_policy is set to ALL"
- description: "This setting controls whether statements are written to the audit log."
- rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log."
- remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server." - compliance: - - cis: "6.10" - condition: all - rules: - - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*all$' + - id: 4523 + title: "Ensure audit_log_statement_policy is set to ALL" + description: "This setting controls whether statements are written to the audit log." + rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log." + remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server." + compliance: + - cis: "6.10" + condition: all + rules: + - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*all$' - - id: 4524 - title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS" - description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS." - rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead." - remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)." - compliance: - - cis: "6.11" - condition: all - rules: - - 'f:$mysql-cnfs -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous' + - id: 4524 + title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS" + description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS." + rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead." + remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)." 
+ compliance: + - cis: "6.11" + condition: all + rules: + - 'f:$mysql-cnfs -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous' - - id: 4525 - title: "Make sure the audit plugin can't be unloaded" - description: "Set audit_log to FORCE_PLUS_PERMANENT." - rationale: "This makes disables unloading on the plugin." - remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)." - compliance: - - cis: "6.12" - condition: all - rules: - - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent' + - id: 4525 + title: "Make sure the audit plugin can't be unloaded" + description: "Set audit_log to FORCE_PLUS_PERMANENT." + rationale: "This makes disables unloading on the plugin." + remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)." + compliance: + - cis: "6.12" + condition: all + rules: + - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent' diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index f45a4235f..92e77ec97 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml 
@@ -29,426 +29,426 @@ requirements: checks: # 1.1 Verify all Apple provided software is current (Scored) - - id: 3000 - title: "Verify all Apple provided software is current (Scored)" - description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update." - rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." - remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" - compliance: - - cis: "1.1" - condition: all - rules: - - 'c:softwareupdate -l -> r:No new software available' + - id: 3000 + title: "Verify all Apple provided software is current (Scored)" + description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update." + rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." + remediation: "1. In Terminal, run the following: softwareupdate -l 2. 
In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" + compliance: + - cis: "1.1" + condition: all + rules: + - 'c:softwareupdate -l -> r:No new software available' # 1.2 Enable Auto Update (Scored) - - id: 3001 - title: "Enable Auto Update (Scored)" - description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur." - rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." - remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" - compliance: - - cis: "1.2" - references: - - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ - condition: all - rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' + - id: 3001 + title: "Enable Auto Update (Scored)" + description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur." + rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." 
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" + compliance: + - cis: "1.2" + references: + - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ + - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ + condition: all + rules: + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' # 1.3 Enable app update installs (Scored) - - id: 3002 - title: "Enable app update installs (Scored)" - description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users." - rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" - remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." - compliance: - - cis: "1.3" - condition: all - rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1' + - id: 3002 + title: "Enable app update installs (Scored)" + description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users." + rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" + remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. 
Please note that." + compliance: + - cis: "1.3" + condition: all + rules: + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1' # 1.4 Enable system data files and security update installs (Scored) - - id: 3003 - title: "Enable system data files and security update installs (Scored)" - description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights." - rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" - remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" - compliance: - - cis: "1.4" - references: - - https://www.thesafemac.com/tag/xprotect/ - - https://support.apple.com/en-us/HT202491 - condition: all - rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1' - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1' + - id: 3003 + title: "Enable system data files and security update installs (Scored)" + description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights." 
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" + remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" + compliance: + - cis: "1.4" + references: + - https://www.thesafemac.com/tag/xprotect/ + - https://support.apple.com/en-us/HT202491 + condition: all + rules: + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1' # 1.5 Enable OS X update installs (Scored) - - id: 3004 - title: "Enable OS X update installs (Scored)" - description: "Ensure that OS X updates are installed after they are available from Apple. This setting enables OS X updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off." 
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" - remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" - compliance: - - cis: "1.5" - condition: all - rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1' + - id: 3004 + title: "Enable OS X update installs (Scored)" + description: "Ensure that OS X updates are installed after they are available from Apple. This setting enables OS X updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off." 
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" + remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" + compliance: + - cis: "1.5" + condition: all + rules: + - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1' # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored) - - id: 3005 - title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)" - description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable." - rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device." - remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open." - compliance: - - cis: "2.1.2" - condition: all - rules: - - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off' + - id: 3005 + title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)" + description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. 
Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable." + rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device." + remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open." + compliance: + - cis: "2.1.2" + condition: all + rules: + - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off' # 2.2.1 Enable "Set time and date automatically" (Not Scored) - - id: 3006 - title: "Enable \"Set time and date automatically\" (Not Scored)" - description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Apple's automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. Turning on \"Set time and date automatically\" allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting." - rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." 
- remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" - compliance: - - cis: "2.2.1" - condition: all - rules: - - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' + - id: 3006 + title: "Enable \"Set time and date automatically\" (Not Scored)" + description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Apple's automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. Turning on \"Set time and date automatically\" allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting." + rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." + remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" + compliance: + - cis: "2.2.1" + condition: all + rules: + - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' # 2.2.3 Restrict NTP server to loopback interface (Scored) - - id: 3007 - title: "Restrict NTP server to loopback interface (Scored)" - description: "The Apple System Preference setting to \"Set date and time automatically\" enables both an NTP client that can synchronize the time from known time server(s) and an open listening NTP server that can be used by any other computer that can connect to port 123 on the time syncing computer. This open listening service can allow for both exploits of future NTP vulnerabilities and allow for open ports that can be used for fingerprinting to target exploits. Access to this port should be restricted. 
Editing the /etc/ntp-restrict.conf file by adding a control on the loopback interface limits external access." - rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." - remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo" - compliance: - - cis: "2.2.3" - condition: all - rules: - - 'f:/etc/ntp-restrict.conf -> r:restrict lo' + - id: 3007 + title: "Restrict NTP server to loopback interface (Scored)" + description: "The Apple System Preference setting to \"Set date and time automatically\" enables both an NTP client that can synchronize the time from known time server(s) and an open listening NTP server that can be used by any other computer that can connect to port 123 on the time syncing computer. This open listening service can allow for both exploits of future NTP vulnerabilities and allow for open ports that can be used for fingerprinting to target exploits. Access to this port should be restricted. Editing the /etc/ntp-restrict.conf file by adding a control on the loopback interface limits external access." + rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." + remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo" + compliance: + - cis: "2.2.3" + condition: all + rules: + - 'f:/etc/ntp-restrict.conf -> r:restrict lo' # 2.4.1 Disable Remote Apple Events (Scored) - - id: 3008 - title: "Disable Remote Apple Events (Scored)" - description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer." 
- rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." - remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" - compliance: - - cis: "2.4.1" - condition: all - rules: - - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' + - id: 3008 + title: "Disable Remote Apple Events (Scored)" + description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer." + rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." + remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" + compliance: + - cis: "2.4.1" + condition: all + rules: + - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' # 2.4.4 Disable Printer Sharing (Scored) - - id: 3009 - title: "Disable Printer Sharing (Scored)" - description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." - rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." - remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" - compliance: - - cis: "2.4.4" - condition: none - rules: - - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' + - id: 3009 + title: "Disable Printer Sharing (Scored)" + description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." 
+ rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." + remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" + compliance: + - cis: "2.4.4" + condition: none + rules: + - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' # 2.4.5 Disable Remote Login (Scored) - - id: 3010 - title: "Disable Remote Login (Scored)" - description: "Remote Login allows an interactive terminal connection to a computer." - rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers." - remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" - compliance: - - cis: "2.4.5" - condition: all - rules: - - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' + - id: 3010 + title: "Disable Remote Login (Scored)" + description: "Remote Login allows an interactive terminal connection to a computer." + rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers." 
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" + compliance: + - cis: "2.4.5" + condition: all + rules: + - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' # 2.4.8 Disable File Sharing (Scored) - - id: 3011 - title: "Disable File Sharing (Scored)" - description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" - rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." - remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" - compliance: - - cis: "2.4.8" - condition: none - rules: - - 'c:launchctl list -> r:AppleFileServer' + - id: 3011 + title: "Disable File Sharing (Scored)" + description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" + rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." 
+ remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" + compliance: + - cis: "2.4.8" + condition: none + rules: + - 'c:launchctl list -> r:AppleFileServer' # 2.5.1 Disable "Wake for network access" (Scored) - - id: 3012 - title: "Disable \"Wake for network access\" (Scored)" - description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode" - rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." - remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." - compliance: - - cis: "2.5.1" - condition: none - rules: - - 'c:pmset -c -g -> r:womp && !r:0' - - 'c:pmset -b -g -> r:womp && !r:0' + - id: 3012 + title: "Disable \"Wake for network access\" (Scored)" + description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode" + rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." + remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." 
+ compliance: + - cis: "2.5.1" + condition: none + rules: + - 'c:pmset -c -g -> r:womp && !r:0' + - 'c:pmset -b -g -> r:womp && !r:0' # 2.6.1 Enable FileVault (Scored) - - id: 3013 - title: "Enable FileVault (Scored)" - description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it." - rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." - remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" - compliance: - - cis: "2.6.1" - condition: all - rules: - - 'c:diskutil cs list -> r:Encryption Status && r:Unlocked' - - 'c:diskutil cs list -> r:Encryption Type && r:AES-XTS' + - id: 3013 + title: "Enable FileVault (Scored)" + description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it." + rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." + remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" + compliance: + - cis: "2.6.1" + condition: all + rules: + - 'c:diskutil cs list -> r:Encryption Status && r:Unlocked' + - 'c:diskutil cs list -> r:Encryption Type && r:AES-XTS' # 2.6.2 Enable Gatekeeper (Scored) - - id: 3014 - title: "Enable Gatekeeper (Scored)" - description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization." - rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." 
- remediation: "Run the following command in Terminal: sudo spctl --master-enable" - compliance: - - cis: "2.6.2" - condition: all - rules: - - 'c:spctl --status -> r:assessments enabled' + - id: 3014 + title: "Enable Gatekeeper (Scored)" + description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization." + rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." + remediation: "Run the following command in Terminal: sudo spctl --master-enable" + compliance: + - cis: "2.6.2" + condition: all + rules: + - 'c:spctl --status -> r:assessments enabled' # 2.6.3 Enable Firewall (Scored) - - id: 3015 - title: "Enable Firewall (Scored)" - description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall." - rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." - remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services" - compliance: - - cis: "2.6.3" - references: - - https://support.apple.com/en-us/HT201642 - condition: all - rules: - - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' + - id: 3015 + title: "Enable Firewall (Scored)" + description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall." + rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." 
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services" + compliance: + - cis: "2.6.3" + references: + - https://support.apple.com/en-us/HT201642 + condition: all + rules: + - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' # 2.6.4 Enable Firewall Stealth Mode (Scored) - - id: 3016 - title: "Enable Firewall Stealth Mode (Scored)" - description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic." - rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." - remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" - compliance: - - cis: "2.6.4" - references: - - https://support.apple.com/en-us/HT201642 - condition: all - rules: - - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled' + - id: 3016 + title: "Enable Firewall Stealth Mode (Scored)" + description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic." + rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." 
+ remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+ compliance:
+ - cis: "2.6.4"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: all
+ rules:
+ - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
# 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- - id: 3017
- title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
- description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
- rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
- remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
- compliance:
- - cis: "2.10"
- condition: all
- rules:
- - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
+ - id: 3017
+ title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
+ description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+ rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+ compliance:
+ - cis: "2.10"
+ condition: all
+ rules:
+ - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
# 2.11 Java 6 is not the default Java runtime (Scored)
- - id: 3018
- title: "Java 6 is not the default Java runtime (Scored)"
- description: "Apple had made Java part of the core Operating System for OS X. Apple is no longer providing Java updates for OS X and updated JREs and JDK are made available by Oracle.
The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
- rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
- remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used."
- compliance:
- - cis: "2.11"
- condition: none
- rules:
- - 'c:java -version -> r:1.6.0'
+ - id: 3018
+ title: "Java 6 is not the default Java runtime (Scored)"
+ description: "Apple had made Java part of the core Operating System for OS X. Apple is no longer providing Java updates for OS X and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+ rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
+ remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used."
+ compliance:
+ - cis: "2.11"
+ condition: none
+ rules:
+ - 'c:java -version -> r:1.6.0'
# 3.2 Enable security auditing (Scored)
- - id: 3019
- title: "Enable security auditing (Scored)"
- description: "OSX's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
- rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
- remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
- compliance:
- - cis: "3.2"
- condition: all
- rules:
- - 'c:launchctl list -> r:com.apple.auditd'
+ - id: 3019
+ title: "Enable security auditing (Scored)"
+ description: "OSX's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+ rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+ remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+ compliance:
+ - cis: "3.2"
+ condition: all
+ rules:
+ - 'c:launchctl list -> r:com.apple.auditd'
# 3.3 Configure Security Auditing Flags (Scored)
- - id: 3020
- title: "Configure Security Auditing Flags (Scored)"
- description: "Auditing is the capture and maintenance of information about security-related events."
- rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
- remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
- compliance:
- - cis: "3.3"
- condition: all
- rules:
- - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
+ - id: 3020
+ title: "Configure Security Auditing Flags (Scored)"
+ description: "Auditing is the capture and maintenance of information about security-related events."
+ rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+ remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
+ compliance:
+ - cis: "3.3"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
# 4.1 Disable Bonjour advertising service (Scored)
- - id: 3021
- title: "Disable Bonjour advertising service (Scored)"
- description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on Mac OS X is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
- rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers.
This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed."
- remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
- compliance:
- - cis: "4.1"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
+ - id: 3021
+ title: "Disable Bonjour advertising service (Scored)"
+ description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on Mac OS X is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+ rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed."
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+ compliance:
+ - cis: "4.1"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
# 4.4 Ensure http server is not running (Scored)
- - id: 3022
- title: "Ensure http server is not running (Scored)"
- description: "Mac OS X used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
- rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
- remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
- compliance:
- - cis: "4.4"
- condition: none
- rules:
- - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
- - 'p:httpd'
- - 'p:/usr/sbin/httpd'
- - 'p:/usr/sbin/httpd -D FOREGROUND'
+ - id: 3022
+ title: "Ensure http server is not running (Scored)"
+ description: "Mac OS X used to have a graphical front-end to the embedded Apache web server in the Operating System.
Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+ rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
+ compliance:
+ - cis: "4.4"
+ condition: none
+ rules:
+ - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
+ - 'p:httpd'
+ - 'p:/usr/sbin/httpd'
+ - 'p:/usr/sbin/httpd -D FOREGROUND'
# 4.5 Ensure ftp server is not running (Scored)
- - id: 3023
- title: "Ensure ftp server is not running (Scored)"
- description: "Mac OS X used to have a graphical front-end to the embedded ftp server in the Operating System. Ftp sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an Ftp server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The Ftp server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Ftp servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers.
Cloud services or other distribution methods should be considered"
- rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
- remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
- compliance:
- - cis: "4.5"
- condition: none
- rules:
- - 'c:launchctl list -> r:ftp'
+ - id: 3023
+ title: "Ensure ftp server is not running (Scored)"
+ description: "Mac OS X used to have a graphical front-end to the embedded ftp server in the Operating System. Ftp sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an Ftp server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The Ftp server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Ftp servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
+ rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
+ compliance:
+ - cis: "4.5"
+ condition: none
+ rules:
+ - 'c:launchctl list -> r:ftp'
# 4.6 Ensure nfs server is not running (Scored)
- - id: 3024
- title: "Ensure nfs server is not running (Scored)"
- description: "Mac OS X can act as an NFS fileserver.
NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
- rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
- remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
- compliance:
- - cis: "4.6"
- condition: none
- rules:
- - 'p:nfsd'
- - 'f:/etc/exports'
+ - id: 3024
+ title: "Ensure nfs server is not running (Scored)"
+ description: "Mac OS X can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+ rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
+ compliance:
+ - cis: "4.6"
+ condition: none
+ rules:
+ - 'p:nfsd'
+ - 'f:/etc/exports'
# 5.7 Do not enable the "root" account (Scored)
- - id: 3025
- title: "Do not enable the \"root\" account (Scored)"
- description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer.
In the UNIX/Linux world, the system administrator commonly uses the root account to perform administrative functions."
- rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
- remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
- compliance:
- - cis: "5.7"
- condition: all
- rules:
- - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority'
+ - id: 3025
+ title: "Do not enable the \"root\" account (Scored)"
+ description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. In the UNIX/Linux world, the system administrator commonly uses the root account to perform administrative functions."
+ rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+ remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+ compliance:
+ - cis: "5.7"
+ condition: all
+ rules:
+ - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority'
# 5.8 Disable automatic login (Scored)
- - id: 3026
- title: "Disable automatic login (Scored)"
- description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
- rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
- remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
- compliance:
- - cis: "5.8"
- condition: none
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
+ - id: 3026
+ title: "Disable automatic login (Scored)"
+ description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+ rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+ remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+ compliance:
+ - cis: "5.8"
+ condition: none
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
# 5.9 Require a password to wake the computer from sleep or screen saver (Scored)
- - id: 3027
- title: "Require a password to wake the computer from sleep or screen saver (Scored)"
- description: "Sleep and screensaver modes are low power modes that reduces electrical consumption while the system is not in use."
- rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
- remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
- compliance:
- - cis: "5.9"
- condition:
- rules:
- - 'c:defaults read com.apple.screensaver askForPassword -> r:^1$'
+ - id: 3027
+ title: "Require a password to wake the computer from sleep or screen saver (Scored)"
+ description: "Sleep and screensaver modes are low power modes that reduces electrical consumption while the system is not in use."
+ rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
+ remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
+ compliance:
+ - cis: "5.9"
+ condition:
+ rules:
+ - 'c:defaults read com.apple.screensaver askForPassword -> r:^1$'
# 5.11 Disable ability to login to another user's active and locked session (Scored)
- - id: 3028
- title: "Disable ability to login to another user's active and locked session (Scored)"
- description: "OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
- rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
- remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save"
- compliance:
- - cis: "5.11"
- condition: none
- rules:
- - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel fail_safe'
+ - id: 3028
+ title: "Disable ability to login to another user's active and locked session (Scored)"
+ description: "OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
+ rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
+ remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save"
+ compliance:
+ - cis: "5.11"
+ condition: none
+ rules:
+ - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel fail_safe'
# 5.18 System Integrity Protection status (Scored)
- - id: 3029
- title: "System Integrity Protection status (Scored)"
- description: "System Integrity Protection is a new security feature introduced in OS X 10.11 El Capitan.
System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
- rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
- remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
- compliance:
- - cis: "5.18"
- condition: all
- rules:
- - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled'
+ - id: 3029
+ title: "System Integrity Protection status (Scored)"
+ description: "System Integrity Protection is a new security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+ rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+ remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection.
Please restart the machine for the changes to take effect. 4. Reboot."
+ compliance:
+ - cis: "5.18"
+ condition: all
+ rules:
+ - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled'
# 6.1.3 Disable guest account login (Scored)
- - id: 3030
- title: "Disable guest account login (Scored)"
- description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
- rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
- remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
- compliance:
- - cis: "6.1.3"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$'
+ - id: 3030
+ title: "Disable guest account login (Scored)"
+ description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+ rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+ remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+ compliance:
+ - cis: "6.1.3"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$'
# 6.1.5 Remove Guest home folder (Scored)
- - id: 3031
- title: "Remove Guest home folder (Scored)"
- description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
- rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
- remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
- compliance:
- - cis: "6.1.5"
- condition: none
- rules:
- - 'd:/Users/Guest'
+ - id: 3031
+ title: "Remove Guest home folder (Scored)"
+ description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well.
Rather than ignoring the folders continued existence it is best removed."
+ rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+ remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
+ compliance:
+ - cis: "6.1.5"
+ condition: none
+ rules:
+ - 'd:/Users/Guest'
# 6.2 Turn on filename extensions (Scored)
- - id: 3032
- title: "Turn on filename extensions (Scored)"
- description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
- rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
- remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
- compliance:
- - cis: "6.2"
- condition: all
- rules:
- - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$'
+ - id: 3032
+ title: "Turn on filename extensions (Scored)"
+ description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+ rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+ remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3.
Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+ compliance:
+ - cis: "6.2"
+ condition: all
+ rules:
+ - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$'
# 6.3 Disable the automatic run of safe files in Safari (Scored)
- - id: 3033
- title: "Disable the automatic run of safe files in Safari (Scored)"
- description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
- rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
- remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
- compliance:
- - cis: "6.3"
- condition: all
- rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;'
+ - id: 3033
+ title: "Disable the automatic run of safe files in Safari (Scored)"
+ description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system.
Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+ rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
+ compliance:
+ - cis: "6.3"
+ condition: all
+ rules:
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;'
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index fdabd5b20..6278624a4 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -29,389 +29,389 @@ requirements:
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
- - id: 13500
- title: "Verify all Apple provided software is current (Scored)"
- description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
- rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
- remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
- compliance:
- - cis: "1.1"
- condition: all
- rules:
- - 'c:softwareupdate -l -> r:No new software available'
+ - id: 13500
+ title: "Verify all Apple provided software is current (Scored)"
+ description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+ rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+ remediation: "1. In Terminal, run the following: softwareupdate -l 2. 
In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+ compliance:
+ - cis: "1.1"
+ condition: all
+ rules:
+ - 'c:softwareupdate -l -> r:No new software available'
 # 1.2 Enable Auto Update (Scored)
- - id: 13501
- title: "Enable Auto Update (Scored)"
- description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
- rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
- remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
- compliance:
- - cis: "1.2"
- references:
- - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
- - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1'
+ - id: 13501
+ title: "Enable Auto Update (Scored)"
+ description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
+ rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+ compliance:
+ - cis: "1.2"
+ references:
+ - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1'
 # 1.3 Enable app update installs (Scored)
- - id: 13502
- title: "Enable app update installs (Scored)"
- description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
- remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
- compliance:
- - cis: "1.3"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1'
+ - id: 13502
+ title: "Enable app update installs (Scored)"
+ description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. 
Please note that."
+ compliance:
+ - cis: "1.3"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1'
 # 1.4 Enable system data files and security update installs (Scored)
- - id: 13503
- title: "Enable system data files and security update installs (Scored)"
- description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
- remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
- compliance:
- - cis: "1.4"
- references:
- - https://www.thesafemac.com/tag/xprotect/
- - https://support.apple.com/en-us/HT202491
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1'
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1'
+ - id: 13503
+ title: "Enable system data files and security update installs (Scored)"
+ description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+ compliance:
+ - cis: "1.4"
+ references:
+ - https://www.thesafemac.com/tag/xprotect/
+ - https://support.apple.com/en-us/HT202491
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1'
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1'
 # 1.5 Enable macOS update installs (Scored)
- - id: 13504
- title: "Enable macOS update installs (Scored)"
- description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
- remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
- compliance:
- - cis: "1.5"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1'
+ - id: 13504
+ title: "Enable macOS update installs (Scored)"
+ description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
+ compliance:
+ - cis: "1.5"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1'
 # 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored)
- - id: 13505
- title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)"
- description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable."
- rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device."
- remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
- compliance:
- - cis: "2.1.2"
- condition: all
- rules:
- - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off'
+ - id: 13505
+ title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)"
+ description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. 
Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable."
+ rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device."
+ remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
+ compliance:
+ - cis: "2.1.2"
+ condition: all
+ rules:
+ - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off'
 # 2.2.1 Enable "Set time and date automatically" (Scored)
- - id: 13506
- title: "Enable \"Set time and date automatically\" (Scored)"
- description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space."
- rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
- remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
- compliance:
- - cis: "2.2.1"
- condition: all
- rules:
- - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+ - id: 13506
+ title: "Enable \"Set time and date automatically\" (Scored)"
+ description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. 
Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space."
+ rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
+ remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
+ compliance:
+ - cis: "2.2.1"
+ condition: all
+ rules:
+ - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
 # 2.4.1 Disable Remote Apple Events (Scored)
- - id: 13507
- title: "Disable Remote Apple Events (Scored)"
- description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
- rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
- remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
- compliance:
- - cis: "2.4.1"
- condition: all
- rules:
- - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+ - id: 13507
+ title: "Disable Remote Apple Events (Scored)"
+ description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+ rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+ compliance:
+ - cis: "2.4.1"
+ condition: all
+ rules:
+ - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
 # 2.4.4 Disable Printer Sharing (Scored)
- - id: 13508
- title: "Disable Printer Sharing (Scored)"
- description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
- rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
- remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
- compliance:
- - cis: "2.4.4"
- condition: none
- rules:
- - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
+ - id: 13508
+ title: "Disable Printer Sharing (Scored)"
+ description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+ rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+ remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
+ compliance:
+ - cis: "2.4.4"
+ condition: none
+ rules:
+ - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
 # 2.4.5 Disable Remote Login (Scored)
- - id: 13509
- title: "Disable Remote Login (Scored)"
- description: "Remote Login allows an interactive terminal connection to a computer."
- rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). 
While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
- remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
- compliance:
- - cis: "2.4.5"
- condition: all
- rules:
- - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+ - id: 13509
+ title: "Disable Remote Login (Scored)"
+ description: "Remote Login allows an interactive terminal connection to a computer."
+ rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+ compliance:
+ - cis: "2.4.5"
+ condition: all
+ rules:
+ - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
 # 2.4.8 Disable File Sharing (Scored)
- - id: 13510
- title: "Disable File Sharing (Scored)"
- description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
- rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
- remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
- compliance:
- - cis: "2.4.8"
- condition: none
- rules:
- - 'c:launchctl list -> r:AppleFileServer'
+ - id: 13510
+ title: "Disable File Sharing (Scored)"
+ description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+ rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
+ remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+ compliance:
+ - cis: "2.4.8"
+ condition: none
+ rules:
+ - 'c:launchctl list -> r:AppleFileServer'
 # 2.5.1 Disable "Wake for network access" (Scored)
- - id: 13511
- title: "Disable \"Wake for network access\" (Scored)"
- description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
- rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
- remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
- compliance:
- - cis: "2.5.1"
- condition: none
- rules:
- - 'c:pmset -g -> :womp && !r:0'
+ - id: 13511
+ title: "Disable \"Wake for network access\" (Scored)"
+ description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+ rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+ remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
+ compliance:
+ - cis: "2.5.1"
+ condition: none
+ rules:
+ - 'c:pmset -g -> :womp && !r:0'
 # 2.6.1.1 Enable FileVault (Scored)
- - id: 13512
- title: "Enable FileVault (Scored)"
- description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
- rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
- remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. 
Select Turn on FileVault"
- compliance:
- - cis: "2.6.1.1"
- condition: all
- rules:
- - 'c:fdesetup status -> r:FileVault is\s*\t*On'
+ - id: 13512
+ title: "Enable FileVault (Scored)"
+ description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
+ rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+ remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+ compliance:
+ - cis: "2.6.1.1"
+ condition: all
+ rules:
+ - 'c:fdesetup status -> r:FileVault is\s*\t*On'
 # 2.6.2 Enable Gatekeeper (Scored)
- - id: 13513
- title: "Enable Gatekeeper (Scored)"
- description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
- rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
- remediation: "Run the following command in Terminal: sudo spctl --master-enable"
- compliance:
- - cis: "2.6.2"
- condition: all
- rules:
- - 'c:spctl --status -> r:assessments enabled'
+ - id: 13513
+ title: "Enable Gatekeeper (Scored)"
+ description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+ rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+ remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+ compliance:
+ - cis: "2.6.2"
+ condition: all
+ rules:
+ - 'c:spctl --status -> r:assessments enabled'
 # 2.6.3 Enable Firewall (Scored)
- - id: 13514
- title: "Enable Firewall (Scored)"
- description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
- rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
- remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
- compliance:
- - cis: "2.6.3"
- references:
- - https://support.apple.com/en-us/HT201642
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
+ - id: 13514
+ title: "Enable Firewall (Scored)"
+ description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
+ rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
+ compliance:
+ - cis: "2.6.3"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
- - id: 13515
- title: "Enable Firewall Stealth Mode (Scored)"
- description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
- rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
- remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
- compliance:
- - cis: "2.6.4"
- references:
- - https://support.apple.com/en-us/HT201642
- condition: all
- rules:
- - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
+ - id: 13515
+ title: "Enable Firewall Stealth Mode (Scored)"
+ description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+ rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
+ remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+ compliance:
+ - cis: "2.6.4"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: all
+ rules:
+ - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- - id: 13516
- title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
- description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
- rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
- remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. 
Select Secure Keyboard Entry"
- compliance:
- - cis: "2.10"
- condition: all
- rules:
- - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
+ - id: 13516
+ title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
+ description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+ rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+ compliance:
+ - cis: "2.10"
+ condition: all
+ rules:
+ - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
 # 2.11 Java 6 is not the default Java runtime (Scored)
- - id: 13517
- title: "Java 6 is not the default Java runtime (Scored)"
- description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
- rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
- remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
- compliance:
- - cis: "2.11"
- condition: none
- rules:
- - 'c:java -version -> r:1.6.0'
+ - id: 13517
+ title: "Java 6 is not the default Java runtime (Scored)"
+ description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+ rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
+ remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
+ compliance:
+ - cis: "2.11"
+ condition: none
+ rules:
+ - 'c:java -version -> r:1.6.0'
 # 3.1 Enable security auditing (Scored)
- - id: 13518
- title: "Enable security auditing (Scored)"
- description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
- rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
- remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
- compliance:
- - cis: "3.1"
- condition: all
- rules:
- - 'c:launchctl list -> r:com.apple.auditd'
+ - id: 13518
+ title: "Enable security auditing (Scored)"
+ description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+ rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+ remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+ compliance:
+ - cis: "3.1"
+ condition: all
+ rules:
+ - 'c:launchctl list -> r:com.apple.auditd'
 # 3.2 Configure Security Auditing Flags (Scored)
- - id: 13519
- title: "Configure Security Auditing Flags (Scored)"
- description: "Auditing is the capture and maintenance of information about security-related events."
- rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
- remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
- compliance:
- - cis: "3.2"
- condition: all
- rules:
- - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
+ - id: 13519
+ title: "Configure Security Auditing Flags (Scored)"
+ description: "Auditing is the capture and maintenance of information about security-related events."
+ rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+ remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
+ compliance:
+ - cis: "3.2"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
 # 4.1 Disable Bonjour advertising service (Scored)
- - id: 13520
- title: "Disable Bonjour advertising service (Scored)"
- description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
- rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
- remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
- compliance:
- - cis: "4.1"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
+ - id: 13520
+ title: "Disable Bonjour advertising service (Scored)"
+ description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+ rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+ compliance:
+ - cis: "4.1"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
 # 4.4 Ensure http server is not running (Scored)
- - id: 13521
- title: "Ensure http server is not running (Scored)"
- description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
- rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
- remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
- compliance:
- - cis: "4.4"
- condition: none
- rules:
- - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
- - 'p:httpd'
- - 'p:/usr/sbin/httpd'
- - 'p:/usr/sbin/httpd -D FOREGROUND'
+ - id: 13521
+ title: "Ensure http server is not running (Scored)"
+ description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+ rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+ compliance:
+ - cis: "4.4"
+ condition: none
+ rules:
+ - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
+ - 'p:httpd'
+ - 'p:/usr/sbin/httpd'
+ - 'p:/usr/sbin/httpd -D FOREGROUND'
 # 4.5 Ensure FTP server is not running (Scored)
- - id: 13522
- title: "Ensure FTP server is not running (Scored)"
- description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
- rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
- remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
- compliance:
- - cis: "4.5"
- condition: none
- rules:
- - 'c:launchctl list -> r:ftp'
+ - id: 13522
+ title: "Ensure FTP server is not running (Scored)"
+ description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
+ rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
+ compliance:
+ - cis: "4.5"
+ condition: none
+ rules:
+ - 'c:launchctl list -> r:ftp'
 # 4.6 Ensure nfs server is not running (Scored)
- - id: 13523
- title: "Ensure nfs server is not running (Scored)"
- description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
- rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
- remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export"
- compliance:
- - cis: "4.6"
- condition: none
- rules:
- - 'p:nfsd'
- - 'f:/etc/exports'
+ - id: 13523
+ title: "Ensure nfs server is not running (Scored)"
+ description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
+ rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
+ remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export"
+ compliance:
+ - cis: "4.6"
+ condition: none
+ rules:
+ - 'p:nfsd'
+ - 'f:/etc/exports'
 # 5.8 Do not enable the "root" account (Scored)
- - id: 13524
- title: "Do not enable the \"root\" account (Scored)"
- description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
- rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
- remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
- compliance:
- - cis: "5.8"
- condition: all
- rules:
- - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority'
+ - id: 13524
+ title: "Do not enable the \"root\" account (Scored)"
+ description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
+ rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
+ remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
+ compliance:
+ - cis: "5.8"
+ condition: all
+ rules:
+ - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority'
 # 5.9 Disable automatic login (Scored)
- - id: 13525
- title: "Disable automatic login (Scored)"
- description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
- rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
- remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
- compliance:
- - cis: "5.9"
- condition: none
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
+ - id: 13525
+ title: "Disable automatic login (Scored)"
+ description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
+ rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
+ remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
+ compliance:
+ - cis: "5.9"
+ condition: none
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
 # 5.20 System Integrity Protection status (Scored)
- - id: 13526
- title: "System Integrity Protection status (Scored)"
- description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
- rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
- remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
- compliance:
- - cis: "5.20"
- condition: all
- rules:
- - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled'
+ - id: 13526
+ title: "System Integrity Protection status (Scored)"
+ description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
+ rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
+ remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
+ compliance:
+ - cis: "5.20"
+ condition: all
+ rules:
+ - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled'
 # 6.1.3 Disable guest account login (Scored)
- - id: 13527
- title: "Disable guest account login (Scored)"
- description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
- rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
- remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
- compliance:
- - cis: "6.1.3"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$'
+ - id: 13527
+ title: "Disable guest account login (Scored)"
+ description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
+ rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
+ remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
+ compliance:
+ - cis: "6.1.3"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$'
 # 6.1.5 Remove Guest home folder (Scored)
- - id: 13528
- title: "Remove Guest home folder (Scored)"
- description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
- rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
- remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
- compliance:
- - cis: "6.1.5"
- condition: none
- rules:
- - 'd:/Users/Guest'
+ - id: 13528
+ title: "Remove Guest home folder (Scored)"
+ description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
+ rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
+ remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
+ compliance:
+ - cis: "6.1.5"
+ condition: none
+ rules:
+ - 'd:/Users/Guest'
 # 6.2 Turn on filename extensions (Scored)
- - id: 13529
- title: "Turn on filename extensions (Scored)"
- description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
- rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
- remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
- compliance:
- - cis: "6.2"
- condition: all
- rules:
- - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$'
+ - id: 13529
+ title: "Turn on filename extensions (Scored)"
+ description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
+ rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
+ remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
+ compliance:
+ - cis: "6.2"
+ condition: all
+ rules:
+ - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$'
 # 6.3 Disable the automatic run of safe files in Safari (Scored)
- - id: 13530
- title: "Disable the automatic run of safe files in Safari (Scored)"
- description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
- rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
- remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
- compliance:
- - cis: "6.3"
- condition: all
- rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
+ - id: 13530
+ title: "Disable the automatic run of safe files in Safari (Scored)"
+ description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+ rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
+ compliance:
+ - cis: "6.3"
+ condition: all
+ rules:
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index 779c5193e..412d6e345 100644
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -29,378 +29,378 @@ requirements:
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
- - id: 14000
- title: "Verify all Apple provided software is current (Scored)"
- description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
- rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
- remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
- compliance:
- - cis: "1.1"
- condition: all
- rules:
- - 'c:softwareupdate -l -> r:No new software available'
+ - id: 14000
+ title: "Verify all Apple provided software is current (Scored)"
+ description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
+ rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
+ remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
+ compliance:
+ - cis: "1.1"
+ condition: all
+ rules:
+ - 'c:softwareupdate -l -> r:No new software available'
 # 1.2 Enable Auto Update (Scored)
- - id: 14001
- title: "Enable Auto Update (Scored)"
- description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
- rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
- remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
- compliance:
- - cis: "1.2"
- references:
- - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
- - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1'
+ - id: 14001
+ title: "Enable Auto Update (Scored)"
+ description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
+ rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
+ compliance:
+ - cis: "1.2"
+ references:
+ - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
+ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1'
 # 1.3 Enable app update installs (Scored)
- - id: 14002
- title: "Enable app update installs (Scored)"
- description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
- remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
- compliance:
- - cis: "1.3"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1'
+ - id: 14002
+ title: "Enable app update installs (Scored)"
+ description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
+ compliance:
+ - cis: "1.3"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1'
 # 1.4 Enable system data files and security update installs (Scored)
- - id: 14003
- title: "Enable system data files and security update installs (Scored)"
- description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
- remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
- compliance:
- - cis: "1.4"
- references:
- - https://www.thesafemac.com/tag/xprotect/
- - https://support.apple.com/en-us/HT202491
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1'
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1'
+ - id: 14003
+ title: "Enable system data files and security update installs (Scored)"
+ description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
+ compliance:
+ - cis: "1.4"
+ references:
+ - https://www.thesafemac.com/tag/xprotect/
+ - https://support.apple.com/en-us/HT202491
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1'
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1'
 # 1.5 Enable macOS update installs (Scored)
- - id: 14004
- title: "Enable macOS update installs (Scored)"
- description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off." 
- rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
- remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
- compliance:
- - cis: "1.5"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1'
+ - id: 14004
+ title: "Enable macOS update installs (Scored)"
+ description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off." 
+ rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
+ remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
+ compliance:
+ - cis: "1.5"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1'
 # 2.2.1 Enable "Set time and date automatically" (Scored)
- - id: 14005
- title: "Enable \"Set time and date automatically\" (Scored)"
- description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
- rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
- remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
- compliance:
- - cis: "2.2.1"
- condition: all
- rules:
- - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
+ - id: 14005
+ title: "Enable \"Set time and date automatically\" (Scored)"
+ description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
+ rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." 
+ remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
+ compliance:
+ - cis: "2.2.1"
+ condition: all
+ rules:
+ - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
 # 2.4.1 Disable Remote Apple Events (Scored)
- - id: 14006
- title: "Disable Remote Apple Events (Scored)"
- description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
- rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
- remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
- compliance:
- - cis: "2.4.1"
- condition: all
- rules:
- - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
+ - id: 14006
+ title: "Disable Remote Apple Events (Scored)"
+ description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
+ rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
+ compliance:
+ - cis: "2.4.1"
+ condition: all
+ rules:
+ - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
 # 2.4.4 Disable Printer Sharing (Scored)
- - id: 14007
- title: "Disable Printer Sharing (Scored)"
- description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
- rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." 
- remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
- compliance:
- - cis: "2.4.4"
- condition: none
- rules:
- - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
+ - id: 14007
+ title: "Disable Printer Sharing (Scored)"
+ description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
+ rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
+ remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
+ compliance:
+ - cis: "2.4.4"
+ condition: none
+ rules:
+ - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
 # 2.4.5 Disable Remote Login (Scored)
- - id: 14008
- title: "Disable Remote Login (Scored)"
- description: "Remote Login allows an interactive terminal connection to a computer."
- rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
- remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
- compliance:
- - cis: "2.4.5"
- condition: all
- rules:
- - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
+ - id: 14008
+ title: "Disable Remote Login (Scored)"
+ description: "Remote Login allows an interactive terminal connection to a computer."
+ rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). 
While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
+ remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
+ compliance:
+ - cis: "2.4.5"
+ condition: all
+ rules:
+ - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
 # 2.4.8 Disable File Sharing (Scored)
- - id: 14009
- title: "Disable File Sharing (Scored)"
- description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
- rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
- remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
- compliance:
- - cis: "2.4.8"
- condition: none
- rules:
- - 'c:launchctl list -> r:AppleFileServer'
+ - id: 14009
+ title: "Disable File Sharing (Scored)"
+ description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
+ rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." 
+ remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
+ compliance:
+ - cis: "2.4.8"
+ condition: none
+ rules:
+ - 'c:launchctl list -> r:AppleFileServer'
 # 2.5.1 Disable "Wake for network access" (Scored)
- - id: 14010
- title: "Disable \"Wake for network access\" (Scored)"
- description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
- rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
- remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
- compliance:
- - cis: "2.5.1"
- condition: none
- rules:
- - 'c:pmset -g -> r:womp && !r:0'
+ - id: 14010
+ title: "Disable \"Wake for network access\" (Scored)"
+ description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. 
Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+ rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
+ remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
+ compliance:
+ - cis: "2.5.1"
+ condition: none
+ rules:
+ - 'c:pmset -g -> r:womp && !r:0'
 # 2.6.1.1 Enable FileVault (Scored)
- - id: 14011
- title: "Enable FileVault (Scored)"
- description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
- rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
- remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
- compliance:
- - cis: "2.6.1.1"
- condition: all
- rules:
- - 'c:fdesetup status -> r:FileVault is\s*\t*On'
+ - id: 14011
+ title: "Enable FileVault (Scored)"
+ description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
+ rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
+ remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
+ compliance:
+ - cis: "2.6.1.1"
+ condition: all
+ rules:
+ - 'c:fdesetup status -> r:FileVault is\s*\t*On'
 # 2.6.2 Enable Gatekeeper (Scored)
- - id: 14012
- title: "Enable Gatekeeper (Scored)"
- description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
- rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." 
- remediation: "Run the following command in Terminal: sudo spctl --master-enable"
- compliance:
- - cis: "2.6.2"
- condition: all
- rules:
- - 'c:spctl --status -> r:assessments enabled'
+ - id: 14012
+ title: "Enable Gatekeeper (Scored)"
+ description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
+ rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
+ remediation: "Run the following command in Terminal: sudo spctl --master-enable"
+ compliance:
+ - cis: "2.6.2"
+ condition: all
+ rules:
+ - 'c:spctl --status -> r:assessments enabled'
 # 2.6.3 Enable Firewall (Scored)
- - id: 14013
- title: "Enable Firewall (Scored)"
- description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
- rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
- remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services "
- compliance:
- - cis: "2.6.3"
- references:
- - https://support.apple.com/en-us/HT201642
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
+ - id: 14013
+ title: "Enable Firewall (Scored)"
+ description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
+ rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." 
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services "
+ compliance:
+ - cis: "2.6.3"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
- - id: 14014
- title: "Enable Firewall Stealth Mode (Scored)"
- description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
- rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
- remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
- compliance:
- - cis: "2.6.4"
- references:
- - https://support.apple.com/en-us/HT201642
- condition: all
- rules:
- - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
+ - id: 14014
+ title: "Enable Firewall Stealth Mode (Scored)"
+ description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
+ rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." 
+ remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
+ compliance:
+ - cis: "2.6.4"
+ references:
+ - https://support.apple.com/en-us/HT201642
+ condition: all
+ rules:
+ - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- - id: 14015
- title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
- description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
- rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
- remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
- compliance:
- - cis: "2.10"
- condition: all
- rules:
- - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
+ - id: 14015
+ title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
+ description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
+ rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
+ compliance:
+ - cis: "2.10"
+ condition: all
+ rules:
+ - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
 # 2.11 Java 6 is not the default Java runtime (Scored)
- - id: 14016
- title: "Java 6 is not the default Java runtime (Scored)"
- description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. 
The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
- rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
- remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable."
- compliance:
- - cis: "2.11"
- condition: none
- rules:
- - 'c:java -version -> r:1.6.0'
+ - id: 14016
+ title: "Java 6 is not the default Java runtime (Scored)"
+ description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
+ rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
+ remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. 
Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable."
+ compliance:
+ - cis: "2.11"
+ condition: none
+ rules:
+ - 'c:java -version -> r:1.6.0'
 # 2.13 Ensure EFI version is valid and being regularly checked (Scored)
- - id: 14017
- title: "Ensure EFI version is valid and being regularly checked (Scored)"
- description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
- rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
- remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
- compliance:
- - cis: "2.13"
- condition: all
- rules:
- - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> Primary allowlist version match found. No changes detected in primary hashes'
- - 'c:launchctl list -> r:-\s*\t*0\s*\t*com.apple.driver.eficheck'
+ - id: 14017
+ title: "Ensure EFI version is valid and being regularly checked (Scored)"
+ description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
+ rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
+ remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended." 
+ compliance:
+ - cis: "2.13"
+ condition: all
+ rules:
+ - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> Primary allowlist version match found. No changes detected in primary hashes'
+ - 'c:launchctl list -> r:-\s*\t*0\s*\t*com.apple.driver.eficheck'
 # 3.1 Enable security auditing (Scored)
- - id: 14018
- title: "Enable security auditing (Scored)"
- description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
- rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
- remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
- compliance:
- - cis: "3.1"
- condition: all
- rules:
- - 'c:launchctl list -> r:com.apple.auditd'
+ - id: 14018
+ title: "Enable security auditing (Scored)"
+ description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
+ rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
+ remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
+ compliance:
+ - cis: "3.1"
+ condition: all
+ rules:
+ - 'c:launchctl list -> r:com.apple.auditd'
 # 3.2 Configure Security Auditing Flags (Scored)
- - id: 14019
- title: "Configure Security Auditing Flags (Scored)"
- description: "Auditing is the capture and maintenance of information about security-related events." 
- rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
- remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
- compliance:
- - cis: "3.2"
- condition: all
- rules:
- - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
+ - id: 14019
+ title: "Configure Security Auditing Flags (Scored)"
+ description: "Auditing is the capture and maintenance of information about security-related events."
+ rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
+ remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
+ compliance:
+ - cis: "3.2"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
 # 4.1 Disable Bonjour advertising service (Scored)
- - id: 14020
- title: "Disable Bonjour advertising service (Scored)"
- description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
- rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. 
An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
- remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
- compliance:
- - cis: "4.1"
- condition: all
- rules:
- - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
+ - id: 14020
+ title: "Disable Bonjour advertising service (Scored)"
+ description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
+ rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
+ remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
+ compliance:
+ - cis: "4.1"
+ condition: all
+ rules:
+ - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
 # 4.4 Ensure http server is not running (Scored)
- - id: 14021
- title: "Ensure http server is not running (Scored)"
- description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. 
Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
- rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
- remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
- compliance:
- - cis: "4.4"
- condition: none
- rules:
- - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
- - 'p:httpd'
- - 'p:/usr/sbin/httpd'
- - 'p:/usr/sbin/httpd -D FOREGROUND'
+ - id: 14021
+ title: "Ensure http server is not running (Scored)"
+ description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
+ rationale: "Web serving should not be done from a user desktop. 
Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
+ remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
+ compliance:
+ - cis: "4.4"
+ condition: none
+ rules:
+ - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
+ - 'p:httpd'
+ - 'p:/usr/sbin/httpd'
+ - 'p:/usr/sbin/httpd -D FOREGROUND'
 # 4.5 Ensure nfs server is not running (Scored)
- - id: 14022
- title: "Ensure nfs server is not running (Scored)"
- description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
- rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
- remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
- compliance:
- - cis: "4.5"
- condition: none
- rules:
- - 'p:nfsd'
- - 'f:/etc/exports'
+ - id: 14022
+ title: "Ensure nfs server is not running (Scored)"
+ description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. 
File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer." + rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." + remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export" + compliance: + - cis: "4.5" + condition: none + rules: + - 'p:nfsd' + - 'f:/etc/exports' # 5.11 Do not enable the "root" account (Scored) - - id: 14023 - title: "Do not enable the \"root\" account (Scored)" - description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions." - rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." - remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." - compliance: - - cis: "5.11" - condition: all - rules: - - 'c:dscl . 
-read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority' + - id: 14023 + title: "Do not enable the \"root\" account (Scored)" + description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions." + rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." + remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." + compliance: + - cis: "5.11" + condition: all + rules: + - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority' # 5.12 Disable automatic login (Scored) - - id: 14024 - title: "Disable automatic login (Scored)" - description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen." - rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." 
- remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" - compliance: - - cis: "5.12" - condition: none - rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' + - id: 14024 + title: "Disable automatic login (Scored)" + description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen." + rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." + remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" + compliance: + - cis: "5.12" + condition: none + rules: + - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' # 5.23 System Integrity Protection status (Scored) - - id: 14025 - title: "System Integrity Protection status (Scored)" - description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." - rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." - remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." 
- compliance: - - cis: "5.23" - condition: all - rules: - - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled' + - id: 14025 + title: "System Integrity Protection status (Scored)" + description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." + rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." + remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." + compliance: + - cis: "5.23" + condition: all + rules: + - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled' # 6.1.3 Disable guest account login (Scored) - - id: 14026 - title: "Disable guest account login (Scored)" - description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out." - rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." 
- remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" - compliance: - - cis: "6.1.3" - condition: all - rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$' + - id: 14026 + title: "Disable guest account login (Scored)" + description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out." + rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." + remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" + compliance: + - cis: "6.1.3" + condition: all + rules: + - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$' # 6.1.5 Remove Guest home folder (Scored) - - id: 14027 - title: "Remove Guest home folder (Scored)" - description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed." - rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." - remediation: "1. 
Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" - compliance: - - cis: "6.1.5" - condition: none - rules: - - 'd:/Users/Guest' + - id: 14027 + title: "Remove Guest home folder (Scored)" + description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed." + rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." + remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" + compliance: + - cis: "6.1.5" + condition: none + rules: + - 'd:/Users/Guest' # 6.2 Turn on filename extensions (Scored) - - id: 14028 - title: "Turn on filename extensions (Scored)" - description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." - rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." - remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. 
Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" - compliance: - - cis: "6.2" - condition: all - rules: - - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$' + - id: 14028 + title: "Turn on filename extensions (Scored)" + description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." + rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." + remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" + compliance: + - cis: "6.2" + condition: all + rules: + - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$' # 6.3 Disable the automatic run of safe files in Safari (Scored) - - id: 14029 - title: "Disable the automatic run of safe files in Safari (Scored)" - description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser." - rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." 
- remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
- compliance:
- - cis: "6.3"
- condition: all
- rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
+ - id: 14029
+ title: "Disable the automatic run of safe files in Safari (Scored)"
+ description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
+ rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
+ remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
+ compliance:
+ - cis: "6.3"
+ condition: all
+ rules:
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml
index 76e61ccf0..2429d02ab 100644
--- a/sca/darwin/web_vulnerabilities.yml
+++ b/sca/darwin/web_vulnerabilities.yml 
@@ -20,114 +20,126 @@ variables:
 # PHP checks
 checks:
- - id: 2000
- title: "PHP - Register globals are enabled"
- condition: any
- rules:
- - 'f:$php.ini -> r:^register_globals = On'
- - id: 2001
- title: "PHP - Expose PHP is enabled"
- condition: any
- rules:
- - 'f:$php.ini -> r:^expose_php = On'
- - id: 2002
- title: "PHP - Allow URL fopen is enabled"
- condition: any
- rules:
- - 'f:$php.ini -> r:^allow_url_fopen = On'
- - id: 2003
- title: "PHP - Displaying of errors is enabled"
- condition: any
- rules:
- - 'f:$php.ini -> r:^display_errors = On'
+ - id: 2000
+ title: "PHP - Register globals are enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^register_globals = On'
+ - id: 2001
+ title: "PHP - Expose PHP is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^expose_php = On'
+ - id: 2002
+ title: "PHP - Allow URL fopen is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^allow_url_fopen = On'
+ - id: 2003
+ title: "PHP - Displaying of errors is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^display_errors = On'
 # WEB checks
- - id: 2004
- title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^.yop$'
- - id: 2005
- title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^id$'
- - id: 2006
- title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^.ssh$'
- - id: 2007
- title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^...$'
- - id: 2008
- title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^.shell$'
+ - id: 2004
+ title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.yop$'
+ - id: 2005
+ title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^id$'
+ - id: 2006
+ title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.ssh$'
+ - id: 2007
+ title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^...$'
+ - id: 2008
+ title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.shell$'
 # Outdated Web applications
- - id: 2009
- title: "Web vulnerability - Outdated WordPress installation"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2'''
- - id: 2010
- title: "Web vulnerability - Outdated Joomla installation"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8'''
- - id: 2011
- title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;"
+ - id: 2009
+ title: "Web vulnerability - Outdated WordPress installation"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2'''
+ - id: 2010
+ title: "Web vulnerability - Outdated Joomla installation"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8'''
+ - id: 2011
+ title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;"
 # Known backdoors
- - id: 2012
- title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
- - id: 2013
- title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- condition: any
- rules:
- - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
- - id: 2014
- title: "Web vulnerability - .htaccess file compromised"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- references:
- - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
- condition: any
- rules:
- - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google'
- - id: 2015
- title: "Web vulnerability - .htaccess file compromised - auto append"
- compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- references:
- - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
- condition: any
- rules:
- - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file'
+ - id: 2012
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
+ - id: 2013
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ condition: any
+ rules:
+ - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
+ - id: 2014
+ title: "Web vulnerability - .htaccess file compromised"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google'
+ - id: 2015
+ title: "Web vulnerability - .htaccess file compromised - auto append"
+ compliance:
+ - pci_dss: "6.5, 6.6, 11.4"
+ - nist_800_53: "SA.11, IA.10"
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file'
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml
index 768943a60..fb71cd2e3 100644
--- a/sca/debian/cis_debian_linux_rcl.yml
+++ b/sca/debian/cis_debian_linux_rcl.yml
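Review bot: The filename patterns carried over unchanged on the new side of checks 2004, 2006, 2007, 2008, 2014 and 2015 leave the leading `.` unescaped, and `^...$` in check 2007 matches any three-character name, so ordinary directories such as `css`, `img` or `lib` under `$web_dirs` would raise a "Possible compromise" finding. If the file pattern after `d:$web_dirs ->` is evaluated as a regex, which the `^`/`$` anchors suggest, escaping the dot is the fix: `- 'd:$web_dirs -> ^\...$'`, and likewise `^\.yop$`, `^\.ssh$`, `^\.shell$` and `^\.htaccess$` in the sibling checks. Separately, check 2011's rule still ends in `;` while every other rule in the hunk has no terminator, so that character presumably becomes part of the matched text and is worth dropping for consistency.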
@@ -30,563 +30,580 @@ requirements: checks: # Section 1.1 - Filesystem Configuration - - id: 5000 - title: "Ensure /tmp is configured" - description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." - remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." - compliance: - - cis_csc: "5.1" - - cis: "1.1.2" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' - - - id: 5001 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ." - remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting." 
- compliance: - - cis_csc: "5.1" - - cis: "1.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' - - - id: 5002 - title: "Ensure separate partition exists for /opt" - description: "The /opt directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /opt directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /opt. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.6" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/opt' - - 'f:/etc/fstab -> !r:^# && r:/opt' - - - id: 5003 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis_csc: "5.1" - - cis: "1.1.6" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' - - - id: 5004 - title: "Ensure separate partition exists for /var/tmp" - description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.7" - condition: all - rules: - - 'f:/etc/fstab -> r:/var/tmp' - - - id: 5005 - title: "Ensure nodev option set on /var/tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. 
Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" - compliance: - - cis_csc: "5.1" - - cis: "1.1.8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var/tmp && r:nodev' - - - id: 5006 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" - compliance: - - cis_csc: "5.1" - - cis: "1.1.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && r:nodev' - - - id: 5007 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.14" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' - - - id: 5008 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.15" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' - - - id: 5009 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.16" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' - - - id: 5010 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." 
- compliance: - - cis_csc: "5.1" - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' - - - id: 5011 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis_csc: "5.1" - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + - id: 5000 + title: "Ensure /tmp is configured" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." + remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." 
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.2"
+ references:
+ - https://tldp.org/HOWTO/LVM-HOWTO/
+ - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+ condition: all
+ rules:
+ - 'd:/tmp'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp'
+
+ - id: 5001
+ title: "Ensure nodev option set on /tmp partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ."
+ remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.3"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'd:/tmp'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
+
+ - id: 5002
+ title: "Ensure separate partition exists for /opt"
+ description: "The /opt directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /opt directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /opt. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.6"
+ references:
+ - https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'd:/opt'
+ - 'f:/etc/fstab -> !r:^# && r:/opt'
+
+ - id: 5003
+ title: "Ensure separate partition exists for /var"
+ description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+ rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.6"
+ references:
+ - https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'd:/var'
+ - 'f:/etc/fstab -> !r:^# && r:/var'
+
+ - id: 5004
+ title: "Ensure separate partition exists for /var/tmp"
+ description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.7"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> r:/var/tmp'
+
+ - id: 5005
+ title: "Ensure nodev option set on /var/tmp partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.8"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var/tmp && r:nodev'
+
+ - id: 5006
+ title: "Ensure nodev option set on /home partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.14"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && r:nodev'
+
+ - id: 5007
+ title: "Ensure nodev option set on /dev/shm partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.14"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
+
+ - id: 5008
+ title: "Ensure nosuid option set on /dev/shm partition"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.15"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
+
+ - id: 5009
+ title: "Ensure noexec option set on /dev/shm partition"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.16"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
+
+ - id: 5010
+ title: "Ensure nodev option set on removable media partitions"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.18"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
+
+ - id: 5011
+ title: "Ensure nosuid option set on removable media partitions"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.1.19"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
 # Section 1.4 - Secure boot settings
- - id: 5012
- title: "Ensure bootloader password is set (GRUB)"
- description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
- rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
- remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2, add user and password to the grub configuration file and update the grub2 configuration."
- compliance:
- - cis_csc: "5.1"
- - cis: "1.4.2"
- - pci_dss: "2.2.4"
- references:
- - https://help.ubuntu.com/community/Grub2/Passwords
- condition: all
- rules:
- - 'f:/boot/grub/menu.lst -> !r:^# && r:password'
-
- - id: 5013
- title: "Ensure bootloader password is set (LILO)"
- description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
- rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
- remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2, add user and password to the grub configuration file and update the grub2 configuration."
- compliance:
- - cis_csc: "5.1"
- - cis: "1.4.2"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/lilo.conf -> !r:^# && r:restricted'
- - 'f:/etc/lilo.conf -> !r:^# && r:password='
+ - id: 5012
+ title: "Ensure bootloader password is set (GRUB)"
+ description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
+ rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+ remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2, add user and password to the grub configuration file and update the grub2 configuration."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.4.2"
+ - pci_dss: "2.2.4"
+ references:
+ - https://help.ubuntu.com/community/Grub2/Passwords
+ condition: all
+ rules:
+ - 'f:/boot/grub/menu.lst -> !r:^# && r:password'
+
+ - id: 5013
+ title: "Ensure bootloader password is set (LILO)"
+ description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
+ rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+ remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2, add user and password to the grub configuration file and update the grub2 configuration."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.4.2"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/lilo.conf -> !r:^# && r:restricted'
+ - 'f:/etc/lilo.conf -> !r:^# && r:password='
 # Section 1.7 - Warning banners
- - id: 5014
- title: "Ensure GDM login banner is configured"
- description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
- rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
- remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
- compliance:
- - cis_csc: "5.1"
- - cis: "1.7.2"
- - pci_dss: "2.2.2"
- condition: all
- rules:
- - 'f:/etc/inittab -> !r:^# && r:id:5'
+ - id: 5014
+ title: "Ensure GDM login banner is configured"
+ description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+ remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.7.2"
+ - pci_dss: "2.2.2"
+ condition: all
+ rules:
+ - 'f:/etc/inittab -> !r:^# && r:id:5'
 # Section 2 - Filesystem Configuration - Debian 7
- - id: 5015
- title: "Add nodev Option to /run/shm Partition"
- description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
- rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm"
- compliance:
- - cis_csc: "5.1"
- - cis: "2.14"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/run/shm && r:nodev'
-
- - id: 5016
- title: "Add nosuid Option to /run/shm Partition"
- description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm."
- compliance:
- - cis_csc: "5.1"
- - cis: "2.15"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:nosuid'
-
- - id: 5017
- title: "Add noexec Option to /run/shm Partition"
- description: "Set noexec on the shared memory partition to prevent programs from executing from there."
- rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm .
See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm."
- compliance:
- - cis_csc: "5.1"
- - cis: "2.16"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:noexec'
+ - id: 5015
+ title: "Add nodev Option to /run/shm Partition"
+ description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
+ rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "2.14"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/run/shm && r:nodev'
+
+ - id: 5016
+ title: "Add nosuid Option to /run/shm Partition"
+ description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "2.15"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:nosuid'
+
+ - id: 5017
+ title: "Add noexec Option to /run/shm Partition"
+ description: "Set noexec on the shared memory partition to prevent programs from executing from there."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "2.16"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:noexec'
 # Section 2.1 - Inetd services
- - id: 5018
- title: "Ensure inetd is not installed"
- description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
- rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
- remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.1.2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'p:inetd'
- - 'f:/etc/inetd.conf -> !r:^# && r:wait'
+ - id: 5018
+ title: "Ensure inetd is not installed"
+ description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+ rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+ remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.1.2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'p:inetd'
+ - 'f:/etc/inetd.conf -> !r:^# && r:wait'
 # Section 2.2 - Special purpose services
- - id: 5019
- title: "Ensure FTP Server is not enabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.9"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:/ftp'
-
- - id: 5020
- title: "Ensure FTP Server is not enabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.9"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
-
- - id: 5021
- title: "Ensure IMAP and POP3 server is not enabled (IMAP)"
- description: "exim is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
- remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:imap'
-
- - id: 5022
- title: "Ensure IMAP and POP3 server is not enabled (POP3)"
- description: "exim is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
- remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:pop'
-
- - id: 5023
- title: "Ensure Samba is not enabled"
- description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable smbd: # systemctl disable smbd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.12"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/samba'
-
- - id: 5024
- title: "Ensure NFS and RPC are not enabled"
- description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
- rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
- remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.7"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/nfs-common'
- - 'f:/etc/init.d/nfs-user-server'
- - 'f:/etc/init.d/nfs-kernel-server'
-
- - id: 5025
- title: "Ensure NIS Server is not enabled"
- description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP).
It is recommended that the service be disabled and other, more secure services be used"
- remediation: "Run the following command to disable nis: # systemctl disable nis"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.17"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/nis'
-
- - id: 5026
- title: "Ensure HTTP server is not enabled"
- description: "HTTP or web servers provide the ability to host web site content."
- rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable apache2: # systemctl disable apache2"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.10"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/apache'
- - 'f:/etc/init.d/apache2'
-
- - id: 5027
- title: "Ensure DNS Server is not enabled"
- description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
- rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable named: # systemctl disable bind9"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.8"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/bind'
-
- - id: 5028
- title: "Ensure HTTP Proxy Server is not enabled"
- description: "Squid is a standard proxy server used in many distributions and environments."
- rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable squid: # systemctl disable squid"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.13"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/squid'
+ - id: 5019
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.9"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:/ftp'
+
+ - id: 5020
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.9"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
+
+ - id: 5021
+ title: "Ensure IMAP and POP3 server is not enabled (IMAP)"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.11"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:imap'
+
+ - id: 5022
+ title: "Ensure IMAP and POP3 server is not enabled (POP3)"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.11"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:pop'
+
+ - id: 5023
+ title: "Ensure Samba is not enabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.12"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/samba'
+
+ - id: 5024
+ title: "Ensure NFS and RPC are not enabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment.
It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.7"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/nfs-common'
+ - 'f:/etc/init.d/nfs-user-server'
+ - 'f:/etc/init.d/nfs-kernel-server'
+
+ - id: 5025
+ title: "Ensure NIS Server is not enabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable nis: # systemctl disable nis"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.17"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/nis'
+
+ - id: 5026
+ title: "Ensure HTTP server is not enabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.10"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/apache'
+ - 'f:/etc/init.d/apache2'
+
+ - id: 5027
+ title: "Ensure DNS Server is not enabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable named: # systemctl disable bind9"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.8"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/bind'
+
+ - id: 5028
+ title: "Ensure HTTP Proxy Server is not enabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid: # systemctl disable squid"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.13"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/squid'
 # Section 2.3 - Service clients
- - id: 5029
- title: "Ensure rsh client is not installed"
- description: "The rsh package contains the client commands for the rsh services."
- rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
- remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
- compliance:
- - cis_csc: "2.6, 4.5"
- - cis: "2.3.2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:shell|login'
-
- - id: 5030
- title: "Ensure telnet client is not installed"
- description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
- rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
- remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
- compliance:
- - cis_csc: "2.6, 4.5"
- - cis: "2.3.4"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
+ - id: 5029
+ title: "Ensure rsh client is not installed"
+ description: "The rsh package contains the client commands for the rsh services."
+ rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+ remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+ compliance:
+ - cis_csc: "2.6, 4.5"
+ - cis: "2.3.2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:shell|login'
+
+ - id: 5030
+ title: "Ensure telnet client is not installed"
+ description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+ remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+ compliance:
+ - cis_csc: "2.6, 4.5"
+ - cis: "2.3.4"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
 # Section 3.1 - Network Parameters (Host Only)
- - id: 5031
- title: "Ensure IPv4 forwarding is disabled"
- description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not."
- rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.1.1"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
-
- - id: 5032
- title: "Ensure IPv6 forwarding is disabled"
- description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not."
- rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.1.1"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
+ - id: 5031
+ title: "Ensure IPv4 forwarding is disabled"
+ description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.1.1"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+
+ - id: 5032
+ title: "Ensure IPv6 forwarding is disabled"
+ description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.1.1"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
 # Section 3.2 - Network Parameters (Host and Router)
- - id: 5033
- title: "Ensure source routed packets are not accepted"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
- rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. 
Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.2.1"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
-
- - id: 5034
- title: "Ensure broadcast ICMP requests are ignored"
- description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.2.5"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
+ - id: 5033
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.2.1"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
+
+ - id: 5034
+ title: "Ensure broadcast ICMP requests are ignored"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.2.5"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
 # Section 5.2 - SSH Server Configuration
- - id: 5035
- title: "Ensure SSH Protocol is set to 2"
- description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
- rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
- compliance:
- - cis_csc: "14.4"
- - cis: "5.2.4"
- - pci_dss: "4.1"
- condition: all
- rules:
- - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
-
- - id: 5036
- title: "Ensure SSH IgnoreRhosts is enabled"
- description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
- rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
- compliance:
- - cis_csc: "9.2"
- - cis: "5.2.8"
- - pci_dss: "4.1"
- condition: none
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+no'
-
- - id: 5037
- title: "Ensure SSH HostbasedAuthentication is disabled"
- description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
- rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
- compliance:
- - cis_csc: "16.3"
- - cis: "5.2.9"
- - pci_dss: "4.1"
- condition: none
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes'
-
- - id: 5038
- title: "Ensure SSH root login is disabled"
- description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
- rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
- compliance:
- - cis_csc: "4.3"
- - cis: "5.2.10"
- - pci_dss: "4.1"
- condition: all
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no'
-
- - id: 5039
- title: "Ensure SSH PermitEmptyPasswords is disabled"
- description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
- rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
- compliance:
- - cis_csc: "16.3"
- - cis: "5.2.11"
- - pci_dss: "4.1"
- condition: none
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+ - id: 5035
+ title: "Ensure SSH Protocol is set to 2"
+ description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis_csc: "14.4"
+ - cis: "5.2.4"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+
+ - id: 5036
+ title: "Ensure SSH IgnoreRhosts is enabled"
+ description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "5.2.8"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+no'
+
+ - id: 5037
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis_csc: "16.3"
+ - cis: "5.2.9"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes'
+
+ - id: 5038
+ title: "Ensure SSH root login is disabled"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+ rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+ compliance:
+ - cis_csc: "4.3"
+ - cis: "5.2.10"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no'
+
+ - id: 5039
+ title: "Ensure SSH PermitEmptyPasswords is disabled"
+ description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+ compliance:
+ - cis_csc: "16.3"
+ - cis: "5.2.11"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
 # Section 6.2 - User and Group Settings
- - id: 5040
- title: "Ensure password fields are not empty"
- description: "An account with an empty password field means that anybody may log in as that user without providing a password."
- rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
- compliance:
- - cis_csc: "4.4"
- - cis: "6.2.1"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 5041
- title: "Ensure root is the only UID 0 account"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis_csc: "5.1"
- - cis: "6.2.5"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+ - id: 5040
+ title: "Ensure password fields are not empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+ rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
+ compliance:
+ - cis_csc: "4.4"
+ - cis: "6.2.1"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
+
+ - id: 5041
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "6.2.5"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index ca709d198..3de106ea5 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -28,1297 +28,1297 @@ requirements:
 - 'f:/proc/sys/kernel/ostype -> Linux'
 variables:
- $rc_dirs: /etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d
- $rsyslog_files: /etc/rsyslog.conf,/etc/rsyslog.d/*
- $profiledfiles: /etc/profile.d/*
- $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/
+ $rc_dirs: /etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d
+ $rsyslog_files: /etc/rsyslog.conf,/etc/rsyslog.d/*
+ $profiledfiles: /etc/profile.d/*
+ $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/
 checks:
 # 2 Filesystem Configuration
- - id: 10500
- title: "Create Separate Partition for /tmp"
- description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
- rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "2.1"
- references:
- - http://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp'
-
- - id: 10501
- title: "Set nodev option for /tmp Partition"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp"
- compliance:
- - cis: "2.2"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nodev'
-
- - id: 10502
- title: "Set nosuid option for /tmp Partition"
- description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp"
- compliance:
- - cis: "2.3"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nosuid'
-
- - id: 10503
- title: "Set noexec option for /tmp Partition"
- description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. 
# mount -o remount,noexec /tmp"
- compliance:
- - cis: "2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*noexec'
-
- - id: 10504
- title: " Create Separate Partition for /var"
- description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
- rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "2.5"
- references:
- - http://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var'
-
- - id: 10505
- title: "Bind Mount the /var/tmp directory to /tmp"
- description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp."
- rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
- remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
- compliance:
- - cis: "2.6"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0'
-
- - id: 10506
- title: "Create Separate Partition for /var/log"
- description: "The /var/log directory is used by system services to store log data."
- rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "2.7"
- references:
- - http://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log'
-
- - id: 10507
- title: "Create Separate Partition for /var/log/audit"
- description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
- rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "2.8"
- references:
- - http://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log/audit'
-
- - id: 10508
- title: "Create Separate Partition for /home"
- description: "The /home directory is used to support disk storage needs of local users."
- rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "2.9"
- references:
- - http://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home'
-
- - id: 10509
- title: "Add nodev Option to /home"
- description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
- rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. 
# mount -o remount,nodev /home"
- compliance:
- - cis: "2.10"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home\s+\w+\s+\.*nodev'
-
- - id: 10510
- title: "Add nodev Option to Removable Media Partitions"
- description: "Set nodev on removable media to prevent character and block special devices that are present on the removable media from being treated as device files."
- rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
- remediation: "Edit the /etc/fstab file and add \"nodev\" to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "2.11"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*nodev'
-
- - id: 10511
- title: "Add noexec Option to Removable Media Partitions"
- description: "Set noexec on removable media to prevent programs from executing from the removable media."
- rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "2.12"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*noexec'
-
- - id: 10512
- title: "Add nosuid Option to Removable Media Partitions"
- description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "2.13"
- condition: all
- rules:
- - 'f:/etc/fstab -> r:/media\.*\s+\w+\s+\.*nosuid'
-
- - id: 10513
- title: "Add nodev Option to /run/shm Partition"
- description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
- rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm"
- compliance:
- - cis: "2.14"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nodev'
-
- - id: 10514
- title: "Add nosuid Option to /run/shm Partition"
- description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. 
# mount -o remount,nosuid /run/shm"
- compliance:
- - cis: "2.15"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nosuid'
-
- - id: 10515
- title: "Add noexec Option to /run/shm Partition"
- description: "Set noexec on the shared memory partition to prevent programs from executing from there."
- rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm"
- compliance:
- - cis: "2.16"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*noexec'
-
- - id: 10516
- title: "Disable Automounting"
- description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
- rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
- remediation: "Disable autofs: # update-rc.d autofs disable"
- compliance:
- - cis: "2.25"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:autofsc'
+ - id: 10500
+ title: "Create Separate Partition for /tmp"
+ description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. 
It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "2.1"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp'
+
+ - id: 10501
+ title: "Set nodev option for /tmp Partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp"
+ compliance:
+ - cis: "2.2"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nodev'
+
+ - id: 10502
+ title: "Set nosuid option for /tmp Partition"
+ description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. 
# mount -o remount,nosuid /tmp"
+ compliance:
+ - cis: "2.3"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nosuid'
+
+ - id: 10503
+ title: "Set noexec option for /tmp Partition"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp"
+ compliance:
+ - cis: "2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*noexec'
+
+ - id: 10504
+ title: " Create Separate Partition for /var"
+ description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+ rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "2.5"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var'
+
+ - id: 10505
+ title: "Bind Mount the /var/tmp directory to /tmp"
+ description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). 
It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp."
+ rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
+ remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
+ compliance:
+ - cis: "2.6"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0'
+
+ - id: 10506
+ title: "Create Separate Partition for /var/log"
+ description: "The /var/log directory is used by system services to store log data."
+ rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "2.7"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log'
+
+ - id: 10507
+ title: "Create Separate Partition for /var/log/audit"
+ description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+ rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. 
The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "2.8"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log/audit'
+
+ - id: 10508
+ title: "Create Separate Partition for /home"
+ description: "The /home directory is used to support disk storage needs of local users."
+ rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "2.9"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home'
+
+ - id: 10509
+ title: "Add nodev Option to /home"
+ description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+ rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. 
If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+ compliance:
+ - cis: "2.10"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home\s+\w+\s+\.*nodev'
+
+ - id: 10510
+ title: "Add nodev Option to Removable Media Partitions"
+ description: "Set nodev on removable media to prevent character and block special devices that are present on the removable media from being treated as device files."
+ rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+ remediation: "Edit the /etc/fstab file and add \"nodev\" to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: "2.11"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*nodev'
+
+ - id: 10511
+ title: "Add noexec Option to Removable Media Partitions"
+ description: "Set noexec on removable media to prevent programs from executing from the removable media."
+ rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: "2.12"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*noexec'
+
+ - id: 10512
+ title: "Add nosuid Option to Removable Media Partitions"
+ description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: "2.13"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> r:/media\.*\s+\w+\s+\.*nosuid'
+
+ - id: 10513
+ title: "Add nodev Option to /run/shm Partition"
+ description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
+ rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm"
+ compliance:
+ - cis: "2.14"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nodev'
+
+ - id: 10514
+ title: "Add nosuid Option to /run/shm Partition"
+ description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm"
+ compliance:
+ - cis: "2.15"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nosuid'
+
+ - id: 10515
+ title: "Add noexec Option to /run/shm Partition"
+ description: "Set noexec on the shared memory partition to prevent programs from executing from there."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm"
+ compliance:
+ - cis: "2.16"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*noexec'
+
+ - id: 10516
+ title: "Disable Automounting"
+ description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+ rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+ remediation: "Disable autofs: # update-rc.d autofs disable"
+ compliance:
+ - cis: "2.25"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:autofsc'
# 3 Secure Boot Settings
- - id: 10517
- title: "Set Boot Loader Password"
- description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
- rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
- remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub"
- compliance:
- - cis: "3.3"
- condition: all
- rules:
- - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
- - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
-
- - id: 10518
- title: "Require Authentication for Single-User Mode"
- description: "Setting a password for the root user will force authentication in single user mode."
- rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
- remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
- compliance:
- - cis: "3.4"
- condition: all
- rules:
- - 'f:/etc/shadow -> r:^root:\$'
+ - id: 10517
+ title: "Set Boot Loader Password"
+ description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
+ rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+ remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub"
+ compliance:
+ - cis: "3.3"
+ condition: all
+ rules:
+ - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
+ - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
+
+ - id: 10518
+ title: "Require Authentication for Single-User Mode"
+ description: "Setting a password for the root user will force authentication in single user mode."
+ rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+ remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
+ compliance:
+ - cis: "3.4"
+ condition: all
+ rules:
+ - 'f:/etc/shadow -> r:^root:\$'
# 4 Additional Process Hardening
- - id: 10519
- title: "Restrict Core Dumps"
- description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
- rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
- remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0"
- compliance:
- - cis: "4.1"
- condition: all
- rules:
- - 'f:/etc/security/limits.conf -> !r:^* hard core 0'
- - 'f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0'
-
- - id: 10520
- title: "Enable Randomized Virtual Memory Region Placement"
- description: "Set the system flag to force randomized virtual memory region placement."
- rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
- remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2"
- compliance:
- - cis: "4.3"
- condition: all
- rules:
- - 'f:/etc/sysctl.conf -> r:^kernel.randomize_va_space = 2'
+ - id: 10519
+ title: "Restrict Core Dumps"
+ description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. 
It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
+ rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+ remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0"
+ compliance:
+ - cis: "4.1"
+ condition: all
+ rules:
+ - 'f:/etc/security/limits.conf -> !r:^* hard core 0'
+ - 'f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0'
+
+ - id: 10520
+ title: "Enable Randomized Virtual Memory Region Placement"
+ description: "Set the system flag to force randomized virtual memory region placement."
+ rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+ remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2"
+ compliance:
+ - cis: "4.3"
+ condition: all
+ rules:
+ - 'f:/etc/sysctl.conf -> r:^kernel.randomize_va_space = 2'
# 5 OS Services
- - id: 10521
- title: "Ensure NIS is not installed"
- description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
- remediation: "Uninstall the nis package: # apt-get purge nis"
- compliance:
- - cis: "5.1.1"
- condition: none
- rules:
- - 'f:/etc/init.d/nis'
-
- - id: 10522
- title: "Ensure rsh server is disabled"
- description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text."
- rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
- remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd"
- compliance:
- - cis: "5.1.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:shell|login|exec'
-
- - id: 10523
- title: "Ensure talk server is disabled"
- description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
- rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
- remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd"
- compliance:
- - cis: "5.1.4"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:talk|ntalk'
-
- - id: 10524
- title: "Ensure telnet server is disabled"
- description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
- rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. 
The ssh package provides an encrypted session and stronger security."
- remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
- compliance:
- - cis: "5.1.6"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
-
- - id: 10525
- title: "Ensure tftp-server is disabled"
- description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server."
- rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
- remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal"
- compliance:
- - cis: "5.1.7"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
-
- - id: 10526
- title: "Ensure xinetd is disabled"
- description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well."
- rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
- remediation: "Disable xinetd: # update-rc.d xinetd disable"
- compliance:
- - cis: "5.1.8"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:xinetd'
-
- - id: 10527
- title: "Ensure chargen is disabled"
- description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal"
- compliance:
- - cis: "5.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:chargen'
-
- - id: 10528
- title: "Ensure daytime is disabled"
- description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal"
- compliance:
- - cis: "5.3"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:daytime'
-
- - id: 10529
- title: "Ensure echo is disabled"
- description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal"
- compliance:
- - cis: "5.4"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:echo'
-
- - id: 10530
- title: "Ensure discard is disabled"
- description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal"
- compliance:
- - cis: "5.5"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:discard'
-
- - id: 10531
- title: "Ensure time is disabled"
- description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal"
- compliance:
- - cis: "5.6"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:time'
+ - id: 10521
+ title: "Ensure NIS is not installed"
+ description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+ remediation: "Uninstall the nis package: # apt-get purge nis"
+ compliance:
+ - cis: "5.1.1"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/nis'
+
+ - id: 10522
+ title: "Ensure rsh server is disabled"
+ description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text."
+ rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
+ remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd"
+ compliance:
+ - cis: "5.1.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:shell|login|exec'
+
+ - id: 10523
+ title: "Ensure talk server is disabled"
+ description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+ rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd"
+ compliance:
+ - cis: "5.1.4"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:talk|ntalk'
+
+ - id: 10524
+ title: "Ensure telnet server is disabled"
+ description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. 
The ssh package provides an encrypted session and stronger security."
+ remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
+ compliance:
+ - cis: "5.1.6"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
+
+ - id: 10525
+ title: "Ensure tftp-server is disabled"
+ description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server."
+ rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+ remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal"
+ compliance:
+ - cis: "5.1.7"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
+
+ - id: 10526
+ title: "Ensure xinetd is disabled"
+ description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well."
+ rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+ remediation: "Disable xinetd: # update-rc.d xinetd disable"
+ compliance:
+ - cis: "5.1.8"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:xinetd'
+
+ - id: 10527
+ title: "Ensure chargen is disabled"
+ description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal"
+ compliance:
+ - cis: "5.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:chargen'
+
+ - id: 10528
+ title: "Ensure daytime is disabled"
+ description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal"
+ compliance:
+ - cis: "5.3"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:daytime'
+
+ - id: 10529
+ title: "Ensure echo is disabled"
+ description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal"
+ compliance:
+ - cis: "5.4"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:echo'
+
+ - id: 10530
+ title: "Ensure discard is disabled"
+ description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal"
+ compliance:
+ - cis: "5.5"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:discard'
+
+ - id: 10531
+ title: "Ensure time is disabled"
+ description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal"
+ compliance:
+ - cis: "5.6"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:time'
 # 6 Special Purpose Services
- - id: 10532
- title: "Ensure Avahi Server is disabled"
- description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
- rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface."
- remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable"
- compliance:
- - cis: "6.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:avahi-daemon'
-
- - id: 10533
- title: "Ensure print server is disabled"
- description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
- rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
- remediation: "Disable cups: # update-rc.d cups disable"
- compliance:
- - cis: "6.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:cups'
- - 'd:$rc_dirs -> S -> r:cups-browsed'
-
- - id: 10534
- title: "Ensure DHCP Server is disabled"
- description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
- rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
- remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable"
- compliance:
- - cis: "6.4"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:disc-dhcp-server'
-
- - id: 10535
- title: "Configure Network Time Protocol (NTP)"
- description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server."
- rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
- remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
- compliance:
- - cis: "6.5"
- references:
- - http://www.ntp.org/
- condition: all
- rules:
- - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery'
- - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery'
- - 'f:/etc/ntp.conf -> r:^server\s\.+'
-
- - id: 10536
- title: "Ensure LDAP is disabled"
- description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
- rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface."
- remediation: "Uninstall the slapd package: # apt-get purge slapd"
- compliance:
- - cis: "6.6"
- references:
- - http://www.openldap.org
- condition: none
- rules:
- - 'd:/etc/init.d -> r:ldap'
-
- - id: 10537
- title: "Ensure NFS and RPC are disabled"
- description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. 
It provides the ability for systems to mount file systems of other servers through the network."
- rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
- remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
- compliance:
- - cis: "6.7"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:rpcbind'
- - 'd:$rc_dirs -> S -> r:nfs-kernel-server'
-
- - id: 10538
- title: "Ensure DNS Server is disabled"
- description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
- rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Disable bind9: # update-rc.d bind9 disable"
- compliance:
- - cis: "6.8"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:bind9'
-
- - id: 10539
- title: "Ensure FTP Server is disabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Disable vsftpd: # update-rc.d vsftpd disable"
- compliance:
- - cis: "6.9"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:vsftpd'
-
- - id: 10540
- title: "Ensure HTTP Server is disabled"
- description: "HTTP or web servers provide the ability to host web site content."
- rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Disable apache2: # update-rc.d apache2 disable"
- compliance:
- - cis: "6.10"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:apache2'
-
- - id: 10541
- title: "Ensure IMAP and POP server is disabled"
- description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
- remediation: "Disable dovecot: # update-rc.d dovecot disable"
- compliance:
- - cis: "6.11"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:dovecot'
-
- - id: 10542
- title: "Ensure Samba is disabled"
- description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
- remediation: "Disable samba: # update-rc.d samba disable"
- compliance:
- - cis: "6.12"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:samba'
-
- - id: 10543
- title: "Ensure HTTP Proxy Server is disabled"
- description: "Squid is a standard proxy server used in many distributions and environments."
- rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
- remediation: "Disable squid3: # update-rc.d squid3 disable"
- compliance:
- - cis: "6.13"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:squid3'
-
- - id: 10544
- title: "Ensure SNMP Server is disabled"
- description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
- rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
- remediation: "Disable snmpd: # update-rc.d snmpd disable"
- compliance:
- - cis: "6.14"
- condition: none
- rules:
- - 'd:$rc_dirs -> S -> r:snmpd'
-
- - id: 10545
- title: "Configure Mail Transfer Agent for Local-Only Mode"
- description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
- rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
- remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload"
- compliance:
- - cis: "6.15"
- condition: all
- rules:
- - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$'
-
- - id: 10546
- title: "Ensure rsync service is disabled"
- description: "The rsyncd service can be used to synchronize files between systems over network links."
- rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
- remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false"
- compliance:
- - cis: "6.16"
- condition: all
- rules:
- - 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=false'
+ - id: 10532
+ title: "Ensure Avahi Server is disabled"
+ description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+ rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface."
+ remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable"
+ compliance:
+ - cis: "6.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:avahi-daemon'
+
+ - id: 10533
+ title: "Ensure print server is disabled"
+ description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. 
A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+ rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+ remediation: "Disable cups: # update-rc.d cups disable"
+ compliance:
+ - cis: "6.3"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:cups'
+ - 'd:$rc_dirs -> S -> r:cups-browsed'
+
+ - id: 10534
+ title: "Ensure DHCP Server is disabled"
+ description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+ rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
+ remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable"
+ compliance:
+ - cis: "6.4"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:disc-dhcp-server'
+
+ - id: 10535
+ title: "Configure Network Time Protocol (NTP)"
+ description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server."
+ rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+ remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
+ compliance:
+ - cis: "6.5"
+ references:
+ - http://www.ntp.org/
+ condition: all
+ rules:
+ - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery'
+ - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery'
+ - 'f:/etc/ntp.conf -> r:^server\s\.+'
+
+ - id: 10536
+ title: "Ensure LDAP is disabled"
+ description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
+ rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface."
+ remediation: "Uninstall the slapd package: # apt-get purge slapd"
+ compliance:
+ - cis: "6.6"
+ references:
+ - http://www.openldap.org
+ condition: none
+ rules:
+ - 'd:/etc/init.d -> r:ldap'
+
+ - id: 10537
+ title: "Ensure NFS and RPC are disabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
+ compliance:
+ - cis: "6.7"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:rpcbind'
+ - 'd:$rc_dirs -> S -> r:nfs-kernel-server'
+
+ - id: 10538
+ title: "Ensure DNS Server is disabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Disable bind9: # update-rc.d bind9 disable"
+ compliance:
+ - cis: "6.8"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:bind9'
+
+ - id: 10539
+ title: "Ensure FTP Server is disabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Disable vsftpd: # update-rc.d vsftpd disable"
+ compliance:
+ - cis: "6.9"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:vsftpd'
+
+ - id: 10540
+ title: "Ensure HTTP Server is disabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Disable apache2: # update-rc.d apache2 disable"
+ compliance:
+ - cis: "6.10"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:apache2'
+
+ - id: 10541
+ title: "Ensure IMAP and POP server is disabled"
+ description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
+ remediation: "Disable dovecot: # update-rc.d dovecot disable"
+ compliance:
+ - cis: "6.11"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:dovecot'
+
+ - id: 10542
+ title: "Ensure Samba is disabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+ remediation: "Disable samba: # update-rc.d samba disable"
+ compliance:
+ - cis: "6.12"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:samba'
+
+ - id: 10543
+ title: "Ensure HTTP Proxy Server is disabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+ remediation: "Disable squid3: # update-rc.d squid3 disable"
+ compliance:
+ - cis: "6.13"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:squid3'
+
+ - id: 10544
+ title: "Ensure SNMP Server is disabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
+ remediation: "Disable snmpd: # update-rc.d snmpd disable"
+ compliance:
+ - cis: "6.14"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> S -> r:snmpd'
+
+ - id: 10545
+ title: "Configure Mail Transfer Agent for Local-Only Mode"
+ description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+ rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+ remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload"
+ compliance:
+ - cis: "6.15"
+ condition: all
+ rules:
+ - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$'
+
+ - id: 10546
+ title: "Ensure rsync service is disabled"
+ description: "The rsyncd service can be used to synchronize files between systems over network links."
+ rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false"
+ compliance:
+ - cis: "6.16"
+ condition: all
+ rules:
+ - 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=false'
 # 7 Network Configuration and Firewall
- - id: 10547
- title: "Disable IP Forwarding"
- description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
- rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.1.1"
- condition: all
- rules:
- - 'f:/etc/sysctl.conf -> !r:^\s*\t*# && r:net.ipv4.ip_forward=0'
-
- - id: 10548
- title: "Disable Send Packet Redirects"
- description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
- rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
- remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.1.2"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.conf.all.send_redirects -> 0'
- - 'c:sysctl net.ipv4.conf.default.send_redirects -> 0'
- - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects\s*=\s*0'
- - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects\s*=\s*0'
-
- - id: 10549
- title: "Disable Source Routed Packet Acceptance"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
- rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. 
Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
- remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.1"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.conf.all.accept_source_route -> 0'
- - 'c:sysctl net.ipv4.conf.default.accept_source_route -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_source_route=0'
-
- - id: 10550
- title: "Disable ICMP Redirect Acceptance"
- description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
- rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
- remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.2"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.conf.all.accept_redirects -> 0'
- - 'c:sysctl net.ipv4.conf.default.accept_redirects -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_redirects=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_redirects=0'
-
- - id: 10551
- title: "Disable Secure ICMP Redirect Acceptance"
- description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
- rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
- remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.3"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.conf.all.secure_redirects -> 0'
- - 'c:sysctl net.ipv4.conf.default.secure_redirects -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.secure_redirects=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.secure_redirects=0'
-
- - id: 10552
- title: "Log Suspicious Packets"
- description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
- rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
- remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.4"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.conf.all.log_martians -> 1'
- - 'c:sysctl net.ipv4.conf.default.log_martians -> 1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.log_martians=1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.log_martians=1'
-
- - id: 10553
- title: "Enable Ignore Broadcast Requests"
- description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
- remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.5"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> 1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts=1'
-
- - id: 10554
- title: "Enable Bad Error Message Protection"
- description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
- rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
- remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.6"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> 1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses=1'
-
- - id: 10555
- title: "Enable RFC-recommended Source Route Validation"
- description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
- rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
- remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.7"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.conf.all.rp_filter -> 1'
- - 'c:sysctl net.ipv4.conf.default.rp_filter -> 1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.rp_filter=1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.rp_filter=1'
-
- - id: 10556
- title: "Enable TCP SYN Cookies"
- description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
- rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
- remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "7.2.8"
- condition: all
- rules:
- - 'c:sysctl net.ipv4.tcp_syncookies -> 1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.tcp_syncookies=1'
-
- - id: 10557
- title: "Disable IPv6 Router Advertisements"
- description: "This setting disables the systems ability to accept router advertisements"
- rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
- remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
- compliance:
- - cis: "7.3.1"
- condition: all
- rules:
- - 'c:sysctl net.ipv6.conf.all.accept_ra -> 0'
- - 'c:sysctl net.ipv6.conf.default.accept_ra -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_ra=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_ra=0'
-
- - id: 10558
- title: "Disable IPv6 Redirect Acceptance"
- description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
- rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
- remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
- compliance:
- - cis: "7.3.2"
- condition: all
- rules:
- - 'c:sysctl net.ipv6.conf.all.accept_redirects -> 0'
- - 'c:sysctl net.ipv6.conf.default.accept_redirects -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_redirects=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_redirects=0'
-
- - id: 10559
- title: "Disable IPv6"
- description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
- rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
- remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p"
- compliance:
- - cis: "7.3.3"
- condition: all
- rules:
- - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> 1'
- - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> 1'
- - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> 1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6=1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6=1'
- - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6=1'
-
- - id: 10560
- title: "Create /etc/hosts.allow"
- description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
- rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server."
- remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
- compliance:
- - cis: "7.4.2"
- condition: all
- rules:
- - 'f:/etc/hosts.allow'
- - 'f:/etc/hosts.allow -> r:^ALL:\.*'
-
- - id: 10561
- title: "Create /etc/hosts.deny"
- description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
- rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
- remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
- compliance:
- - cis: "7.4.4"
- condition: all
- rules:
- - 'f:/etc/hosts.deny'
- - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
-
- - id: 10562
- title: "Disable DCCP"
- description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
- rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
- remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf"
- compliance:
- - cis: "7.5.1"
- condition: all
- rules:
- - 'f:/etc/modprobe.d/CIS.conf'
- - 'f:/etc/modprobe.d/CIS.conf -> r:^install dccp /bin/true'
-
- - id: 10563
- title: "Disable SCTP"
- description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
- rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
- remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf"
- compliance:
- - cis: "7.5.2"
- condition: all
- rules:
- - 'f:/etc/modprobe.d/CIS.conf'
- - 'f:/etc/modprobe.d/CIS.conf -> r:^install sctp /bin/true'
-
- - id: 10564
- title: "Disable RDS"
- description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
- rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
- remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf"
- compliance:
- - cis: "7.5.3"
- condition: all
- rules:
- - 'f:/etc/modprobe.d/CIS.conf'
- - 'f:/etc/modprobe.d/CIS.conf -> r:^install rds /bin/true'
-
- - id: 10565
- title: "Disable TIPC"
- description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
- rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
- remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf"
- compliance:
- - cis: "7.5.4"
- condition: all
- rules:
- - 'f:/etc/modprobe.d/CIS.conf'
- - 'f:/etc/modprobe.d/CIS.conf -> r:^install tipc /bin/true'
-
- - id: 10566
- title: "Ensure Firewall is active"
- description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps."
- rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports."
- remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable"
- compliance:
- - cis: "7.7"
- condition: all
- rules:
- - 'f:/etc/rc2.d/S01iptables-persistent'
- - 'f:/etc/rc3.d/S01iptables-persistent'
- - 'f:/etc/rc4.d/S01iptables-persistent'
- - 'f:/etc/rc5.d/S01iptables-persistent'
+ - id: 10547
+ title: "Disable IP Forwarding"
+ description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
+ rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.1.1"
+ condition: all
+ rules:
+ - 'f:/etc/sysctl.conf -> !r:^\s*\t*# && r:net.ipv4.ip_forward=0'
+
+ - id: 10548
+ title: "Disable Send Packet Redirects"
+ description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.1.2"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.send_redirects -> 0'
+ - 'c:sysctl net.ipv4.conf.default.send_redirects -> 0'
+ - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects\s*=\s*0'
+ - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects\s*=\s*0'
+
+ - id: 10549
+ title: "Disable Source Routed Packet Acceptance"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. 
Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.accept_source_route -> 0'
+ - 'c:sysctl net.ipv4.conf.default.accept_source_route -> 0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route=0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_source_route=0'
+
+ - id: 10550
+ title: "Disable ICMP Redirect Acceptance"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. 
By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+ rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+ remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.2"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.accept_redirects -> 0'
+ - 'c:sysctl net.ipv4.conf.default.accept_redirects -> 0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_redirects=0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_redirects=0'
+
+ - id: 10551
+ title: "Disable Secure ICMP Redirect Acceptance"
+ description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+ rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+ remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.3"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.secure_redirects -> 0'
+ - 'c:sysctl net.ipv4.conf.default.secure_redirects -> 0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.secure_redirects=0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.secure_redirects=0'
+
+ - id: 10552
+ title: "Log Suspicious Packets"
+ description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+ rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+ remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.4"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.log_martians -> 1'
+ - 'c:sysctl net.ipv4.conf.default.log_martians -> 1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.log_martians=1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.log_martians=1'
+
+ - id: 10553
+ title: "Enable Ignore Broadcast Requests"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+ remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.5"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> 1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts=1'
+
+ - id: 10554
+ title: "Enable Bad Error Message Protection"
+ description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+ rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+ remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.6"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> 1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses=1'
+
+ - id: 10555
+ title: "Enable RFC-recommended Source Route Validation"
+ description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+ rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
+ remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.7"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.rp_filter -> 1'
+ - 'c:sysctl net.ipv4.conf.default.rp_filter -> 1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.rp_filter=1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.rp_filter=1'
+
+ - id: 10556
+ title: "Enable TCP SYN Cookies"
+ description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+ rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
+ remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.8"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.tcp_syncookies -> 1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv4.tcp_syncookies=1'
+
+ - id: 10557
+ title: "Disable IPv6 Router Advertisements"
+ description: "This setting disables the systems ability to accept router advertisements"
+ rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+ remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "7.3.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv6.conf.all.accept_ra -> 0'
+ - 'c:sysctl net.ipv6.conf.default.accept_ra -> 0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_ra=0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_ra=0'
+
+ - id: 10558
+ title: "Disable IPv6 Redirect Acceptance"
+ description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+ rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+ remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "7.3.2"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv6.conf.all.accept_redirects -> 0'
+ - 'c:sysctl net.ipv6.conf.default.accept_redirects -> 0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_redirects=0'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_redirects=0'
+
+ - id: 10559
+ title: "Disable IPv6"
+ description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+ rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+ remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p"
+ compliance:
+ - cis: "7.3.3"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> 1'
+ - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> 1'
+ - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> 1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6=1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6=1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6=1'
+
+ - id: 10560
+ title: "Create /etc/hosts.allow"
+ description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+ rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server." + remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system." + compliance: + - cis: "7.4.2" + condition: all + rules: + - 'f:/etc/hosts.allow' + - 'f:/etc/hosts.allow -> r:^ALL:\.*' + + - id: 10561 + title: "Create /etc/hosts.deny" + description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." + rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." + remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny" + compliance: + - cis: "7.4.4" + condition: all + rules: + - 'f:/etc/hosts.deny' + - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' + + - id: 10562 + title: "Disable DCCP" + description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery." + rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." 
+ remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf" + compliance: + - cis: "7.5.1" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install dccp /bin/true' + + - id: 10563 + title: "Disable SCTP" + description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." + rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." + remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf" + compliance: + - cis: "7.5.2" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install sctp /bin/true' + + - id: 10564 + title: "Disable RDS" + description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." + rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." + remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf" + compliance: + - cis: "7.5.3" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install rds /bin/true' + + - id: 10565 + title: "Disable TIPC" + description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." 
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." + remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf" + compliance: + - cis: "7.5.4" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install tipc /bin/true' + + - id: 10566 + title: "Ensure Firewall is active" + description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps." + rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports." + remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable" + compliance: + - cis: "7.7" + condition: all + rules: + - 'f:/etc/rc2.d/S01iptables-persistent' + - 'f:/etc/rc3.d/S01iptables-persistent' + - 'f:/etc/rc4.d/S01iptables-persistent' + - 'f:/etc/rc5.d/S01iptables-persistent' # 8 Logging and Auditing - - id: 10567 - title: "Ensure the rsyslog Service is activated" - description: "Once the rsyslog package is installed it needs to be activated." - rationale: "If the rsyslog service is not activated the system will not have a syslog service running." 
- remediation: "Enable rsyslog: # update-rc.d rsyslog enable" - compliance: - - cis: "8.2.2" - condition: all - rules: - - 'f:/etc/rc2.d/S01rsyslog' - - 'f:/etc/rc3.d/S01rsyslog' - - 'f:/etc/rc4.d/S01rsyslog' - - 'f:/etc/rc5.d/S01rsyslog' - - - id: 10568 - title: "Configure /etc/rsyslog.conf" - description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." - rationale: "A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)." - remediation: "Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment: *.emerg :omusrmsg:* mail.* -/var/log/mail mail.info -/var/log/mail.info mail.warning -/var/log/mail.warn mail.err -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none -/var/log/messages local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages Execute the following command to restart rsyslogd # pkill -HUP rsyslogd" - compliance: - - cis: "8.2.3" - references: - - rsyslog.conf(5) man page - condition: all - rules: - - 'f:$rsyslog_files -> r:^*.emerg\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.info\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.warning\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.err\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^news.crit\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^news.err\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^news.notice\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^*.=warning;*.=err\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^*.crit\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^*.*;mail.none;news.none\s*\t*\s*\S' - - 'f:$rsyslog_files -> 
r:^local0,local1.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local2,local3.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local4,local5.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local6,local7.*\s*\t*\s*\S' - - - id: 10569 - title: "Configure rsyslog to Send Logs to a Remote Log Host" - description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." - rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system" - remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol." - compliance: - - cis: "8.2.5" - references: - - rsyslog.conf(5) man page - condition: all - rules: - - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+' - - - id: 10570 - title: "Accept Remote rsyslog Messages Only on Designated Log Hosts" - description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." - rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. 
This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." - remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd" - compliance: - - cis: "8.2.6" - references: - - rsyslog.conf(8) man page - condition: all - rules: - - 'f:$rsyslog_files -> r:^\$ModLoad imtcp.so' - - 'f:$rsyslog_files -> r:^\$InputTCPServerRun 514' - - - id: 10571 - title: "Configure logrotate" - description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog." - rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files." - remediation: "Edit the /etc/logrotate.d/rsyslog file to include appropriate system logs according to your site policy." - compliance: - - cis: "8.4" - condition: all - rules: - - 'f:/etc/logrotate.d/rsyslog' - - 'f:/etc/logrotate.d/rsyslog -> r:\S+' + - id: 10567 + title: "Ensure the rsyslog Service is activated" + description: "Once the rsyslog package is installed it needs to be activated." + rationale: "If the rsyslog service is not activated the system will not have a syslog service running." 
+ remediation: "Enable rsyslog: # update-rc.d rsyslog enable" + compliance: + - cis: "8.2.2" + condition: all + rules: + - 'f:/etc/rc2.d/S01rsyslog' + - 'f:/etc/rc3.d/S01rsyslog' + - 'f:/etc/rc4.d/S01rsyslog' + - 'f:/etc/rc5.d/S01rsyslog' + + - id: 10568 + title: "Configure /etc/rsyslog.conf" + description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." + rationale: "A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)." + remediation: "Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment: *.emerg :omusrmsg:* mail.* -/var/log/mail mail.info -/var/log/mail.info mail.warning -/var/log/mail.warn mail.err -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none -/var/log/messages local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages Execute the following command to restart rsyslogd # pkill -HUP rsyslogd" + compliance: + - cis: "8.2.3" + references: + - rsyslog.conf(5) man page + condition: all + rules: + - 'f:$rsyslog_files -> r:^*.emerg\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.info\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.warning\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^mail.err\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^news.crit\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^news.err\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^news.notice\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^*.=warning;*.=err\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^*.crit\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^*.*;mail.none;news.none\s*\t*\s*\S' + - 'f:$rsyslog_files -> 
r:^local0,local1.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local2,local3.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local4,local5.*\s*\t*\s*\S' + - 'f:$rsyslog_files -> r:^local6,local7.*\s*\t*\s*\S' + + - id: 10569 + title: "Configure rsyslog to Send Logs to a Remote Log Host" + description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." + rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system" + remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol." + compliance: + - cis: "8.2.5" + references: + - rsyslog.conf(5) man page + condition: all + rules: + - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+' + + - id: 10570 + title: "Accept Remote rsyslog Messages Only on Designated Log Hosts" + description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." + rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. 
This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." + remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd" + compliance: + - cis: "8.2.6" + references: + - rsyslog.conf(8) man page + condition: all + rules: + - 'f:$rsyslog_files -> r:^\$ModLoad imtcp.so' + - 'f:$rsyslog_files -> r:^\$InputTCPServerRun 514' + + - id: 10571 + title: "Configure logrotate" + description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog." + rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files." + remediation: "Edit the /etc/logrotate.d/rsyslog file to include appropriate system logs according to your site policy." + compliance: + - cis: "8.4" + condition: all + rules: + - 'f:/etc/logrotate.d/rsyslog' + - 'f:/etc/logrotate.d/rsyslog -> r:\S+' # 9 System Access, Authentication and Authorization - - id: 10572 - title: "Enable cron Daemon" - description: "The cron daemon is used to execute batch jobs on the system." - rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them." 
- remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable" - compliance: - - cis: "9.1.1" - condition: all - rules: - - 'f:/etc/rc2.d/S15anacron' - - 'f:/etc/rc2.d/S15cron' - - 'f:/etc/rc3.d/S15anacron' - - 'f:/etc/rc3.d/S15cron' - - 'f:/etc/rc4.d/S15anacron' - - 'f:/etc/rc4.d/S15cron' - - 'f:/etc/rc5.d/S15anacron' - - 'f:/etc/rc5.d/S15cron' - - - id: 10573 - title: "Restrict at/cron to Authorized Users" - description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." - rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." 
- remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" - compliance: - - cis: "9.1.8" - condition: all - rules: - - 'f:/etc/cron.allow' - - 'f:/etc/at.allow' - - 'not f:/etc/cron.deny' - - 'not f:/etc/at.deny' - - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-\d00' - - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-\d00' - - - id: 10574 - title: "Set Password Creation Requirement Parameters Using pam_cracklib" - description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies." - rationale: "Strong passwords protect systems from being hacked through brute force methods." 
- remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1" - compliance: - - cis: "9.2.1" - condition: all - rules: - - 'f:/etc/pam.d/common-password -> r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+' - - - id: 10575 - title: " Set Lockout for Failed Password Attempts" - description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." - rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." - remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user." 
- compliance: - - cis: "9.2.2" - condition: all - rules: - - 'f:/etc/pam.d/login -> r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+' - - - id: 10576 - title: "Limit Password Reuse" - description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." - rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." - remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy." - compliance: - - cis: "9.2.3" - condition: all - rules: - - 'f:/etc/pam.d/common-password -> r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d' - - - id: 10577 - title: "Set SSH Protocol to 2" - description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." - rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" - compliance: - - cis: "9.3.1" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*Protocol\s*\t*2' - - - id: 10578 - title: "Set LogLevel to INFO" - description: "The INFO parameter specifices that record login and logout activity will be logged." - rationale: "SSH provides several logging levels with varying amounts of verbosity. 
DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" - compliance: - - cis: "9.3.2" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+INFO' - - - id: 10579 - title: "Disable SSH X11 Forwarding" - description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." - rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no" - compliance: - - cis: "9.3.4" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' - - - id: 10580 - title: "Set SSH MaxAuthTries to 4 or Less" - description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." - rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. 
While the recommended setting is 4, it is set the number based on site policy." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" - compliance: - - cis: "9.3.5" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' - - - id: 10581 - title: "Set SSH IgnoreRhosts to Yes" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." - rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - compliance: - - cis: "9.3.6" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^IgnoreRhosts\s+yes' - - - id: 10582 - title: "Set SSH HostbasedAuthentication to No" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - cis: "9.3.7" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^HostbasedAuthentication\s+no' - - - id: 10583 - title: "Disable SSH Root Login" - description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." - rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" - compliance: - - cis: "9.3.8" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s+no' - - - id: 10584 - title: "Set SSH PermitEmptyPasswords to No" - description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." - rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" - compliance: - - cis: "9.3.9" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitEmptyPasswords\s+no' - - - id: 10585 - title: "Do Not Allow Users to Set Environment Options" - description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." - rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" - compliance: - - cis: "9.3.10" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitUserEnvironment\s+no' - - - id: 10586 - title: "Set Idle Timeout Interval for User Login" - description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. 
When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." - rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0" - compliance: - - cis: "9.3.12" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> n:^ClientAliveInterval\s+(\d+) compare <= 300' - - 'f:/etc/ssh/sshd_config -> r:^ClientAliveCountMax\s+0' - - - id: 10587 - title: "Limit Access via SSH" - description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." - rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." 
- remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " - compliance: - - cis: "9.3.13" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' - - - id: 10588 - title: "Set SSH Banner" - description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." - rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" - compliance: - - cis: "9.3.14" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^Banner /etc/issue.net' - - - id: 10589 - title: "Restrict Access to the su Command" - description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su." - rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." - remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file." 
- compliance:
- - cis: "9.5"
- condition: all
- rules:
- - 'f:/etc/pam.d/su -> r:auth required pam_wheel.so use_uid'
+ - id: 10572
+ title: "Enable cron Daemon"
+ description: "The cron daemon is used to execute batch jobs on the system."
+ rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
+ remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable"
+ compliance:
+ - cis: "9.1.1"
+ condition: all
+ rules:
+ - 'f:/etc/rc2.d/S15anacron'
+ - 'f:/etc/rc2.d/S15cron'
+ - 'f:/etc/rc3.d/S15anacron'
+ - 'f:/etc/rc3.d/S15cron'
+ - 'f:/etc/rc4.d/S15anacron'
+ - 'f:/etc/rc4.d/S15cron'
+ - 'f:/etc/rc5.d/S15anacron'
+ - 'f:/etc/rc5.d/S15cron'
+
+ - id: 10573
+ title: "Restrict at/cron to Authorized Users"
+ description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+ rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+ remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+ compliance:
+ - cis: "9.1.8"
+ condition: all
+ rules:
+ - 'f:/etc/cron.allow'
+ - 'f:/etc/at.allow'
+ - 'not f:/etc/cron.deny'
+ - 'not f:/etc/at.deny'
+ - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-\d00'
+ - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-\d00'
+
+ - id: 10574
+ title: "Set Password Creation Requirement Parameters Using pam_cracklib"
+ description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
+ compliance:
+ - cis: "9.2.1"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+'
+
+ - id: 10575
+ title: " Set Lockout for Failed Password Attempts"
+ description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+ rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+ remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user."
+ compliance:
+ - cis: "9.2.2"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/login -> r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+'
+
+ - id: 10576
+ title: "Limit Password Reuse"
+ description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+ rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+ remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy."
+ compliance:
+ - cis: "9.2.3"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d'
+
+ - id: 10577
+ title: "Set SSH Protocol to 2"
+ description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis: "9.3.1"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*Protocol\s*\t*2'
+
+ - id: 10578
+ title: "Set LogLevel to INFO"
+ description: "The INFO parameter specifices that record login and logout activity will be logged."
+ rationale: "SSH provides several logging levels with varying amounts of verbosity. 
DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+ compliance:
+ - cis: "9.3.2"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+INFO'
+
+ - id: 10579
+ title: "Disable SSH X11 Forwarding"
+ description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+ rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"
+ compliance:
+ - cis: "9.3.4"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no'
+
+ - id: 10580
+ title: "Set SSH MaxAuthTries to 4 or Less"
+ description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+ rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. 
While the recommended setting is 4, it is set the number based on site policy."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+ compliance:
+ - cis: "9.3.5"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4'
+
+ - id: 10581
+ title: "Set SSH IgnoreRhosts to Yes"
+ description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis: "9.3.6"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^IgnoreRhosts\s+yes'
+
+ - id: 10582
+ title: "Set SSH HostbasedAuthentication to No"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis: "9.3.7"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^HostbasedAuthentication\s+no'
+
+ - id: 10583
+ title: "Disable SSH Root Login"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+ rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+ compliance:
+ - cis: "9.3.8"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s+no'
+
+ - id: 10584
+ title: "Set SSH PermitEmptyPasswords to No"
+ description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+ compliance:
+ - cis: "9.3.9"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^PermitEmptyPasswords\s+no'
+
+ - id: 10585
+ title: "Do Not Allow Users to Set Environment Options"
+ description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+ rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+ compliance:
+ - cis: "9.3.10"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^PermitUserEnvironment\s+no'
+
+ - id: 10586
+ title: "Set Idle Timeout Interval for User Login"
+ description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. 
When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+ rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0"
+ compliance:
+ - cis: "9.3.12"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> n:^ClientAliveInterval\s+(\d+) compare <= 300'
+ - 'f:/etc/ssh/sshd_config -> r:^ClientAliveCountMax\s+0'
+
+ - id: 10587
+ title: "Limit Access via SSH"
+ description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+ rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+ remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
+ compliance:
+ - cis: "9.3.13"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+'
+
+ - id: 10588
+ title: "Set SSH Banner"
+ description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+ rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+ compliance:
+ - cis: "9.3.14"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^Banner /etc/issue.net'
+
+ - id: 10589
+ title: "Restrict Access to the su Command"
+ description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
+ rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+ remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file."
+ compliance: + - cis: "9.5" + condition: all + rules: + - 'f:/etc/pam.d/su -> r:auth required pam_wheel.so use_uid' # 10 User Accounts and Environment - - id: 10590 - title: "Set Password Expiration Days" - description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days." - rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." - remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 " - compliance: - - cis: "10.1.1" - condition: all - rules: - - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s+(\d+) compare <= 90' - - - id: 10591 - title: "Set Password Change Minimum Number of Days" - description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." - rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." 
- remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 "
- compliance:
- - cis: "10.1.2"
- condition: all
- rules:
- - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s+(\d+) compare <= 7'
-
- - id: 10592
- title: "Set Password Expiring Warning Days"
- description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
- rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
- remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 "
- compliance:
- - cis: "10.1.3"
- condition: all
- rules:
- - 'f:/etc/login.defs -> n:^PASS_WARN_DAYS\s+(\d+) compare <= 7'
-
- - id: 10593
- title: "Set Default Group for root Account"
- description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
- rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
- remediation: "# usermod -g 0 root"
- compliance:
- - cis: "10.3"
- condition: all
- rules:
- - 'f:/etc/passwd -> r:^root:\w+:\w+:0:'
-
- - id: 10594
- title: "Set Default umask for Users"
- description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. 
Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories."
- rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked."
- remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077"
- compliance:
- - cis: "10.4"
- condition: all
- rules:
- - 'f:$profiledfiles -> r:^umask 077'
- - 'f:/etc/bash.bashrc -> r:^umask 077'
-
- - id: 10595
- title: "Lock Inactive User Accounts"
- description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled."
- rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
- remediation: "# useradd -D -f 35"
- compliance:
- - cis: "10.5"
- condition: all
- rules:
- - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35'
+ - id: 10590
+ title: "Set Password Expiration Days"
+ description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. 
It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days."
+ rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+ remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 "
+ compliance:
+ - cis: "10.1.1"
+ condition: all
+ rules:
+ - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s+(\d+) compare <= 90'
+
+ - id: 10591
+ title: "Set Password Change Minimum Number of Days"
+ description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+ rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+ remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 "
+ compliance:
+ - cis: "10.1.2"
+ condition: all
+ rules:
+ - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s+(\d+) compare <= 7'
+
+ - id: 10592
+ title: "Set Password Expiring Warning Days"
+ description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+ rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. 
Users caught unaware may choose a simple password or write it down where it may be discovered."
+ remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 "
+ compliance:
+ - cis: "10.1.3"
+ condition: all
+ rules:
+ - 'f:/etc/login.defs -> n:^PASS_WARN_DAYS\s+(\d+) compare <= 7'
+
+ - id: 10593
+ title: "Set Default Group for root Account"
+ description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+ rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+ remediation: "# usermod -g 0 root"
+ compliance:
+ - cis: "10.3"
+ condition: all
+ rules:
+ - 'f:/etc/passwd -> r:^root:\w+:\w+:0:'
+
+ - id: 10594
+ title: "Set Default umask for Users"
+ description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories."
+ rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. 
If other shells are supported on the system, it is recommended that their configuration files also are checked." + remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077" + compliance: + - cis: "10.4" + condition: all + rules: + - 'f:$profiledfiles -> r:^umask 077' + - 'f:/etc/bash.bashrc -> r:^umask 077' + + - id: 10595 + title: "Lock Inactive User Accounts" + description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." + rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." + remediation: "# useradd -D -f 35" + compliance: + - cis: "10.5" + condition: all + rules: + - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' # 11 Warning Banners - - id: 10596 - title: "Set Warning Banner for Standard Login Services" - description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed." - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." - remediation: "# touch /etc/motd # echo \"Authorized uses only. 
All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
- compliance:
- - cis: "11.1"
- condition: all
- rules:
- - 'f:/etc/motd'
- - 'f:/etc/issue'
- - 'f:/etc/issue.net'
-
- - id: 10597
- title: "Remove OS Information from Login Warning Banners"
- description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform."
- rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in."
- remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v."
- compliance:
- - cis: "11.2"
- condition: none
- rules:
- - 'f:/etc/motd -> r:debian|gnu|linux'
+ - id: 10596
+ title: "Set Warning Banner for Standard Login Services"
+ description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed."
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." + remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net" + compliance: + - cis: "11.1" + condition: all + rules: + - 'f:/etc/motd' + - 'f:/etc/issue' + - 'f:/etc/issue.net' + + - id: 10597 + title: "Remove OS Information from Login Warning Banners" + description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." + rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." + remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v." + compliance: + - cis: "11.2" + condition: none + rules: + - 'f:/etc/motd -> r:debian|gnu|linux' # 13 Review User and Group Settings - - id: 10598 - title: "Ensure Password Fields are Not Empty" - description: "An account with an empty password field means that anybody may log in as that user without providing a password." 
- rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
- compliance:
- - cis: "13.1"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 10599
- title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File"
- description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
- rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
- remediation: "Delete these entries if they exist."
- compliance:
- - cis: "13.2"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && r:^+:'
-
- - id: 10600
- title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File"
- description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
- rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
- remediation: "Delete these entries if they exist."
- compliance: - - cis: "13.3" - condition: none - rules: - - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 10601 - title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" - description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." - rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." - remediation: "Delete these entries if they exist." - compliance: - - cis: "13.4" - condition: none - rules: - - 'f:/etc/group -> !r:^# && r:^+:' - - - id: 10602 - title: "Verify No UID 0 Accounts Exist Other Than root" - description: "Any account with UID 0 has superuser privileges on the system." - rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." - remediation: "Delete any other entries that are displayed." - compliance: - - cis: "13.5" - condition: none - rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' - - - id: 10603 - title: "Check for Presence of User .rhosts Files" - description: "While no .rhosts files are shipped by default, users can easily create them." - rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." - remediation: "If any users have .rhosts files determine why they have them." 
- compliance: - - cis: "13.10" - condition: none - rules: - - 'd:$home_dirs -> r:^.rhosts$' - - - id: 10604 - title: "Check for Presence of User .netrc Files" - description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." - rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." - remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." - compliance: - - cis: "13.18" - condition: none - rules: - - 'd:$home_dirs -> r:^.netrc$' - - - id: 10605 - title: "Check for Presence of User .forward Files" - description: "The .forward file specifies an email address to forward the user's mail to." - rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." - remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." - compliance: - - cis: "13.19" - condition: none - rules: - - 'd:$home_dirs -> r:^.forward$' - - - id: 10606 - title: "Ensure shadow group is empty" - description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." 
- rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." - remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." - compliance: - - cis: "13.20" - condition: none - rules: - - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' + - id: 10598 + title: "Ensure Password Fields are Not Empty" + description: "An account with an empty password field means that anybody may log in as that user without providing a password." + rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." + remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." + compliance: + - cis: "13.1" + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+::' + + - id: 10599 + title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" + description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." + rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." + remediation: "Delete these entries if they exist." 
+ compliance: + - cis: "13.2" + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && r:^+:' + + - id: 10600 + title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" + description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." + rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." + remediation: "Delete these entries if they exist." + compliance: + - cis: "13.3" + condition: none + rules: + - 'f:/etc/shadow -> !r:^# && r:^+:' + - id: 10601 + title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" + description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." + rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." + remediation: "Delete these entries if they exist." + compliance: + - cis: "13.4" + condition: none + rules: + - 'f:/etc/group -> !r:^# && r:^+:' + + - id: 10602 + title: "Verify No UID 0 Accounts Exist Other Than root" + description: "Any account with UID 0 has superuser privileges on the system." + rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." + remediation: "Delete any other entries that are displayed." 
+ compliance: + - cis: "13.5" + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + + - id: 10603 + title: "Check for Presence of User .rhosts Files" + description: "While no .rhosts files are shipped by default, users can easily create them." + rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." + remediation: "If any users have .rhosts files determine why they have them." + compliance: + - cis: "13.10" + condition: none + rules: + - 'd:$home_dirs -> r:^.rhosts$' + + - id: 10604 + title: "Check for Presence of User .netrc Files" + description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." + rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." + remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." + compliance: + - cis: "13.18" + condition: none + rules: + - 'd:$home_dirs -> r:^.netrc$' + + - id: 10605 + title: "Check for Presence of User .forward Files" + description: "The .forward file specifies an email address to forward the user's mail to." + rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. 
The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." + remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." + compliance: + - cis: "13.19" + condition: none + rules: + - 'd:$home_dirs -> r:^.forward$' + + - id: 10606 + title: "Ensure shadow group is empty" + description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." + rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." + remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." + compliance: + - cis: "13.20" + condition: none + rules: + - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml index a93b40e98..9efea8838 100644 --- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml 
@@ -29,387 +29,387 @@ requirements: checks: # 2 Filesystem Configuration - - id: 11000 - title: "Disable Mounting of cramfs Filesystems" - description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true" - compliance: - - cis: "2.18" - condition: all - rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install cramfs /bin/true' + - id: 11000 + title: "Disable Mounting of cramfs Filesystems" + description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true" + compliance: + - cis: "2.18" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install cramfs /bin/true' - - id: 11001 - title: "Disable Mounting of freevxfs Filesystems" - description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
- remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true" - compliance: - - cis: "2.19" - condition: all - rules: - - f:/etc/modprobe.d/CIS.conf - - f:/etc/modprobe.d/CIS.conf -> r:^install freevxfs /bin/true + - id: 11001 + title: "Disable Mounting of freevxfs Filesystems" + description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true" + compliance: + - cis: "2.19" + condition: all + rules: + - f:/etc/modprobe.d/CIS.conf + - f:/etc/modprobe.d/CIS.conf -> r:^install freevxfs /bin/true - - id: 11002 - title: "Disable Mounting of jffs2 Filesystems" - description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true" - compliance: - - cis: "2.20" - condition: all - rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install jffs2 /bin/true' + - id: 11002 + title: "Disable Mounting of jffs2 Filesystems" + description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
+ remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true" + compliance: + - cis: "2.20" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install jffs2 /bin/true' - - id: 11003 - title: "Disable Mounting of hfs Filesystems" - description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true" - compliance: - - cis: "2.21" - condition: all - rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfs /bin/true' + - id: 11003 + title: "Disable Mounting of hfs Filesystems" + description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true" + compliance: + - cis: "2.21" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfs /bin/true' - - id: 11004 - title: "Disable Mounting of hfsplus Filesystems" - description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
- remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true" - compliance: - - cis: "2.22" - condition: all - rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfsplus /bin/true' + - id: 11004 + title: "Disable Mounting of hfsplus Filesystems" + description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true" + compliance: + - cis: "2.22" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfsplus /bin/true' - - id: 11005 - title: "Disable Mounting of squashfs Filesystems" - description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true" - compliance: - - cis: "2.23" - condition: all - rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install squashfs /bin/true' + - id: 11005 + title: "Disable Mounting of squashfs Filesystems" + description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." 
+ rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true" + compliance: + - cis: "2.23" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install squashfs /bin/true' - - id: 11006 - title: "Disable Mounting of udf Filesystems" - description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true" - compliance: - - cis: "2.24" - condition: all - rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install udf /bin/true' + - id: 11006 + title: "Disable Mounting of udf Filesystems" + description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
+ remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true" + compliance: + - cis: "2.24" + condition: all + rules: + - 'f:/etc/modprobe.d/CIS.conf' + - 'f:/etc/modprobe.d/CIS.conf -> r:^install udf /bin/true' # 4 Additional Process Hardening - - id: 11007 - title: "Activate AppArmor" - description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." - rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." - remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." - compliance: - - cis: "4.5" - condition: all - rules: - - 'f:/etc/default/grub -> r:apparmor=1 && r:security=apparmor' + - id: 11007 + title: "Activate AppArmor" + description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." + rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. 
In this way, AppArmor rules can only make a system's permissions more restrictive and secure." + remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." + compliance: + - cis: "4.5" + condition: all + rules: + - 'f:/etc/default/grub -> r:apparmor=1 && r:security=apparmor' # 8.1 Configure System Accounting (auditd) - - id: 11008 - title: "Configure Audit Log Storage Size" - description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." - rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." - remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." - compliance: - - cis: "8.1.1.1" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/auditd.conf' - - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' + - id: 11008 + title: "Configure Audit Log Storage Size" + description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." + rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." 
+ remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." + compliance: + - cis: "8.1.1.1" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' - - id: 11009 - title: "Disable System on Audit Log Full" - description: "The auditd daemon can be configured to halt the system when the audit logs are full." - rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." - remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt" - compliance: - - cis: "8.1.1.2" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/auditd.conf' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' - - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*ignore|syslog|suspend|single|halt' - - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single' + - id: 11009 + title: "Disable System on Audit Log Full" + description: "The auditd daemon can be configured to halt the system when the audit logs are full." + rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." + remediation: "Add the following lines to the /etc/audit/auditd.conf file. 
space_left_action = email action_mail_acct = root admin_space_left_action = halt" + compliance: + - cis: "8.1.1.2" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' + - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*ignore|syslog|suspend|single|halt' + - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single' - - id: 11010 - title: "Keep All Auditing Information" - description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." - rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." - remediation: "Add the following line to the /etc/audit/auditd.conf file. max_log_file_action = keep_logs" - compliance: - - cis: "8.1.1.3" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/auditd.conf' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' - - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*ignore|syslog|suspend|rotate' + - id: 11010 + title: "Keep All Auditing Information" + description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." + rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." + remediation: "Add the following line to the /etc/audit/auditd.conf file. 
max_log_file_action = keep_logs" + compliance: + - cis: "8.1.1.3" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' + - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*ignore|syslog|suspend|rotate' - - id: 11011 - title: "Enable Auditing for Processes That Start Prior to auditd" - description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." - rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." - remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" - compliance: - - cis: "8.1.3" - condition: all - rules: - - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' + - id: 11011 + title: "Enable Auditing for Processes That Start Prior to auditd" + description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." + rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." + remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" + compliance: + - cis: "8.1.3" + condition: all + rules: + - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' - - id: 11012 - title: "Record Events That Modify Date and Time Information" - description: "Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" - rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" - compliance: - - cis: "8.1.4" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S clock_settime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S clock_settime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime -p wa -k time-change' + - id: 11012 + title: "Record Events That Modify Date and Time Information" + description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" + rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." 
+ remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+ compliance:
+ - cis: "8.1.4"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S clock_settime -k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S clock_settime -k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime -p wa -k time-change'
- - id: 11013
- title: "Record Events That Modify User/Group Information"
- description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." 
- rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
- compliance:
- - cis: "8.1.5"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/group -p wa -k identity'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd -p wa -k identity'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow -p wa -k identity'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow -p wa -k identity'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd -p wa -k identity'
+ - id: 11013
+ title: "Record Events That Modify User/Group Information"
+ description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file."
+ rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file. 
-w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+ compliance:
+ - cis: "8.1.5"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/group -p wa -k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd -p wa -k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow -p wa -k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow -p wa -k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd -p wa -k identity'
- - id: 11014
- title: "Record Events That Modify the System's Network Environment"
- description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files."
- rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. 
Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd" - compliance: - - cis: "8.1.6" - condition: all - rules: - - 'f:/etc/audit' - - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/network -p wa -k system-locale' + - id: 11014 + title: "Record Events That Modify the System's Network Environment" + description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files." + rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+ compliance:
+ - cis: "8.1.6"
+ condition: all
+ rules:
+ - 'f:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/network -p wa -k system-locale'
- - id: 11015
- title: "Record Events That Modify the System's Mandatory Access Controls"
- description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
- rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
- compliance:
- - cis: "8.1.7"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ -p wa -k MAC-policy'
+ - id: 11015
+ title: "Record Events That Modify the System's Mandatory Access Controls"
+ description: "Monitor SELinux mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
+ rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+ compliance:
+ - cis: "8.1.7"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ -p wa -k MAC-policy'
- - id: 11016
- title: "Collect Login and Logout Events"
- description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
- rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. 
-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
- compliance:
- - cis: "8.1.8"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog -p wa -k logins'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog -p wa -k logins'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog -p wa -k logins'
+ - id: 11016
+ title: "Collect Login and Logout Events"
+ description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+ rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ compliance:
+ - cis: "8.1.8"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog -p wa -k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog -p wa -k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog -p wa -k logins'
- - id: 11017
- title: "Collect Session Initiation Information"
- description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. 
The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\"" - rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." - remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)" - compliance: - - cis: "8.1.9" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp -p wa -k session' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp -p wa -k session' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp -p wa -k session' + - id: 11017 + title: "Collect Session Initiation Information" + description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. 
All audit records will be tagged with the identifier \"logins.\"" + rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." + remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)" + compliance: + - cis: "8.1.9" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp -p wa -k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp -p wa -k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp -p wa -k session' - - id: 11018 - title: "Collect Discretionary Access Control Permission Modification Events" - description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). 
All audit records will be tagged with the identifier \"perm_mod.\"" - rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" - compliance: - - cis: "8.1.10" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - id: 11018 + title: "Collect Discretionary Access Control Permission Modification Events" + description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" + rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.10" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - id: 11019 - title: "Collect Unsuccessful Unauthorized Access Attempts to Files" - description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. 
An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" - rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" - compliance: - - cis: "8.1.11" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - id: 11019 + title: "Collect Unsuccessful Unauthorized Access Attempts to Files" + description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" + rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." 
+ remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.11" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - - id: 11020 
- title: "Collect Successful File System Mounts" - description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" - rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" - compliance: - - cis: "8.1.13" - condition: all - rules: - - 'd:/etc/audit' - - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + - id: 11020 + title: "Collect Successful File System Mounts" + description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" + rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ compliance:
+ - cis: "8.1.13"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
- - id: 11021
- title: "Collect File Deletion Events by User"
- description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
- rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
- remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
- compliance:
- - cis: "8.1.14"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+ - id: 11021
+ title: "Collect File Deletion Events by User"
+ description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
+ rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
+ remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+ compliance:
+ - cis: "8.1.14"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete'
- - id: 11022
- title: "Collect Changes to System Administration Scope (sudoers)"
- description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\""
- rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
- remediation: "Add the following lines to the /etc/audit/audit.rules file.
-w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
- compliance:
- - cis: "8.1.15"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers -p wa -k scope'
+ - id: 11022
+ title: "Collect Changes to System Administration Scope (sudoers)"
+ description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\""
+ rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ compliance:
+ - cis: "8.1.15"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers -p wa -k scope'
- - id: 11023
- title: "Collect System Administrator Actions (sudolog)"
- description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
- rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with.
Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root"
- compliance:
- - cis: "8.1.16"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log -p wa -k actions'
+ - id: 11023
+ title: "Collect System Administrator Actions (sudolog)"
+ description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+ rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo.
This will not be effective on the console, as administrators can log in as root"
+ compliance:
+ - cis: "8.1.16"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log -p wa -k actions'
- - id: 11024
- title: "Collect Kernel Module Loading and Unloading"
- description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
- rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
- remediation: "Add the following lines to the /etc/audit/audit.rules file.
-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
- compliance:
- - cis: "8.1.17"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod -p x -k modules'
- - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod -p x -k modules'
- - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe -p x -k modules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
+ - id: 11024
+ title: "Collect Kernel Module Loading and Unloading"
+ description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
+ rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file.
-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
+ compliance:
+ - cis: "8.1.17"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod -p x -k modules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod -p x -k modules'
+ - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe -p x -k modules'
+ - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
- - id: 11025
- title: "Make the Audit Configuration Immutable"
- description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot"
- rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file"
- compliance:
- - cis: "8.1.18"
- condition: all
- rules:
- - 'd:/etc/audit'
- - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-e 2$'
+ - id: 11025
+ title: "Make the Audit Configuration Immutable"
+ description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode.
Audit changes can only be made on system reboot"
+ rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file"
+ compliance:
+ - cis: "8.1.18"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-e 2$'
# 8.3 Advanced Intrusion Detection Environment (AIDE)
- - id: 11026
- title: "Install AIDE"
- description: "In some installations, AIDE is not installed automatically"
- rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
- remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
- compliance:
- - cis: "8.3.1"
- condition: all
- rules:
- - 'f:/usr/sbin/aideinit'
+ - id: 11026
+ title: "Install AIDE"
+ description: "In some installations, AIDE is not installed automatically"
+ rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
+ remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times.
Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
+ compliance:
+ - cis: "8.3.1"
+ condition: all
+ rules:
+ - 'f:/usr/sbin/aideinit'
- - id: 11027
- title: "Implement Periodic Execution of File Integrity"
- description: "Implement periodic file checking, in compliance with site policy"
- rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
- remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
- compliance:
- - cis: "8.3.2"
- condition: all
- rules:
- - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide --check'
+ - id: 11027
+ title: "Implement Periodic Execution of File Integrity"
+ description: "Implement periodic file checking, in compliance with site policy"
+ rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
+ remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
+ compliance:
+ - cis: "8.3.2"
+ condition: all
+ rules:
+ - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide --check'
diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml
index c8ed6f4bc..d9c4e553e 100644
--- a/sca/generic/system_audit_pw.yml
+++ b/sca/generic/system_audit_pw.yml
@@ -30,156 +30,156 @@ requirements:
- 'f:/etc/shadow'
variables:
- $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
+ $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
checks:
# 5.3 Configure PAM
- - id: 13000
- title: "Ensure password creation requirements are configured"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: all
- rules:
- - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass'
- - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
+ - id: 13000
+ title: "Ensure password creation requirements are configured"
+ description: "The pam_pwquality.so module and
pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4, 5.7, 16.12"
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: all
+ rules:
+ - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass'
+ - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
- - id: 13001
- title: "Ensure passwords are longer than 13 characters"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
- - 'f:/etc/security/pwquality.conf -> n:minlen=(\d+) compare >= 14'
+ - id: 13001
+ title: "Ensure passwords are longer than 13 characters"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4, 5.7, 16.12"
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
+ - 'f:/etc/security/pwquality.conf -> n:minlen=(\d+) compare >= 14'
- - id: 13002
- title: "Ensure passwords contain at least one digit"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords.
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^dcredit=\p*\d'
+ - id: 13002
+ title: "Ensure passwords contain at least one digit"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4, 5.7, 16.12"
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=\p*\d'
+ - 'f:/etc/security/pwquality.conf -> r:^dcredit=\p*\d'
- - id: 13003
- title: "Ensure passwords contain at least one lowercase character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d'
+ - id: 13003
+ title: "Ensure passwords contain at least one lowercase character"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g.
alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4, 5.7, 16.12"
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d'
+ - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d'
- - id: 13004
- title: "Ensure passwords contain at least one uppercase character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d'
+ - id: 13004
+ title: "Ensure passwords contain at least one uppercase character"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords.
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4, 5.7, 16.12"
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d'
+ - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d'
- - id: 13005
- title: "Ensure passwords contain at least one uppercase character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^ucredit=\p*\d'
+ - id: 13005
+ title: "Ensure passwords contain at least one uppercase character"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4, 5.7, 16.12"
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=\p*\d'
+ - 'f:/etc/security/pwquality.conf -> r:^ucredit=\p*\d'
- - id: 13006
- title: "Ensure passwords contain at least one special character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g.
alphabet, numeric, other) and more." - rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any - rules: - - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=\p*\d' - - 'f:/etc/security/pwquality.conf -> r:^ocredit=\p*\d' + - id: 13006 + title: "Ensure passwords contain at least one special character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=\p*\d' + - 'f:/etc/security/pwquality.conf -> r:^ocredit=\p*\d' - - id: 13007 - title: "Ensure password hashing algorithm is SHA-256 or higher" - description: "Password hashing should use a cryptographically secure algorithm such as SHA-256 or SHA-512 instead of MD5." 
- rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." - remediation: "Edit the /etc/pam.d/common-password file or /etc/pam.d/password-auth and /etc/pam.d/system-auth files (depending on the Linux distribution used) to include the sha512 option for pam_unix.so." - compliance: - - cis: "5.3.4" - - cis_csc: "16.4, 16.14" - references: - - https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun - - https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html - condition: any - rules: - - 'f:/etc/security/policy.conf -> r:^CRYPT_DEFAULT=\d && !r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__' - - 'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) compare >= 256' - - 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) compare >= 256' + - id: 13007 + title: "Ensure password hashing algorithm is SHA-256 or higher" + description: "Password hashing should use a cryptographically secure algorithm such as SHA-256 or SHA-512 instead of MD5." + rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." + remediation: "Edit the /etc/pam.d/common-password file or /etc/pam.d/password-auth and /etc/pam.d/system-auth files (depending on the Linux distribution used) to include the sha512 option for pam_unix.so." 
+ compliance: + - cis: "5.3.4" + - cis_csc: "16.4, 16.14" + references: + - https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun + - https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html + condition: any + rules: + - 'f:/etc/security/policy.conf -> r:^CRYPT_DEFAULT=\d && !r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__' + - 'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) compare >= 256' + - 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) compare >= 256' - - id: 13008 - title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" - description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5." - rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." - remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256." - references: - - https://linux-audit.com/password-security-with-linux-etc-shadow-file/ - - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html - condition: none - rules: - - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$' + - id: 13008 + title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" + description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5." + rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." + remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256." 
+ references: + - https://linux-audit.com/password-security-with-linux-etc-shadow-file/ + - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$' # 5.4 User accounts and Environment - - id: 13009 - title: "Ensure password expiration is 365 days or less" - description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." - rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." - remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." - compliance: - - cis: "5.4.1.1" - - cis_csc: "4.4, 16" - references: - - https://www.thegeekdiary.com/understanding-etclogin-defs-file - condition: any - rules: - - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' - - 'f:/etc/login.defs -> n:PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365' + - id: 13009 + title: "Ensure password expiration is 365 days or less" + description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." + rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." 
+ remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." + compliance: + - cis: "5.4.1.1" + - cis_csc: "4.4, 16" + references: + - https://www.thegeekdiary.com/understanding-etclogin-defs-file + condition: any + rules: + - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' + - 'f:/etc/login.defs -> n:PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365' diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml index 167a3da6d..6dfc61f4e 100644 --- a/sca/generic/system_audit_ssh.yml +++ b/sca/generic/system_audit_ssh.yml 
@@ -23,113 +23,115 @@ requirements: - 'f:/etc/ssh/sshd_config' variables: - $sshd_file: /etc/ssh/sshd_config + $sshd_file: /etc/ssh/sshd_config checks: - - id: 1500 - title: "SSH Hardening - 1: Port should not be 22" - description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." - rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." - remediation: "Change the Port option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$' + - id: 1500 + title: "SSH Hardening - 1: Port should not be 22" + description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." + rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." + remediation: "Change the Port option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$' - - id: 1501 - title: "SSH Hardening - 2: Protocol should not be 1" - description: "The SSH protocol should not be 1." - rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses." - remediation: "Change the Protocol option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$' + - id: 1501 + title: "SSH Hardening - 2: Protocol should not be 1" + description: "The SSH protocol should not be 1." + rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. 
Version 1 of the SSH protocol has weaknesses." + remediation: "Change the Protocol option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$' - - id: 1502 - title: "SSH Hardening - 3: Root account should not be able to log in" - description: "The option PermitRootLogin should be set to no." - rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses." - remediation: "Change the PermitRootLogin option value in the sshd_config file." - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no' + - id: 1502 + title: "SSH Hardening - 3: Root account should not be able to log in" + description: "The option PermitRootLogin should be set to no." + rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses." + remediation: "Change the PermitRootLogin option value in the sshd_config file." + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no' - - id: 1503 - title: "SSH Hardening - 4: No Public Key authentication" - description: "The option PubkeyAuthentication should be set yes." - rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password." - remediation: "Change the PubkeyAuthentication option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes' + - id: 1503 + title: "SSH Hardening - 4: No Public Key authentication" + description: "The option PubkeyAuthentication should be set yes." + rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. 
Keys are considered stronger than password." + remediation: "Change the PubkeyAuthentication option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes' - - id: 1504 - title: "SSH Hardening - 5: Password Authentication should be disabled" - description: "The option PasswordAuthentication should be set to no." - rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." - remediation: "Change the PasswordAuthentication option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no' + - id: 1504 + title: "SSH Hardening - 5: Password Authentication should be disabled" + description: "The option PasswordAuthentication should be set to no." + rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." + remediation: "Change the PasswordAuthentication option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no' - - id: 1505 - title: "SSH Hardening - 6: Empty passwords should not be allowed" - description: "The option PermitEmptyPasswords should be set to no." - rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." - remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+yes' + - id: 1505 + title: "SSH Hardening - 6: Empty passwords should not be allowed" + description: "The option PermitEmptyPasswords should be set to no." 
+ rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." + remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+yes' - - id: 1506 - title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" - description: "The option IgnoreRhosts should be set to yes." - rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." - remediation: "Change the IgnoreRhosts option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+no' + - id: 1506 + title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" + description: "The option IgnoreRhosts should be set to yes." + rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." + remediation: "Change the IgnoreRhosts option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+no' - - id: 1507 - title: "SSH Hardening - 8: Grace Time should be 30 or less." - description: "The option LoginGraceTime should be set to 30 or less." - rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." - remediation: "Change the LoginGraceTime option value in the sshd_config file." 
- compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+) compare <= 30' + - id: 1507 + title: "SSH Hardening - 8: Grace Time should be 30 or less." + description: "The option LoginGraceTime should be set to 30 or less." + rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." + remediation: "Change the LoginGraceTime option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+) compare <= 30' - - id: 1508 - title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" - description: "The option MaxAuthTries should be set to 4 or less." - rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4." - remediation: "Change the MaxAuthTries option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4' + - id: 1508 + title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" + description: "The option MaxAuthTries should be set to 4 or less." + rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4." + remediation: "Change the MaxAuthTries option value in the sshd_config file." 
+ compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4' - - id: 1509 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + - id: 1509 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml index bcb942822..3890c089e 100644 --- a/sca/generic/web_vulnerabilities.yml +++ b/sca/generic/web_vulnerabilities.yml 
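Review bot: Check 1500's rule `'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'`, carried unchanged onto the new side, matches the substring `Port` anywhere on a line, so an uncommented `GatewayPorts no` line satisfies all three terms and the check passes even when `Port 22` is set elsewhere in the file. Anchor on the directive and reject 22 explicitly, e.g. `- 'f:$sshd_file -> r:^\s*Port\s+\d+'` followed by `- 'not f:$sshd_file -> r:^\s*Port\s+22\s*$'` under `condition: all`, using the same `not f:` rule form that web_vulnerabilities.yml already relies on. Check 1501 deserves a caveat too: `condition: all` with `r:^\s*\t*Protocol\s*\t*\D2\D*$` demands an explicit `Protocol 2` line, which presumably fails on OpenSSH releases that no longer accept the directive at all; either say so in the rationale or turn it into a `condition: none` check on `r:^\s*Protocol\.+1`. Check 1507's `(\d+)` capture reads a suffixed value such as `LoginGraceTime 1m` as 1 and passes the `<= 30` comparison, so the description should state that a bare seconds value is assumed.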
@@ -27,133 +27,145 @@ requirements: # PHP checks checks: - - id: 1000 - title: "PHP - Register globals are enabled" - condition: all - rules: - - 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|register_globals\s*\t*=\s*\t*on' - - - id: 1001 - title: "PHP - Expose PHP is enabled" - condition: all - rules: - - 'f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^expose_php\s*\t*=\s*\t*On|^expose_php\s*\t*=\s*\t*on' - - - id: 1002 - title: "PHP - Allow URL fopen is enabled" - condition: all - rules: - - 'f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*On|^allow_url_fopen\s*\t*=\s*\t*on' - - - id: 1003 - title: "PHP - Displaying of errors is enabled" - condition: all - rules: - - 'f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^display_errors\s*\t*=\s*\t*On|^display_errors\s*\t*=\s*\t*on' + - id: 1000 + title: "PHP - Register globals are enabled" + condition: all + rules: + - 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|register_globals\s*\t*=\s*\t*on' + + - id: 1001 + title: "PHP - Expose PHP is enabled" + condition: all + rules: + - 'f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^expose_php\s*\t*=\s*\t*On|^expose_php\s*\t*=\s*\t*on' + + - id: 1002 + title: "PHP - Allow URL fopen is enabled" + condition: all + rules: + - 'f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*On|^allow_url_fopen\s*\t*=\s*\t*on' + + - id: 1003 + title: "PHP - Displaying of errors is enabled" + condition: all + rules: + - 'f:$php.ini -> 
r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off' + - 'not f:$php.ini -> r:^display_errors\s*\t*=\s*\t*On|^display_errors\s*\t*=\s*\t*on' # WEB checks - - id: 1004 - title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^.yop$' - - - id: 1005 - title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^id$' - - - id: 1006 - title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^.ssh$' - - - id: 1007 - title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^...$' - - - id: 1008 - title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^.shell$' + - id: 1004 + title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^.yop$' + + - id: 1005 + title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^id$' + + - id: 1006 + title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^.ssh$' + + - id: 1007 + title: "Web exploits: '...' 
is an uncommon file name inside htdocs - Possible compromise" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^...$' + + - id: 1008 + title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^.shell$' # Outdated Web applications - - id: 1009 - title: "Web vulnerability - Outdated WordPress installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2' - - - id: 1010 - title: "Web vulnerability - Outdated Joomla installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8' - - - id: 1011 - title: "Web vulnerability - Outdated osCommerce (v2.2) installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-' + - id: 1009 + title: "Web vulnerability - Outdated WordPress installation" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2' + + - id: 1010 + title: "Web vulnerability - Outdated Joomla installation" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8' + + - id: 1011 + title: "Web vulnerability - Outdated osCommerce (v2.2) installation" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-' # Known backdoors - - id: 1012 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" - compliance: - - 
pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' - - - id: 1013 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - condition: none - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' - - - id: 1014 - title: "Web vulnerability - .htaccess file compromised" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: none - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' - - - id: 1015 - title: "Web vulnerability - .htaccess file compromised - auto append" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: none - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file' + - id: 1012 + title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' + + - id: 1013 + title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + condition: none + rules: + - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' + + - id: 1014 + title: "Web vulnerability - .htaccess file compromised" + compliance: + - pci_dss: "6.5, 6.6, 11.4" + - nist_800_53: "SA.11, IA.10" + references: + - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html + condition: none + rules: + - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' + + - id: 1015 + title: "Web vulnerability - .htaccess file compromised - auto append" + compliance: + - pci_dss: "6.5, 6.6, 
11.4"
+ - nist_800_53: "SA.11, IA.10"
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: none
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file'
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index 8e6492b8d..f5d06510e 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -23,11 +23,11 @@ requirements:
 description: "Requirements for running the SCA scan against RHEL 5."
 condition: any
 rules:
- - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 5'
- - 'f:/etc/redhat-release -> r:^CentOS && r:release 5'
- - 'f:/etc/redhat-release -> r:^Cloud && r:release 5'
- - 'f:/etc/redhat-release -> r:^Oracle && r:release 5'
- - 'f:/etc/redhat-release -> r:^Better && r:release 5'
+ - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 5'
+ - 'f:/etc/redhat-release -> r:^CentOS && r:release 5'
+ - 'f:/etc/redhat-release -> r:^Cloud && r:release 5'
+ - 'f:/etc/redhat-release -> r:^Oracle && r:release 5'
+ - 'f:/etc/redhat-release -> r:^Better && r:release 5'
 variables:
 $sshd_file: /etc/ssh/sshd_config
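Review bot: Check 1000's two rules on the new side anchor only their first alternative (`r:^register_globals...Off|register_globals...off` and `r:^register_globals...On|register_globals...on`), so a commented-out `;register_globals = On` line in a stock php.ini satisfies the unanchored `on` alternative and makes the `not f:` rule fail the check although the directive is not active; checks 1001–1003 anchor both alternatives with `^`, and 1000 should match them, i.e. `- 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|^register_globals\s*\t*=\s*\t*off'` and `- 'not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|^register_globals\s*\t*=\s*\t*on'`. The four PHP checks are also the only ones in these policies with no description, rationale or remediation, and at least a one-line description per check noting that `register_globals` only exists in older PHP releases (so the `condition: all` check presumably fails on any php.ini that omits it) would help whoever triages the result. The "Outdated WordPress/Joomla installation" checks 1009 and 1010 match one literal version string each (`r:4.4.2`, `r:3.4.8`), so they flag that single release and pass on anything older; the titles overstate this, and a description should say so, or the rules should move to the numeric `n:... compare` form the SSH policy uses.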
@@ -35,446 +35,447 @@ variables:
 checks:
 # 1.1.1 /tmp: partition
- - id: 5500
- title: "Create Separate Partition for /tmp"
- description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
- rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
- remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /tmp . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "1.1.1"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- - CCE-14161-4
- condition: all
- rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp'
+ - id: 5500
+ title: "Create Separate Partition for /tmp"
+ description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
+ remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /tmp . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.1"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ - CCE-14161-4
+ condition: all
+ rules:
+ - 'd:/tmp'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp'
 # 1.1.2 /tmp: nodev
- - id: 5501
- title: "Set nodev option for /tmp Partition"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /tmp"
- compliance:
- - cis: "1.1.2"
- - pci_dss: "2.2.4"
- references:
- - CCE-14412-1
- condition: all
- rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
+ - id: 5501
+ title: "Set nodev option for /tmp Partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /tmp"
+ compliance:
+ - cis: "1.1.2"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-14412-1
+ condition: all
+ rules:
+ - 'd:/tmp'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
 # 1.1.3 /tmp: nosuid
- - id: 5502
- title: "Set nosuid option for /tmp Partition"
- description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)."
- compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
- references:
- - CCE-14940-1
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid'
+ - id: 5502
+ title: "Set nosuid option for /tmp Partition"
+ description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)."
+ compliance:
+ - cis: "1.1.3"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-14940-1
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid'
 # 1.1.4 /tmp: noexec
- - id: 5503
- title: "Set noexec option for /tmp Partition"
- description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). # mount -o remount,noexec /tmp"
- compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
- references:
- - CCE-14412-1
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec'
+ - id: 5503
+ title: "Set noexec option for /tmp Partition"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). 
# mount -o remount,noexec /tmp"
+ compliance:
+ - cis: "1.1.4"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-14412-1
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec'
 # 1.1.5 Build considerations - Partition scheme.
- - id: 5504
- title: "Create Separate Partition for /var"
- description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
- rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
- remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "1.1.5"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- - CCE-14777-7
- condition: all
- rules:
- - 'd:/var'
- - 'f:/etc/fstab -> !r^# && r:/var'
+ - id: 5504
+ title: "Create Separate Partition for /var"
+ description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+ rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.5"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ - CCE-14777-7
+ condition: all
+ rules:
+ - 'd:/var'
+ - 'f:/etc/fstab -> !r^# && r:/var'
 # 1.1.6 bind mount /var/tmp to /tmp
- - id: 5505
- title: "Bind Mount the /var/tmp directory to /tmp"
- description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same /tmp is protected."
- rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
- remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
- compliance:
- - cis: "1.1.6"
- references:
- - CCE-14584-7
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'
+ - id: 5505
+ title: "Bind Mount the /var/tmp directory to /tmp"
+ description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same /tmp is protected."
+ rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
+ remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
+ compliance:
+ - cis: "1.1.6"
+ references:
+ - CCE-14584-7
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'
 # 1.1.7 /var/log: partition
- - id: 5506
- title: "Create Separate Partition for /var/log"
- description: "The /var/log directory is used by system services to store log data ."
- rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
- remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "1.1.7"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- - CCE-14011-1
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/log'
+ - id: 5506
+ title: "Create Separate Partition for /var/log"
+ description: "The /var/log directory is used by system services to store log data ."
+ rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+ remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.7"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ - CCE-14011-1
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/var/log'
 # 1.1.8 /var/log/audit: partition
- - id: 5507
- title: "Create Separate Partition for /var/log/audit"
- description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
- rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
- remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log/audit . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "1.1.8"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- - CCE-14171-3
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/log/audit'
+ - id: 5507
+ title: "Create Separate Partition for /var/log/audit"
+ description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+ rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+ remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log/audit . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.8"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ - CCE-14171-3
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/var/log/audit'
 # 1.1.9 /home: partition
- - id: 5508
- title: "Create Separate Partition for /home"
- description: "The /home directory is used to support disk storage needs of local users."
- rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
- remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
- compliance:
- - cis: "1.1.9"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- - CCE-14559-9
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/home'
+ - id: 5508
+ title: "Create Separate Partition for /home"
+ description: "The /home directory is used to support disk storage needs of local users."
+ rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+ remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.9"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ - CCE-14559-9
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/home'
 # 1.1.10 /home: nodev
- - id: 5509
- title: "Add nodev Option to /home"
- description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
- rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /home"
- compliance:
- - cis: "1.1.10"
- - pci_dss: "2.2.4"
- references:
- - CCE-4249-9
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev'
+ - id: 5509
+ title: "Add nodev Option to /home"
+ description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
+ rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /home"
+ compliance:
+ - cis: "1.1.10"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4249-9
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev'
 # 1.1.11 nodev on removable media partitions (not scored)
- - id: 5510
- title: "Add nodev Option to Removable Media Partitions"
- description: "Set nodev on removable media to prevent character and block special devices that are present on the removable be treated as these device files."
- rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
- remediation: "Edit the / etc/fstab file and add 'nodev' to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "1.1.11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
+ - id: 5510
+ title: "Add nodev Option to Removable Media Partitions"
+ description: "Set nodev on removable media to prevent character and block special devices that are present on the removable be treated as these device files."
+ rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+ remediation: "Edit the / etc/fstab file and add 'nodev' to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: "1.1.11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
 # 1.1.13 nosuid on removable media partitions (not scored)
- - id: 5511
- title: "Add nosuid Option to Removable Media Partitions"
- description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). 
Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.13"
- - pci_dss: "2.2.4"
- references:
- - CCE-4042-8
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
+ - id: 5511
+ title: "Add nosuid Option to Removable Media Partitions"
+ description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom."
+ compliance:
+ - cis: "1.1.13"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4042-8
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
 # 1.1.12 noexec on removable media partitions (not scored)
- - id: 5512
- title: "Add noexec Option to Removable Media Partitions"
- description: "Set noexec on removable media to prevent programs from executing from the removable media."
- rationale: "Setting this option on a file system prevents users from executing programs from the removable. This deters users from being to introduce potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.12"
- - pci_dss: "2.2.4"
- references:
- - CCE-4275-4
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec'
+ - id: 5512
+ title: "Add noexec Option to Removable Media Partitions"
+ description: "Set noexec on removable media to prevent programs from executing from the removable media."
+ rationale: "Setting this option on a file system prevents users from executing programs from the removable. This deters users from being to introduce potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom."
+ compliance:
+ - cis: "1.1.12"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4275-4
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec'
 # 1.1.14 /dev/shm: nodev
- - id: 5513
- title: "Add nodev Option to /dev/shm Partition"
- description: "The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
- rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm). # mount -o remount,nodev /dev/shm"
- compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
- references:
- - CCE-15007-8
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
+ - id: 5513
+ title: "Add nodev Option to /dev/shm Partition"
+ description: "The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
+ rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm). 
# mount -o remount,nodev /dev/shm"
+ compliance:
+ - cis: "1.1.14"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-15007-8
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
 # 1.1.15 /dev/shm: nosuid
- - id: 5514
- title: "Add nosuid Option to /dev/shm Partition"
- description: "The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,nosuid /dev/shm"
- compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
- references:
- - CCE-14306-5
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
+ - id: 5514
+ title: "Add nosuid Option to /dev/shm Partition"
+ description: "The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. 
# mount -o remount,nosuid /dev/shm"
+ compliance:
+ - cis: "1.1.15"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-14306-5
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
 # 1.1.16 /dev/shm: noexec
- - id: 5515
- title: "Add noexec Option to /dev/shm Partition"
- description: "Set noexec on the shared memory partition to prevent programs from executing from there."
- rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm"
- compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
- references:
- - CCE-14927-8
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
+ - id: 5515
+ title: "Add noexec Option to /dev/shm Partition"
+ description: "Set noexec on the shared memory partition to prevent programs from executing from there."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm"
+ compliance:
+ - cis: "1.1.16"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-14927-8
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
 ##########################################
 # 1.2 Software Updates
 ##########################################
 # 1.2.5 Disable yum-updatesd (Scored)
- - id: 5516
- title: "Disable yum-updatesd"
- description: "The yum-updatesd utility provides notification of updates that are available for your system."
- rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly."
- remediation: "Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off"
- compliance:
- - cis: "1.2.5"
- - pci_dss: "6.2"
- references:
- - CCE-4218-4
- condition: none
- rules:
- - 'p:yum-updatesd'
+ - id: 5516
+ title: "Disable yum-updatesd"
+ description: "The yum-updatesd utility provides notification of updates that are available for your system."
+ rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly."
+ remediation: "Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off"
+ compliance:
+ - cis: "1.2.5"
+ - pci_dss: "6.2"
+ - nist_800_53: "SI.2"
+ references:
+ - CCE-4218-4
+ condition: none
+ rules:
+ - 'p:yum-updatesd'
 ###############################################
 # 1.4 Configure SELinux
 ###############################################
 # 1.4.1 enable selinux in /etc/grub.conf
- - id: 5517
- title: "Enable SELinux in /etc/grub.conf"
- description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters"
- rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten."
- remediation: "Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf."
- compliance:
- - cis: "1.4.1"
- - pci_dss: "2.2.4"
- references:
- - CCE-3977-6
- condition: none
- rules:
- - 'f:/etc/grub.conf -> r:selinux=0'
+ - id: 5517
+ title: "Enable SELinux in /etc/grub.conf"
+ description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters"
+ rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten."
+ remediation: "Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf."
+ compliance:
+ - cis: "1.4.1"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-3977-6
+ condition: none
+ rules:
+ - 'f:/etc/grub.conf -> r:selinux=0'
 # 1.4.2 Set selinux state
- - id: 5518
- title: "Set the SELinux State"
- description: "Set SELinux to enable when the system is booted."
- rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
- remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
- compliance:
- - cis: "1.4.2"
- - pci_dss: "2.2.4"
- references:
- - CCE-3999-0
- condition: all
- rules:
- - 'f:/etc/selinux/config -> r:SELINUX=enforcing'
+ - id: 5518
+ title: "Set the SELinux State"
+ description: "Set SELinux to enable when the system is booted."
+ rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+ remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+ compliance:
+ - cis: "1.4.2"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-3999-0
+ condition: all
+ rules:
+ - 'f:/etc/selinux/config -> r:SELINUX=enforcing'
 # 1.4.3 Set seliux policy
- - id: 5519
- title: "Set the SELinux Policy"
- description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
- rationale: "Security configuration requirements vary from site to site. 
Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
- remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
- compliance:
- - cis: "1.4.3"
- - pci_dss: "2.2.4"
- references:
- - CCE-3624-4
- condition: all
- rules:
- - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted'
+ - id: 5519
+ title: "Set the SELinux Policy"
+ description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+ rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+ remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+ compliance:
+ - cis: "1.4.3"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-3624-4
+ condition: all
+ rules:
+ - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted'
 # 1.4.4 Remove SETroubleshoot
- - id: 5520
- title: "Remove SETroubleshoot"
- description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
- rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
- remediation: "rpm -qa setroubleshoot"
- compliance:
- - cis: "1.4.4"
- - pci_dss: "2.2.4"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$'
+ - id: 5520
+ title: "Remove SETroubleshoot"
+ description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. 
The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+ rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+ remediation: "rpm -qa setroubleshoot"
+ compliance:
+ - cis: "1.4.4"
+ - pci_dss: "2.2.4"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$'
 # 1.4.5 Disable MCS Translation service mcstrans
- - id: 5521
- title: "Disable MCS Translation Service (mcstrans)"
- description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
- rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system."
- remediation: "# chkconfig mctrans off"
- compliance:
- - cis: "1.4.5"
- - pci_dss: "2.2.4"
- references:
- - CCE-3668-1
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dmctrans$'
+ - id: 5521
+ title: "Disable MCS Translation Service (mcstrans)"
+ description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+ rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system."
+ remediation: "# chkconfig mctrans off" + compliance: + - cis: "1.4.5" + - pci_dss: "2.2.4" + references: + - CCE-3668-1 + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dmctrans$' ############################################### # 1.5 Secure Boot Settings ############################################### # 1.5.3 Set Boot Loader Password (Scored) - - id: 5522 - title: "Set Boot Loader Password" - description: "Setting the boot loader password will require that the person who is rebooting system the must enter a password before being able to set command line boot parameters" - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Set a bootloader password" - compliance: - - cis: "1.5.3" - - pci_dss: "2.2.4" - references: - - CCE-3818-2 - condition: all - rules: - - 'f:/boot/grub/menu.lst -> !r:^# && r:password' + - id: 5522 + title: "Set Boot Loader Password" + description: "Setting the boot loader password will require that the person who is rebooting system the must enter a password before being able to set command line boot parameters" + rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." 
+ remediation: "Set a bootloader password" + compliance: + - cis: "1.5.3" + - pci_dss: "2.2.4" + references: + - CCE-3818-2 + condition: all + rules: + - 'f:/boot/grub/menu.lst -> !r:^# && r:password' # 1.5.4 Require Authentication for Single-User Mode (Scored) - - id: 5523 - title: "Require Authentication for Single-User Mode" - description: "Since /etc/init determines what run state the system is in, setting the entry in /etc/inittab will force single user authentication." - rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." - remediation: "Add the following to /etc/inittab : ~:S:wait:/sbin/sulogin" - compliance: - - cis: "1.5.4" - - pci_dss: "2.2.4" - references: - - CCE-4241-6 - condition: none - rules: - - 'f:/etc/inittab -> !r:^# && r:S:wait' + - id: 5523 + title: "Require Authentication for Single-User Mode" + description: "Since /etc/init determines what run state the system is in, setting the entry in /etc/inittab will force single user authentication." + rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." + remediation: "Add the following to /etc/inittab : ~:S:wait:/sbin/sulogin" + compliance: + - cis: "1.5.4" + - pci_dss: "2.2.4" + references: + - CCE-4241-6 + condition: none + rules: + - 'f:/etc/inittab -> !r:^# && r:S:wait' # 1.5.5 Disable Interactive Boot (Scored) - - id: 5524 - title: "Disable Interactive Boot" - description: "The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ." - rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings." - remediation: "Set the PROMPT parameter in /etc/sysconfig/init to no ." 
- compliance: - - cis: "1.5.5" - - pci_dss: "2.2.4" - references: - - CCE-4245-7 - condition: all - rules: - - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no' + - id: 5524 + title: "Disable Interactive Boot" + description: "The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ." + rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings." + remediation: "Set the PROMPT parameter in /etc/sysconfig/init to no ." + compliance: + - cis: "1.5.5" + - pci_dss: "2.2.4" + references: + - CCE-4245-7 + condition: all + rules: + - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no' ############################################### # 1.6 Additional Process Hardening ############################################### # 1.6.1 Restrict Core Dumps (Scored) - - id: 5525 - title: "Restrict Core Dumps" - description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." - rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core." - remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" - compliance: - - cis: "1.6.1" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + - id: 5525 + title: "Restrict Core Dumps" + description: "A core dump is the memory of an executable program. 
It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." + rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core." + remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" + compliance: + - cis: "1.6.1" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' # 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored) - - id: 5526 - title: "Enable Randomized Virtual Memory Region Placement" - description: "Set the system flag to force randomized virtual memory region placement." - rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting." - remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" - compliance: - - cis: "1.6.3" - - pci_dss: "2.2.4" - references: - - CCE-4146-7 - condition: all - rules: - - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + - id: 5526 + title: "Enable Randomized Virtual Memory Region Placement" + description: "Set the system flag to force randomized virtual memory region placement." + rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting." + remediation: "Add the following line to the /etc/sysctl.conf file. 
kernel.randomize_va_space = 2" + compliance: + - cis: "1.6.3" + - pci_dss: "2.2.4" + references: + - CCE-4146-7 + condition: all + rules: + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' # 1.6.2 Configure ExecShield (Scored) - - id: 5527 - title: "Configure ExecShield" - description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers." - rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system." - remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1" - compliance: - - cis: "1.6.2" - - pci_dss: "2.2.4" - references: - - CCE-4168-1 - condition: all - rules: - - 'f:/proc/sys/kernel/exec-shield -> 1' + - id: 5527 + title: "Configure ExecShield" + description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers." + rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system." + remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1" + compliance: + - cis: "1.6.2" + - pci_dss: "2.2.4" + references: + - CCE-4168-1 + condition: all + rules: + - 'f:/proc/sys/kernel/exec-shield -> 1' # 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored) # TODO # 1.6.5 Disable Prelink (Scored) - - id: 5528 - title: "Disable Prelink" - description: "Prelinking is a performance enhancing feature that decreases process start up time. It loads shared libraries into addresses for which the linking of required symbols has already been performed. 
After a binary has been prelinked, the addresses at which shared libraries is not changed, even if kernel.randomize_va_space is set to 1." - rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)." - remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no" - compliance: - - cis: "1.6.5" - condition: all - rules: - - 'f:/etc/sysconfig/prelink -> r:PRELINKING=no' + - id: 5528 + title: "Disable Prelink" + description: "Prelinking is a performance enhancing feature that decreases process start up time. It loads shared libraries into addresses for which the linking of required symbols has already been performed. After a binary has been prelinked, the addresses at which shared libraries is not changed, even if kernel.randomize_va_space is set to 1." + rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)." + remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no" + compliance: + - cis: "1.6.5" + condition: all + rules: + - 'f:/etc/sysconfig/prelink -> r:PRELINKING=no' ############################################### # 2 OS Services 
@@ -483,244 +484,251 @@ checks: # 2.1 Remove Legacy Services ############################################### # 2.1.1 Remove telnet-server (Scored) - - id: 5529 - title: "Remove telnet-server" - description: "The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions." - remediation: "# yum erase telnet-server" - compliance: - - cis: "2.1.1" - - pci_dss: "2.2.3" - references: - - CCE-3390-2 - - CCE-4330-7 - condition: none - rules: - - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + - id: 5529 + title: "Remove telnet-server" + description: "The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions." + remediation: "# yum erase telnet-server" + compliance: + - cis: "2.1.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + references: + - CCE-3390-2 + - CCE-4330-7 + condition: none + rules: + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' # 2.1.2 Remove telnet Clients (Scored) - - id: 5530 - title: "Remove rsh-server" - description: "The Berkeley rsh-server ( rsh , rlogin , rcp ) package contains legacy services that exchange credentials in clear-text." 
- rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." - remediation: "# yum erase rsh-server" - compliance: - - cis: "2.1.3" - - pci_dss: "2.2.3" - references: - - CCE-4308-3 - condition: none - rules: - - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + - id: 5530 + title: "Remove rsh-server" + description: "The Berkeley rsh-server ( rsh , rlogin , rcp ) package contains legacy services that exchange credentials in clear-text." + rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." + remediation: "# yum erase rsh-server" + compliance: + - cis: "2.1.3" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + references: + - CCE-4308-3 + condition: none + rules: + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' # 2.1.4 Remove rsh (Scored) - - id: 5531 - title: "Remove NIS Client" - description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files" - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." 
- remediation: "# yum erase ypbind" - compliance: - - cis: "2.1.5" - - pci_dss: "2.2.3" - references: - - CCE-3705-1 (disable) - - CCE-4348-9 (uninstall) - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dypbind$' + - id: 5531 + title: "Remove NIS Client" + description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files" + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." + remediation: "# yum erase ypbind" + compliance: + - cis: "2.1.5" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + references: + - CCE-3705-1 (disable) + - CCE-4348-9 (uninstall) + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dypbind$' # 2.1.6 Remove NIS Server (Scored) - - id: 5532 - title: "Remove NIS Server" - description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used." 
- remediation: "# yum erase ypserv" - compliance: - - cis: "2.1.6" - - pci_dss: "2.2.3" - references: - - CCE-3705-1 (disable) - - CCE-4348-9 (uninstall) - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dypserv$' + - id: 5532 + title: "Remove NIS Server" + description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used." + remediation: "# yum erase ypserv" + compliance: + - cis: "2.1.6" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + references: + - CCE-3705-1 (disable) + - CCE-4348-9 (uninstall) + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dypserv$' # 2.1.7 Remove tftp (Scored) - - id: 5533 - title: "Remove tftp-server" - description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is the server package used to define and support a TFTP server." - rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." 
- remediation: "# yum erase tftp-server" - compliance: - - cis: "2.1.8" - - pci_dss: "2.2.3" - references: - - CCE-4273-9 (disable) - - CCE-3916-4 (uninstall) - condition: none - rules: - - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + - id: 5533 + title: "Remove tftp-server" + description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is the server package used to define and support a TFTP server." + rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." + remediation: "# yum erase tftp-server" + compliance: + - cis: "2.1.8" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + references: + - CCE-4273-9 (disable) + - CCE-3916-4 (uninstall) + condition: none + rules: + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' # 2.1.9 Remove talk (Scored) - - id: 5534 - title: "Remove talk-server" - description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default." - rationale: "The software presents a security risk as it uses unencrypted protocols for communication." - remediation: "# yum erase talk-server" - compliance: - - cis: "2.1.10" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + - id: 5534 + title: "Remove talk-server" + description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default." 
+ rationale: "The software presents a security risk as it uses unencrypted protocols for communication." + remediation: "# yum erase talk-server" + compliance: + - cis: "2.1.10" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' ############################################### # 3 Special Purpose Services ############################################### # 3.2 Set Daemon umask (Scored) - - id: 5535 - title: "Set Daemon umask" - description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process." - rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission." - remediation: "Add the following line to the /etc/sysconfig/init file. umask 027" - compliance: - - cis: "3.2" - condition: all - rules: - - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027' + - id: 5535 + title: "Set Daemon umask" + description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process." + rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission." + remediation: "Add the following line to the /etc/sysconfig/init file. 
umask 027" + compliance: + - cis: "3.2" + condition: all + rules: + - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027' # 3.3 Remove X Windows (Scored) - - id: 5536 - title: "Remove X Windows" - description: "The X Windows system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on." - rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." - remediation: "Edit /etc/inittab set default runlevel as follows: s/:5:/:3:/ Uninstall the X Windows System: # yum groupremove 'X Window System'" - compliance: - - cis: "3.3" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/etc/inittab -> !r:^# && r:id:5' + - id: 5536 + title: "Remove X Windows" + description: "The X Windows system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on." + rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." + remediation: "Edit /etc/inittab set default runlevel as follows: s/:5:/:3:/ Uninstall the X Windows System: # yum groupremove 'X Window System'" + compliance: + - cis: "3.3" + - pci_dss: "2.2.2" + condition: none + rules: + - 'f:/etc/inittab -> !r:^# && r:id:5' # 3.1.1 Disable Avahi Server (Scored) - - id: 5537 - title: "Disable Avahi Server" - description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration." - rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. 
If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it." - remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf." - compliance: - - cis: "3.1.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'p:avahi-daemon' + - id: 5537 + title: "Disable Avahi Server" + description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration." + rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it." + remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf." + compliance: + - cis: "3.1.1" + - pci_dss: "2.2.2" + condition: none + rules: + - 'p:avahi-daemon' # 3.8 Disable NFS and RPC (Not Scored) - - id: 5538 - title: "Disable NFS and RPC" - description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." - rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." 
- remediation: "# chkconfig nfslock off; #chkconfig rpcgssd off; #chkconfig rpcidmapd off; # chkconfig portmap off;" - compliance: - - cis: "3.8" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnfs$' - - 'd:$rc_dirs -> ^S\d\dnfslock$' + - id: 5538 + title: "Disable NFS and RPC" + description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." + rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." + remediation: "# chkconfig nfslock off; #chkconfig rpcgssd off; #chkconfig rpcidmapd off; # chkconfig portmap off;" + compliance: + - cis: "3.8" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' # 3.10 Remove FTP Server (Not Scored) - - id: 5539 - title: "Remove FTP Server" - description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." - rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "# yum erase vsftpd" - compliance: - - cis: "3.10" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + - id: 5539 + title: "Remove FTP Server" + description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." + rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. 
Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." + remediation: "# yum erase vsftpd" + compliance: + - cis: "3.10" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' # 3.11 Remove HTTP Server (Not Scored) - - id: 5540 - title: "Remove HTTP Server" - description: "HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with Red Hat Linux is Apache." - rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "# yum erase httpd" - compliance: - - cis: "3.11" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dhttpd$' + - id: 5540 + title: "Remove HTTP Server" + description: "HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with Red Hat Linux is Apache." + rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." + remediation: "# yum erase httpd" + compliance: + - cis: "3.11" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dhttpd$' # 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored) - - id: 5541 - title: "Remove Dovecot" - description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." 
- remediation: "# yum erase dovecot" - compliance: - - cis: "3.12" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' - - - id: 5542 - title: "Remove Dovecot" - description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." - remediation: "# yum erase dovecot" - compliance: - - cis: "3.12" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + - id: 5541 + title: "Remove Dovecot" + description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." + rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." + remediation: "# yum erase dovecot" + compliance: + - cis: "3.12" + - pci_dss: "2.2.2" + condition: none + rules: + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + + - id: 5542 + title: "Remove Dovecot" + description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." + rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." + remediation: "# yum erase dovecot" + compliance: + - cis: "3.12" + - pci_dss: "2.2.2" + condition: none + rules: + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' # 3.13 Remove Samba (Not Scored) - - id: 5543 - title: "Remove Samba" - description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol." 
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." - remediation: "# yum erase samba" - compliance: - - cis: "3.13" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dsamba$' - - 'd:$rc_dirs -> ^S\d\dsmb$' + - id: 5543 + title: "Remove Samba" + description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol." + rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." + remediation: "# yum erase samba" + compliance: + - cis: "3.13" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dsamba$' + - 'd:$rc_dirs -> ^S\d\dsmb$' # 3.14 Remove HTTP Proxy Server (Not Scored) - - id: 5544 - title: "Remove HTTP Proxy Server" - description: "The default HTTP proxy package shipped with Red Hat Linux is squid." - rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." - remediation: "# yum erase squid" - compliance: - - cis: "3.14" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dsquid$' + - id: 5544 + title: "Remove HTTP Proxy Server" + description: "The default HTTP proxy package shipped with Red Hat Linux is squid." + rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
+ remediation: "# yum erase squid" + compliance: + - cis: "3.14" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dsquid$' # 3.15 Remove SNMP Server (Not Scored) - - id: 5545 - title: "Remove SNMP Server" - description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." - rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." - remediation: "# yum erase net-snmp" - compliance: - - cis: "3.15" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - id: 5545 + title: "Remove SNMP Server" + description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." + rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." + remediation: "# yum erase net-snmp" + compliance: + - cis: "3.15" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dsnmpd$' ############################################### # 4 Network Configuration and Firewalls 
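Review bot: Check 5535 ("Set Daemon umask") in this hunk tells the operator to fix one file but audits another: the remediation says `Add the following line to the /etc/sysconfig/init file. umask 027` while the rule is `f:/etc/init.d/functions -> !r:^# && r:file.umask 027`, so a host remediated exactly as instructed can still fail and a stray `umask 027` in functions passes. Since CIS 3.2 targets /etc/sysconfig/init, I would point the rule at that file and anchor the pattern, e.g. `- 'f:/etc/sysconfig/init -> !r:^# && r:^\s*umask\s+027'` (the `.` in `file.umask` is an unescaped wildcard, not a literal). Separately, 5541 is titled "Remove Dovecot" and remediates `yum erase dovecot` but its rule inspects /etc/xinetd.d/cyrus-imapd, and the section comments and CIS ids around 5530 ("2.1.2 Remove telnet Clients" above an rsh-server check) and 5531 ("2.1.4 Remove rsh" above the NIS client check) no longer match the checks they label, which is worth correcting while these blocks are being rewritten. Note also that every "Remove …" check here only looks for an absent xinetd or rc entry, so an installed-but-disabled package satisfies a check whose title and remediation promise removal; if removal is the intent the description should say the check only verifies the service is not enabled.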
@@ -729,166 +737,166 @@ checks:
 # 4.1 Modify Network Parameters (Host Only)
 ###############################################
 # 4.1.1 Disable IP Forwarding (Scored)
- - id: 5546
- title: "Disable IP Forwarding"
- description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
- rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf and modify active kernel parameters to match:"
- compliance:
- - cis: "4.1.1"
- - pci_dss: "2.2.4"
- references:
- - CCE-3561-8
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+ - id: 5546
+ title: "Disable IP Forwarding"
+ description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
+ rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf and modify active kernel parameters to match:"
+ compliance:
+ - cis: "4.1.1"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-3561-8
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
 # 4.1.2 Disable Send Packet Redirects (Scored)
- - id: 5547
- title: "Disable Send Packet Redirects"
- description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
- rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
- remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf"
- compliance:
- - cis: "4.1.2"
- - pci_dss: "2.2.4"
- references:
- - CCE-4151-7
- - CCE-4155-8
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
+ - id: 5547
+ title: "Disable Send Packet Redirects"
+ description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf"
+ compliance:
+ - cis: "4.1.2"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4151-7
+ - CCE-4155-8
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
 ###############################################
 # 4.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 4.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 5548
- title: "Disable Source Routed Packet Acceptance"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
- rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
- remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.1"
- - pci_dss: "2.2.4"
- references:
- - CCE-4236-6
- - CCE-4091-5
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
+ - id: 5548
+ title: "Disable Source Routed Packet Acceptance"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
+ remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.1"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4236-6
+ - CCE-4091-5
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
 # 4.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 5549
- title: "Disable ICMP Redirect Acceptance"
- description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
- rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
- remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.2"
- - pci_dss: "2.2.4"
- references:
- - CCE-4217-6
- - CCE-4186-3
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
+ - id: 5549
+ title: "Disable ICMP Redirect Acceptance"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+ rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+ remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.2"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4217-6
+ - CCE-4186-3
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
 # 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 5550
- title: "Disable Secure ICMP Redirect Acceptance"
- description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
- rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
- remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.3"
- - pci_dss: "2.2.4"
- references:
- - CCE-3472-8
- - CCE-3339-9
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
+ - id: 5550
+ title: "Disable Secure ICMP Redirect Acceptance"
+ description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+ rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+ remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.3"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-3472-8
+ - CCE-3339-9
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
 # 4.2.4 Log Suspicious Packets (Scored)
- - id: 5551
- title: "Log Suspicious Packets"
- description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
- rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
- remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.4"
- - pci_dss: "2.2.4"
- references:
- - CCE-4320-8
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
+ - id: 5551
+ title: "Log Suspicious Packets"
+ description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+ rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+ remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.4"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4320-8
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
 # 4.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 5552
- title: "Enable Ignore Broadcast Requests"
- description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
- remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.5"
- - pci_dss: "2.2.4"
- references:
- - CCE-3644-2
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
+ - id: 5552
+ title: "Enable Ignore Broadcast Requests"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
+ remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.5"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-3644-2
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
 # 4.2.6 Enable Bad Error Message Protection (Scored)
- - id: 5553
- title: "Enable Bad Error Message Protection"
- description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
- rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
- remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.6"
- - pci_dss: "2.2.4"
- references:
- - CCE-4133-5
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
+ - id: 5553
+ title: "Enable Bad Error Message Protection"
+ description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+ rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+ remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.6"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4133-5
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
 # 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
- - id: 5554
- title: "Enable RFC-recommended Source Route Validation"
- description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
- rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
- remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
- compliance:
- - cis: "4.2.7"
- - pci_dss: "2.2.4"
- references:
- - CCE-4080-8
- - CCE-3840-6
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1'
- - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1'
+ - id: 5554
+ title: "Enable RFC-recommended Source Route Validation"
+ description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
+ rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
+ remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.7"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4080-8
+ - CCE-3840-6
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1'
+ - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1'
 # 4.2.8 Enable TCP SYN Cookies (Scored)
- - id: 5555
- title: "Enable TCP SYN Cookies"
- description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all."
- rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding."
- remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match."
- compliance:
- - cis: "4.2.8"
- - pci_dss: "2.2.4"
- references:
- - CCE-4265-5
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1'
+ - id: 5555
+ title: "Enable TCP SYN Cookies"
+ description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all."
+ rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding."
+ remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match."
+ compliance:
+ - cis: "4.2.8"
+ - pci_dss: "2.2.4"
+ references:
+ - CCE-4265-5
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1'
 ###############################################
 # 6 System Access, Authentication and Authorization
@@ -897,108 +905,120 @@ checks:
 # 6.1 Configure SSH
 ###############################################
 # 6.2.1 Set SSH Protocol to 2 (Scored)
- - id: 5556
- title: "Set SSH Protocol to 2"
- description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
- rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
- compliance:
- - cis: "6.2.1"
- - pci_dss: "4.1"
- references:
- - CCE-4245-7
- - https://www.ssh.com/ssh/
- condition: all
- rules:
- - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+ - id: 5556
+ title: "Set SSH Protocol to 2"
+ description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis: "6.2.1"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ references:
+ - CCE-4245-7
+ - https://www.ssh.com/ssh/
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
 # 6.2.2 Set LogLevel to INFO (Scored)
- - id: 5557
- title: "Ensure SSH LogLevel is set to INFO"
- description: "The INFO parameter specifies that login and logout activity will be logged."
- rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
- compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- condition: all
- rules:
- - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
+ - id: 5557
+ title: "Ensure SSH LogLevel is set to INFO"
+ description: "The INFO parameter specifies that login and logout activity will be logged."
+ rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+ compliance:
+ - cis: "5.2.3"
+ - cis_csc: "16"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
 # 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 5558
- title: "Ensure SSH MaxAuthTries is set to 4 or less"
- description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
- rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
- compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
+ - id: 5558
+ title: "Ensure SSH MaxAuthTries is set to 4 or less"
+ description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+ rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+ compliance:
+ - cis: "5.2.5"
+ - cis_csc: "16"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
 # 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 5559
- title: "Set SSH IgnoreRhosts to Yes"
- description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
- rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
- compliance:
- - cis: "6.2.6"
- - pci_dss: "4.1"
- references:
- - CCE-4250-7
- condition: none
- rules:
- - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no'
+ - id: 5559
+ title: "Set SSH IgnoreRhosts to Yes"
+ description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis: "6.2.6"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ references:
+ - CCE-4250-7
+ condition: none
+ rules:
+ - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no'
 # 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 5560
- title: "Set SSH HostbasedAuthentication to No"
- description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
- rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
- compliance:
- - cis: "6.2.7"
- - pci_dss: "4.1"
- references:
- - CCE-4251-5
- condition: none
- rules:
- - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
+ - id: 5560
+ title: "Set SSH HostbasedAuthentication to No"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis: "6.2.7"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ references:
+ - CCE-4251-5
+ condition: none
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
 # 6.2.8 Disable SSH Root Login (Scored)
- - id: 5561
- title: "Disable SSH Root Login"
- description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1) . The default is no."
- rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
- compliance:
- - cis: "6.2.8"
- - pci_dss: "4.1"
- references:
- - CCE-4252-3
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
+ - id: 5561
+ title: "Disable SSH Root Login"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1) . The default is no."
+ rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+ compliance:
+ - cis: "6.2.8"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ references:
+ - CCE-4252-3
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
 # 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 5562
- title: "Set SSH PermitEmptyPasswords to No"
- description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
- rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
- compliance:
- - cis: "6.2.9"
- - pci_dss: "4.1"
- references:
- - CCE-4256-4
- condition: none
- rules:
- - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+ - id: 5562
+ title: "Set SSH PermitEmptyPasswords to No"
+ description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+ compliance:
+ - cis: "6.2.9"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ references:
+ - CCE-4256-4
+ condition: none
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
 ###############################################
 # 9 System Maintenance
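Review bot: The MaxAuthTries rule in check 5558, `n:^MaxAuthTries\s+(\d+) compare <= 4`, is the only sshd rule in this hunk anchored without the leading `\s*\t*` that 5556, 5560, 5561 and 5562 use, so an indented `MaxAuthTries 4` line is not matched at all; `'f:$sshd_file -> n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4'` would bring it in line with the others. 5558 is also the one check in the hunk that receives no new `hipaa` / `nist_800_53` entries, which may be deliberate but is worth confirming. Separately, the identical pair `hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"` / `nist_800_53: "SC.8"` is added verbatim to every other check here; those references cover transmission security, which fits the Protocol check 5556 but reads as a copy-paste for the access-control checks 5559–5562 (IgnoreRhosts, HostbasedAuthentication, PermitRootLogin, PermitEmptyPasswords), so consider mapping those to the access-control and authentication references used elsewhere in this file instead.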
@@ -1007,70 +1027,74 @@ checks:
 # 9.2 Review User and Group Settings
 ###############################################
 # 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 5563
- title: "Verify No UID 0 Accounts Exist Other Than root"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis: "9.2.5"
- - pci_dss: "10.2.5"
- references:
- - CCE-4009-7
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+ - id: 5563
+ title: "Verify No UID 0 Accounts Exist Other Than root"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis: "9.2.5"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ references:
+ - CCE-4009-7
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
 # Other/Legacy Tests
- - id: 5564
- title: "Account with empty password present"
- compliance:
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 5565
- title: "User-mounted removable partition allowed on the console"
- condition: none
- rules:
- - 'f:/etc/security/console.perms -> r:^ \d+ '
- - 'f:/etc/security/console.perms -> r:^ \d+ '
-
- - id: 5566
- title: "Disable standard boot services - Kudzu hardware detection Enabled"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dkudzu$'
-
- - id: 5567
- title: "Disable standard boot services - PostgreSQL server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dpostgresql$'
-
- - id: 5568
- title: "Disable standard boot services - MySQL server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dmysqld$'
-
- - id: 5569
- title: "Disable standard boot services - DNS server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnamed$'
-
- - id: 5570
- title: "Disable standard boot services - NetFS Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnetfs$'
+ - id: 5564
+ title: "Account with empty password present"
+ compliance:
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
+
+ - id: 5565
+ title: "User-mounted removable partition allowed on the console"
+ condition: none
+ rules:
+ - 'f:/etc/security/console.perms -> r:^ \d+ '
+ - 'f:/etc/security/console.perms -> r:^ \d+ '
+
+ - id: 5566
+ title: "Disable standard boot services - Kudzu hardware detection Enabled"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dkudzu$'
+
+ - id: 5567
+ title: "Disable standard boot services - PostgreSQL server Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dpostgresql$'
+
+ - id: 5568
+ title: "Disable standard boot services - MySQL server Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dmysqld$'
+
+ - id: 5569
+ title: "Disable standard boot services - DNS server Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnamed$'
+
+ - id: 5570
+ title: "Disable standard boot services - NetFS Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnetfs$'
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index c83f5f4ef..4cc6f03bf 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -23,11 +23,11 @@ requirements:
 description: "Requirements for running the policy against RHEL 6 family."
 condition: any
 rules:
- - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6'
- - 'f:/etc/redhat-release -> r:^CentOS && r:release 6'
- - 'f:/etc/redhat-release -> r:^Cloud && r:release 6'
- - 'f:/etc/redhat-release -> r:^Oracle && r:release 6'
- - 'f:/etc/redhat-release -> r:^Better && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6'
+ - 'f:/etc/redhat-release -> r:^CentOS && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Cloud && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Oracle && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Better && r:release 6'
 variables:
 $sshd_file: /etc/ssh/sshd_config
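Review bot: Check 5565 still carries the same rule twice on the new side, `'f:/etc/security/console.perms -> r:^ \d+ '` appearing on two consecutive lines, so one of them is redundant and can be dropped while the block is being re-indented anyway. The UID-0 rule in 5563, `r:^\w+:\w+:0:`, and the empty-password rule in 5564, `r:^\w+::`, both key the account name on `\w+`; if `\w` in the SCA regex dialect does not include `.` or `-`, an account named along the lines of the constructed `svc-backup` or `first.last` with UID 0 or an empty hash would go unmatched, which for a `condition: none` check means a silent pass. Worth confirming against the regex dialect and, if so, widening the name match to the characters legal in passwd and shadow entries.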
@@ -35,368 +35,368 @@ variables:
 checks:
 # 1.1.2 /tmp: partition
- - id: 6000
- title: "Ensure separate partition exists for /tmp"
- description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
- rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
- compliance:
- - cis: "1.1.2"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp'
+ - id: 6000
+ title: "Ensure separate partition exists for /tmp"
+ description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance: + - cis: "1.1.2" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' # 1.1.3 /tmp: nodev - - id: 6001 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" - compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + - id: 6001 + title: "Ensure nodev option set on /tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" + compliance: + - cis: "1.1.3" + - pci_dss: "2.2.4" + condition: all + rules: + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' # 1.1.4 /tmp: nosuid - - id: 6002 - title: "Ensure nosuid option set on /tmp partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp ." 
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" - compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + - id: 6002 + title: "Ensure nosuid option set on /tmp partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp ." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" + compliance: + - cis: "1.1.4" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' # 1.1.5 /tmp: noexec - - id: 6003 - title: "Ensure noexec option set on /tmp partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" - compliance: - - cis: "1.1.5" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + - id: 6003 + title: "Ensure noexec option set on /tmp partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" + compliance: + - cis: "1.1.5" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' # 1.1.6 Build considerations - Partition scheme. - - id: 6004 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.6" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' + - id: 6004 + title: "Ensure separate partition exists for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.6" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'd:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' # 1.1.7 bind mount /var/tmp to /tmp - - id: 6005 - title: "Ensure separate partition exists for /var/tmp" - description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.7" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind' + - id: 6005 + title: "Ensure separate partition exists for /var/tmp" + description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.7" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind' # 1.1.11 /var/log: partition - - id: 6006 - title: "Ensure separate partition exists for /var/log" - description: "The /var/log directory is used by system services to store log data ." - rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.11" - - cis_csc: "6.3" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log' + - id: 6006 + title: "Ensure separate partition exists for /var/log" + description: "The /var/log directory is used by system services to store log data ." + rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis: "1.1.11" + - cis_csc: "6.3" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/log' # 1.1.12 /var/log/audit: partition - - id: 6007 - title: "Ensure separate partition exists for /var/log/audit" - description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." - rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.12" - - cis_csc: "6.3" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + - id: 6007 + title: "Ensure separate partition exists for /var/log/audit" + description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." + rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis: "1.1.12" + - cis_csc: "6.3" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' # 1.1.13 /home: partition - - id: 6008 - title: "Ensure separate partition exists for /home" - description: "The /home directory is used to support disk storage needs of local users." - rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.13" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/home' + - id: 6008 + title: "Ensure separate partition exists for /home" + description: "The /home directory is used to support disk storage needs of local users." + rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis: "1.1.13" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/home' # 1.1.14 /home: nodev - - id: 6009 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home" - compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + - id: 6009 + title: "Ensure nodev option set on /home partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home" + compliance: + - cis: "1.1.14" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' # 1.1.18 nodev on removable media partitions (not scored) - - id: 6010 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." 
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." - compliance: - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + - id: 6010 + title: "Ensure nodev option set on removable media partitions" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." + compliance: + - cis: "1.1.18" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' # 1.1.19 nosuid on removable media partitions (not scored) - - id: 6011 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." 
- compliance: - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + - id: 6011 + title: "Ensure nosuid option set on removable media partitions" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." + compliance: + - cis: "1.1.19" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' # 1.1.20 noexec on removable media partitions (not scored) - - id: 6012 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." - compliance: - - cis: "1.1.20" - - cis_csc: "8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + - id: 6012 + title: "Ensure noexec option set on removable media partitions" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from the removable media. 
This deters users from being able to introduce potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." + compliance: + - cis: "1.1.20" + - cis_csc: "8" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' # 1.1.15 /dev/shm: nodev - - id: 6013 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm" - compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - id: 6013 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. 
Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm" + compliance: + - cis: "1.1.15" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' # 1.1.16 /dev/shm: nosuid - - id: 6014 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm" - compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - id: 6014 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm" + compliance: + - cis: "1.1.16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' # 1.1.17 /dev/shm: noexec - - id: 6015 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." 
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" - compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + - id: 6015 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" + compliance: + - cis: "1.1.17" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' ############################################### # 1.4 Configure SELinux ############################################### # 1.6.1.1 enable selinux in /etc/grub.conf - - id: 6016 - title: "Ensure SELinux is not disabled in bootloader configuration" - description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters." - rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden." - remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines." 
- compliance: - - cis: "1.6.1.1" - - cis_csc: "14.4" - - pci_dss: "2.2.4" - condition: none - rules: - - 'f:/etc/grub.conf -> r:selinux=0' + - id: 6016 + title: "Ensure SELinux is not disabled in bootloader configuration" + description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters." + rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden." + remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines." + compliance: + - cis: "1.6.1.1" + - cis_csc: "14.4" + - pci_dss: "2.2.4" + condition: none + rules: + - 'f:/etc/grub.conf -> r:selinux=0' # 1.6.1.2 Set selinux state - - id: 6017 - title: "Ensure the SELinux state is enforcing" - description: "Set SELinux to enable when the system is booted." - rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." - remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing" - compliance: - - cis: "1.6.1.2" - - cis_csc: "14.4" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/selinux/config -> r:SELINUX=enforcing' + - id: 6017 + title: "Ensure the SELinux state is enforcing" + description: "Set SELinux to enable when the system is booted." + rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." 
+ remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing" + compliance: + - cis: "1.6.1.2" + - cis_csc: "14.4" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/selinux/config -> r:SELINUX=enforcing' # 1.6.1.3 Set seliux policy - - id: 6018 - title: "Ensure SELinux policy is configured" - description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only." - rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." - remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted" - compliance: - - cis: "1.6.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted' + - id: 6018 + title: "Ensure SELinux policy is configured" + description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only." + rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." + remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted" + compliance: + - cis: "1.6.1.3" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted' # 1.6.1.4 Remove SETroubleshoot - - id: 6019 - title: "Ensure SETroubleshoot is not installed" - description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user- friendly interface. 
The service provides important information around configuration errors, unauthorized intrusions, and other potential errors." - rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." - remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot" - compliance: - - cis: "1.6.1.4" - - pci_dss: "2.2.4" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$' + - id: 6019 + title: "Ensure SETroubleshoot is not installed" + description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user- friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors." + rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." + remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot" + compliance: + - cis: "1.6.1.4" + - pci_dss: "2.2.4" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$' # 1.6.1.5 Disable MCS Translation service mcstrans - - id: 6020 - title: "Ensure the MCS Translation Service (mcstrans) is not installed" - description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf" - rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system." 
- remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans" - compliance: - - cis: "1.6.1.5" - - pci_dss: "2.2.4" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dmctrans$' + - id: 6020 + title: "Ensure the MCS Translation Service (mcstrans) is not installed" + description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf" + rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system." + remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans" + compliance: + - cis: "1.6.1.5" + - pci_dss: "2.2.4" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dmctrans$' ############################################### # 1.4 Secure Boot Settings ############################################### # 1.4.2 Set Boot Loader Password (Scored) - - id: 6021 - title: "Ensure bootloader password is set" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security." - remediation: "Create an encrypted password with grub-md5-crypt, copy and paste the into the global section of /boot/grub/grub.conf." 
- compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/boot/grub/menu.lst -> !r:^# && r:password'
+ - id: 6021
+ title: "Ensure bootloader password is set"
+ description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
+ rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security."
+ remediation: "Create an encrypted password with grub-md5-crypt, copy and paste the into the global section of /boot/grub/grub.conf."
+ compliance:
+ - cis: "1.4.2"
+ - cis_csc: "5.1"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/boot/grub/menu.lst -> !r:^# && r:password'
 # 1.4.3 Require Authentication for Single-User Mode (Scored)
- - id: 6022
- title: "Ensure authentication required for single user mode"
- description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
- rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
- remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin ': SINGLE=/sbin/sulogin"
- compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
- condition: none
- rules:
- - 'f:/etc/inittab -> !r:^# && r:S:wait'
+ - id: 6022
+ title: "Ensure authentication required for single user mode"
+ description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
+ rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
+ remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin ': SINGLE=/sbin/sulogin"
+ compliance:
+ - cis: "1.4.3"
+ - cis_csc: "5.1"
+ - pci_dss: "2.2.4"
+ condition: none
+ rules:
+ - 'f:/etc/inittab -> !r:^# && r:S:wait'
 # 1.4.4 Disable Interactive Boot (Scored)
- - id: 6023
- title: "Ensure interactive boot is disabled"
- description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
- rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
- remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
- compliance:
- - cis: "1.4.4"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no'
+ - id: 6023
+ title: "Ensure interactive boot is disabled"
+ description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
+ rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
+ remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
+ compliance:
+ - cis: "1.4.4"
+ - cis_csc: "5.1"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no'
 ###############################################
 # 1.5 Additional Process Hardening
 ###############################################
 # 1.5.1 Restrict Core Dumps (Scored)
- - id: 6024
- title: "Ensure core dumps are restricted"
- description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted.
It can also be used to glean confidential information from a core file."
- rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
- remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0; fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
- compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0'
+ - id: 6024
+ title: "Ensure core dumps are restricted"
+ description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+ rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
+ remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0; fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
+ compliance:
+ - cis: "1.5.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0'
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 6025
- title: "Ensure address space layout randomization (ASLR) is enabled"
- description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
- rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
- compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
+ - id: 6025
+ title: "Ensure address space layout randomization (ASLR) is enabled"
+ description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+ rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+ compliance:
+ - cis: "1.5.3"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
 ###############################################
 # 2 OS Services
@@ -405,246 +405,252 @@ checks:
 # 2.1 Remove Legacy Services
 ###############################################
 # 2.1.8 Remove telnet-server (Scored)
- - id: 6026
- title: "Ensure telnet server is disabled"
- description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
- rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
- remediation: "Run the following command to disable telnet: # chkconfig telnet off"
- compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no'
+ - id: 6026
+ title: "Ensure telnet server is disabled"
+ description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+ remediation: "Run the following command to disable telnet: # chkconfig telnet off"
+ compliance:
+ - cis: "2.1.8"
+ - cis_csc: "3.4, 9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no'
 # 2.1.6 Remove rsh-server (Scored)
- - id: 6027
- title: "Ensure rsh server is disabled"
- description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
- rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
- remediation: "Disable rsh, rlogin, and rexec."
- compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no'
+ - id: 6027
+ title: "Ensure rsh server is disabled"
+ description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
+ rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+ remediation: "Disable rsh, rlogin, and rexec."
+ compliance:
+ - cis: "2.1.6"
+ - cis_csc: "3.4"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no'
+ - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no'
+ - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no'
 # 2.3.1 Remove NIS Client (Scored)
- - id: 6028
- title: "Ensure NIS Client is not installed"
- description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
- remediation: "Run the following command to uninstall ypbind : # yum remove ypbind"
- compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypbind$'
+ - id: 6028
+ title: "Ensure NIS Client is not installed"
+ description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
+ remediation: "Run the following command to uninstall ypbind : # yum remove ypbind"
+ compliance:
+ - cis: "2.3.1"
+ - cis_csc: "2"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypbind$'
 # 2.2.16 Remove NIS Server (Scored)
- - id: 6029
- title: "Ensure NIS Server is disabled"
- description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
- remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
- compliance:
- - cis: "2.2.16"
- - cis_csc: "9.4"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypserv$'
+ - id: 6029
+ title: "Ensure NIS Server is disabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
+ remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
+ compliance:
+ - cis: "2.2.16"
+ - cis_csc: "9.4"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypserv$'
 # 2.1.9 Remove tftp-server (Scored)
- - id: 6030
- title: "Ensure tftp server is disabled"
- description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
- rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
- remediation: "Run the following command to disable tftp: # chkconfig tftp off"
- compliance:
- - cis: "2.1.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no'
+ - id: 6030
+ title: "Ensure tftp server is disabled"
+ description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
+ rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+ remediation: "Run the following command to disable tftp: # chkconfig tftp off"
+ compliance:
+ - cis: "2.1.9"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no'
 # 2.1.7 Remove talk-server (Scored)
- - id: 6031
- title: "Ensure talk server is disabled"
- description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
- rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
- remediation: "Run the following command to disable talk: # chkconfig talk off"
- compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no'
+ - id: 6031
+ title: "Ensure talk server is disabled"
+ description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+ rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Run the following command to disable talk: # chkconfig talk off"
+ compliance:
+ - cis: "2.1.7"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no'
 ###############################################
 # 2 Special Purpose Services
 ###############################################
 # 3.1 Set Daemon umask (Scored)
- - id: 6032
- title: "Set Daemon umask"
- description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
- rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
- remediation: "Add the following line to the /etc/sysconfig/init file.umask 027"
- compliance:
- - cis: "3.1"
- - pci_dss: "2.2.2"
- condition: all
- rules:
- - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027'
+ - id: 6032
+ title: "Set Daemon umask"
+ description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
+ rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
+ remediation: "Add the following line to the /etc/sysconfig/init file.umask 027"
+ compliance:
+ - cis: "3.1"
+ - pci_dss: "2.2.2"
+ condition: all
+ rules:
+ - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027'
 # 2.2.2 Remove X Windows (Scored)
- - id: 6033
- title: "Ensure X Window System is not installed"
- description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
- rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
- remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
- compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inittab -> !r:^# && r:id:5'
+ - id: 6033
+ title: "Ensure X Window System is not installed"
+ description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+ rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+ remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
+ compliance:
+ - cis: "2.2.2"
+ - cis_csc: "2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inittab -> !r:^# && r:id:5'
 # 2.2.3 Disable Avahi Server (Scored)
- - id: 6034
- title: "Ensure Avahi Server is disabled"
- description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
- rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
- remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
- compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'p:avahi-daemon'
+ - id: 6034
+ title: "Ensure Avahi Server is disabled"
+ description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery.
Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
+ rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
+ remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
+ compliance:
+ - cis: "2.2.3"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'p:avahi-daemon'
 # 2.2.7 Disable NFS and RPC (Not Scored)
- - id: 6035
- title: "Ensure NFS and RPC are disabled"
- description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
- rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
- remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off"
- compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnfs$'
- - 'd:$rc_dirs -> ^S\d\dnfslock$'
+ - id: 6035
+ title: "Ensure NFS and RPC are disabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off"
+ compliance:
+ - cis: "2.2.7"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnfs$'
+ - 'd:$rc_dirs -> ^S\d\dnfslock$'
 # 2.2.9 Remove FTP Server (Not Scored)
- - id: 6036
- title: "Ensure FTP Server is disabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
- remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
- compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
+ - id: 6036
+ title: "Ensure FTP Server is disabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
+ remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
+ compliance:
+ - cis: "2.2.9"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
 # 2.2.10 Remove HTTP Server (Not Scored)
- - id: 6037
- title: "Ensure HTTP server is disabled"
- description: "HTTP or web servers provide the ability to host web site content."
- rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable httpd: # chkconfig httpd off"
- compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dhttpd$'
+ - id: 6037
+ title: "Ensure HTTP server is disabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable httpd: # chkconfig httpd off"
+ compliance:
+ - cis: "2.2.10"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dhttpd$'
 # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
- - id: 6038
- title: "Ensure IMAP and POP3 server is disabled"
- description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
- compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
-
- - id: 6039
- title: "Ensure IMAP and POP3 server is disabled"
- description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
- compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
+ - id: 6038
+ title: "Ensure IMAP and POP3 server is disabled"
+ description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
+ compliance:
+ - cis: "2.2.11"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
+
+ - id: 6039
+ title: "Ensure IMAP and POP3 server is disabled"
+ description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
+ compliance:
+ - cis: "2.2.11"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
 # 2.2.12 Remove Samba (Not Scored)
- - id: 6040
- title: "Ensure Samba is disabled"
- description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable smb: # chkconfig smb off"
- compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsamba$'
- - 'd:$rc_dirs -> ^S\d\dsmb$'
+ - id: 6040
+ title: "Ensure Samba is disabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable smb: # chkconfig smb off"
+ compliance:
+ - cis: "2.2.12"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsamba$'
+ - 'd:$rc_dirs -> ^S\d\dsmb$'
 # 2.2.13 Remove HTTP Proxy Server (Not Scored)
- - id: 6041
- title: "Ensure HTTP Proxy Server is disabled"
- description: "Squid is a standard proxy server used in many environments."
- rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable squid : # chkconfig squid off"
- compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsquid$'
+ - id: 6041
+ title: "Ensure HTTP Proxy Server is disabled"
+ description: "Squid is a standard proxy server used in many environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid : # chkconfig squid off"
+ compliance:
+ - cis: "2.2.13"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsquid$'
 # 2.2.14 Remove SNMP Server (Not Scored)
- - id: 6042
- title: "Ensure SNMP Server is disabled"
- description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
- rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
- remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
- compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsnmpd$'
+ - id: 6042
+ title: "Ensure SNMP Server is disabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
+ remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
+ compliance:
+ - cis: "2.2.14"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsnmpd$'
 ###############################################
 # 3 Network Configuration and Firewalls
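Review bot: Several of the xinetd-file checks carried over on the new side can only pass vacuously: 6036 reads `/etc/xinetd.d/vsftpd` while its own remediation runs `chkconfig vsftpd off` (a standalone init service, like httpd/squid/snmpd which this hunk checks through `d:$rc_dirs`), 6038/6039 do the same for cyrus-imapd and dovecot, and 6030 reads `/etc/xinetd.d/tftpd` although the remediation names the service `tftp`; with `condition: none`, a file that is absent or misnamed yields a pass rather than a finding. If those daemons are not xinetd-managed on the target, the rules should follow the rc_dirs form used for 6037/6041/6042, e.g. `- 'd:$rc_dirs -> ^S\d\dvsftpd$'` and `- 'd:$rc_dirs -> ^S\d\ddovecot$'`, and 6030's path should be verified against the package's actual xinetd file name. Separately, 6032 requires a line matching `r:file.umask 027` in /etc/init.d/functions, which the remediation (`umask 027` in /etc/sysconfig/init) never produces, so the check stays failed after remediation; `- 'f:/etc/sysconfig/init -> !r:^# && r:^umask\s+027'` would match what the remediation writes. Likewise 6035 is titled "NFS and RPC" and its remediation disables rpcbind, but the rules only look for nfs and nfslock, so `- 'd:$rc_dirs -> ^S\d\drpcbind$'` is missing. The `checks:` list these entries belong to starts and ends outside this hunk.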
@@ -653,163 +659,163 @@ checks: # 3.1 Modify Network Parameters (Host Only) ############################################### # 3.1.1 Disable IP Forwarding (Scored) - - id: 6043 - title: "Ensure IPv4 forwarding is disabled" - description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." - rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" - compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 0' - - - id: 6044 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." - rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0 and run # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1" - compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + - id: 6043 + title: "Ensure IPv4 forwarding is disabled" + description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." + rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." 
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" + compliance: + - cis: "3.1.1" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + + - id: 6044 + title: "Ensure IPv6 forwarding is disabled" + description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." + rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0 and run # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1" + compliance: + - cis: "3.1.1" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv6/ip_forward -> 0' # 3.1.2 Disable Send Packet Redirects (Scored) - - id: 6045 - title: "Ensure packet redirect sending is disabled" - description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." - rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters." 
- compliance: - - cis: "3.1.2" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + - id: 6045 + title: "Ensure packet redirect sending is disabled" + description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." + rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters." + compliance: + - cis: "3.1.2" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' ############################################### # 3.2 Modify Network Parameters (Host and Router) ############################################### # 3.2.1 Disable Source Routed Packet Acceptance (Scored) - - id: 6046 - title: "Ensure source routed packets are not accepted" - description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network." - rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters" - compliance: - - cis: "3.2.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + - id: 6046 + title: "Ensure source routed packets are not accepted" + description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network." + rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters" + compliance: + - cis: "3.2.1" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - - id: 6047 - title: "Ensure ICMP redirects are not accepted" - description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables." - rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters." - compliance: - - cis: "3.2.2" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + - id: 6047 + title: "Ensure ICMP redirects are not accepted" + description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables." + rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters." + compliance: + - cis: "3.2.2" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - - id: 6048 - title: "Ensure secure ICMP redirects are not accepted" - description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." - rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1" - compliance: - - cis: "3.2.3" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - id: 6048 + title: "Ensure secure ICMP redirects are not accepted" + description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." + rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1" + compliance: + - cis: "3.2.3" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' # 3.2.4 Log Suspicious Packets (Scored) - - id: 6049 - title: "Ensure suspicious packets are logged" - description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." 
- rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters." - compliance: - - cis: "3.2.4" - - cis_csc: "6" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + - id: 6049 + title: "Ensure suspicious packets are logged" + description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." + rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters." + compliance: + - cis: "3.2.4" + - cis_csc: "6" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - - id: 6050 - title: "Ensure broadcast ICMP requests are ignored" - description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." - rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." 
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters." - compliance: - - cis: "3.2.5" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + - id: 6050 + title: "Ensure broadcast ICMP requests are ignored" + description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." + rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters." + compliance: + - cis: "3.2.5" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' # 3.2.6 Enable Bad Error Message Protection (Scored) - - id: 6051 - title: "Ensure bogus ICMP responses are ignored" - description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." - rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." 
- remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1" - compliance: - - cis: "3.2.6" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + - id: 6051 + title: "Ensure bogus ICMP responses are ignored" + description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." + rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." + remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1" + compliance: + - cis: "3.2.6" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - - id: 6052 - title: "Ensure Reverse Path Filtering is enabled" - description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." - rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." 
- remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1" - compliance: - - cis: "3.2.7" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - id: 6052 + title: "Ensure Reverse Path Filtering is enabled" + description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." + rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." + remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1" + compliance: + - cis: "3.2.7" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' # 3.2.8 Enable TCP SYN Cookies (Scored) - - id: 6053 - title: "Ensure TCP SYN Cookies is enabled" - description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." - rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. 
This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." - compliance: - - cis: "3.2.8" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - id: 6053 + title: "Ensure TCP SYN Cookies is enabled" + description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." + rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." + compliance: + - cis: "3.2.8" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' ############################################### # 5 System Access, Authentication and Authorization 
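Review bot: Check 6044 ("Ensure IPv6 forwarding is disabled") reads `f:/proc/sys/net/ipv6/ip_forward`, but the sysctl its own description and remediation name, `net.ipv6.conf.all.forwarding`, is exposed at `/proc/sys/net/ipv6/conf/all/forwarding`; there is no `net.ipv6.ip_forward` key, so with `condition: all` the rule can never match and the check reports a failure (or no result) regardless of the host's real IPv6 forwarding state. The rule should be `- 'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`. A smaller gap of the same kind is in 6046, whose remediation sets both `all` and `default` `accept_source_route` while only `all` is verified; adding `- 'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` would match the other redirect/martian checks in this hunk that test both. Note also that all of these rules compare the live `/proc/sys` values only, so a host that is compliant at scan time but has no persisted setting in `/etc/sysctl.conf` or `/etc/sysctl.d/*` still passes; worth a sentence in the descriptions if that is intended.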
@@ -818,102 +824,114 @@ checks: # 5.2 Configure SSH ############################################### # 5.2.2 Set SSH Protocol to 2 (Scored) - - id: 6054 - title: "Ensure SSH Protocol is set to 2" - description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." - rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" - compliance: - - cis: "5.2.2" - - cis_csc: "3.4" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - id: 6054 + title: "Ensure SSH Protocol is set to 2" + description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." + rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" + compliance: + - cis: "5.2.2" + - cis_csc: "3.4" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' # 5.2.3 Set LogLevel to INFO (Scored) - - id: 6055 - title: "Ensure SSH LogLevel is set to INFO" - description: "The INFO parameter specifies that login and logout activity will be logged." - rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" - compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + - id: 6055 + title: "Ensure SSH LogLevel is set to INFO" + description: "The INFO parameter specifies that login and logout activity will be logged." + rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" + compliance: + - cis: "5.2.3" + - cis_csc: "16" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - - id: 6056 - title: "Ensure SSH MaxAuthTries is set to 4 or less" - description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." - rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" - compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - id: 6056 + title: "Ensure SSH MaxAuthTries is set to 4 or less" + description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." + rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" + compliance: + - cis: "5.2.5" + - cis_csc: "16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 6057 - title: "Ensure SSH IgnoreRhosts is enabled" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." - rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - compliance: - - cis: "5.2.6" - - cis_csc: "9" - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + - id: 6057 + title: "Ensure SSH IgnoreRhosts is enabled" + description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." + rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" + compliance: + - cis: "5.2.6" + - cis_csc: "9" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 6058 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - cis: "5.2.7" - - cis_csc: "9" - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + - id: 6058 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - cis: "5.2.7" + - cis_csc: "9" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' # 5.2.8 Disable SSH Root Login (Scored) - - id: 6059 - title: "Ensure SSH root login is disabled" - description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." - rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" - compliance: - - cis: "5.2.8" - - cis_csc: "5.8" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + - id: 6059 + title: "Ensure SSH root login is disabled" + description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." + rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" + compliance: + - cis: "5.2.8" + - cis_csc: "5.8" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 6060 - title: "Ensure SSH PermitEmptyPasswords is disabled" - description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." - rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" - compliance: - - cis: "5.2.9" - - cis_csc: "16" - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - id: 6060 + title: "Ensure SSH PermitEmptyPasswords is disabled" + description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" + compliance: + - cis: "5.2.9" + - cis_csc: "16" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' ############################################### # 6 System Maintenance 
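Review bot: Check 6054 ("Ensure SSH Protocol is set to 2") passes `Protocol 2,1`, because the numeric rule `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1` captures only the first number, yet that value keeps SSHv1 enabled; conversely, on OpenSSH releases that have dropped the `Protocol` directive entirely (v1 support is gone), a config with no `Protocol` line fails the `condition: all` check even though only SSHv2 is possible. A more robust form is to flag the bad case rather than require the good one: `condition: none` with `- 'f:$sshd_file -> !r:^\s*# && r:^\s*\t*Protocol\.+1'`, which catches `1`, `1,2` and `2,1` and does not penalise hosts where the directive no longer exists; please confirm against the SCA regex dialect that `\.+` is the intended "any characters" wildcard here, as in the neighbouring rules. Separately, 6056 anchors with `^MaxAuthTries` while every other rule in the hunk allows leading whitespace via `^\s*\t*`, so an indented `  MaxAuthTries 4` (common inside `Match` blocks) is silently ignored; `n:^\s*\t*MaxAuthTries\s+(\d+) compare <= 4` would be consistent. Finally, the new `hipaa`/`nist_800_53: "SC.8"` tags were applied to 6055 (LogLevel) and 6059 (PermitRootLogin), which are audit and access-control items rather than transmission-security ones, while 6056 received none; the mapping looks copy-pasted and may need per-check review.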
@@ -922,69 +940,73 @@ checks:
# 6.2 Review User and Group Settings
###############################################
# 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 6061
- title: "Ensure root is the only UID 0 account"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+ - id: 6061
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis: "6.2.5"
+ - cis_csc: "5.1"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
# Other/Legacy Tests
- - id: 6062
- title: "Account with empty password present"
- compliance:
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 6063
- title: "User-mounted removable partition allowed on the console"
- condition: none
- rules:
- - 'f:/etc/security/console.perms -> r:^ \d+ '
- - 'f:/etc/security/console.perms -> r:^ \d+ '
-
- - id: 6064
- title: "Disable standard boot services - Kudzu hardware detection Enabled"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dkudzu$'
-
- - id: 6065
- title: "Disable standard boot services - PostgreSQL server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dpostgresql$'
-
- - id: 6066
- title: "Disable standard boot services - MySQL server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dmysqld$'
-
- - id: 6067
- title: "Disable standard boot services - DNS server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnamed$'
-
- - id: 6068
- title: "Disable standard boot services - NetFS Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnetfs$'
+ - id: 6062
+ title: "Account with empty password present"
+ compliance:
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
+
+ - id: 6063
+ title: "User-mounted removable partition allowed on the console"
+ condition: none
+ rules:
+ - 'f:/etc/security/console.perms -> r:^ \d+ '
+ - 'f:/etc/security/console.perms -> r:^ \d+ '
+
+ - id: 6064
+ title: "Disable standard boot services - Kudzu hardware detection Enabled"
+ condition: none
+ rules:
+ -
'd:$rc_dirs -> ^S\d\dkudzu$'
+
+ - id: 6065
+ title: "Disable standard boot services - PostgreSQL server Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dpostgresql$'
+
+ - id: 6066
+ title: "Disable standard boot services - MySQL server Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dmysqld$'
+
+ - id: 6067
+ title: "Disable standard boot services - DNS server Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnamed$'
+
+ - id: 6068
+ title: "Disable standard boot services - NetFS Enabled"
+ compliance:
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnetfs$'
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index 7c59e021e..87e40227d 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
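Review bot: Check 6063 carries the same rule `'f:/etc/security/console.perms -> r:^ \d+ '` twice, so the second entry cannot change the outcome; either drop it or, if a different pattern was meant, put that pattern in its place rather than a copy. The same block leaves 6062–6068 with only `title`, `compliance`, `condition` and `rules`, while 6061 and the rest of the policy also give `description`, `rationale` and `remediation`; a short `description` and `remediation` per check (for 6062, what kind of `/etc/shadow` entry the pattern flags and how an operator should resolve it) would make these findings actionable. The `^\w+:\w+:0:` and `^\w+::` patterns in 6061 and 6062 presumably depend on which characters the rule engine's `\w` accepts — if it does not cover a character that can appear in an account name, such an account would be skipped, which is worth confirming before relying on them. `$rc_dirs`, used by 6064–6068, is defined outside this hunk and must remain in `variables:`.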
@@ -36,343 +36,343 @@ variables:
checks:
# 1.1.2 /tmp: partition
- - id: 6500
- title: "Ensure separate partition exists for /tmp"
- description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
- rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs. Enable systemd /tmp mounting"
- compliance:
- - cis: "1.1.2"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp'
+ - id: 6500
+ title: "Ensure separate partition exists for /tmp"
+ description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs.
Enable systemd /tmp mounting"
+ compliance:
+ - cis: "1.1.2"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'd:/tmp'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp'
# 1.1.3 /tmp: nodev
- - id: 6501
- title: "Ensure nodev option set on /tmp partition"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
- remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
- compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
+ - id: 6501
+ title: "Ensure nodev option set on /tmp partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
+ remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
+ compliance:
+ - cis: "1.1.3"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'd:/tmp'
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
# 1.1.4 /tmp: nosuid
- - id: 6502
- title: "Ensure nosuid option set on /tmp partition"
- description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
- remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
- compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid'
+ - id: 6502
+ title: "Ensure nosuid option set on /tmp partition"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
+ remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
+ compliance:
+ - cis: "1.1.4"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid'
# 1.1.5 /tmp: noexec
- - id: 6503
- title: "Ensure noexec option set on /tmp partition"
- description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
- remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
- compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec'
+ - id: 6503
+ title: "Ensure noexec option set on /tmp partition"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
+ remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
+ compliance:
+ - cis: "1.1.5"
+ - cis_csc: "2"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec'
# 1.1.6 Build considerations - Partition scheme.
- - id: 6504
- title: "Ensure separate partition exists for /var"
- description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
- rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
- compliance:
- - cis: "1.1.6"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'd:/var'
- - 'f:/etc/fstab -> !r^# && r:/var'
+ - id: 6504
+ title: "Ensure separate partition exists for /var"
+ description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+ rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis: "1.1.6"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'd:/var'
+ - 'f:/etc/fstab -> !r^# && r:/var'
# 1.1.7 bind mount /var/tmp to /tmp
- - id: 6505
- title: "Ensure separate partition exists for /var/tmp"
- description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
- rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
- compliance:
- - cis: "1.1.7"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'
+ - id: 6505
+ title: "Ensure separate partition exists for /var/tmp"
+ description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis: "1.1.7"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'
# 1.1.11 /var/log: partition
- - id: 6506
- title: "Ensure separate partition exists for /var/log"
- description: "The /var/log directory is used by system services to store log data ."
- rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
- compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/log'
+ - id: 6506
+ title: "Ensure separate partition exists for /var/log"
+ description: "The /var/log directory is used by system services to store log data ."
+ rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis: "1.1.11"
+ - cis_csc: "6.3"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/var/log'
# 1.1.12 /var/log/audit: partition
- - id: 6507
- title: "Ensure separate partition exists for /var/log/audit"
- description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
- rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
- compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/log/audit'
+ - id: 6507
+ title: "Ensure separate partition exists for /var/log/audit"
+ description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
+ rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis: "1.1.12"
+ - cis_csc: "6.3"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/var/log/audit'
# 1.1.13 /home: partition
- - id: 6508
- title: "Ensure separate partition exists for /home"
- description: "The /home directory is used to support disk storage needs of local users."
- rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
- compliance:
- - cis: "1.1.13"
- references:
- - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/home'
+ - id: 6508
+ title: "Ensure separate partition exists for /home"
+ description: "The /home directory is used to support disk storage needs of local users."
+ rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis: "1.1.13"
+ references:
+ - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/home'
# 1.1.14 /home: nodev
- - id: 6509
- title: "Ensure nodev option set on /home partition"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition.
# mount -o remount,nodev /home"
- compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev'
+ - id: 6509
+ title: "Ensure nodev option set on /home partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
+ compliance:
+ - cis: "1.1.14"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev'
# 1.1.18 nodev on removable media partitions (not scored)
- - id: 6510
- title: "Ensure nodev option set on removable media partitions"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "1.1.18"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
+ - id: 6510
+ title: "Ensure nodev option set on removable media partitions"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: "1.1.18"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
# 1.1.19 nosuid on removable media partitions (not scored)
- - id: 6511
- title: "Ensure nosuid option set on removable media partitions"
- description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.19"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
+ - id: 6511
+ title: "Ensure nosuid option set on removable media partitions"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
+ compliance:
+ - cis: "1.1.19"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
# 1.1.20 noexec on removable media partitions (not scored)
- - id: 6512
- title: "Ensure noexec option set on removable media partitions"
- description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
- rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.20"
- - cis_csc: "8"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec'
+ - id: 6512
+ title: "Ensure noexec option set on removable media partitions"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
+ compliance:
+ - cis: "1.1.20"
+ - cis_csc: "8"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec'
# 1.1.15 /dev/shm: nodev
- - id: 6513
- title: "Ensure nodev option set on /dev/shm partition"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
- compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
+ - id: 6513
+ title: "Ensure nodev option set on /dev/shm partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
+ compliance:
+ - cis: "1.1.15"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
# 1.1.16 /dev/shm: nosuid
- - id: 6514
- title: "Ensure nosuid option set on /dev/shm partition"
- description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition.
Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
- compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
+ - id: 6514
+ title: "Ensure nosuid option set on /dev/shm partition"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
+ compliance:
+ - cis: "1.1.16"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
# 1.1.17 /dev/shm: noexec
- - id: 6515
- title: "Ensure noexec option set on /dev/shm partition"
- description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
- rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
- compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
+ - id: 6515
+ title: "Ensure noexec option set on /dev/shm partition"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory.
This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
+ compliance:
+ - cis: "1.1.17"
+ - cis_csc: "2"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
###############################################
# 1.6 Configure SELinux
###############################################
# 1.6.1.1 enable selinux in /etc/grub.conf
- - id: 6516
- title: "Ensure SELinux is not disabled in bootloader configuration"
- description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
- rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
- remediation: "Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT='quiet'; GRUB_CMDLINE_LINUX=''"
- compliance:
- - cis: "1.6.1.1"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
- condition: none
- rules:
- - 'f:/etc/grub.conf -> r:selinux=0'
- - 'f:/etc/grub2.cfg -> r:selinux=0'
+ - id: 6516
+ title: "Ensure SELinux is not disabled in bootloader configuration"
+ description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
+ rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
+ remediation: "Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT='quiet'; GRUB_CMDLINE_LINUX=''"
+ compliance:
+ - cis: "1.6.1.1"
+ - cis_csc: "14.4"
+ - pci_dss: "2.2.4"
+ condition: none
+ rules:
+ - 'f:/etc/grub.conf -> r:selinux=0'
+ - 'f:/etc/grub2.cfg -> r:selinux=0'
# 1.6.1.2 Set selinux state
- - id: 6517
- title: "Ensure the SELinux state is enforcing"
- description: "Set SELinux to enable when the system is booted."
- rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
- remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
- compliance:
- - cis: "1.6.1.2"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/selinux/config -> r:SELINUX=enforcing'
+ - id: 6517
+ title: "Ensure the SELinux state is enforcing"
+ description: "Set SELinux to enable when the system is booted."
+ rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
+ remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
+ compliance:
+ - cis: "1.6.1.2"
+ - cis_csc: "14.4"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/selinux/config -> r:SELINUX=enforcing'
# 1.6.1.3 Set selinux policy
- - id: 6518
- title: "Ensure SELinux policy is configured"
- description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
- rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
- remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
- compliance:
- - cis: "1.6.1.3"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted'
+ - id: 6518
+ title: "Ensure SELinux policy is configured"
+ description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
+ rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
+ remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
+ compliance:
+ - cis: "1.6.1.3"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted'
 # 1.6.1.4 Remove SETroubleshoot
- - id: 6519
- title: "Ensure SETroubleshoot is not installed"
- description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
- rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
- remediation: "Run the following command to uninstall s etroubleshoot: # yum remove setroubleshoot"
- compliance:
- - cis: "1.6.1.4"
- - pci_dss: "2.2.4"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$'
- - 'f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert'
+ - id: 6519
+ title: "Ensure SETroubleshoot is not installed"
+ description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface.
The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
+ rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
+ remediation: "Run the following command to uninstall s etroubleshoot: # yum remove setroubleshoot"
+ compliance:
+ - cis: "1.6.1.4"
+ - pci_dss: "2.2.4"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$'
+ - 'f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert'
 # 1.6.1.5 Disable MCS Translation service mcstrans
- - id: 6520
- title: "Ensure the MCS Translation Service (mcstrans) is not installed"
- description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
- rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
- remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
- compliance:
- - cis: "1.6.1.5"
- - pci_dss: "2.2.4"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dmctrans$'
- - 'f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd'
+ - id: 6520
+ title: "Ensure the MCS Translation Service (mcstrans) is not installed"
+ description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
+ rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
+ remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
+ compliance:
+ - cis: "1.6.1.5"
+ - pci_dss: "2.2.4"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dmctrans$'
+ - 'f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd'
 ###############################################
 # 1.4 Secure Boot Settings
 ###############################################
 # 1.4.2 Set Boot Loader Password (Scored)
- - id: 6521
- title: "Ensure bootloader password is set"
- description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
- rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
- remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword"
- compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password'
+ - id: 6521
+ title: "Ensure bootloader password is set"
+ description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
+ rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
+ remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword"
+ compliance:
+ - cis: "1.4.2"
+ - cis_csc: "5.1"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password'
 ###############################################
 # 1.5 Additional Process Hardening
 ###############################################
 # 1.5.1 Restrict Core Dumps (Scored)
- - id: 6522
- title: "Ensure core dumps are restricted"
- description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
- rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
- remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and set the active kernel parameter"
- compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0'
+ - id: 6522
+ title: "Ensure core dumps are restricted"
+ description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
+ rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+ remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and set the active kernel parameter"
+ compliance:
+ - cis: "1.5.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0'
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 6523
- title: "Ensure address space layout randomization (ASLR) is enabled"
- description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
- rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
- compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
+ - id: 6523
+ title: "Ensure address space layout randomization (ASLR) is enabled"
+ description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+ rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
+ compliance:
+ - cis: "1.5.3"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
 ###############################################
 # 2 OS Services
@@ -381,361 +381,367 @@ checks:
 # 2.2 Remove Legacy Services
 ###############################################
 # 2.2.19 Remove telnet-server (Scored)
- - id: 6524
- title: "Ensure telnet server is disabled"
- description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
- rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
- remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket"
- compliance:
- - cis: "2.2.19"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no'
- - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd'
+ - id: 6524
+ title: "Ensure telnet server is disabled"
+ description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
+ remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket"
+ compliance:
+ - cis: "2.2.19"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no'
+ - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd'
 # 2.2.17 Remove rsh-server (Scored)
- - id: 6525
- title: "Ensure rsh server is disabled"
- description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
- rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
- remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket "
- compliance:
- - cis: "2.2.17"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no'
- - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart'
- - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart'
- - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart'
+ - id: 6525
+ title: "Ensure rsh server is disabled"
+ description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
+ rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
+ remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket "
+ compliance:
+ - cis: "2.2.17"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no'
+ - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no'
+ - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no'
+ - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart'
+ - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart'
+ - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart'
 # 2.3.1 Remove NIS Client (Scored)
- - id: 6526
- title: "Ensure NIS Client is not installed"
- description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
- remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
- compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypbind$'
- - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec'
+ - id: 6526
+ title: "Ensure NIS Client is not installed"
+ description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files.
The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+ remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
+ compliance:
+ - cis: "2.3.1"
+ - cis_csc: "2"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypbind$'
+ - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec'
 # 2.2.16 Remove NIS Server (Scored)
- - id: 6527
- title: "Ensure NIS Server is disabled"
- description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
- remediation: "Run the following command to disable ypserv: # systemctl disable ypserv"
- compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypserv$'
- - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec'
+ - id: 6527
+ title: "Ensure NIS Server is disabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files.
The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable ypserv: # systemctl disable ypserv"
+ compliance:
+ - cis: "2.2.16"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypserv$'
+ - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec'
 # 2.2.20 Remove tftp-server (Scored)
- - id: 6528
- title: "Ensure tftp server is disabled"
- description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
- rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
- remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket"
- compliance:
- - cis: "2.2.20"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no'
- - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec'
+ - id: 6528
+ title: "Ensure tftp server is disabled"
+ description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
+ rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
+ remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket"
+ compliance:
+ - cis: "2.2.20"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no'
+ - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec'
 # 2.1.18 Remove talk-server (Scored)
- - id: 6529
- title: "Ensure talk server is disabled"
- description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
- rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
- remediation: "Run the following command to disable talk: # systemctl disable ntalk"
- compliance:
- - cis: "2.2.18"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no'
- - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec'
+ - id: 6529
+ title: "Ensure talk server is disabled"
+ description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
+ rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Run the following command to disable talk: # systemctl disable ntalk"
+ compliance:
+ - cis: "2.2.18"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no'
+ - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec'
 # 2.1.7 Remove xinetd (Scored)
- - id: 6530
- title: "Ensure xinetd is disabled"
- description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
- rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
- remediation: "Run the following command to disable xinetd: # systemctl disable xinetd"
- compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec'
+ - id: 6530
+ title: "Ensure xinetd is disabled"
+ description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+ rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
+ remediation: "Run the following command to disable xinetd: # systemctl disable xinetd"
+ compliance:
+ - cis: "2.1.7"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec'
 # 2.1.1 Disable chargen-dgram (Scored)
- - id: 6531
- title: "Ensure chargen services are is disabled"
- description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
- compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no'
+ - id: 6531
+ title: "Ensure chargen services are is disabled"
+ description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
+ compliance:
+ - cis: "2.1.1"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no'
 # 2.1.1 Disable chargen-stream (Scored)
- - id: 6532
- title: "Ensure chargen services are is disabled"
- description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
- compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no'
+ - id: 6532
+ title: "Ensure chargen services are is disabled"
+ description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives.
This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
+ compliance:
+ - cis: "2.1.1"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no'
 # 2.1.2 Disable daytime-dgram (Scored)
- - id: 6533
- title: "Ensure daytime services are is disabled"
- description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
- compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no'
+ - id: 6533
+ title: "Ensure daytime services are is disabled"
+ description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
+ compliance:
+ - cis: "2.1.2"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no'
 # 2.1.2 Disable daytime-stream (Scored)
- - id: 6534
- title: "Ensure daytime services are is disabled"
- description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
- compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no'
+ - id: 6534
+ title: "Ensure daytime services are is disabled"
+ description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
+ compliance:
+ - cis: "2.1.2"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no'
 # 2.1.4 Disable echo-dgram (Scored)
- - id: 6535
- title: "Ensure echo services are is disabled"
- description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
- compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no'
+ - id: 6535
+ title: "Ensure echo services are is disabled"
+ description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
+ compliance:
+ - cis: "2.1.4"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no'
 # 2.1.4 Disable echo-stream (Scored)
- - id: 6536
- title: "Ensure echo services are is disabled"
- description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
- rationale: "Disabling this service will reduce the remote attack surface of the system."
- remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
- compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no'
+ - id: 6536
+ title: "Ensure echo services are is disabled"
+ description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
+ rationale: "Disabling this service will reduce the remote attack surface of the system."
+ remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
+ compliance:
+ - cis: "2.1.4"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no'
 # 2.2.2 Remove X Windows (Scored)
- - id: 6537
- title: "Ensure X Window System is not installed"
- description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
- rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
- remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
- compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'p:gdm-x-session'
+ - id: 6537
+ title: "Ensure X Window System is not installed"
+ description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+ rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+ remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
+ compliance:
+ - cis: "2.2.2"
+ - cis_csc: "2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'p:gdm-x-session'
 # 2.2.3 Disable Avahi Server (Scored)
- - id: 6538
- title: "Ensure Avahi Server is disabled"
- description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
- rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
- remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
- compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'p:avahi-daemon'
+ - id: 6538
+ title: "Ensure Avahi Server is disabled"
+ description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+ rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
+ remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
+ compliance:
+ - cis: "2.2.3"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'p:avahi-daemon'
 # 2.2.5 Remove DHCP Server (Scored)
- - id: 6539
- title: "Ensure DHCP Server is disabled"
- description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
- rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd"
- compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
- references:
- - More detailed documentation on DHCP is available at https://www.isc.org
- condition: none
- rules:
- - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec'
+ - id: 6539
+ title: "Ensure DHCP Server is disabled"
+ description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+ rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd"
+ compliance:
+ - cis: "2.2.5"
+ - cis_csc: "9.1"
+ references:
+ - More detailed documentation on DHCP is available at https://www.isc.org
+ condition: none
+ rules:
+ - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec'
 # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored)
- - id: 6540
- title: "Ensure time synchronization is in use"
- description: "System time should be synchronized between all systems in an environment. This typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
- rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
- remediation: "On physical systems or virtual systems where host based time synchronization is not available run one of the following commands to install either ntp or chrony: # yum install ntp; # yum install chrony; On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
- compliance:
- - cis: "2.2.1.1"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
- condition: all
- rules:
- - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery'
- - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery'
- - 'f:/etc/ntp.conf -> r:^server\.+$'
- - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"'
+ - id: 6540
+ title: "Ensure time synchronization is in use"
+ description: "System time should be synchronized between all systems in an environment. This typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them."
+ rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
+ remediation: "On physical systems or virtual systems where host based time synchronization is not available run one of the following commands to install either ntp or chrony: # yum install ntp; # yum install chrony; On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization."
+ compliance:
+ - cis: "2.2.1.1"
+ - cis_csc: "6.1"
+ - pci_dss: "2.2.2"
+ condition: all
+ rules:
+ - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery'
+ - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery'
+ - 'f:/etc/ntp.conf -> r:^server\.+$'
+ - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"'
 # 2.2.7 Disable NFS and RPC (Not Scored)
- - id: 6541
- title: "Ensure NFS and RPC are is disabled"
- description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
- rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
- remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind"
- compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnfs$'
- - 'd:$rc_dirs -> ^S\d\dnfslock$'
+ - id: 6541
+ title: "Ensure NFS and RPC are is disabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind"
+ compliance:
+ - cis: "2.2.7"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnfs$'
+ - 'd:$rc_dirs -> ^S\d\dnfslock$'
 # 2.2.9 Remove FTP Server (Not Scored)
- - id: 6542
- title: "Ensure FTP Server is disabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
- compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
+ - id: 6542
+ title: "Ensure FTP Server is disabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+ compliance:
+ - cis: "2.2.9"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
 # 2.2.10 Remove HTTP Server (Not Scored)
- - id: 6543
- title: "Ensure HTTP server is disabled"
- description: "HTTP or web servers provide the ability to host web site content."
- rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable httpd: # systemctl disable httpd"
- compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dhttpd$'
+ - id: 6543
+ title: "Ensure HTTP server is disabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable httpd: # systemctl disable httpd"
+ compliance:
+ - cis: "2.2.10"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dhttpd$'
 # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
- - id: 6544
- title: "Ensure IMAP and POP3 server is disabled"
- description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable dovecot: # systemctl disable dovecot"
- compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
-
- - id: 6545
- title: "Ensure IMAP and POP3 server is disabled"
- description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable dovecot: # systemctl disable dovecot"
- compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
+ - id: 6544
+ title: "Ensure IMAP and POP3 server is disabled"
+ description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable dovecot: # systemctl disable dovecot"
+ compliance:
+ - cis: "2.2.11"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
+
+ - id: 6545
+ title: "Ensure IMAP and POP3 server is disabled"
+ description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable dovecot: # systemctl disable dovecot"
+ compliance:
+ - cis: "2.2.11"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
 # 2.2.12 Remove Samba (Not Scored)
- - id: 6546
- title: "Ensure Samba is disabled"
- description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable smb: # systemctl disable smb"
- compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsamba$'
- - 'd:$rc_dirs -> ^S\d\dsmb$'
+ - id: 6546
+ title: "Ensure Samba is disabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable smb: # systemctl disable smb"
+ compliance:
+ - cis: "2.2.12"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsamba$'
+ - 'd:$rc_dirs -> ^S\d\dsmb$'
 # 2.2.13 Remove HTTP Proxy Server (Not Scored)
- - id: 6547
- title: "Ensure HTTP Proxy Server is disabled"
- description: "Squid is a standard proxy server used in many distributions and environments."
- rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable squid: # systemctl disable squid"
- compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsquid$'
+ - id: 6547
+ title: "Ensure HTTP Proxy Server is disabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid: # systemctl disable squid"
+ compliance:
+ - cis: "2.2.13"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsquid$'
 # 2.2.14 Remove SNMP Server (Not Scored)
- - id: 6548
- title: "Ensure SNMP Server is disabled"
- description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
- rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
- remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
- compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsnmpd$'
+ - id: 6548
+ title: "Ensure SNMP Server is disabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+ remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
+ compliance:
+ - cis: "2.2.14"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsnmpd$'
 ###############################################
 # 3 Network Configuration and Firewalls
@@ -744,162 +750,162 @@ checks:
 # 3.1 Modify Network Parameters (Host Only)
 ###############################################
 # 3.1.1 Disable IP Forwarding (Scored)
- - id: 6549
- title: "Ensure IPv4 forwarding is disabled"
- description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
- rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters."
- compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
-
- - id: 6550
- title: "Ensure IPv6 forwarding is disabled"
- description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not."
- rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0 and set the active kernel parameters."
- compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
+ - id: 6549
+ title: "Ensure IPv4 forwarding is disabled"
+ description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters."
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+
+ - id: 6550
+ title: "Ensure IPv6 forwarding is disabled"
+ description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0 and set the active kernel parameters."
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
 # 3.1.2 Disable Send Packet Redirects (Scored)
- - id: 6551
- title: "Ensure packet redirect sending is disabled"
- description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
- rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters."
- compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
+ - id: 6551
+ title: "Ensure packet redirect sending is disabled"
+ description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters."
+ compliance:
+ - cis: "3.1.2"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 6552
- title: "Ensure source routed packets are not accepted"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
- rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. 
Assume that the private addresses were not routable to the Internet routable addresses and vice versa."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters"
- compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
+ - id: 6552
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters"
+ compliance:
+ - cis: "3.2.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
 # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 6553
- title: "Ensure ICMP redirects are not accepted"
- description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
- rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
- compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
+ - id: 6553
+ title: "Ensure ICMP redirects are not accepted"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
+ rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
+ compliance:
+ - cis: "3.2.2"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
 # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 6554
- title: "Ensure secure ICMP redirects are not accepted"
- description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
- rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters."
- compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
+ - id: 6554
+ title: "Ensure secure ICMP redirects are not accepted"
+ description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+ rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters."
+ compliance:
+ - cis: "3.2.3"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
 # 3.2.4 Log Suspicious Packets (Scored)
- - id: 6555
- title: "Ensure suspicious packets are logged"
- description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
- rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
- compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
+ - id: 6555
+ title: "Ensure suspicious packets are logged"
+ description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+ rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
+ compliance:
+ - cis: "3.2.4"
+ - cis_csc: "6"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 6556
- title: "Ensure broadcast ICMP requests are ignored"
- description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
- compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
+ - id: 6556
+ title: "Ensure broadcast ICMP requests are ignored"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
+ compliance:
+ - cis: "3.2.5"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
 # 3.2.6 Enable Bad Error Message Protection (Scored)
- - id: 6557
- title: "Enable Bad Error Message Protection"
- description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
- rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
- remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1. 
Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; # /sbin/sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.2.6"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
+ - id: 6557
+ title: "Enable Bad Error Message Protection"
+ description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+ rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+ remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1. Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.6"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
 # 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
- - id: 6558
- title: "Ensure Reverse Path Filtering is enabled"
- description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
- rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
- remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1; net.ipv4.conf.default.rp_filter=1. 
Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1; # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1; # /sbin/sysctl -w net.ipv4.route.flush=1" - compliance: - - cis: "3.2.7" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - id: 6558 + title: "Ensure Reverse Path Filtering is enabled" + description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." + rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." + remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1; net.ipv4.conf.default.rp_filter=1. Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1; # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1; # /sbin/sysctl -w net.ipv4.route.flush=1" + compliance: + - cis: "3.2.7" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' # 3.2.8 Enable TCP SYN Cookies (Scored) - - id: 6559 - title: "Ensure TCP SYN Cookies is enabled" - description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." 
- rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." - compliance: - - cis: "3.2.8" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - id: 6559 + title: "Ensure TCP SYN Cookies is enabled" + description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." + rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." 
+ compliance: + - cis: "3.2.8" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' ############################################### # 5 System Access, Authentication and Authorization 
@@ -908,102 +914,114 @@ checks: # 5.2 Configure SSH ############################################### # 5.2.2 Set SSH Protocol to 2 (Scored) - - id: 6560 - title: "Ensure SSH Protocol is set to 2" - description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." - rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" - compliance: - - cis: "5.2.2" - - cis_csc: "3.4" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2' + - id: 6560 + title: "Ensure SSH Protocol is set to 2" + description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." + rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" + compliance: + - cis: "5.2.2" + - cis_csc: "3.4" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - - id: 6561 - title: "Ensure SSH LogLevel is set to INFO" - description: "The INFO parameter specifies that login and logout activity will be logged." - rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" - compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + - id: 6561 + title: "Ensure SSH LogLevel is set to INFO" + description: "The INFO parameter specifies that login and logout activity will be logged." + rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" + compliance: + - cis: "5.2.3" + - cis_csc: "16" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - - id: 6562 - title: "Ensure SSH MaxAuthTries is set to 4 or less" - description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." - rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" - compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - id: 6562 + title: "Ensure SSH MaxAuthTries is set to 4 or less" + description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." + rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" + compliance: + - cis: "5.2.5" + - cis_csc: "16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 6563 - title: "Ensure SSH IgnoreRhosts is enabled" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." - rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - compliance: - - cis: "5.2.6" - - cis_csc: "9" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes' + - id: 6563 + title: "Ensure SSH IgnoreRhosts is enabled" + description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." + rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" + compliance: + - cis: "5.2.6" + - cis_csc: "9" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 6564 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - cis: "5.2.7" - - cis_csc: "9" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' + - id: 6564 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - cis: "5.2.7" + - cis_csc: "9" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' # 5.2.8 Disable SSH Root Login (Scored) - - id: 6565 - title: "Ensure SSH root login is disabled" - description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." - rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" - compliance: - - cis: "5.2.8" - - cis_csc: "5.8" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no' + - id: 6565 + title: "Ensure SSH root login is disabled" + description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." + rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" + compliance: + - cis: "5.2.8" + - cis_csc: "5.8" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 6566 - title: "Ensure SSH PermitEmptyPasswords is disabled" - description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." - rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" - compliance: - - cis: "5.2.9" - - cis_csc: "16" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no' + - id: 6566 + title: "Ensure SSH PermitEmptyPasswords is disabled" + description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" + compliance: + - cis: "5.2.9" + - cis_csc: "16" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no' ############################################### # 6 System Maintenance 
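Review bot: The rule kept for id 6565, `r:^\s\t**PermitRootLogin\.+no`, differs from the `^\s*\t*` prefix every sibling in this hunk uses (6564 HostbasedAuthentication, 6566 PermitEmptyPasswords) and reads as a typo — a mandatory single space followed by a doubled quantifier — rather than a deliberate anchor. Because the check is `condition: all`, a pattern that does not match a correctly hardened `PermitRootLogin no` at column 0 would report the host as failing, which is the one outcome a re-indentation commit should not carry forward. I would align it with its neighbours: `- 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'`. As a smaller point to confirm against the OpenSSH releases this policy targets, id 6560 fails whenever `Protocol` is simply absent from sshd_config, so a one-line comment above it recording that the option must be present explicitly would save the next maintainer from treating those results as false positives.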
@@ -1012,69 +1030,73 @@ checks: # 6.2 Review User and Group Settings ############################################### # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - - id: 6567 - title: "Ensure root is the only UID 0 account" - description: "Any account with UID 0 has superuser privileges on the system." - rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." - remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." - compliance: - - cis: "6.2.5" - - cis_csc: "5.1" - - pci_dss: "10.2.5" - condition: none - rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + - id: 6567 + title: "Ensure root is the only UID 0 account" + description: "Any account with UID 0 has superuser privileges on the system." + rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." + remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." 
+ compliance: + - cis: "6.2.5" + - cis_csc: "5.1" + - pci_dss: "10.2.5" + - hipaa: "164.312.b" + - nist_800_53: "IA.10, AC.7" + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' # Other/Legacy Tests - - id: 6568 - title: "Account with empty password present" - compliance: - - pci_dss: "10.2.5" - condition: none - rules: - - 'f:/etc/shadow -> r:^\w+::' - - - id: 6569 - title: "User-mounted removable partition allowed on the console" - condition: none - rules: - - 'f:/etc/security/console.perms -> r:^ \d+ ' - - 'f:/etc/security/console.perms -> r:^ \d+ ' - - - id: 6570 - title: "Disable standard boot services - Kudzu hardware detection Enabled" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dkudzu$' - - - id: 6571 - title: "Disable standard boot services - PostgreSQL server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dpostgresql$' - - - id: 6572 - title: "Disable standard boot services - MySQL server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dmysqld$' - - - id: 6573 - title: "Disable standard boot services - DNS server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnamed$' - - - id: 6574 - title: "Disable standard boot services - NetFS Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnetfs$' + - id: 6568 + title: "Account with empty password present" + compliance: + - pci_dss: "10.2.5" + - hipaa: "164.312.b" + - nist_800_53: "IA.10, AC.7" + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+::' + + - id: 6569 + title: "User-mounted removable partition allowed on the console" + condition: none + rules: + - 'f:/etc/security/console.perms -> r:^ \d+ ' + - 'f:/etc/security/console.perms -> r:^ \d+ ' + + - id: 6570 + title: "Disable standard boot services - Kudzu hardware detection Enabled" + condition: none + rules: + - 
'd:$rc_dirs -> ^S\d\dkudzu$' + + - id: 6571 + title: "Disable standard boot services - PostgreSQL server Enabled" + compliance: + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dpostgresql$' + + - id: 6572 + title: "Disable standard boot services - MySQL server Enabled" + compliance: + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dmysqld$' + + - id: 6573 + title: "Disable standard boot services - DNS server Enabled" + compliance: + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dnamed$' + + - id: 6574 + title: "Disable standard boot services - NetFS Enabled" + compliance: + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dnetfs$' diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index 2bf77be4f..34862b1f1 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml 
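Review bot: Check 6569 lists the identical rule `'f:/etc/security/console.perms -> r:^ \d+ '` twice; under `condition: none` the second entry changes nothing and looks like a copy-paste leftover, so it should be dropped or replaced by whatever second pattern was intended. For 6567, `r:^\w+:\w+:0:` only matches when the second passwd field consists of word characters, so an entry of the form `name:*:0:` may not be flagged — I am not certain how this regex dialect defines `\w`, but a comment such as `# assumes the password field is a word character (usually "x"); entries like "*" are not matched — confirm` above the rule would make that detection gap explicit. Only 6567 and 6568 in this hunk received the new hipaa and nist_800_53 mappings; if leaving 6569–6574 without them is intentional for the legacy tests, a short note under `# Other/Legacy Tests` saying so would prevent it being read as an omission.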
@@ -31,254 +31,254 @@ variables: checks: # Section 1.1 - Filesystem Configuration - - id: 7000 - title: "Ensure separate partition exists for /tmp" - description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.2" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' - - - id: 7001 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. 
Run the following command to remount /tmp : # mount -o remount,nodev /tmp" - compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' - - - id: 7002 - title: "Ensure nosuid option set on /tmp partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" - compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + - id: 7000 + title: "Ensure separate partition exists for /tmp" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.2" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + + - id: 7001 + title: "Ensure nodev option set on /tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" + compliance: + - cis: "1.1.3" + - pci_dss: "2.2.4" + condition: all + rules: + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + + - id: 7002 + title: "Ensure nosuid option set on /tmp partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" + compliance: + - cis: "1.1.4" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' # 1.1.5 /tmp: noexec - - id: 7003 - title: "Ensure noexec option set on /tmp partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" - compliance: - - cis: "1.1.5" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + - id: 7003 + title: "Ensure noexec option set on /tmp partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" + compliance: + - cis: "1.1.5" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' # 1.1.6 Build considerations - Partition scheme. - - id: 7004 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis: "1.1.6" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' - - - id: 7005 - title: "Ensure separate partition exists for /var/log" - description: "The /var/log directory is used by system services to store log data." - rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.11" - - cis_csc: "6.3" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log' + - id: 7004 + title: "Ensure separate partition exists for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis: "1.1.6" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'd:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' + + - id: 7005 + title: "Ensure separate partition exists for /var/log" + description: "The /var/log directory is used by system services to store log data." + rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.11" + - cis_csc: "6.3" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/log' # 1.1.12 /var/log/audit: partition - - id: 7006 - title: "Ensure separate partition exists for /var/log/audit" - description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." - rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis: "1.1.12" - - cis_csc: "6.3" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + - id: 7006 + title: "Ensure separate partition exists for /var/log/audit" + description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." + rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.12" + - cis_csc: "6.3" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' # 1.1.13 /home: partition - - id: 7007 - title: "Ensure separate partition exists for /home" - description: "The /home directory is used to support disk storage needs of local users." - rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis: "1.1.13" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/home' - - - id: 7008 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." - compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + - id: 7007 + title: "Ensure separate partition exists for /home" + description: "The /home directory is used to support disk storage needs of local users." + rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis: "1.1.13" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/home' + + - id: 7008 + title: "Ensure nodev option set on /home partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." + compliance: + - cis: "1.1.14" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' # 1.1.18 nodev on removable media partitions (not scored) - - id: 7012 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." 
- compliance: - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + - id: 7012 + title: "Ensure nodev option set on removable media partitions" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." + compliance: + - cis: "1.1.18" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' # 1.1.19 nosuid on removable media partitions (not scored) - - id: 7013 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + - id: 7013 + title: "Ensure nosuid option set on removable media partitions" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." + compliance: + - cis: "1.1.19" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' # 1.1.20 noexec on removable media partitions (not scored) - - id: 7014 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.20" - - cis_csc: "8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + - id: 7014 + title: "Ensure noexec option set on removable media partitions" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. 
Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." + compliance: + - cis: "1.1.20" + - cis_csc: "8" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' # 1.1.15 /dev/shm: nodev - - id: 7009 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm" - compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - id: 7009 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm" + compliance: + - cis: "1.1.15" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' # 1.1.16 /dev/shm: nosuid - - id: 7010 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm" - compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - id: 7010 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm" + compliance: + - cis: "1.1.16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' # 1.1.17 /dev/shm: noexec - - id: 7011 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. 
Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" - compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + - id: 7011 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" + compliance: + - cis: "1.1.17" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' ############################################### # 1.4 Secure Boot Settings ############################################### # 1.4.2 Set Boot Loader Password (Scored) - - id: 7015 - title: "Ensure bootloader password is set" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Create an encrypted password with grub-md5-crypt : # grub-md5-crypt. The result is an . 
Copy and paste the into the global section of /boot/grub/menu.lst: password --md5 Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." - compliance: - - cis: "1.4.2" - - cis_csc: "5.1" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + - id: 7015 + title: "Ensure bootloader password is set" + description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." + rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." + remediation: "Create an encrypted password with grub-md5-crypt : # grub-md5-crypt. The result is an . Copy and paste the into the global section of /boot/grub/menu.lst: password --md5 Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." + compliance: + - cis: "1.4.2" + - cis_csc: "5.1" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' ############################################### # 1.5 Additional Process Hardening ############################################### # 1.5.1 Restrict Core Dumps (Scored) - - id: 7016 - title: "Ensure core dumps are restricted" - description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." - rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. 
If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." - remediation: "Add the following line to the /etc/security/limits.conf file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0." - compliance: - - cis: "1.5.1" - - cis_csc: "13" - condition: all - rules: - - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + - id: 7016 + title: "Ensure core dumps are restricted" + description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." + rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." + remediation: "Add the following line to the /etc/security/limits.conf file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0." 
+ compliance: + - cis: "1.5.1" + - cis_csc: "13" + condition: all + rules: + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - - id: 7017 - title: "Ensure address space layout randomization (ASLR) is enabled" - description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." - rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" - compliance: - - cis: "1.5.3" - - cis_csc: "8.4" - condition: all - rules: - - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + - id: 7017 + title: "Ensure address space layout randomization (ASLR) is enabled" + description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." + rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + compliance: + - cis: "1.5.3" + - cis_csc: "8.4" + condition: all + rules: + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' ############################################### # 2 OS Services 
@@ -287,332 +287,338 @@ checks: # 2.1 Remove Legacy Services ############################################### # Section 2.1 - inetd Services - - id: 7018 - title: "Ensure chargen services are not enabled" - description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off" - compliance: - - cis: "2.1.1" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' - - - id: 7019 - title: "Ensure daytime services are not enabled" - description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off" - compliance: - - cis: "2.1.2" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' - - - id: 7020 - title: "Ensure discard services are not enabled" - description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." 
- remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off" - compliance: - - cis: "2.1.3" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' - - - id: 7021 - title: "Ensure echo services are not enabled" - description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off" - compliance: - - cis: "2.1.4" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' - - - id: 7022 - title: "Ensure time services are not enabled" - description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off" - compliance: - - cis: "2.1.5" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' - - - id: 7023 - title: "Ensure rsh server is not enabled" - description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." 
- rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." - remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" - compliance: - - cis: "2.1.6" - - cis_csc: "3.4, 9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' - - - id: 7024 - title: "Ensure talk server is not enabled" - description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." - rationale: "The software presents a security risk as it uses unencrypted protocols for communication." - remediation: "Run the following command to disable talk: # chkconfig talk off" - compliance: - - cis: "2.1.7" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' - - - id: 7025 - title: "Ensure telnet server is not enabled" - description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." 
- remediation: "Run the following command to disable telnet: # chkconfig telnet off" - compliance: - - cis: "2.1.8" - - cis_csc: "3.4, 9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' - - - id: 7026 - title: "Ensure tftp server is not enabled" - description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." - rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." - remediation: "Run the following command to disable tftp: # chkconfig tftp off" - compliance: - - cis: "2.1.9" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' - - - id: 7027 - title: "Ensure rsync service is not enabled" - description: "The rsyncd service can be used to synchronize files between systems over network links." - rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." - remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off" - compliance: - - cis: "2.1.10, 2.2.17" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\drsyncd$' + - id: 7018 + title: "Ensure chargen services are not enabled" + description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." 
+ remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off" + compliance: + - cis: "2.1.1" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' + + - id: 7019 + title: "Ensure daytime services are not enabled" + description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off" + compliance: + - cis: "2.1.2" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' + + - id: 7020 + title: "Ensure discard services are not enabled" + description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off" + compliance: + - cis: "2.1.3" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' + + - id: 7021 + title: "Ensure echo services are not enabled" + description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. 
It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off" + compliance: + - cis: "2.1.4" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' + + - id: 7022 + title: "Ensure time services are not enabled" + description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off" + compliance: + - cis: "2.1.5" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' + + - id: 7023 + title: "Ensure rsh server is not enabled" + description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." + rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." 
+ remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" + compliance: + - cis: "2.1.6" + - cis_csc: "3.4, 9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + + - id: 7024 + title: "Ensure talk server is not enabled" + description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." + rationale: "The software presents a security risk as it uses unencrypted protocols for communication." + remediation: "Run the following command to disable talk: # chkconfig talk off" + compliance: + - cis: "2.1.7" + - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + + - id: 7025 + title: "Ensure telnet server is not enabled" + description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." 
+ remediation: "Run the following command to disable telnet: # chkconfig telnet off" + compliance: + - cis: "2.1.8" + - cis_csc: "3.4, 9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + + - id: 7026 + title: "Ensure tftp server is not enabled" + description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." + rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." + remediation: "Run the following command to disable tftp: # chkconfig tftp off" + compliance: + - cis: "2.1.9" + - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + + - id: 7027 + title: "Ensure rsync service is not enabled" + description: "The rsyncd service can be used to synchronize files between systems over network links." + rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." + remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off" + compliance: + - cis: "2.1.10, 2.2.17" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\drsyncd$' ############################################### # 2 Special Purpose Services ############################################### - - id: 7028 - title: "Ensure ntp is configured" - description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. 
More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
- rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
- remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
- compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
- condition: any
- rules:
- - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery'
- - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery'
- - 'f:/etc/ntp.conf -> r:^server|^pool'
- - 'f:/etc/sysconfig/ntpd -> r:NTPD_OPTIONS="-u ntp:ntp"'
+ - id: 7028
+ title: "Ensure ntp is configured"
+ description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+ rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+ remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
+ compliance:
+ - cis: "2.2.1.2"
+ - cis_csc: "6.1"
+ - pci_dss: "2.2.2"
+ condition: any
+ rules:
+ - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery'
+ - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery'
+ - 'f:/etc/ntp.conf -> r:^server|^pool'
+ - 'f:/etc/sysconfig/ntpd -> r:NTPD_OPTIONS="-u ntp:ntp"'
 # 2.2.2 Remove X Windows (Scored)
- - id: 7029
- title: "Ensure X Window System is not installed"
- description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
- rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
- remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
- compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inittab -> IN !r:^# && r:id:5'
+ - id: 7029
+ title: "Ensure X Window System is not installed"
+ description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
+ rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
+ remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
+ compliance:
+ - cis: "2.2.2"
+ - cis_csc: "2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inittab -> IN !r:^# && r:id:5'
 # 2.2.3 Disable Avahi Server (Scored)
- - id: 7030
- title: "Ensure Avahi Server is not enabled"
- description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
- rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
- remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
- compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'p:avahi-daemon'
-
- - id: 7031
- title: "Ensure DHCP Server is not enabled"
- description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
- rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable dhcpd : # chkconfig dhcpd off"
- compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dhcpd$'
- - 'd:$rc_dirs -> ^S\d\dhcpd6$'
+ - id: 7030
+ title: "Ensure Avahi Server is not enabled"
+ description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+ rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
+ remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
+ compliance:
+ - cis: "2.2.3"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'p:avahi-daemon'
+
+ - id: 7031
+ title: "Ensure DHCP Server is not enabled"
+ description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+ rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable dhcpd : # chkconfig dhcpd off"
+ compliance:
+ - cis: "2.2.5"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dhcpd$'
+ - 'd:$rc_dirs -> ^S\d\dhcpd6$'
 # 2.2.7 Disable NFS and RPC (Not Scored)
- - id: 7032
- title: "Ensure NFS and RPC are not enabled"
- description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. 
It provides the ability for systems to mount file systems of other servers through the network."
- rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
- remediation: "Run the following commands to disable nfs and rpcbind : # chkconfig nfs off # chkconfig rpcbind off"
- compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnfs$'
- - 'd:$rc_dirs -> ^S\d\dnfslock$'
-
- - id: 7033
- title: "Ensure DNS Server is not enabled"
- description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
- rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable named : # chkconfig named off"
- compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnamed$'
-
- - id: 7034
- title: "Ensure FTP Server is not enabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable vsftpd : # chkconfig vsftpd off Notes: Additional FTP servers also exist and should be audited."
- compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
+ - id: 7032
+ title: "Ensure NFS and RPC are not enabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs and rpcbind : # chkconfig nfs off # chkconfig rpcbind off"
+ compliance:
+ - cis: "2.2.7"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnfs$'
+ - 'd:$rc_dirs -> ^S\d\dnfslock$'
+
+ - id: 7033
+ title: "Ensure DNS Server is not enabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable named : # chkconfig named off"
+ compliance:
+ - cis: "2.2.8"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dnamed$'
+
+ - id: 7034
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. 
Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd : # chkconfig vsftpd off Notes: Additional FTP servers also exist and should be audited."
+ compliance:
+ - cis: "2.2.9"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
 # 2.2.10 Remove HTTP Server (Not Scored)
- - id: 7035
- title: "Ensure HTTP server is not enabled"
- description: "HTTP or web servers provide the ability to host web site content."
- rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface. Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
- remediation: "Run the following command to disable apache2 : # chkconfig apache2 off"
- compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dapache2$'
-
- - id: 7036
- title: "Ensure IMAP and POP3 server is not enabled"
- description: "cyrus is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable cyrus : # chkconfig cyrus off Notes: Several IMAP/POP3 servers exist and can use other service names. dovecot is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
- compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
+ - id: 7035
+ title: "Ensure HTTP server is not enabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface. Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
+ remediation: "Run the following command to disable apache2 : # chkconfig apache2 off"
+ compliance:
+ - cis: "2.2.10"
+ - cis_csc: "9.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dapache2$'
+
+ - id: 7036
+ title: "Ensure IMAP and POP3 server is not enabled"
+ description: "cyrus is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable cyrus : # chkconfig cyrus off Notes: Several IMAP/POP3 servers exist and can use other service names. dovecot is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
+ compliance:
+ - cis: "2.2.11"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
+ - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
 # 2.2.12 Remove Samba (Not Scored)
- - id: 7037
- title: "Ensure Samba is not enabled"
- description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. 
Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable smb : # chkconfig smb off"
- compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsamba$'
- - 'd:$rc_dirs -> ^S\d\dsmb$'
-
- - id: 7038
- title: "Ensure HTTP Proxy Server is not enabled"
- description: "Squid is a standard proxy server used in many environments."
- rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
- remediation: "Run the following command to disable squid : # chkconfig squid off"
- compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsquid$'
-
- - id: 7039
- title: "Ensure SNMP Server is not enabled"
- description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
- rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
- remediation: "Run the following command to disable snmpd: # chkconfig snmpd off Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
- compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsnmpd$'
-
- - id: 7040
- title: "Ensure NIS Server is not enabled"
- description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
- remediation: "Run the following command to disable ypserv : # chkconfig ypserv off"
- compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypserv$'
+ - id: 7037
+ title: "Ensure Samba is not enabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable smb : # chkconfig smb off"
+ compliance:
+ - cis: "2.2.12"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsamba$'
+ - 'd:$rc_dirs -> ^S\d\dsmb$'
+
+ - id: 7038
+ title: "Ensure HTTP Proxy Server is not enabled"
+ description: "Squid is a standard proxy server used in many environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid : # chkconfig squid off"
+ compliance:
+ - cis: "2.2.13"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsquid$'
+
+ - id: 7039
+ title: "Ensure SNMP Server is not enabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+ remediation: "Run the following command to disable snmpd: # chkconfig snmpd off Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
+ compliance:
+ - cis: "2.2.14"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsnmpd$'
+
+ - id: 7040
+ title: "Ensure NIS Server is not enabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. 
The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
+ remediation: "Run the following command to disable ypserv : # chkconfig ypserv off"
+ compliance:
+ - cis: "2.2.16"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypserv$'
 # Section 2.3 - Service Clients
- - id: 7041
- title: "Ensure NIS Client is not installed"
- description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
- remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
- compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypbind$'
+ - id: 7041
+ title: "Ensure NIS Client is not installed"
+ description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+ remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
+ compliance:
+ - cis: "2.3.1"
+ - cis_csc: "2"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypbind$'
 ###############################################
 # 3 Network Configuration and Firewalls
@@ -621,164 +627,164 @@ checks:
 # 3.1 Modify Network Parameters (Host Only)
 ###############################################
 # 3.1.1 Disable IP Forwarding (Scored)
- - id: 7042
- title: "Ensure IPv4 forwarding is disabled"
- description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
- rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
-
- - id: 7043
- title: "Ensure IPv6 forwarding is disabled"
- description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not."
- rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1"
- compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
+ - id: 7042
+ title: "Ensure IPv4 forwarding is disabled"
+ description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+
+ - id: 7043
+ title: "Ensure IPv6 forwarding is disabled"
+ description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
 # 3.1.2 Disable Send Packet Redirects (Scored)
- - id: 7044
- title: "Ensure packet redirect sending is disabled"
- description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
- rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
+ - id: 7044
+ title: "Ensure packet redirect sending is disabled"
+ description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.1.2"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 7045
- title: "Ensure source routed packets are not accepted"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
- rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
+ - id: 7045
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
 # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 7046
- title: "Ensure ICMP redirects are not accepted"
- description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
- rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
- compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
+ - id: 7046
+ title: "Ensure ICMP redirects are not accepted"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. 
It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." + rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1." + compliance: + - cis: "3.2.2" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - - id: 7047 - title: "Ensure secure ICMP redirects are not accepted" - description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." - rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1." - compliance: - - cis: "3.2.3" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' - - - id: 7048 - title: "Ensure suspicious packets are logged" - description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." - rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1." - compliance: - - cis: "3.2.4" - - cis_csc: "6" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + - id: 7047 + title: "Ensure secure ICMP redirects are not accepted" + description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." + rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1." + compliance: + - cis: "3.2.3" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' + - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + + - id: 7048 + title: "Ensure suspicious packets are logged" + description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." + rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1." + compliance: + - cis: "3.2.4" + - cis_csc: "6" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - - id: 7049 - title: "Ensure broadcast ICMP requests are ignored" - description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." 
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1." - compliance: - - cis: "3.2.5" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + - id: 7049 + title: "Ensure broadcast ICMP requests are ignored" + description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." + rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." 
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1." + compliance: + - cis: "3.2.5" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' # 3.2.6 Enable Bad Error Message Protection (Scored) - - id: 7050 - title: "Ensure bogus ICMP responses are ignored" - description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." - rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1." - compliance: - - cis: "3.2.6" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + - id: 7050 + title: "Ensure bogus ICMP responses are ignored" + description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." + rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." 
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1." + compliance: + - cis: "3.2.6" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - - id: 7051 - title: "Ensure Reverse Path Filtering is enabled" - description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." - rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1" - compliance: - - cis: "3.2.7" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - id: 7051 + title: "Ensure Reverse Path Filtering is enabled" + description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." + rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1" + compliance: + - cis: "3.2.7" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' + - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' # 3.2.8 Enable TCP SYN Cookies (Scored) - - id: 7052 - title: "Ensure TCP SYN Cookies is enabled" - description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." - rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1" - compliance: - - cis: "3.2.8" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - id: 7052 + title: "Ensure TCP SYN Cookies is enabled" + description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." + rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1" + compliance: + - cis: "3.2.8" + - cis_csc: "3, 11" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' ############################################### # 5 System Access, Authentication and Authorization 
@@ -787,102 +793,114 @@ checks:
 # 5.2 Configure SSH
 ###############################################
 # 5.2.2 Set SSH Protocol to 2 (Scored)
- - id: 7053
- title: "Ensure SSH Protocol is set to 2"
- description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
- rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
- compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- condition: all
- rules:
- - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+ - id: 7053
+ title: "Ensure SSH Protocol is set to 2"
+ description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis: "5.2.2"
+ - cis_csc: "3.4"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
 # 5.2.3 Set LogLevel to INFO (Scored)
- - id: 7054
- title: "Ensure SSH LogLevel is set to INFO"
- description: "The INFO parameter specifies that login and logout activity will be logged."
- rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users.
In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
- compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- condition: all
- rules:
- - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
+ - id: 7054
+ title: "Ensure SSH LogLevel is set to INFO"
+ description: "The INFO parameter specifies that login and logout activity will be logged."
+ rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+ compliance:
+ - cis: "5.2.3"
+ - cis_csc: "16"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
 # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 7055
- title: "Ensure SSH MaxAuthTries is set to 4 or less"
- description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
- rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
- compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
+ - id: 7055
+ title: "Ensure SSH MaxAuthTries is set to 4 or less"
+ description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+ rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+ compliance:
+ - cis: "5.2.5"
+ - cis_csc: "16"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
 # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 7056
- title: "Ensure SSH IgnoreRhosts is enabled"
- description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
- rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
- compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- condition: none
- rules:
- - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no'
+ - id: 7056
+ title: "Ensure SSH IgnoreRhosts is enabled"
+ description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis: "5.2.6"
+ - cis_csc: "9"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no'
 # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 7057
- title: "Ensure SSH HostbasedAuthentication is disabled"
- description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
- rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
- compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- condition: none
- rules:
- - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
+ - id: 7057
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis: "5.2.7"
+ - cis_csc: "9"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
 # 5.2.8 Disable SSH Root Login (Scored)
- - id: 7058
- title: "Ensure SSH root login is disabled"
- description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
- rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su.
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
- compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
+ - id: 7058
+ title: "Ensure SSH root login is disabled"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+ rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+ compliance:
+ - cis: "5.2.8"
+ - cis_csc: "5.8"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
 # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 7059
- title: "Ensure SSH PermitEmptyPasswords is disabled"
- description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
- rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
- compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- condition: none
- rules:
- - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+ - id: 7059
+ title: "Ensure SSH PermitEmptyPasswords is disabled"
+ description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+ compliance:
+ - cis: "5.2.9"
+ - cis_csc: "16"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
 ###############################################
 # 6 System Maintenance
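Review bot: The Protocol rule in check 7053, `n:^\s*\t*Protocol\s*\t*(\d+) compare > 1`, captures only the first number, so a line `Protocol 2,1` — which still offers SSH-1 — satisfies `> 1` and the check passes; matching the exact value, `'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*$'`, closes that gap while `condition: all` still fails a file that omits the keyword, as it does today. The `\.+` in 7056 and 7058 is "one or more of any character" in OSSEC regex, so `IgnoreRhosts\.+no` under `condition: none` also hits `IgnoreRhosts yes # do not change` and fails a compliant host, while `PermitRootLogin\.+no` under `condition: all` is satisfied by `PermitRootLogin yes # no exceptions` and passes a non-compliant one; tightening them to `r:^\s*\t*IgnoreRhosts\s*\t*no` and `r:^\s*\t*PermitRootLogin\s*\t*no` matches the value rather than any later substring. 7054 and 7056 screen out comments with `!r:^#`, which does not cover an indented `  #LogLevel INFO`, whereas the other rules in this hunk anchor with `^\s*\t*`; using the same anchor everywhere keeps the checks consistent. The new `hipaa`/`nist_800_53` mappings look copied from 7053 onto 7054 (a logging check mapped to SC.8 transmission confidentiality) and are absent from 7055 altogether, which seems inconsistent with the audit-oriented mappings used in the next hunk; worth confirming against the benchmark mapping before merging.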
@@ -891,28 +909,32 @@ checks:
 # 6.2 Review User and Group Settings
 ###############################################
 # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 7061
- title: "Ensure root is the only UID 0 account"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
-
- - id: 7060
- title: "Ensure password fields are not empty"
- description: "An account with an empty password field means that anybody may log in as that user without providing a password."
- rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
- compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
+ - id: 7061
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console.
Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis: "6.2.5"
+ - cis_csc: "5.1"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+ - id: 7060
+ title: "Ensure password fields are not empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+ rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+ compliance:
+ - cis: "6.2.1"
+ - cis_csc: "16"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
index 2c266144d..bb8749170 100644
--- a/sca/sles/12/cis_sles12_linux_rcl.yml
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml
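Review bot: The UID-0 rule in check 7061, `r:^\w+:\w+:0:`, requires a non-empty password field, so an entry such as `backdoor::0:0::/root:/bin/bash` — UID 0 and no password at all — never matches and the check passes, and 7060 will not catch it either because it reads only `/etc/shadow`; `r:^\w+:\w*:0:` at least covers the empty field (locked markers like `!` or `*` in that column would still be missed, since OSSEC regex has no "not colon" class). Both rules also assume the user name is `\w+`, which in OSSEC regex does not include `.` (and possibly not `-`, depending on the engine), so accounts named like `svc.backup` are skipped by both checks; if the regex cannot express this, a `c:` rule that shells out to `awk -F: '$3 == 0' /etc/passwd` and fails on any line other than `root` would be more reliable — syntax to confirm against the SCA reference. Either way the limitation deserves a comment above the rule, e.g. `# NOTE: only matches user names made of [A-Za-z0-9_]; dotted/hyphenated service accounts are not inspected`.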
@@ -31,255 +31,255 @@ variables: checks: # Section 1.1 - Filesystem Configuration - - id: 7500 - title: "Ensure separate partition exists for /tmp" - description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab or the systemd tmp.mount service as appropriate." - compliance: - - cis: "1.1.2" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' - - - id: 7501 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. 
Run the following command to remount /tmp : # mount -o remount,nodev /tmp" - compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' - - - id: 7502 - title: "Ensure nosuid option set on /tmp partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" - compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + - id: 7500 + title: "Ensure separate partition exists for /tmp" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. 
For systems that were previously installed, create a new partition and configure /etc/fstab or the systemd tmp.mount service as appropriate." + compliance: + - cis: "1.1.2" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp' + + - id: 7501 + title: "Ensure nodev option set on /tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" + compliance: + - cis: "1.1.3" + - pci_dss: "2.2.4" + condition: all + rules: + - 'd:/tmp' + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + + - id: 7502 + title: "Ensure nosuid option set on /tmp partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" + compliance: + - cis: "1.1.4" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' # 1.1.5 /tmp: noexec - - id: 7503 - title: "Ensure noexec option set on /tmp partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
- rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" - compliance: - - cis: "1.1.5" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + - id: 7503 + title: "Ensure noexec option set on /tmp partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" + compliance: + - cis: "1.1.5" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' # 1.1.6 Build considerations - Partition scheme. - - id: 7504 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis: "1.1.6" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' - - - id: 7505 - title: "Ensure separate partition exists for /var/log" - description: "The /var/log directory is used by system services to store log data." - rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis: "1.1.11" - - cis_csc: "6.3" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log' + - id: 7504 + title: "Ensure separate partition exists for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis: "1.1.6" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'd:/var' + - 'f:/etc/fstab -> !r:^# && r:/var' + + - id: 7505 + title: "Ensure separate partition exists for /var/log" + description: "The /var/log directory is used by system services to store log data." + rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.11" + - cis_csc: "6.3" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/log' # 1.1.12 /var/log/audit: partition - - id: 7506 - title: "Ensure separate partition exists for /var/log/audit" - description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." - rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis: "1.1.12" - - cis_csc: "6.3" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + - id: 7506 + title: "Ensure separate partition exists for /var/log/audit" + description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." + rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.12" + - cis_csc: "6.3" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' # 1.1.13 /home: partition - - id: 7507 - title: "Ensure separate partition exists for /home" - description: "The /home directory is used to support disk storage needs of local users." - rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis: "1.1.13" - references: - - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/home' + - id: 7507 + title: "Ensure separate partition exists for /home" + description: "The /home directory is used to support disk storage needs of local users." + rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis: "1.1.13" + references: + - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/home' # 1.1.14 /home: nodev - - id: 7508 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." 
- compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + - id: 7508 + title: "Ensure nodev option set on /home partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." + compliance: + - cis: "1.1.14" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' # 1.1.18 nodev on removable media partitions (not scored) - - id: 7512 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." 
- compliance: - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + - id: 7512 + title: "Ensure nodev option set on removable media partitions" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." + compliance: + - cis: "1.1.18" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' # 1.1.19 nosuid on removable media partitions (not scored) - - id: 7513 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + - id: 7513 + title: "Ensure nosuid option set on removable media partitions" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." + compliance: + - cis: "1.1.19" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' # 1.1.20 noexec on removable media partitions (not scored) - - id: 7514 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.20" - - cis_csc: "8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + - id: 7514 + title: "Ensure noexec option set on removable media partitions" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. 
Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." + compliance: + - cis: "1.1.20" + - cis_csc: "8" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' # 1.1.15 /dev/shm: nodev - - id: 7509 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" - compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - id: 7509 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. 
See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + compliance: + - cis: "1.1.15" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' # 1.1.16 /dev/shm: nosuid - - id: 7510 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. 
The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" - compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - id: 7510 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + compliance: + - cis: "1.1.16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' # 1.1.17 /dev/shm: noexec - - id: 7511 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. 
See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" - compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + - id: 7511 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. 
The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0" + compliance: + - cis: "1.1.17" + - cis_csc: "2" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' ############################################### # 1.4 Secure Boot Settings ############################################### # 1.4.2 Set Boot Loader Password (Scored) - - id: 7515 - title: "Ensure bootloader password is set" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub2-mkpasswd-pbkdf2. The final message is 'Your PBKDF2 is '. Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Run the following command to update the grub2 configuration: # grub2-mkconfig > /boot/grub2/grub.cfg Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." 
- compliance: - - cis: "1.4.2" - - cis_csc: "5.1" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + - id: 7515 + title: "Ensure bootloader password is set" + description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" + rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." + remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub2-mkpasswd-pbkdf2. The final message is 'Your PBKDF2 is '. Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Run the following command to update the grub2 configuration: # grub2-mkconfig > /boot/grub2/grub.cfg Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." + compliance: + - cis: "1.4.2" + - cis_csc: "5.1" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' ############################################### # 1.5 Additional Process Hardening ############################################### # 1.5.1 Restrict Core Dumps (Scored) - - id: 7516 - title: "Ensure core dumps are restricted" - description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." - rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. 
If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." - remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0" - compliance: - - cis: "1.5.1" - - cis_csc: "13" - condition: all - rules: - - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + - id: 7516 + title: "Ensure core dumps are restricted" + description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." + rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." + remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:fs.suid_dumpable = 0. 
Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0" + compliance: + - cis: "1.5.1" + - cis_csc: "13" + condition: all + rules: + - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - - id: 7517 - title: "Ensure address space layout randomization (ASLR) is enabled" - description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." - rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" - compliance: - - cis: "1.5.3" - - cis_csc: "8.4" - condition: all - rules: - - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + - id: 7517 + title: "Ensure address space layout randomization (ASLR) is enabled" + description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." + rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + compliance: + - cis: "1.5.3" + - cis_csc: "8.4" + condition: all + rules: + - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' ############################################### # 2 OS Services 
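Review bot: The fstab rules of checks 7500, 7504 and 7505 match the mount point as a bare substring, so `r:/var` in 7504 is also satisfied by a `/var/log` or `/var/log/audit` entry and `r:/tmp` in 7500 by a `/var/tmp` entry, which lets a system without the dedicated partition pass; anchoring the field with a separator, e.g. `- 'f:/etc/fstab -> !r:^# && r:\s/var\s'` (extended with the file's `\s*\t*` idiom if tab-separated entries must be accepted), closes that gap. Check 7516 only inspects /etc/security/limits.conf although its remediation also requires `fs.suid_dumpable = 0`; adding `- 'f:/proc/sys/fs/suid_dumpable -> r:^0$'` in the style of 7517 would verify that second half, and /etc/security/limits.d/* drop-ins named in the remediation remain unchecked. The remediation text of 7509, 7510 and 7511 repeats the "Notes: /dev/shm is not specified in /etc/fstab ..." paragraph twice, and 7515's remediation has lost its heredoc and placeholders (`cat <\" password_pbkdf2 EOF`, `'Your PBKDF2 is '`), so those strings deserve a clean-up while the block is being re-indented.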
@@ -288,353 +288,359 @@ checks: # 2.1 Remove Legacy Services ############################################### # Section 2.1 - inetd Services - - id: 7518 - title: "Ensure chargen services are not enabled" - description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off" - compliance: - - cis: "2.1.1" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' - - - id: 7519 - title: "Ensure daytime services are not enabled" - description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable daytime and daytime-udp: # chkconfig daytime off # chkconfig daytime-udp off" - compliance: - - cis: "2.1.2" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' - - - id: 7520 - title: "Ensure discard services are not enabled" - description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." 
- remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off" - compliance: - - cis: "2.1.3" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' - - - id: 7521 - title: "Ensure echo services are not enabled" - description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off" - compliance: - - cis: "2.1.4" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' - - - id: 7522 - title: "Ensure time services are not enabled" - description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off" - compliance: - - cis: "2.1.5" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' - - - id: 7523 - title: "Ensure rsh server is disabled" - description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." 
- rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." - remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" - compliance: - - cis: "2.1.6" - - cis_csc: "3.4, 9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart' - - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart' - - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart' - - - id: 7524 - title: "Ensure talk server is disabled" - description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." - rationale: "The software presents a security risk as it uses unencrypted protocols for communication." - remediation: "Run the following command to disable talk: # chkconfig talk off" - compliance: - - cis: "2.1.7" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec' - - - id: 7525 - title: "Ensure telnet server is disabled" - description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." 
- remediation: "Run the following command to disable telnet: # chkconfig telnet off" - compliance: - - cis: "2.1.8" - - cis_csc: "3.4, 9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd' - - - id: 7526 - title: "Ensure tftp server is disabled" - description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." - rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." - remediation: "Run the following command to disable tftp: # systemctl disable atftpd" - compliance: - - cis: "2.1.9, 2.2.17" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - condition: none - rules: - - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec' - - - id: 7527 - title: "Ensure rsync service is disabled" - description: "The rsyncd service can be used to synchronize files between systems over network links." - rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." - remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd" - compliance: - - cis: "2.1.10, 2.2.18" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\drsyncd$' - - - id: 7528 - title: "Ensure xinetd is disabled" - description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. 
The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." - rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." - remediation: "Run the following command to disable xinetd : # systemctl disable xinetd" - compliance: - - cis: "2.1.11" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec' + - id: 7518 + title: "Ensure chargen services are not enabled" + description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off" + compliance: + - cis: "2.1.1" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' + + - id: 7519 + title: "Ensure daytime services are not enabled" + description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." 
+ remediation: "Run the following commands to disable daytime and daytime-udp: # chkconfig daytime off # chkconfig daytime-udp off" + compliance: + - cis: "2.1.2" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' + + - id: 7520 + title: "Ensure discard services are not enabled" + description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off" + compliance: + - cis: "2.1.3" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' + + - id: 7521 + title: "Ensure echo services are not enabled" + description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off" + compliance: + - cis: "2.1.4" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' + + - id: 7522 + title: "Ensure time services are not enabled" + description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." 
+ rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off" + compliance: + - cis: "2.1.5" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' + + - id: 7523 + title: "Ensure rsh server is disabled" + description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." + rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." + remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" + compliance: + - cis: "2.1.6" + - cis_csc: "3.4, 9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart' + - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart' + - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart' + + - id: 7524 + title: "Ensure talk server is disabled" + description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." + rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
+ remediation: "Run the following command to disable talk: # chkconfig talk off" + compliance: + - cis: "2.1.7" + - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec' + + - id: 7525 + title: "Ensure telnet server is disabled" + description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." + remediation: "Run the following command to disable telnet: # chkconfig telnet off" + compliance: + - cis: "2.1.8" + - cis_csc: "3.4, 9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd' + + - id: 7526 + title: "Ensure tftp server is disabled" + description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." + rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." 
+ remediation: "Run the following command to disable tftp: # systemctl disable atftpd" + compliance: + - cis: "2.1.9, 2.2.17" + - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: none + rules: + - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec' + + - id: 7527 + title: "Ensure rsync service is disabled" + description: "The rsyncd service can be used to synchronize files between systems over network links." + rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." + remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd" + compliance: + - cis: "2.1.10, 2.2.18" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\drsyncd$' + + - id: 7528 + title: "Ensure xinetd is disabled" + description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." + rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." + remediation: "Run the following command to disable xinetd : # systemctl disable xinetd" + compliance: + - cis: "2.1.11" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec' ############################################### # 2 Special Purpose Services ############################################### - - id: 7529 - title: "Ensure ntp is configured" - description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. 
This recommendation only applies if ntp is in use on the system." - rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." - remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'" - compliance: - - cis: "2.2.1.2" - - cis_csc: "6.1" - - pci_dss: "2.2.2" - condition: any - rules: - - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:^server|^pool' - - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' + - id: 7529 + title: "Ensure ntp is configured" + description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." + rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." 
+ remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'" + compliance: + - cis: "2.2.1.2" + - cis_csc: "6.1" + - pci_dss: "2.2.2" + condition: any + rules: + - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^server|^pool' + - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' # 2.2.2 Remove X Windows (Scored) - - id: 7530 - title: "Ensure X Window System is not installed" - description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login." - rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." - remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*" - compliance: - - cis: "2.2.2" - - cis_csc: "2" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/usr/lib/systemd/system/default.target -> r:Graphical' - - 'p:gdm-x-session' + - id: 7530 + title: "Ensure X Window System is not installed" + description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login." 
+ rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." + remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*" + compliance: + - cis: "2.2.2" + - cis_csc: "2" + - pci_dss: "2.2.2" + condition: none + rules: + - 'f:/usr/lib/systemd/system/default.target -> r:Graphical' + - 'p:gdm-x-session' # 2.2.3 Disable Avahi Server (Scored) - - id: 7531 - title: "Ensure Avahi Server is disabled" - description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." - rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." - remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon" - compliance: - - cis: "2.2.3" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'p:avahi-daemon' - - - id: 7532 - title: "Ensure DHCP Server is disabled" - description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." - rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." 
- remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd" - compliance: - - cis: "2.2.5" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec' + - id: 7531 + title: "Ensure Avahi Server is disabled" + description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." + rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." + remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon" + compliance: + - cis: "2.2.3" + - cis_csc: "9.1" + - pci_dss: "2.2.2" + condition: none + rules: + - 'p:avahi-daemon' + + - id: 7532 + title: "Ensure DHCP Server is disabled" + description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." + rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd" + compliance: + - cis: "2.2.5" + - cis_csc: "9.1" + condition: none + rules: + - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec' # 2.2.7 Disable NFS and RPC (Not Scored) - - id: 7533 - title: "Ensure NFS and RPC are not enabled" - description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. 
It provides the ability for systems to mount file systems of other servers through the network." - rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." - remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs # systemctl disable rpcbind" - compliance: - - cis: "2.2.7" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnfs$' - - 'd:$rc_dirs -> ^S\d\dnfslock$' - - - id: 7534 - title: "Ensure DNS Server is disabled" - description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." - rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable named : # systemctl disable named" - compliance: - - cis: "2.2.8" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnamed$' - - - id: 7535 - title: "Ensure FTP Server is disabled" - description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." - rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited." 
- compliance: - - cis: "2.2.9" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + - id: 7533 + title: "Ensure NFS and RPC are not enabled" + description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." + rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." + remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs # systemctl disable rpcbind" + compliance: + - cis: "2.2.7" + - cis_csc: "9.1" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dnfs$' + - 'd:$rc_dirs -> ^S\d\dnfslock$' + + - id: 7534 + title: "Ensure DNS Server is disabled" + description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." + rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable named : # systemctl disable named" + compliance: + - cis: "2.2.8" + - cis_csc: "9.1" + - pci_dss: "2.2.2" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dnamed$' + + - id: 7535 + title: "Ensure FTP Server is disabled" + description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." + rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. 
Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited." + compliance: + - cis: "2.2.9" + - cis_csc: "9.1" + - pci_dss: "2.2.2" + condition: none + rules: + - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' # 2.2.10 Remove HTTP Server (Not Scored) - - id: 7536 - title: "Ensure HTTP server is disabled" - description: "HTTP or web servers provide the ability to host web site content." - rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited." - compliance: - - cis: "2.2.10" - - cis_csc: "9.1" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dapache2$' - - - id: 7537 - title: "Ensure IMAP and POP3 server is disabled" - description: "dovecot is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited." 
- compliance: - - cis: "2.2.11" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + - id: 7536 + title: "Ensure HTTP server is disabled" + description: "HTTP or web servers provide the ability to host web site content." + rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited." + compliance: + - cis: "2.2.10" + - cis_csc: "9.1" + condition: none + rules: + - 'd:$rc_dirs -> ^S\d\dapache2$' + + - id: 7537 + title: "Ensure IMAP and POP3 server is disabled" + description: "dovecot is an open source IMAP and POP3 server for Linux based systems." + rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited." + compliance: + - cis: "2.2.11" + - cis_csc: "9.1" + - pci_dss: "2.2.2" + condition: none + rules: + - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' + - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' # 2.2.12 Remove Samba (Not Scored) - - id: 7538 - title: "Ensure Samba is disabled" - description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. 
Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." - rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable smb : # systemctl disable smb" - compliance: - - cis: "2.2.12" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dsamba$' - - 'd:$rc_dirs -> ^S\d\dsmb$' - - - id: 7539 - title: "Ensure HTTP Proxy Server is disabled" - description: "Squid is a standard proxy server used in many distributions and environments." - rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked." - compliance: - - cis: "2.2.13" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dsquid$' - - - id: 7540 - title: "Ensure SNMP Server is disabled" - description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." - rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." - remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. 
Consult your distribution documentation for appropriate methods."
- compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dsnmpd$'
-
- - id: 7541
- title: "Ensure NIS Server is disabled"
- description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
- remediation: "Run the following command to disable ypserv : # systemctl disable ypserv"
- compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypserv$'
- - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec'
+ - id: 7538
+ title: "Ensure Samba is disabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." 
+ remediation: "Run the following command to disable smb : # systemctl disable smb"
+ compliance:
+ - cis: "2.2.12"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsamba$'
+ - 'd:$rc_dirs -> ^S\d\dsmb$'
+
+ - id: 7539
+ title: "Ensure HTTP Proxy Server is disabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked."
+ compliance:
+ - cis: "2.2.13"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsquid$'
+
+ - id: 7540
+ title: "Ensure SNMP Server is disabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+ remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods." 
+ compliance:
+ - cis: "2.2.14"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dsnmpd$'
+
+ - id: 7541
+ title: "Ensure NIS Server is disabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable ypserv : # systemctl disable ypserv"
+ compliance:
+ - cis: "2.2.16"
+ - cis_csc: "9.1"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypserv$'
+ - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec'
 # Section 2.3 - Service Clients
- - id: 7542
- title: "Ensure NIS Client is not installed"
- description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." 
- remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
- compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dypbind$'
- - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec'
+ - id: 7542
+ title: "Ensure NIS Client is not installed"
+ description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+ remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
+ compliance:
+ - cis: "2.3.1"
+ - cis_csc: "2"
+ - pci_dss: "2.2.3"
+ - nist_800_53: "CM.1"
+ condition: none
+ rules:
+ - 'd:$rc_dirs -> ^S\d\dypbind$'
+ - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec'
 ###############################################
 # 3 Network Configuration and Firewalls 
@@ -643,164 +649,164 @@ checks:
 # 3.1 Modify Network Parameters (Host Only)
 ###############################################
 # 3.1.1 Disable IP Forwarding (Scored)
- - id: 7543
- title: "Ensure IPv4 forwarding is disabled"
- description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
- rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
-
- - id: 7544
- title: "Ensure IPv6 forwarding is disabled"
- description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not."
- rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1"
- compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
+ - id: 7543
+ title: "Ensure IPv4 forwarding is disabled"
+ description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." 
+ rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+
+ - id: 7544
+ title: "Ensure IPv6 forwarding is disabled"
+ description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
 # 3.1.2 Disable Send Packet Redirects (Scored)
- - id: 7545
- title: "Ensure packet redirect sending is disabled"
- description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
- rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
+ - id: 7545
+ title: "Ensure packet redirect sending is disabled"
+ description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.1.2"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 7546
- title: "Ensure source routed packets are not accepted"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
- rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
+ - id: 7546
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.1"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
 # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 7547
- title: "Ensure ICMP redirects are not accepted"
- description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
- rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
- compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
+ - id: 7547
+ title: "Ensure ICMP redirects are not accepted"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. 
It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+ rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+ compliance:
+ - cis: "3.2.2"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
 # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 7548
- title: "Ensure secure ICMP redirects are not accepted"
- description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
- rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
- compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
-
- - id: 7549
- title: "Ensure suspicious packets are logged"
- description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
- rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
- compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
- - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1'
+ - id: 7548
+ title: "Ensure secure ICMP redirects are not accepted"
+ description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+ rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
+ compliance:
+ - cis: "3.2.3"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
+ - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
+
+ - id: 7549
+ title: "Ensure suspicious packets are logged"
+ description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+ rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
+ compliance:
+ - cis: "3.2.4"
+ - cis_csc: "6"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
+ - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1'
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 7550
- title: "Ensure broadcast ICMP requests are ignored"
- description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." 
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
- compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
+ - id: 7550
+ title: "Ensure broadcast ICMP requests are ignored"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." 
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
+ compliance:
+ - cis: "3.2.5"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
 # 3.2.6 Enable Bad Error Message Protection (Scored)
- - id: 7551
- title: "Ensure bogus ICMP responses are ignored"
- description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
- rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
- compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
+ - id: 7551
+ title: "Ensure bogus ICMP responses are ignored"
+ description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+ rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." 
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
+ compliance:
+ - cis: "3.2.6"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
 # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
- - id: 7552
- title: "Ensure Reverse Path Filtering is enabled"
- description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
- rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1'
- - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1'
+ - id: 7552
+ title: "Ensure Reverse Path Filtering is enabled"
+ description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+ rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.7"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1'
+ - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1'
 # 3.2.8 Enable TCP SYN Cookies (Scored)
- - id: 7553
- title: "Ensure TCP SYN Cookies is enabled"
- description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
- rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
- compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1'
+ - id: 7553
+ title: "Ensure TCP SYN Cookies is enabled"
+ description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+ rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.8"
+ - cis_csc: "3, 11"
+ - pci_dss: "2.2.4"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1'
 ###############################################
 # 5 System Access, Authentication and Authorization 
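Review bot: Check 7544 ("Ensure IPv6 forwarding is disabled") keeps the rule `f:/proc/sys/net/ipv6/ip_forward -> 0`, but the sysctl its own description and remediation name is `net.ipv6.conf.all.forwarding`, which the kernel exposes as `/proc/sys/net/ipv6/conf/all/forwarding`; `/proc/sys/net/ipv6/ip_forward` does not appear to be a node the kernel provides, so with `condition: all` the check never actually evaluates the IPv6 forwarding flag. The rule line should read `- 'f:/proc/sys/net/ipv6/conf/all/forwarding -> 0'`. Check 7546 ("Ensure source routed packets are not accepted") has a related gap: its remediation sets both `net.ipv4.conf.all.accept_source_route` and `net.ipv4.conf.default.accept_source_route`, and the neighbouring checks 7545, 7547 and 7548 test both the `all` and `default` files, yet 7546 tests only `all`. Adding `- 'f:/proc/sys/net/ipv4/conf/default/accept_source_route -> 0'` under its rules makes `condition: all` cover the default too. Both rules are carried over unchanged by this re-indentation, so the commit does not introduce them, but it touches every one of these lines and is the natural place to fix them.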
@@ -809,102 +815,114 @@ checks: # 5.2 Configure SSH ############################################### # 5.2.2 Set SSH Protocol to 2 (Scored) - - id: 7554 - title: "Ensure SSH Protocol is set to 2" - description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." - rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" - compliance: - - cis: "5.2.2" - - cis_csc: "3.4" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$' + - id: 7554 + title: "Ensure SSH Protocol is set to 2" + description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." + rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" + compliance: + - cis: "5.2.2" + - cis_csc: "3.4" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$' # 5.2.3 Set LogLevel to INFO (Scored) - - id: 7555 - title: "Ensure SSH LogLevel is set to INFO" - description: "The INFO parameter specifies that login and logout activity will be logged." - rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. 
In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" - compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + - id: 7555 + title: "Ensure SSH LogLevel is set to INFO" + description: "The INFO parameter specifies that login and logout activity will be logged." + rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" + compliance: + - cis: "5.2.3" + - cis_csc: "16" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - - id: 7556 - title: "Ensure SSH MaxAuthTries is set to 4 or less" - description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." 
- rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" - compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - id: 7556 + title: "Ensure SSH MaxAuthTries is set to 4 or less" + description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." + rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" + compliance: + - cis: "5.2.5" + - cis_csc: "16" + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 7557 - title: "Ensure SSH IgnoreRhosts is enabled" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." 
- rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - compliance: - - cis: "5.2.6" - - cis_csc: "9" - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + - id: 7557 + title: "Ensure SSH IgnoreRhosts is enabled" + description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." + rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" + compliance: + - cis: "5.2.6" + - cis_csc: "9" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 7558 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - cis: "5.2.7" - - cis_csc: "9" - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + - id: 7558 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - cis: "5.2.7" + - cis_csc: "9" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' # 5.2.8 Disable SSH Root Login (Scored) - - id: 7559 - title: "Ensure SSH root login is disabled" - description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." - rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" - compliance: - - cis: "5.2.8" - - cis_csc: "5.8" - - pci_dss: "4.1" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + - id: 7559 + title: "Ensure SSH root login is disabled" + description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." + rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" + compliance: + - cis: "5.2.8" + - cis_csc: "5.8" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 7560 - title: "Ensure SSH PermitEmptyPasswords is disabled" - description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." 
- rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" - compliance: - - cis: "5.2.9" - - cis_csc: "16" - - pci_dss: "4.1" - condition: none - rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - id: 7560 + title: "Ensure SSH PermitEmptyPasswords is disabled" + description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" + compliance: + - cis: "5.2.9" + - cis_csc: "16" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' ############################################### # 6 System Maintenance 
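Review bot: Check 7556 (MaxAuthTries) is the only SSH check in this hunk whose compliance list does not receive the `hipaa` and `nist_800_53` entries that 7554, 7555, 7557, 7558, 7559 and 7560 gain; if the omission is deliberate it deserves a comment, otherwise the two lines should be added so the mapping stays uniform across the section. The comment-exclusion style is also mixed: 7555 and 7557 rely on `!r:^#`, which only skips comments that start at column 0, while the other checks anchor the directive with `^\s*\t*`; for 7555 an indented `  # LogLevel INFO` line still satisfies `r:LogLevel\.+INFO`, so the check can pass without the directive being active. Writing it as `- 'f:$sshd_file -> r:^\s*\t*LogLevel\s*\t*INFO'` matches the idiom already used by 7554 and 7559. Separately, the rationale of 7557 is a verbatim copy of its remediation text; a rationale that states why .rhosts/.shosts-based trust is undesirable would be more useful than repeating the fix.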
@@ -913,28 +931,32 @@ checks:
 # 6.2 Review User and Group Settings
 ###############################################
 # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 7562
- title: "Ensure root is the only UID 0 account"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
-
- - id: 7561
- title: "Ensure password fields are not empty"
- description: "An account with an empty password field means that anybody may log in as that user without providing a password."
- rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
- compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
+ - id: 7562
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis: "6.2.5"
+ - cis_csc: "5.1"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+
+ - id: 7561
+ title: "Ensure password fields are not empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+ rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+ compliance:
+ - cis: "6.2.1"
+ - cis_csc: "16"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml
index 35d0e811c..60ab427cc 100644
--- a/sca/sunos/cis_solaris11_rcl.yml
+++ b/sca/sunos/cis_solaris11_rcl.yml
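Review bot: The UID-0 rule in 7562, `r:^\w+:\w+:0:`, requires the second field of the /etc/passwd entry to be a non-empty run of `\w` characters, so an extra UID-0 account whose password field is `*`, `!` or empty would not match and the check (condition: none) would pass. Since the intent is to catch any non-root UID-0 entry regardless of its password field, the second field should accept any content, for example `- 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\S*:0:'`, confirmed against the SCA regex engine with a fixture containing such an entry before committing, as that engine's handling of `\S*` before a literal is not shown here. The `\w` class may likewise exclude characters that legitimately occur in account names (a `.` in the name is one such case), which is worth checking against the engine's definition of `\w`. Minor: 7561 lacks the `# 6.2.1 ...` section comment every other check in this file carries, and it sits after 7562 although its CIS item precedes 6.2.5.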
@@ -23,755 +23,755 @@ requirements: description: "Requirements for running the CIS benchmark against Solaris 11" condition: all rules: - - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11\p' + - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11\p' variables: - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ + $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ checks: # 2 Disable Unnecessary Services - - id: 11500 - title: "Disable Local-only Graphical Login Environment" - description: "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode." - rationale: "This service should be disabled if it is not required." - remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default" - compliance: - - cis: "2.1" - condition: none - rules: - - 'p:gdm' - - 'p:cde' - - - id: 11501 - title: "Configure sendmail Service for Local-Only Mode" - description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. 
It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it." - rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems." - remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail" - compliance: - - cis: "2.2" - condition: all - rules: - - 'f:/etc/mail/local.cf' - - - id: 11502 - title: "Disable RPC Encryption Key" - description: "The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)" - rationale: "This service should be disabled if it is not required." - remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv" - compliance: - - cis: "2.3" - condition: none - rules: - - 'p:keyserv' - - - id: 11503 - title: "Disable NIS Server Services" - description: "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server." 
- rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS." - remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain" - compliance: - - cis: "2.4" - condition: none - rules: - - 'p:ypserv' - - 'p:ypbind' - - 'p:ypxfr' - - 'p:rpc.yppasswdd' - - 'p:rpc.ypupdated' - - 'f:/etc/init.d/nis' - - - id: 11504 - title: "Disable NIS Client Services" - description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system." - rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS." - remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain" - compliance: - - cis: "2.5" - condition: none - rules: - - 'p:ypserv' - - 'p:ypbind' - - 'p:ypxfr' - - 'p:rpc.yppasswdd' - - 'p:rpc.ypupdated' - - 'f:/etc/init.d/nis' - - - id: 11505 - title: "Disable Kerberos TGT Expiration Warning" - description: "The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be \"local only\" by default." - rationale: "This service should be disabled if it is not required." 
- remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn" - compliance: - - cis: "2.6" - condition: none - rules: - - 'p:ktkt_warnd' - - - id: 11506 - title: "Disable Generic Security Services (GSS)" - description: "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes." - rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required." - remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss" - compliance: - - cis: "2.7" - condition: none - rules: - - 'p:gssd' - - - id: 11507 - title: "Disable Removable Volume Manager" - description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details." - rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. 
When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports." - remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver" - compliance: - - cis: "2.8" - condition: none - rules: - - 'p:smserverd' - - - id: 11508 - title: "Disable automount Service" - description: "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration." - rationale: "This service should be disabled if it is not required." - remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs" - compliance: - - cis: "2.9" - condition: none - rules: - - 'p:automountd' - - - id: 11509 - title: "Disable Apache Service" - description: "The Apache service provides an instance of the Apache web server." - rationale: "This service should be disabled if it is not required." - remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache22" - compliance: - - cis: "2.10" - references: - - http://httpd.apache.org/docs/2.0/misc/security_tips.html - condition: none - rules: - - 'p:apache' - - 'p:httpd' - - - id: 11510 - title: "Disable Local-only RPC Port Mapping Service" - description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only." 
- rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled." - remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section." - compliance: - - cis: "2.11" - condition: none - rules: - - 'p:rpcbind' - - - id: 11511 - title: "Configure TCP Wrappers" - description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections." - rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts." - remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny 3. 
Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information." - compliance: - - cis: "2.12" - references: - - ipfilter(5) man page - condition: all - rules: - - 'f:/etc/hosts.allow' - - 'f:/etc/hosts.deny' - - - id: 11512 - title: "Disable Telnet Service" - description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security." - remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet" - compliance: - - cis: "2.13" - condition: all - rules: - - 'p:telnetd' + - id: 11500 + title: "Disable Local-only Graphical Login Environment" + description: "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode." + rationale: "This service should be disabled if it is not required." 
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default" + compliance: + - cis: "2.1" + condition: none + rules: + - 'p:gdm' + - 'p:cde' + + - id: 11501 + title: "Configure sendmail Service for Local-Only Mode" + description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it." + rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems." 
+ remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail" + compliance: + - cis: "2.2" + condition: all + rules: + - 'f:/etc/mail/local.cf' + + - id: 11502 + title: "Disable RPC Encryption Key" + description: "The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)" + rationale: "This service should be disabled if it is not required." + remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv" + compliance: + - cis: "2.3" + condition: none + rules: + - 'p:keyserv' + + - id: 11503 + title: "Disable NIS Server Services" + description: "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server." + rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS." 
+ remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain" + compliance: + - cis: "2.4" + condition: none + rules: + - 'p:ypserv' + - 'p:ypbind' + - 'p:ypxfr' + - 'p:rpc.yppasswdd' + - 'p:rpc.ypupdated' + - 'f:/etc/init.d/nis' + + - id: 11504 + title: "Disable NIS Client Services" + description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system." + rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS." + remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain" + compliance: + - cis: "2.5" + condition: none + rules: + - 'p:ypserv' + - 'p:ypbind' + - 'p:ypxfr' + - 'p:rpc.yppasswdd' + - 'p:rpc.ypupdated' + - 'f:/etc/init.d/nis' + + - id: 11505 + title: "Disable Kerberos TGT Expiration Warning" + description: "The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be \"local only\" by default." + rationale: "This service should be disabled if it is not required." 
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn"
+ compliance:
+ - cis: "2.6"
+ condition: none
+ rules:
+ - 'p:ktkt_warnd'
+
+ - id: 11506
+ title: "Disable Generic Security Services (GSS)"
+ description: "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes."
+ rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss"
+ compliance:
+ - cis: "2.7"
+ condition: none
+ rules:
+ - 'p:gssd'
+
+ - id: 11507
+ title: "Disable Removable Volume Manager"
+ description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details."
+ rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. 
When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
+ remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver"
+ compliance:
+ - cis: "2.8"
+ condition: none
+ rules:
+ - 'p:smserverd'
+
+ - id: 11508
+ title: "Disable automount Service"
+ description: "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration."
+ rationale: "This service should be disabled if it is not required."
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs"
+ compliance:
+ - cis: "2.9"
+ condition: none
+ rules:
+ - 'p:automountd'
+
+ - id: 11509
+ title: "Disable Apache Service"
+ description: "The Apache service provides an instance of the Apache web server."
+ rationale: "This service should be disabled if it is not required."
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache22"
+ compliance:
+ - cis: "2.10"
+ references:
+ - http://httpd.apache.org/docs/2.0/misc/security_tips.html
+ condition: none
+ rules:
+ - 'p:apache'
+ - 'p:httpd'
+
+ - id: 11510
+ title: "Disable Local-only RPC Port Mapping Service"
+ description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only."
+ rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
+ compliance:
+ - cis: "2.11"
+ condition: none
+ rules:
+ - 'p:rpcbind'
+
+ - id: 11511
+ title: "Configure TCP Wrappers"
+ description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections."
+ rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
+ remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny 3. 
Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
+ compliance:
+ - cis: "2.12"
+ references:
+ - ipfilter(5) man page
+ condition: all
+ rules:
+ - 'f:/etc/hosts.allow'
+ - 'f:/etc/hosts.deny'
+
+ - id: 11512
+ title: "Disable Telnet Service"
+ description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
+ remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
+ compliance:
+ - cis: "2.13"
+ condition: all
+ rules:
+ - 'p:telnetd'
 # 3 Kernel Tuning
- - id: 11513
- title: "Restrict Core Dumps to Protected Directory"
- description: "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
- rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
- remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
- compliance:
- - cis: "3.1"
- condition: all
- rules:
- - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\p\.+'
- - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\pdefault'
- - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\pcore'
- - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_CONTENT\pdefault'
- - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno'
- - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_ENABLED\pno'
- - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno'
- - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\pno'
- - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\pyes'
-
- - id: 11514
- title: "Enable Stack Protection"
- description: "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor- supplied and third party software."
- rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
- remediation: "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi"
- compliance:
- - cis: "3.2"
- condition: all
- rules:
- - 'f:/etc/system'
- - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\p1'
- - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\p1'
-
- - id: 11515
- title: "Enable Strong TCP Sequence Number Generation"
- description: "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session."
- rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
- remediation: "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default # awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS # mv inetinit.CIS inetinit To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp"
- compliance:
- - cis: "3.3"
- condition: all
- rules:
- - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2'
+ - id: 11513
+ title: "Restrict Core Dumps to Protected Directory"
+ description: "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
+ rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
+ remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
+ compliance:
+ - cis: "3.1"
+ condition: all
+ rules:
+ - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\p\.+'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\pdefault'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\pcore'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_CONTENT\pdefault'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_ENABLED\pno'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\pno'
+ - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\pyes'
+
+ - id: 11514
+ title: "Enable Stack Protection"
+ description: "Buffer overflow exploits 
have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor- supplied and third party software."
+ rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
+ remediation: "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi"
+ compliance:
+ - cis: "3.2"
+ condition: all
+ rules:
+ - 'f:/etc/system'
+ - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\p1'
+ - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\p1'
+
+ - id: 11515
+ title: "Enable Strong TCP Sequence Number Generation"
+ description: "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session."
+ rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
+ remediation: "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default # awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS # mv inetinit.CIS inetinit To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp"
+ compliance:
+ - cis: "3.3"
+ condition: all
+ rules:
+ - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2'
 # 4 Auditing and Logging
- - id: 11516
- title: "Create CIS Audit Class"
- description: "To group a set of related audit events, the Solaris Audit service provides the ability for sites to define their own audit classes that contain just those events that the site wants to audit."
- rationale: "To simplify administration, a CIS specific audit class should be created."
- remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
- compliance:
- - cis: "4.1"
- condition: all
- rules:
- - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'
-
- - id: 11517
- title: "Enable Auditing of Incoming Network Connections"
- description: "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system."
- rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
- remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect"
- compliance:
- - cis: "4.2"
- condition: all
- rules:
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_CONNECT:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKACCEPT:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKCONNECT:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_inetd_connect:\.+cis\.*'
-
- - id: 11518
- title: "Enable Auditing of File Metadata Modification Events"
- description: "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed."
- rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
- remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET"
- compliance:
- - cis: "4.3"
- condition: all
- rules:
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHOWN:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHOWN:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHMOD:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_LCHOWN:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACLSET:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_FACLSET:\.+cis\.*'
-
- - id: 11519
- title: "Enable Auditing of Process and Privilege Events"
- description: "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2)."
- rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
- remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID"
- compliance:
- - cis: "4.4"
- condition: all
- rules:
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREUID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREGID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHROOT:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_PFEXEC:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETUID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_NICE:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETGID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEGID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEUID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPRIV:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETSID:\.+cis\.*'
- - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPGID:\.+cis\.*'
-
- - id: 11520
- title: "Configure Solaris Auditing"
- description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. 
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)."
- rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
- remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . 
w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit"
- compliance:
- - cis: "4.5"
- condition: all
- rules:
- - 'd:/var/spool/cron/crontabs -> r:/usr/sbin/audit -n'
+ - id: 11516
+ title: "Create CIS Audit Class"
+ description: "To group a set of related audit events, the Solaris Audit service provides the ability for sites to define their own audit classes that contain just those events that the site wants to audit."
+ rationale: "To simplify administration, a CIS specific audit class should be created."
+ remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
+ compliance:
+ - cis: "4.1"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'
+
+ - id: 11517
+ title: "Enable Auditing of Incoming Network Connections"
+ description: "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system."
+ rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
+ remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect"
+ compliance:
+ - cis: "4.2"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_CONNECT:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKACCEPT:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKCONNECT:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_inetd_connect:\.+cis\.*'
+
+ - id: 11518
+ title: "Enable Auditing of File Metadata Modification Events"
+ description: "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed."
+ rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
+ remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET"
+ compliance:
+ - cis: "4.3"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHOWN:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHOWN:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHMOD:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_LCHOWN:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACLSET:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_FACLSET:\.+cis\.*'
+
+ - id: 11519
+ title: "Enable Auditing of Process and Privilege Events"
+ description: "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2)."
+ rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
+ remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID"
+ compliance:
+ - cis: "4.4"
+ condition: all
+ rules:
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREUID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETREGID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_FCHROOT:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_PFEXEC:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETUID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_NICE:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETGID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEGID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEUID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPRIV:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETSID:\.+cis\.*'
+ - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPGID:\.+cis\.*'
+
+ - id: 11520
+ title: "Configure Solaris Auditing"
+ description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. 
The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)."
+ rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
+ remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . 
w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit"
+ compliance:
+ - cis: "4.5"
+ condition: all
+ rules:
+ - 'd:/var/spool/cron/crontabs -> r:/usr/sbin/audit -n'
 # 5 File/Directory Permissions/Access
- - id: 11521
- title: "Default Service File Creation Mask"
- description: "The default system file creation mask applies to processes that are started by init - including most system services. To ensure that files are not created with write access to anyone other than their owner, the default file creation mask should be set to 022. Some sites with more stringent security requirements may prefer to set this value to 077 to eliminate all permissions for group and world. Note that changing this value from the Solaris default of 022 may negatively impact services that may not be able to operate with a stricter setting."
- rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
- remediation: "Perform the following to implement the recommended state: # svccfg -s svc:/system/environment:init setprop umask/umask = astring: \"022\""
- compliance:
- - cis: "5.1"
- condition: all
- rules:
- - 'f:/etc/profile -> r:^umask\s*022'
+ - id: 11521
+ title: "Default Service File Creation Mask"
+ description: "The default system file creation mask applies to processes that are started by init - including most system services. To ensure that files are not created with write access to anyone other than their owner, the default file creation mask should be set to 022. Some sites with more stringent security requirements may prefer to set this value to 077 to eliminate all permissions for group and world. Note that changing this value from the Solaris default of 022 may negatively impact services that may not be able to operate with a stricter setting."
+ rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
+ remediation: "Perform the following to implement the recommended state: # svccfg -s svc:/system/environment:init setprop umask/umask = astring: \"022\""
+ compliance:
+ - cis: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/profile -> r:^umask\s*022'
 # 6 System Access, Authentication, and Authorization
- - id: 11522
- title: "Disable \"nobody\" Access for RPC Encryption Key Storage Service"
- description: "This action listed prevents keyserv from using default keys for the nobody user, effectively stopping the nobody user from accessing information via Secure RPC."
- rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
- remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/ENABLE_NOBODY_KEYS=/ { $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS # mv keyserv.CIS keyserv"
- compliance:
- - cis: "6.2"
- condition: all
- rules:
- - 'f:/etc/default/keyserv'
- - 'f:/etc/default/keyserv -> r:^ENABLE\.NOBODY\.KEYS\pNO'
-
- - id: 11523
- title: "Disable X11 Forwarding for SSH"
- description: "The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface."
- rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs." - remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" - compliance: - - cis: "6.3" - condition: none - rules: - - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes' - - - id: 11524 - title: "Limit Consecutive Login Attempts for SSH" - description: "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits." - rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks." 
- remediation: "Perform the following to implement the recommended state: # awk '/^MaxAuthTries/ { $2 = \"3\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" - compliance: - - cis: "6.4" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' - - - id: 11525 - title: "Disable Rhost-based Authentication for SSH" - description: "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication." - rationale: "Setting this parameter forces users to enter a password when authenticating with SSH." - remediation: "Perform the following to implement the recommended state: # awk '/^IgnoreRhosts/ { $2 = \"yes\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed." - compliance: - - cis: "6.5" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no' - - - id: 11526 - title: "Disable root login for SSH" - description: "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host." - rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user." 
- remediation: "Perform the following to implement the recommended state: # awk '/^PermitRootLogin/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" - compliance: - - cis: "6.6" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no' - - - id: 11527 - title: "Blocking Authentication Using Empty/Null Passwords for SSH" - description: "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would." - rationale: "Permitting login without a password is inherently risky." - remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" - compliance: - - cis: "6.7" - condition: none - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' - - - id: 11528 - title: "Disable Host-based Authentication for Login-based Services" - description: "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user." - rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. 
It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default." - remediation: "Perform the following to implement the recommended state: # cd /etc # cp pam.conf pam.conf.pre-CIS # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS # mv pam.conf.CIS pam.conf" - compliance: - - cis: "6.8" - condition: all - rules: - - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1' - - 'f:/etc/pam.conf -> r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1' - - - id: 11529 - title: "Restrict FTP Use" - description: "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP." - rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default." - remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. 
To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system." - compliance: - - cis: "6.9" - condition: none - rules: - - 'f:/etc/ftpd/ftpusers -> r:^root' - - 'f:/etc/ftpd/ftpusers -> r:^daemon' - - 'f:/etc/ftpd/ftpusers -> r:^bin' - - 'f:/etc/ftpd/ftpusers -> r:^sys' - - 'f:/etc/ftpd/ftpusers -> r:^adm' - - 'f:/etc/ftpd/ftpusers -> r:^uucp' - - 'f:/etc/ftpd/ftpusers -> r:^nuucp' - - 'f:/etc/ftpd/ftpusers -> r:^smmsp' - - 'f:/etc/ftpd/ftpusers -> r:^listen' - - 'f:/etc/ftpd/ftpusers -> r:^gdm' - - 'f:/etc/ftpd/ftpusers -> r:^lp' - - 'f:/etc/ftpd/ftpusers -> r:^webservd' - - 'f:/etc/ftpd/ftpusers -> r:^postgres' - - 'f:/etc/ftpd/ftpusers -> r:^svctag' - - 'f:/etc/ftpd/ftpusers -> r:^openldap' - - 'f:/etc/ftpd/ftpusers -> r:^unknown' - - 'f:/etc/ftpd/ftpusers -> r:^aiuser' - - 'f:/etc/ftpd/ftpusers -> r:^nobody' - - 'f:/etc/ftpd/ftpusers -> r:^nobody4' - - 'f:/etc/ftpd/ftpusers -> r:^noaccess' - - - id: 11530 - title: "Set Delay between Failed Login Attempts to 4" - description: "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the \"login incorrect\" message when a bad password is provided." - rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user." 
- remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS # mv login.CIS login" - compliance: - - cis: "6.10" - condition: all - rules: - - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4' - - - id: 11531 - title: "Remove Autologin Capabilities from the GNOME desktop" - description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password." - rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)." - remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf" - compliance: - - cis: "6.11" - condition: none - rules: - - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin' - - - id: 11532 - title: "Set Default Screen Lock for GNOME Users" - description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment." - rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user." 
- remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS # mv xScreenSaver.CIS xScreenSaver" - compliance: - - cis: "6.12" - condition: all - rules: - - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*0:10:00' - - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*0:00:00' - - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true' - - - id: 11533 - title: "Restrict at/cron to Authorized Users" - description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals." - rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)." - remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow" - compliance: - - cis: "6.13" - condition: all - rules: - - 'not f:/etc/cron.d/cron.deny' - - 'not f:/etc/cron.d/at.deny' - - 'f:/etc/cron.d/cron.allow' - - 'f:/etc/cron.d/cron.allow -> !r:^root$' - - 'f:/etc/cron.d/at.allow' - - 'not f:/etc/cron.d/at.allow -> !r:^# && r:\w' - - - id: 11534 - title: "Restrict root Login to System Console" - description: "Privileged access to the system via root must be accountable to a particular user." 
- rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems." - remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login" - compliance: - - cis: "6.14" - condition: none - rules: - - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console' - - - id: 11535 - title: "Set Retry Limit for Account Lockout" - description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name." - rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user." 
- remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle" - compliance: - - cis: "6.15" - condition: all - rules: - - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3' - - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\pyes' - - - id: 11536 - title: "Secure the GRUB Menu (Intel)" - description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console." - rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password." 
- remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub grub> md5crypt Password: [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)] The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above] Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe lock" - compliance: - - cis: "6.17" - condition: all - rules: - - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5' + - id: 11522 + title: "Disable \"nobody\" Access for RPC Encryption Key Storage Service" + description: "This action listed prevents keyserv from using default keys for the nobody user, effectively stopping the nobody user from accessing information via Secure RPC." + rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user." 
+ remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/ENABLE_NOBODY_KEYS=/ { $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS # mv keyserv.CIS keyserv" + compliance: + - cis: "6.2" + condition: all + rules: + - 'f:/etc/default/keyserv' + - 'f:/etc/default/keyserv -> r:^ENABLE\.NOBODY\.KEYS\pNO' + + - id: 11523 + title: "Disable X11 Forwarding for SSH" + description: "The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface." + rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs." + remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" + compliance: + - cis: "6.3" + condition: none + rules: + - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes' + + - id: 11524 + title: "Limit Consecutive Login Attempts for SSH" + description: "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. 
By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits." + rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks." + remediation: "Perform the following to implement the recommended state: # awk '/^MaxAuthTries/ { $2 = \"3\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" + compliance: + - cis: "6.4" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' + + - id: 11525 + title: "Disable Rhost-based Authentication for SSH" + description: "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication." + rationale: "Setting this parameter forces users to enter a password when authenticating with SSH." + remediation: "Perform the following to implement the recommended state: # awk '/^IgnoreRhosts/ { $2 = \"yes\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed." 
+ compliance: + - cis: "6.5" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no' + + - id: 11526 + title: "Disable root login for SSH" + description: "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host." + rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user." + remediation: "Perform the following to implement the recommended state: # awk '/^PermitRootLogin/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" + compliance: + - cis: "6.6" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no' + + - id: 11527 + title: "Blocking Authentication Using Empty/Null Passwords for SSH" + description: "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would." + rationale: "Permitting login without a password is inherently risky." + remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" + compliance: + - cis: "6.7" + condition: none + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' + + - id: 11528 + title: "Disable Host-based Authentication for Login-based Services" + description: "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. 
The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user." + rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default." + remediation: "Perform the following to implement the recommended state: # cd /etc # cp pam.conf pam.conf.pre-CIS # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS # mv pam.conf.CIS pam.conf" + compliance: + - cis: "6.8" + condition: all + rules: + - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1' + - 'f:/etc/pam.conf -> r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1' + + - id: 11529 + title: "Restrict FTP Use" + description: "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP." + rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default." 
+ remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system." + compliance: + - cis: "6.9" + condition: none + rules: + - 'f:/etc/ftpd/ftpusers -> r:^root' + - 'f:/etc/ftpd/ftpusers -> r:^daemon' + - 'f:/etc/ftpd/ftpusers -> r:^bin' + - 'f:/etc/ftpd/ftpusers -> r:^sys' + - 'f:/etc/ftpd/ftpusers -> r:^adm' + - 'f:/etc/ftpd/ftpusers -> r:^uucp' + - 'f:/etc/ftpd/ftpusers -> r:^nuucp' + - 'f:/etc/ftpd/ftpusers -> r:^smmsp' + - 'f:/etc/ftpd/ftpusers -> r:^listen' + - 'f:/etc/ftpd/ftpusers -> r:^gdm' + - 'f:/etc/ftpd/ftpusers -> r:^lp' + - 'f:/etc/ftpd/ftpusers -> r:^webservd' + - 'f:/etc/ftpd/ftpusers -> r:^postgres' + - 'f:/etc/ftpd/ftpusers -> r:^svctag' + - 'f:/etc/ftpd/ftpusers -> r:^openldap' + - 'f:/etc/ftpd/ftpusers -> r:^unknown' + - 'f:/etc/ftpd/ftpusers -> r:^aiuser' + - 'f:/etc/ftpd/ftpusers -> r:^nobody' + - 'f:/etc/ftpd/ftpusers -> r:^nobody4' + - 'f:/etc/ftpd/ftpusers -> r:^noaccess' + + - id: 11530 + title: "Set Delay between Failed Login Attempts to 4" + description: "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the \"login incorrect\" message when a bad password is provided." 
+ rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user." + remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS # mv login.CIS login" + compliance: + - cis: "6.10" + condition: all + rules: + - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4' + + - id: 11531 + title: "Remove Autologin Capabilities from the GNOME desktop" + description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password." + rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)." + remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf" + compliance: + - cis: "6.11" + condition: none + rules: + - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin' + + - id: 11532 + title: "Set Default Screen Lock for GNOME Users" + description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment." + rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user." 
+ remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS # mv xScreenSaver.CIS xScreenSaver" + compliance: + - cis: "6.12" + condition: all + rules: + - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*0:10:00' + - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*0:00:00' + - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true' + + - id: 11533 + title: "Restrict at/cron to Authorized Users" + description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals." + rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)." + remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow" + compliance: + - cis: "6.13" + condition: all + rules: + - 'not f:/etc/cron.d/cron.deny' + - 'not f:/etc/cron.d/at.deny' + - 'f:/etc/cron.d/cron.allow' + - 'f:/etc/cron.d/cron.allow -> !r:^root$' + - 'f:/etc/cron.d/at.allow' + - 'not f:/etc/cron.d/at.allow -> !r:^# && r:\w' + + - id: 11534 + title: "Restrict root Login to System Console" + description: "Privileged access to the system via root must be accountable to a particular user." 
+ rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems." + remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login" + compliance: + - cis: "6.14" + condition: none + rules: + - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console' + + - id: 11535 + title: "Set Retry Limit for Account Lockout" + description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name." + rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user." 
+ remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle"
+ compliance:
+ - cis: "6.15"
+ condition: all
+ rules:
+ - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3'
+ - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\pyes'
+
+ - id: 11536
+ title: "Secure the GRUB Menu (Intel)"
+ description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console."
+ rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
+ remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub grub> md5crypt Password: [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)] The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above] Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe lock"
+ compliance:
+ - cis: "6.17"
+ condition: all
+ rules:
+ - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5'
 # 7 User Accounts and Environment
- - id: 11537
- title: "Set Password Expiration Parameters on Active Accounts"
- description: "The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password."
- rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires.
Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
- remediation: "Perform the following to implement the recommended state: # logins -ox | awk -F: '($1 == \"root\" || $8 == \"LK\" || $8 == \"NL\") { next } ; { $cmd = \"passwd\" } ; ($11 91) { $cmd = $cmd \" -x 91\" } ($10 < 7) { $cmd = $cmd \" -n 7\" } ($12 < 28) { $cmd = $cmd \" -w 28\" } ($cmd != \"passwd\") { print $cmd \" \" $1 }' > /etc/CISupd_accounts # /sbin/sh /etc/CISupd_accounts # rm -f /etc/CISupd_accounts # cd /etc/default # grep -v WEEKS passwd > passwd.CIS # cat <> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults # mv passwd.CIS passwd"
- compliance:
- - cis: "7.1"
- condition: all
- rules:
- - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'
- - 'f:/etc/default/passwd -> r:^minweeks\p1'
- - 'f:/etc/default/passwd -> !r:^warnweeks\p4'
-
- - id: 11538
- title: "Set Strong Password Creation Policies"
- description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user."
- rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2.
Consult your local security rules for guidance."
- remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd"
- compliance:
- - cis: "7.2"
- condition: all
- rules:
- - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8'
- - 'f:/etc/default/passwd -> r:^namecheck\pyes'
- - 'f:/etc/default/passwd -> n:^history\p(\d+) compare >= 10'
- - 'f:/etc/default/passwd -> n:^mindiff\p(\d+) compare >= 3'
- - 'f:/etc/default/passwd -> n:^minalpha\p(\d+) compare >= 2'
- - 'f:/etc/default/passwd -> n:^minupper\p(\d+) compare >= 1'
- - 'f:/etc/default/passwd -> n:^minlower\p(\d+) compare >= 1'
- - 'f:/etc/default/passwd -> n:^minnonalpha\p(\d+) compare >= 1'
- - 'f:/etc/default/passwd -> r:^maxrepeats\p0'
- - 'f:/etc/default/passwd -> r:^whitespace\pyes'
- - 'f:/etc/default/passwd -> r:^dictiondbdir\p/var/passwd'
- - 'f:/etc/default/passwd -> r:^dictionlist\p/usr/share/lib/dict/words'
-
- - id: 11539
- title: "Set Default umask for users"
- description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.)
in their home directories."
- rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
- remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login"
- compliance:
- - cis: "7.3"
- condition: none
- rules:
- - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077'
-
- - id: 11540
- title: "Set Default File Creation Mask for FTP Users"
- description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server."
- rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
- remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi"
- compliance:
- - cis: "7.4"
- condition: none
- rules:
- - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027'
-
- - id: 11541
- title: "Set \"mesg n\" as Default for All Users"
- description: "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device."
- rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
- remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done"
- compliance:
- - cis: "7.5"
- condition: none
- rules:
- - 'f:/etc/.login -> !r:^mesg\s*n'
- - 'f:/etc/profile -> !r:^mesg\s*n'
+ - id: 11537
+ title: "Set Password Expiration Parameters on Active Accounts"
+ description: "The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password."
+ rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
+ remediation: "Perform the following to implement the recommended state: # logins -ox | awk -F: '($1 == \"root\" || $8 == \"LK\" || $8 == \"NL\") { next } ; { $cmd = \"passwd\" } ; ($11 91) { $cmd = $cmd \" -x 91\" } ($10 < 7) { $cmd = $cmd \" -n 7\" } ($12 < 28) { $cmd = $cmd \" -w 28\" } ($cmd != \"passwd\") { print $cmd \" \" $1 }' > /etc/CISupd_accounts # /sbin/sh /etc/CISupd_accounts # rm -f /etc/CISupd_accounts # cd /etc/default # grep -v WEEKS passwd > passwd.CIS # cat <> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults # mv passwd.CIS passwd"
+ compliance:
+ - cis: "7.1"
+ condition: all
+ rules:
+ - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'
+ - 'f:/etc/default/passwd -> r:^minweeks\p1'
+ - 'f:/etc/default/passwd -> !r:^warnweeks\p4'
+
+ - id: 11538
+ title: "Set Strong Password Creation Policies"
+ description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user."
+ rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
+ remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd"
+ compliance:
+ - cis: "7.2"
+ condition: all
+ rules:
+ - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8'
+ - 'f:/etc/default/passwd -> r:^namecheck\pyes'
+ - 'f:/etc/default/passwd -> n:^history\p(\d+) compare >= 10'
+ - 'f:/etc/default/passwd -> n:^mindiff\p(\d+) compare >= 3'
+ - 'f:/etc/default/passwd -> n:^minalpha\p(\d+) compare >= 2'
+ - 'f:/etc/default/passwd -> n:^minupper\p(\d+) compare >= 1'
+ - 'f:/etc/default/passwd -> n:^minlower\p(\d+) compare >= 1'
+ - 'f:/etc/default/passwd -> n:^minnonalpha\p(\d+) compare >= 1'
+ - 'f:/etc/default/passwd -> r:^maxrepeats\p0'
+ - 'f:/etc/default/passwd -> r:^whitespace\pyes'
+ - 'f:/etc/default/passwd -> r:^dictiondbdir\p/var/passwd'
+ - 'f:/etc/default/passwd -> r:^dictionlist\p/usr/share/lib/dict/words'
+
+ - id: 11539
+ title: "Set Default umask for users"
+ description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
+ rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
+ remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login"
+ compliance:
+ - cis: "7.3"
+ condition: none
+ rules:
+ - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077'
+
+ - id: 11540
+ title: "Set Default File Creation Mask for FTP Users"
+ description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server."
+ rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
+ remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi"
+ compliance:
+ - cis: "7.4"
+ condition: none
+ rules:
+ - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027'
+
+ - id: 11541
+ title: "Set \"mesg n\" as Default for All Users"
+ description: "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device."
+ rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
+ remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done"
+ compliance:
+ - cis: "7.5"
+ condition: none
+ rules:
+ - 'f:/etc/.login -> !r:^mesg\s*n'
+ - 'f:/etc/profile -> !r:^mesg\s*n'
 # 8 Warning Banners
- - id: 11542
- title: "Create Warnings for Standard Login Services"
- description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices and also prior to logins via telnet and Secure Shell. The contents of the /etc/motd file are generally displayed after all successful logins, regardless from where the user is logging in."
- rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
- remediation: "Perform the following to implement the recommended state: # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/motd # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue"
- compliance:
- - cis: "8.1"
- condition: all
- rules:
- - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
- - 'f:/etc/motd -> r:Authorized users only.
All activity may be monitored and reported'
-
- - id: 11543
- title: "Enable a Warning Banner for the SSH Service"
- description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
- remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
- compliance:
- - cis: "8.2"
- condition: all
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
-
- - id: 11544
- title: "Enable a Warning Banner for the GNOME Service"
- description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific."
- rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
- remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue"
- compliance:
- - cis: "8.3"
- condition: all
- rules:
- - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.'
-
- - id: 11545
- title: "Enable a Warning Banner for the FTP service"
- description: "The action for this item sets a warning message for FTP users before they log in."
- rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system.
The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
- remediation: "Perform the following to implement the recommended state: # echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf # svcadm restart ftp"
- compliance:
- - cis: "8.4"
- condition: all
- rules:
- - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue'
-
- - id: 11546
- title: "Check that the Banner Setting for telnet is Null"
- description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system."
- rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
- remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd"
- compliance:
- - cis: "8.5"
- condition: all
- rules:
- - 'f:/etc/default/telnetd -> r:BANNER=$'
+ - id: 11542
+ title: "Create Warnings for Standard Login Services"
+ description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices and also prior to logins via telnet and Secure Shell. The contents of the /etc/motd file are generally displayed after all successful logins, regardless from where the user is logging in."
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
+ remediation: "Perform the following to implement the recommended state: # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/motd # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue"
+ compliance:
+ - cis: "8.1"
+ condition: all
+ rules:
+ - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
+ - 'f:/etc/motd -> r:Authorized users only. All activity may be monitored and reported'
+
+ - id: 11543
+ title: "Enable a Warning Banner for the SSH Service"
+ description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
+ remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
+ compliance:
+ - cis: "8.2"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
+
+ - id: 11544
+ title: "Enable a Warning Banner for the GNOME Service"
+ description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific."
+ rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
+ remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue"
+ compliance:
+ - cis: "8.3"
+ condition: all
+ rules:
+ - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.'
+
+ - id: 11545
+ title: "Enable a Warning Banner for the FTP service"
+ description: "The action for this item sets a warning message for FTP users before they log in."
+ rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
+ remediation: "Perform the following to implement the recommended state: # echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf # svcadm restart ftp"
+ compliance:
+ - cis: "8.4"
+ condition: all
+ rules:
+ - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue'
+
+ - id: 11546
+ title: "Check that the Banner Setting for telnet is Null"
+ description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system."
+ rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file.
As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
+ remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd"
+ compliance:
+ - cis: "8.5"
+ condition: all
+ rules:
+ - 'f:/etc/default/telnetd -> r:BANNER=$'
 # 9 System Maintenance
- - id: 11547
- title: "Verify System Account Default Passwords"
- description: "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts."
- rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
- remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l [username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N [username]"
- compliance:
- - cis: "9.3"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:lp && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:adm && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:bin && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:gdm && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:nobody && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:openldap && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:unknown && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:webservd && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:mysql && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:nuuc && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:postgres && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:smmsp && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:sys && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:uucp && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:dladm && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:ftp && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:netadm && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:svctag && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:xvm && !r::\p*LK\p*:'
- - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:'
- - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:'
-
- - id: 11548
- title: "Ensure Password Fields are Not Empty"
- description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)."
- rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked."
- remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini."
- compliance:
- - cis: "9.4"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
-
- - id: 11549
- title: "Verify No UID 0 Accounts Exist Other than root"
- description: "Any account with UID 0 has superuser rights on the system."
- rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
- remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
- compliance:
- - cis: "9.5"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
-
- - id: 11550
- title: "Ensure root PATH Integrity"
- description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly."
- rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
- remediation: "Correct or justify any items discovered in the Audit step."
- compliance:
- - cis: "9.6"
- condition: none
- rules:
- - 'f:/etc/profile -> r:.'
- - 'f:/etc/environment -> r:.'
- - 'f:/.profile -> r:.'
- - 'f:/.bash_profile -> r:.'
- - 'f:/.bashrc -> r:.'
- - 'f:/etc/profile -> r:::'
- - 'f:/etc/environment -> r:::'
- - 'f:/.profile -> r:::'
- - 'f:/.bash_profile -> r:::'
- - 'f:/.bashrc -> r:::'
- - 'f:/etc/profile -> r::$'
- - 'f:/etc/environment -> r::$'
- - 'f:/.profile -> r::$'
- - 'f:/.bash_profile -> r::$'
- - 'f:/.bashrc -> r::$'
-
- - id: 11551
- title: "Check for Presence of User .rhosts Files"
- description: "While no .rhosts files are shipped with Solaris, users can easily create them."
- rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
- remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy."
- compliance:
- - cis: "9.10"
- condition: none
- rules:
- - 'd:$home_dirs -> ^.rhosts$'
-
- - id: 11552
- title: "Check That Users Are Assigned Home Directories"
- description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set."
- rationale: "All users must be assigned a home directory in passwd(4)."
- remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
- compliance:
- - cis: "9.12"
- condition: none
- rules:
- - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*'
-
- - id: 11553
- title: "Check for Presence of User .netrc Files"
- description: "The .netrc file contains data for logging into a remote host for file transfers via FTP."
- rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form."
- remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy."
- compliance:
- - cis: "9.20"
- condition: none
- rules:
- - 'd:$home_dirs -> ^.netrc$'
-
- - id: 11554
- title: "Check for Presence of User .forward Files"
- description: "The .forward file specifies an email address to which a user's mail is forwarded."
- rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions."
- remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy."
- compliance:
- - cis: "9.21"
- condition: none
- rules:
- - 'd:$home_dirs -> ^.forward$'
+ - id: 11547
+ title: "Verify System Account Default Passwords"
+ description: "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts."
+ rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. 
This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
+ remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l [username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N [username]"
+ compliance:
+ - cis: "9.3"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:lp && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:adm && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:bin && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:gdm && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:nobody && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:openldap && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:unknown && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:webservd && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:mysql && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:nuuc && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:postgres && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:smmsp && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:sys && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:uucp && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:dladm && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:ftp && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:netadm && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:svctag && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:xvm && !r::\p*LK\p*:'
+ - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:'
+ - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:'
+
+ - id: 11548
+ title: "Ensure Password Fields are Not Empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)."
+ rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked."
+ remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini."
+ compliance:
+ - cis: "9.4"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
+
+ - id: 11549
+ title: "Verify No UID 0 Accounts Exist Other than root"
+ description: "Any account with UID 0 has superuser rights on the system."
+ rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
+ remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
+ compliance:
+ - cis: "9.5"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
+
+ - id: 11550
+ title: "Ensure root PATH Integrity"
+ description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly."
+ rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
+ remediation: "Correct or justify any items discovered in the Audit step."
+ compliance:
+ - cis: "9.6"
+ condition: none
+ rules:
+ - 'f:/etc/profile -> r:.'
+ - 'f:/etc/environment -> r:.'
+ - 'f:/.profile -> r:.'
+ - 'f:/.bash_profile -> r:.'
+ - 'f:/.bashrc -> r:.'
+ - 'f:/etc/profile -> r:::'
+ - 'f:/etc/environment -> r:::'
+ - 'f:/.profile -> r:::'
+ - 'f:/.bash_profile -> r:::'
+ - 'f:/.bashrc -> r:::'
+ - 'f:/etc/profile -> r::$'
+ - 'f:/etc/environment -> r::$'
+ - 'f:/.profile -> r::$'
+ - 'f:/.bash_profile -> r::$'
+ - 'f:/.bashrc -> r::$'
+
+ - id: 11551
+ title: "Check for Presence of User .rhosts Files"
+ description: "While no .rhosts files are shipped with Solaris, users can easily create them."
+ rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
+ remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy."
+ compliance:
+ - cis: "9.10"
+ condition: none
+ rules:
+ - 'd:$home_dirs -> ^.rhosts$'
+
+ - id: 11552
+ title: "Check That Users Are Assigned Home Directories"
+ description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set."
+ rationale: "All users must be assigned a home directory in passwd(4)."
+ remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
+ compliance:
+ - cis: "9.12"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*'
+
+ - id: 11553
+ title: "Check for Presence of User .netrc Files"
+ description: "The .netrc file contains data for logging into a remote host for file transfers via FTP."
+ rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form."
+ remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy."
+ compliance:
+ - cis: "9.20"
+ condition: none
+ rules:
+ - 'd:$home_dirs -> ^.netrc$'
+
+ - id: 11554
+ title: "Check for Presence of User .forward Files"
+ description: "The .forward file specifies an email address to which a user's mail is forwarded."
+ rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions."
+ remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy."
+ compliance:
+ - cis: "9.21"
+ condition: none
+ rules:
+ - 'd:$home_dirs -> ^.forward$'
diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml
index de57689d5..b76d3f2c7 100644
--- a/sca/windows/acsc_office2016_rcl.yml
+++ b/sca/windows/acsc_office2016_rcl.yml
@@ -25,688 +25,688 @@ requirements: description: "Requirements for running the CIS benchmark against Office 2016" condition: "any required" rules: - - 'r:HKLM\Software\Microsoft\Office\16.0\Word\InstallRoot::Path' + - 'r:HKLM\Software\Microsoft\Office\16.0\Word\InstallRoot::Path' checks: # ACSC - Attack Surface Reduction - - id: 10000 - title: "Ensure Attack Surface Reduction is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' - - - id: 10001 - title: "Ensure 'Block executable content from email client and webmail' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' - - - id: 10002 - title: "Ensure 'block Office applications from creating child processes' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' - - - id: 10003 - title: "Ensure 'block Office applications from creating executable content' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' - - - id: 10004 - title: "Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' - - - id: 10005 - title: "Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' - - - id: 10006 - title: "Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' - - - id: 10007 - title: "Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' + - id: 10000 + title: "Ensure Attack Surface Reduction is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' + + - id: 10001 + title: "Ensure 'Block executable content from email client and webmail' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' + + - id: 10002 + title: "Ensure 'block Office applications from creating child processes' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' + + - id: 10003 + title: "Ensure 'block Office applications from creating executable content' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' + + - id: 10004 + title: "Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' + + - id: 10005 + title: "Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' + + - id: 10006 + title: "Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' + + - id: 10007 + title: "Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'" + description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' # ACSC - Active X - - id: 10008 - title: "Ensure 'Disable All Active X' is set to 'Enabled'" - description: "While ActiveX controls can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, ActiveX controls should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> 1' + - id: 10008 + title: "Ensure 'Disable All Active X' is set to 'Enabled'" + description: "While ActiveX controls can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, ActiveX controls should be disabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> 1' # ACSC - Add-ins - - id: 10009 - title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Excel" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> 1' - - - id: 10010 - title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Excel" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> 1' - - - id: 10011 - title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for PowerPoint" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> 1' - - - id: 10012 - title: "Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> 1' - - - id: 10013 - title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Word" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> 1' - - - id: 10014 - title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Word" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> 1' + - id: 10009 + title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Excel" + description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> 1' + + - id: 10010 + title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Excel" + description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> 1' + + - id: 10011 + title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for PowerPoint" + description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> 1' + + - id: 10012 + title: "Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint" + description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> 1' + + - id: 10013 + title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Word" + description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> 1' + + - id: 10014 + title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Word" + description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> 1' # ACSC - Extension Hardening - - id: 10015 - title: "Ensure if Extension Hardening functionality in Microsoft Excel is enabled" - description: "Extension Hardening mitigates a number of scenarios whereby an adversary would deceive users into opening malicious Microsoft Excel files. By default, users will be warned when file content or MIME type doesn’t match the file extension;however, users can still allow such files to open. As such, it is important that only Microsoft Excel files that pass integrity checks are allowed to be opened. To reduce this risk, Extension Hardening functionality should be enabled for Microsoft Excel." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> 2' + - id: 10015 + title: "Ensure if Extension Hardening functionality in Microsoft Excel is enabled" + description: "Extension Hardening mitigates a number of scenarios whereby an adversary would deceive users into opening malicious Microsoft Excel files. By default, users will be warned when file content or MIME type doesn’t match the file extension;however, users can still allow such files to open. As such, it is important that only Microsoft Excel files that pass integrity checks are allowed to be opened. To reduce this risk, Extension Hardening functionality should be enabled for Microsoft Excel." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> 2' # ACSC - File Type Blocking - - id: 10016 - title: "Ensure dBase III / IV files are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> 2' - - - id: 10017 - title: "Ensure Dif and Sylk files are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> 2' - - - id: 10018 - title: "Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> 2' - - - id: 10019 - title: "Ensure Excel 2 worksheets are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> 2' - - - id: 10020 - title: "Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> 2' - - - id: 10021 - title: "Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> 2' - - - id: 10022 - title: "Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> 2' - - - id: 10023 - title: "Ensure Excel 4 workbooks are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> 2' - - - id: 10024 - title: "Ensure Excel 4 worksheets are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> 2' - - - id: 10025 - title: "Ensure Excel 95 workbooks are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> 2' - - - id: 10026 - title: "Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> 2' - - - id: 10027 - title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> 0' - - - id: 10028 - title: "Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> 2' + - id: 10016 + title: "Ensure dBase III / IV files are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> 2' + + - id: 10017 + title: "Ensure Dif and Sylk files are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles' + - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\excel\\security\\fileblock ->\tdifandsylkfiles -> 2" + + - id: 10018 + title: "Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> 2' + + - id: 10019 + title: "Ensure Excel 2 worksheets are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets' + - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\excel\\security\\fileblock ->\txl2worksheets -> 2" + + - id: 10020 + title: "Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> 2' + + - id: 10021 + title: "Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> 2' + + - id: 10022 + title: "Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> 2' + + - id: 10023 + title: "Ensure Excel 4 workbooks are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> 2' + + - id: 10024 + title: "Ensure Excel 4 worksheets are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> 2' + + - id: 10025 + title: "Ensure Excel 95 workbooks are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> 2' + + - id: 10026 + title: "Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> 2' + + - id: 10027 + title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> 0' + + - id: 10028 + title: "Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel" + description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
+ condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles' + - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\excel\\security\\fileblock ->\thtmlandxmlssfiles -> 2" # CIS 2.22 - Office Converters - - id: 10029 - title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled" - description: "This policy setting controls whether users with the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats installed can open Office Open XML files saved with pre-release versions of PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. The recommended state for this setting is: Enabled." - rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. 
User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter" - compliance: - - cis: "2.22.1" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> 2' + - id: 10029 + title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled" + description: "This policy setting controls whether users with the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats installed can open Office Open XML files saved with pre-release versions of PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. The recommended state for this setting is: Enabled." + rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. 
If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality." + remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter" + compliance: + - cis: "2.22.1" + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> 2' # ACSC - File Type Blocking (Cont'd) - - id: 10030 - title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> 0' - - - id: 10031 - title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> 0' - - - id: 10032 - title: "Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> 2' - - - id: 10033 - title: "Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> 2' - - - id: 10034 - title: "Ensure Word 95 binary documents and templates are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> 2'
-
- - id: 10035
- title: "Ensure Word 97 binary documents and templates are blocked in Microsoft Word"
- description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> 2'
+ - id: 10030
+ title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint"
+ description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> 0'
+
+ - id: 10031
+ title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word"
+ description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> 0'
+
+ - id: 10032
+ title: "Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word"
+ description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: any
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> 2'
+
+ - id: 10033
+ title: "Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word"
+ description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> 2'
+
+ - id: 10034
+ title: "Ensure Word 95 binary documents and templates are blocked in Microsoft Word"
+ description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> 2'
+
+ - id: 10035
+ title: "Ensure Word 97 binary documents and templates are blocked in Microsoft Word"
+ description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> 2'
 # ACSC - Hidden Markup
- - id: 10036
- title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint"
- description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> 1'
-
- - id: 10037
- title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word"
- description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> 1'
+ - id: 10036
+ title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint"
+ description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> 1'
+
+ - id: 10037
+ title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word"
+ description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> 1'
 # ACSC - Office File Validation
- - id: 10038
- title: "Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office"
- description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> 1'
-
- - id: 10039
- title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel"
- description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> 1'
-
- - id: 10040
- title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint"
- description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> 1'
-
- - id: 10041
- title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word"
- description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> 1'
+ - id: 10038
+ title: "Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office"
+ description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> 1'
+
+ - id: 10039
+ title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel"
+ description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> 1'
+
+ - id: 10040
+ title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint"
+ description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> 1'
+
+ - id: 10041
+ title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word"
+ description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> 1'
 # ACSC - Protected View
- - id: 10042
- title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> 0'
-
- - id: 10043
- title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> 0'
-
- - id: 10044
- title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> 0'
-
- - id: 10045
- title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> 0'
-
- - id: 10046
- title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> 0'
-
- - id: 10047
- title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> 0'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv'
-
- - id: 10048
- title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> 0'
-
- - id: 10049
- title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: any
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> 0'
-
- - id: 10050
- title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> 0'
-
- - id: 10051
- title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> 0'
-
- - id: 10052
- title: "Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> 0'
-
- - id: 10053
- title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word"
- description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
- references:
- - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> 0'
+ - id: 10042
+ title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel"
+ description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
+ references:
+ - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> 0'
+
+ - id: 10043
+ title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel"
+ description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office."
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> 0' + + - id: 10044 + title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> 0' + + - id: 10045 + title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. 
However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> 0' + + - id: 10046 + title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> 0' + + - id: 10047 + title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> 0' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv' + + - id: 10048 + title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. 
However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> 0' + + - id: 10049 + title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: any + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> 0' + + - id: 10050 + title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> 0' + + - id: 10051 + title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. 
However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> 0' + + - id: 10052 + title: "Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> 0' + + - id: 10053 + title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word" + description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> 0' # ACSC - Trusted Documents - - id: 10054 - title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> 1' - - - id: 10055 - title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> 1' - - - id: 10056 - title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> 1' - - - id: 10057 - title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments -> 1' - - - id: 10058 - title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> 1' - - - id: 10059 - title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> 1' + - id: 10054 + title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel" + description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> 1' + + - id: 10055 + title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel" + description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> 1' + + - id: 10056 + title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint" + description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> 1' + + - id: 10057 + title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint" + description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments -> 1' + + - id: 10058 + title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word" + description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
+ references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> 1' + + - id: 10059 + title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word" + description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." + references: + - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> 1' # CIS 2.24 - Privacy - - id: 10060 - title: "Ensure 'Disable Opt-in Wizard on First Run' is set to Enabled" - description: "This policy setting controls whether users see the Opt-in Wizard the first time they run a Microsoft Office application. The recommended state for this setting is: Enabled." - rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies." 
- remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run" - compliance: - - cis: "2.24.1.1" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> 1' - - - id: 10061 - title: "Ensure 'Enable Customer Experience Improvement Program' is set to Disabled" - description: "This policy setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office. When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. The recommended state for this setting is: Disabled" - rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. 
If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program" - compliance: - - cis: "2.24.1.2" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> 0' - - - id: 10062 - title: "Ensure 'Allow including screenshot with Office Feedback' is set to Disabled" - description: "This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled." - rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback" - compliance: - - cis: "2.24.1.3" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> 0' - - - id: 10063 - title: "Ensure 'Send Office Feedback' is set to Disabled" - description: "This policy setting manages the Office Feedback Tool (a.k.a. Send a Smile). 
The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled." - rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback" - compliance: - - cis: "2.24.1.4" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> 0' - - - id: 10064 - title: "Ensure 'Send personal information' is set to Disabled" - description: "This policy setting controls whether users can send personal information to Office. When users choose to send information Office applications automatically send information to Office." - rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information" - compliance: - - cis: "2.24.1.5" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> 0' - - - id: 10065 - title: "Ensure Set 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled" - description: "This policy setting controls whether Microsoft Office Diagnostics is enabled. 
Office Diagnostics enables Microsoft to diagnose system problems by periodically downloading a small file to the computer. If you enable this policy setting, Office Diagnostics collects information about specific errors and the IP address of the computer. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. If you disable this policy setting, users will not receive updates from Office Diagnostics. If you do not configure this policy setting, this policy setting is not enabled, but users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run an Office application. The recommended state for this setting is: Disabled." - rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. 
User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability" - compliance: - - cis: "2.24.1.6" - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> 0' + - id: 10060 + title: "Ensure 'Disable Opt-in Wizard on First Run' is set to Enabled" + description: "This policy setting controls whether users see the Opt-in Wizard the first time they run a Microsoft Office application. The recommended state for this setting is: Enabled." + rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies." + remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run" + compliance: + - cis: "2.24.1.1" + condition: all + rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin' + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> 1' + + - id: 10061 + title: "Ensure 'Enable Customer Experience Improvement Program' is set to Disabled" + description: "This policy setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office. 
When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. The recommended state for this setting is: Disabled"
+ rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies."
+ remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. 
User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program"
+ compliance:
+ - cis: "2.24.1.2"
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> 0'
+
+ - id: 10062
+ title: "Ensure 'Allow including screenshot with Office Feedback' is set to Disabled"
+ description: "This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled."
+ rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
+ remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback"
+ compliance:
+ - cis: "2.24.1.3"
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
+ - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\common\\feedback -> \tincludescreenshot -> 0"
+
+ - id: 10063
+ title: "Ensure 'Send Office Feedback' is set to Disabled"
+ description: "This policy setting manages the Office Feedback Tool (a.k.a. Send a Smile). The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled."
+ rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
+ remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback"
+ compliance:
+ - cis: "2.24.1.4"
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> 0'
+
+ - id: 10064
+ title: "Ensure 'Send personal information' is set to Disabled"
+ description: "This policy setting controls whether users can send personal information to Office. When users choose to send information Office applications automatically send information to Office."
+ rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
+ remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information"
+ compliance:
+ - cis: "2.24.1.5"
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> 0'
+
+ - id: 10065
+ title: "Ensure Set 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled"
+ description: "This policy setting controls whether Microsoft Office Diagnostics is enabled. Office Diagnostics enables Microsoft to diagnose system problems by periodically downloading a small file to the computer. 
If you enable this policy setting, Office Diagnostics collects information about specific errors and the IP address of the computer. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. If you disable this policy setting, users will not receive updates from Office Diagnostics. If you do not configure this policy setting, this policy setting is not enabled, but users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run an Office application. The recommended state for this setting is: Disabled."
+ rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies."
+ remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. 
User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
+ compliance:
+ - cis: "2.24.1.6"
+ condition: all
+ rules:
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> 0'
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index a812352b7..0886e3336 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -23,3121 +23,3121 @@ requirements:
 description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows 10"
 condition: "any required"
 rules:
- - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'
+ - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'
 checks:
 # 2.3 Security Options
- - id: 12000
- title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
- description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
- rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
- compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> r:^3$'
-
- - id: 12001
- title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
- description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. 
If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
- rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
- compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
-
- - id: 12002
- title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
- description: "This policy setting determines whether the system shuts down if it is unable to log Security events. 
It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
- rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
- compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
-
- - id: 12003
- title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
- description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
- rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
- compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
-
- - id: 12004
- title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'"
- description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users."
- rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
- compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
-
- - id: 12005
- title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
- description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
- compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
-
- - id: 12006
- title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
- description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
- compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
-
- - id: 12007
- title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
- description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
- compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
-
- - id: 12008
- title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
- description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled"
- rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
- remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
- compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
-
- - id: 12009
- title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
- description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
- rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. 
The data can be modified to hide or change the sender, or be redirected.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
- compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
-
- - id: 12010
- title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
- description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
- rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
- compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
-
- - id: 12011
- title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
- description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
- rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
- compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
-
- - id: 12012
- title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
- description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit"
- rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
- compliance:
- - cis: "2.3.7.4"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
- - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
-
- - id: 12013
- title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
- description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
- rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
- remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
- compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14'
-
- - id: 12014
- title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
- description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
- rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
- compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
-
- - id: 12015
- title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
- description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \"Microsoft network client and server: Digitally sign communications (four related settings)\" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. 
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" - compliance: - - cis: "2.3.8.1" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - - - id: 12016 - title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" - description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. 
SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" - compliance: - - cis: "2.3.8.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - - id: 12017 - title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" - description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." - rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" - compliance: - - cis: "2.3.8.3" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - - id: 12018 - title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" - description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." - rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session" - compliance: - - cis: "2.3.9.1" - - cis_csc: "3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' - - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - - id: 12019 - title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" - description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)" - compliance: - - cis: "2.3.9.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - - id: 12020 - title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" - description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. 
If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)" - compliance: - - cis: "2.3.9.3" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - - id: 12021 - title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" - description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." - rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire" - compliance: - - cis: "2.3.9.4" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - - - id: 12022 - title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" - description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark." - rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level" - compliance: - - cis: "2.3.9.5" - - cis_csc: "14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1' - - - id: 12023 - title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" - description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." - rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts" - compliance: - - cis: "2.3.10.2" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1' - - - id: 12024 - title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" - description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers" - rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares" - compliance: - - cis: "2.3.10.3" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' - - - id: 12025 - title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" - description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." - rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication" - compliance: - - cis: "2.3.10.4" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' - - - id: 12026 - title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" - description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." - rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" - compliance: - - cis: "2.3.10.5" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' - - - id: 12027 - title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" - description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)." 
- rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" - compliance: - - cis: "2.3.10.6" - - cis_csc: "14.1, 14.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None' - - - id: 12028 - title: "Ensure 'Network access: Remotely accessible registry paths'" - description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)." - rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" - compliance: - - cis: "2.3.10.7" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' - - - id: 12029 - title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'" - description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. 
It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog" - rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths" - compliance: - - cis: "2.3.10.8" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog' - - - id: 12030 - title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" - description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named 
in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled" - rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" - compliance: - - cis: "2.3.10.9" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - - - id: 12031 - title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" - description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy." - rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM" - compliance: - - cis: "2.3.10.10" - - cis_csc: "5.1, 9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)' - - - id: 12032 - title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" - description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." - rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data" - remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. 
None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" - compliance: - - cis: "2.3.10.11" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None' - - - id: 12033 - title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" - description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." - rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. 
Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." - remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" - compliance: - - cis: "2.3.10.12" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - - - id: 12034 - title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" - description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." - rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
- compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
-
- - id: 12035
- title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
- description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled"
- rationale: "NULL sessions are less secure because by definition they are unauthenticated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
- compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
-
- - id: 12036
- title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
- description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP).
The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
- rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
- compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
-
- - id: 12037
- title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
- description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting"
- rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
- remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
- compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
-
- - id: 12038
- title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
- description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled"
- rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
- compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
-
- - id: 12039
- title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
- description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
- rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled.
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
- compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
-
- - id: 12040
- title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
- description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only.
Refuse LM & NTLM"
- rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only.
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
- compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
-
- - id: 12041
- title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
- description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
- rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
- compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
-
- - id: 12042
- title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
- rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
- compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
-
- - id: 12043
- title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
- rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
- compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
-
- - id: 12044
- title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
- description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
- rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters.
Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems"
- compliance:
- - cis: "2.3.15.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
-
- - id: 12045
- title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
- rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g.
Symbolic Links)"
- compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4, 14.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
-
- - id: 12046
- title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
- compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
-
- - id: 12047
- title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
- description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
- rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
- compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
-
- - id: 12048
- title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
- rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
- compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
-
- - id: 12049
- title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
- compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
-
- - id: 12050
- title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
- rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell.
The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
- compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
-
- - id: 12051
- title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
- rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator.
This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
- compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
-
- - id: 12052
- title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
- rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
- compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
-
- - id: 12053
- title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
- rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation" - compliance: - - cis: "2.3.17.8" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1' - - - id: 12054 - title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" - description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled." - rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations" - compliance: - - cis: "2.3.17.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' + - id: 12000 + title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts." + rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts" + compliance: + - cis: "2.3.1.2" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> r:^3$' + + - id: 12001 + title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled." + rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" + compliance: + - cis: "2.3.1.4" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' + + - id: 12002 + title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. 
Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled." + rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" + compliance: + - cis: "2.3.2.1" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' + + - id: 12003 + title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. 
When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled." + rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" + compliance: + - cis: "2.3.2.2" + - cis_csc: "6" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' + + - id: 12004 + title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'" + description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users." + rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" + compliance: + - cis: "2.3.4.1" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' + + - id: 12005 + title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" + compliance: + - cis: "2.3.6.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' + + - id: 12006 + title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" + compliance: + - cis: "2.3.6.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' + + - id: 12007 + title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" + compliance: + - cis: "2.3.6.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' + + - id: 12008 + title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled" + rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." 
+ remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" + compliance: + - cis: "2.3.6.4" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' + + - id: 12009 + title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." + rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. 
The data can be modified to hide or change the sender, or be redirected.)" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" + compliance: + - cis: "2.3.6.6" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' + + - id: 12010 + title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" + description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." + rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name" + compliance: + - cis: "2.3.7.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' + + - id: 12011 + title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." + rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" + compliance: + - cis: "2.3.7.2" + - cis_csc: "8" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' + + - id: 12012 + title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit" + rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit" + compliance: + - cis: "2.3.7.4" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs' + - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' + + - id: 12013 + title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." + rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" + compliance: + - cis: "2.3.7.8" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14' + + - id: 12014 + title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." + rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" + compliance: + - cis: "2.3.7.9" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$' + + - id: 12015 + title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \"Microsoft network client and server: Digitally sign communications (four related settings)\" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. 
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" + compliance: + - cis: "2.3.8.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' + + - id: 12016 + title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. 
SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" + compliance: + - cis: "2.3.8.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' + + - id: 12017 + title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." + rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" + compliance: + - cis: "2.3.8.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' + + - id: 12018 + title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" + description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." + rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+ compliance:
+ - cis: "2.3.9.1"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+ - id: 12019
+ title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
+ compliance:
+ - cis: "2.3.9.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+ - id: 12020
+ title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
+ description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. 
If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
+ compliance:
+ - cis: "2.3.9.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+ - id: 12021
+ title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
+ description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+ rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
+ compliance:
+ - cis: "2.3.9.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+ - id: 12022
+ title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
+ description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark."
+ rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
+ compliance:
+ - cis: "2.3.9.5"
+ - cis_csc: "14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
+
+ - id: 12023
+ title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
+ description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+ rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
+ compliance:
+ - cis: "2.3.10.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+ - id: 12024
+ title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
+ description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers"
+ rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
+ compliance:
+ - cis: "2.3.10.3"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+ - id: 12025
+ title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
+ description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+ rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ compliance:
+ - cis: "2.3.10.4"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+ - id: 12026
+ title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
+ description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+ rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+ compliance:
+ - cis: "2.3.10.5"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+ - id: 12027
+ title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'"
+ description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)."
+ rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
+ compliance:
+ - cis: "2.3.10.6"
+ - cis_csc: "14.1, 14.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None'
+
+ - id: 12028
+ title: "Ensure 'Network access: Remotely accessible registry paths'"
+ description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)."
+ rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
+ compliance:
+ - cis: "2.3.10.7"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+ - id: 12029
+ title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
+ description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. 
It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog"
+ rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths"
+ compliance:
+ - cis: "2.3.10.8"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog'
+
+ - id: 12030
+ title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+ description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named 
in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled"
+ rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+ compliance:
+ - cis: "2.3.10.9"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+ - id: 12031
+ title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
+ description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy."
+ rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
+ compliance:
+ - cis: "2.3.10.10"
+ - cis_csc: "5.1, 9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
+
+ - id: 12032
+ title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+ description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
+ rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. 
None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+ compliance:
+ - cis: "2.3.10.11"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None'
+
+ - id: 12033
+ title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+ description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+ rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. 
Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+ compliance:
+ - cis: "2.3.10.12"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+ - id: 12034
+ title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
+ description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+ rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
+ compliance:
+ - cis: "2.3.11.1"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+ - id: 12035
+ title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
+ description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled"
+ rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
+ compliance:
+ - cis: "2.3.11.2"
+ - cis_csc: "14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+ - id: 12036
+ title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
+ description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). 
The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+ rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
+ compliance:
+ - cis: "2.3.11.3"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+ - id: 12037
+ title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
+ description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting"
+ rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
+ compliance:
+ - cis: "2.3.11.4"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
+
+ - id: 12038
+ title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+ description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled"
+ rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+ compliance:
+ - cis: "2.3.11.5"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+ - id: 12039
+ title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
+ description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
+ rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
+ compliance:
+ - cis: "2.3.11.6"
+ - cis_csc: "16"
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+ - id: 12040
+ title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
+ description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. 
Refuse LM & NTLM"
+ rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. 
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+ compliance:
+ - cis: "2.3.11.7"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+ - id: 12041
+ title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+ description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+ rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+ compliance:
+ - cis: "2.3.11.8"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
+
+ - id: 12042
+ title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ compliance:
+ - cis: "2.3.11.9"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+ - id: 12043
+ title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ compliance:
+ - cis: "2.3.11.10"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+ - id: 12044
+ title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+ description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+ rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. 
Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems"
+ compliance:
+ - cis: "2.3.15.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+ - id: 12045
+ title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)"
+ compliance:
+ - cis: "2.3.15.2"
+ - cis_csc: "14.4, 14.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+ - id: 12046
+ title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+ compliance:
+ - cis: "2.3.17.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+ - id: 12047
+ title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
+ description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
+ rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
+ compliance:
+ - cis: "2.3.17.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
+
+ - id: 12048
+ title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+ description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+ rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ compliance:
+ - cis: "2.3.17.3"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
+
+ - id: 12049
+ title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+ description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
+ compliance:
+ - cis: "2.3.17.4"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
+
+ - id: 12050
+ title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+ rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. 
The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+ compliance:
+ - cis: "2.3.17.5"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+ - id: 12051
+ title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
+ description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+ rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. 
This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+ compliance:
+ - cis: "2.3.17.6"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+ - id: 12052
+ title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+ rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+ compliance:
+ - cis: "2.3.17.7"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+ - id: 12053
+ title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+ description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+ rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+ compliance:
+ - cis: "2.3.17.8"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+ - id: 12054
+ title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+ description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled."
+ rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
+ compliance:
+ - cis: "2.3.17.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
 # 5 System Services
- - id: 12055
- title: "Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
- description: "Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. The recommended state for this setting is: Disabled or Not Installed. Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS File Sharing Support optional feature. As a result, removing that feature (highly recommended unless backward compatibility is needed to XP/2003 and older Windows OSes - see Stop using SMB1 | Storage at Microsoft) will also remediate this recommendation. The feature is not installed by default starting with Windows 10 R1709."
- rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Computer Browser"
- compliance:
- - cis: "5.3"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> 4'
-
- - id: 12056
- title: "Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'"
- description: "Makes local computer changes associated with configuration and maintenance of the HomeGroup-joined computer. The recommended state for this setting is: Disabled."
- rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\HomeGroup Listener"
- compliance:
- - cis: "5.6"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> 4'
-
- - id: 12057
- title: "Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'"
- description: "Performs networking tasks associated with configuration and maintenance of HomeGroups. The recommended state for this setting is: Disabled."
- rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\HomeGroup Provider"
- compliance:
- - cis: "5.7"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> 4'
-
- - id: 12058
- title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
- description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
- rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
- compliance:
- - cis: "5.8"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4'
-
- - id: 12059
- title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'"
- description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled"
- rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
- compliance:
- - cis: "5.9"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
-
- - id: 12060
- title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'"
- description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled."
- rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. 
This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
- compliance:
- - cis: "5.10"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
-
- - id: 12061
- title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
- description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)."
- rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
- compliance:
- - cis: "5.12"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4'
-
- - id: 12062
- title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
- description: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
- rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
- compliance:
- - cis: "5.13"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4'
-
- - id: 12063
- title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
- description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled." 
- rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
- compliance:
- - cis: "5.24"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
-
- - id: 12064
- title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
- description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled."
- rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
- compliance:
- - cis: "5.26"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
-
- - id: 12065
- title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'"
- description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. 
It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))."
- rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
- compliance:
- - cis: "5.28"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4'
-
- - id: 12066
- title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
- description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled."
- rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
- compliance:
- - cis: "5.30"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
-
- - id: 12067
- title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
- description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled."
- rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
- compliance:
- - cis: "5.31"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
-
- - id: 12068
- title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'"
- description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)." 
- rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
- compliance:
- - cis: "5.32"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4'
-
- - id: 12069
- title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'"
- description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed"
- rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
- compliance:
- - cis: "5.35"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
-
- - id: 12070
- title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
- description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled." 
- rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
- compliance:
- - cis: "5.36"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
-
- - id: 12071
- title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'"
- description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
- rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
- compliance:
- - cis: "5.41"
- - cis_csc: "9.1, 9.2"
- condition: any
- rules:
- - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4'
-
- - id: 12072
- title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
- description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled."
- rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
- compliance:
- - cis: "5.42"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
-
- - id: 12073
- title: "Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'"
- description: "This service supports Xbox Game Monitoring. The recommended state for this setting is: Disabled."
- rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring"
- compliance:
- - cis: "5.43"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4'
-
- - id: 12074
- title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
- description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled."
- rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
- compliance:
- - cis: "5.44"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
-
- - id: 12075
- title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
- description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled."
- rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
- compliance:
- - cis: "5.45"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
-
- - id: 12076
- title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
- description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled"
- rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
- compliance:
- - cis: "5.46"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
+ - id: 12055
+ title: "Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
+ description: "Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. The recommended state for this setting is: Disabled or Not Installed. Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS File Sharing Support optional feature. As a result, removing that feature (highly recommended unless backward compatibility is needed to XP/2003 and older Windows OSes - see Stop using SMB1 | Storage at Microsoft) will also remediate this recommendation. The feature is not installed by default starting with Windows 10 R1709." 
+ rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Computer Browser"
+ compliance:
+ - cis: "5.3"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> 4'
+
+ - id: 12056
+ title: "Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'"
+ description: "Makes local computer changes associated with configuration and maintenance of the HomeGroup-joined computer. The recommended state for this setting is: Disabled."
+ rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\HomeGroup Listener"
+ compliance:
+ - cis: "5.6"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> 4'
+
+ - id: 12057
+ title: "Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'"
+ description: "Performs networking tasks associated with configuration and maintenance of HomeGroups. The recommended state for this setting is: Disabled."
+ rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\HomeGroup Provider"
+ compliance:
+ - cis: "5.7"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> 4'
+
+ - id: 12058
+ title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
+ description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. 
However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
+ rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
+ compliance:
+ - cis: "5.8"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4'
+
+ - id: 12059
+ title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'"
+ description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled"
+ rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
+ compliance:
+ - cis: "5.9"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
+
+ - id: 12060
+ title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'"
+ description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled."
+ rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
+ compliance:
+ - cis: "5.10"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
+
+ - id: 12061
+ title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
+ description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. 
It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)."
+ rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
+ compliance:
+ - cis: "5.12"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4'
+
+ - id: 12062
+ title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
+ description: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
+ rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
+ compliance:
+ - cis: "5.13"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4'
+
+ - id: 12063
+ title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
+ description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled."
+ rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
+ compliance:
+ - cis: "5.24"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
+
+ - id: 12064
+ title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
+ description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled."
+ rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
+ compliance:
+ - cis: "5.26"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
+
+ - id: 12065
+ title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'"
+ description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))."
+ rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
+ compliance:
+ - cis: "5.28"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4'
+
+ - id: 12066
+ title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
+ description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled." 
+ rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
+ compliance:
+ - cis: "5.30"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
+
+ - id: 12067
+ title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
+ description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled."
+ rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
+ compliance:
+ - cis: "5.31"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
+
+ - id: 12068
+ title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'"
+ description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)."
+ rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
+ compliance:
+ - cis: "5.32"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4'
+
+ - id: 12069
+ title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'"
+ description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. 
The recommended state for this setting is: Disabled or Not Installed"
+ rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
+ compliance:
+ - cis: "5.35"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
+
+ - id: 12070
+ title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
+ description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled."
+ rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
+ compliance:
+ - cis: "5.36"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
+
+ - id: 12071
+ title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'"
+ description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. 
It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
+ rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
+ compliance:
+ - cis: "5.41"
+ - cis_csc: "9.1, 9.2"
+ condition: any
+ rules:
+ - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4'
+
+ - id: 12072
+ title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
+ description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled."
+ rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
+ compliance:
+ - cis: "5.42"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
+
+ - id: 12073
+ title: "Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'"
+ description: "This service supports Xbox Game Monitoring. The recommended state for this setting is: Disabled."
+ rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring"
+ compliance:
+ - cis: "5.43"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4'
+
+ - id: 12074
+ title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
+ description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled."
+ rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
+ compliance:
+ - cis: "5.44"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
+
+ - id: 12075
+ title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
+ description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled."
+ rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
+ compliance:
+ - cis: "5.45"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
+
+ - id: 12076
+ title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
+ description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled"
+ rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
+ compliance:
+ - cis: "5.46"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
 # 9 Windows Firewall with Advanced Security
- - id: 12077
- title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
- rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
- compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
-
- - id: 12078
- title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." 
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
- compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
-
- - id: 12079
- title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
- compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
-
- - id: 12080
- title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.1.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
-
- - id: 12081
- title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log"
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
-
- - id: 12082
- title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3, 6.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 12083
- title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 12084
- title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
-
- - id: 12085
- title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
- rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
- compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
-
- - id: 12086
- title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
- compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
-
- - id: 12087
- title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
- compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
-
- - id: 12088
- title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.2.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
-
- - id: 12089
- title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
-
- - id: 12090
- title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 12091
- title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 12092
- title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
-
- - id: 12093
- title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." 
- rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service"
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
- compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
-
- - id: 12094
- title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
- compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
-
- - id: 12095
- title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
- compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2, 9.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
-
- - id: 12096
- title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No"
- rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
-
- - id: 12097
- title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
- compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
-
- - id: 12098
- title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
- rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack"
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
- compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
-
- - id: 12099
- title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
-
- - id: 12100
- title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 12101
- title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 12102
- title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2, 6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 12077
+ title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+ compliance:
+ - cis: "9.1.1"
+ - cis_csc: "9.2, 9.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+ - id: 12078
+ title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+ compliance:
+ - cis: "9.1.2"
+ - cis_csc: "9.2, 9.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+ - id: 12079
+ title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default)."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+ compliance:
+ - cis: "9.1.3"
+ - cis_csc: "9.2, 9.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+ - id: 12080
+ title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.1.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
+
+ - id: 12081
+ title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log"
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.1.5"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
+
+ - id: 12082
+ title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.1.6"
+ - cis_csc: "6.3, 6.4"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 12083
+ title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.1.7"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 12084
+ title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
+ compliance:
+ - cis: "9.1.8"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+
+ - id: 12085
+ title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ compliance:
+ - cis: "9.2.1"
+ - cis_csc: "9.2, 9.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+ - id: 12086
+ title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+ compliance:
+ - cis: "9.2.2"
+ - cis_csc: "9.2, 9.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+ - id: 12087
+ title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+ compliance:
+ - cis: "9.2.3"
+ - cis_csc: "9.2, 9.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+ - id: 12088
+ title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.2.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+ - id: 12089
+ title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.2.5"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
+
+ - id: 12090
+ title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.2.6"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 12091
+ title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.2.7"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 12092
+ title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections" + compliance: + - cis: "9.2.8" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' + + - id: 12093 + title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." 
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service" + remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state" + compliance: + - cis: "9.3.1" + - cis_csc: "9.2, 9.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' + + - id: 12094 + title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." + rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections" + compliance: + - cis: "9.3.2" + - cis_csc: "9.2, 9.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' + + - id: 12095 + title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." + rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections" + compliance: + - cis: "9.3.3" + - cis_csc: "9.2, 9.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' + + - id: 12096 + title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No" + rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification" + compliance: + - cis: "9.3.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1' + + - id: 12097 + title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." + rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules" + compliance: + - cis: "9.3.5" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0' + + - id: 12098 + title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No." 
+ rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack" + remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules" + compliance: + - cis: "9.3.6" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' + + - id: 12099 + title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" + description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name" + compliance: + - cis: "9.3.7" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' + + - id: 12100 + title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)" + compliance: + - cis: "9.3.8" + - cis_csc: "6.3, 6.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' + + - id: 12101 + title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets" + compliance: + - cis: "9.3.9" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1' + + - id: 12102 + title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." + remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections" + compliance: + - cis: "9.3.10" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1' # 18 Administrative templates (Computer) - - id: 12103 - title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" - description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled." - rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera" - compliance: - - cis: "18.1.1.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1' - - - id: 12104 - title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" - description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled" - rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show" - compliance: - - cis: "18.1.1.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' - - - id: 12105 - title: "Ensure 'Allow input personalization' is set to 'Disabled'" - description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled." - rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow input personalization" - compliance: - - cis: "18.1.2.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0' - - - id: 12106 - title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
- rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." - remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll" - compliance: - - cis: "18.2.1" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll' - - - id: 12107 - title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. 
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." - rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy" - compliance: - - cis: "18.2.2" - - cis_csc: "16.2, 16.10" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1' - - - id: 12108 - title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. 
We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." - rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management" - compliance: - - cis: "18.2.3" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1' - - - id: 12109 - title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. 
LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." - rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings" - compliance: - - cis: "18.2.4" - - cis_csc: "5.7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4' - - - id: 12110 - title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. 
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." - rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings" - compliance: - - cis: "18.2.5" - - cis_csc: "5.7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15' - - - id: 12111 - title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. 
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." - rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
- compliance:
- - cis: "18.2.6"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
-
- - id: 12112
- title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
- description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1."
- rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons"
- compliance:
- - cis: "18.3.1"
- - cis_csc: "5.8, 4.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
-
- - id: 12113
- title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
- description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems"
- rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver"
- compliance:
- - cis: "18.3.2"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
-
- - id: 12114
- title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
- description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
- rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server"
- compliance:
- - cis: "18.3.3"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
-
- - id: 12115
- title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
- description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
- rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique.
This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP)"
- compliance:
- - cis: "18.3.4"
- - cis_csc: "8.4, 8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
-
- - id: 12116
- title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'"
- description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware."
- rationale: "This opt-in feature is free and could prevent malicious software from being installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications"
- compliance:
- - cis: "18.3.5"
- - cis_csc: "8.4, 8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1'
-
- - id: 12117
- title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
- description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server."
- rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997)"
- compliance:
- - cis: "18.3.6"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
-
- - id: 12118
- title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
- description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled.
If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group."
- rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)"
- compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
-
- - id: 12119
- title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network.
The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
- rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)"
- compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
-
- - id: 12120
- title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
- rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)"
- compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
-
- - id: 12121
- title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
- description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
- rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
- compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
-
- - id: 12122
- title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
- description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
- rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment.
The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
- compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
-
- - id: 12123
- title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
- description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
- rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)"
- compliance:
- - cis: "18.4.9"
- - cis_csc: "8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
-
- - id: 12124
- title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
- description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds"
- rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)"
- compliance:
- - cis: "18.4.10"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
-
- - id: 12125
- title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
- description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less."
- rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
- compliance:
- - cis: "18.4.13"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
-
- - id: 12126
- title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
- description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
- rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
- remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeTyp e"
- compliance:
- - cis: "18.5.4.1"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
-
- - id: 12127
- title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
- description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
- rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution"
- compliance:
- - cis: "18.5.4.2"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
-
- - id: 12128
- title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
- description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
- rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons"
- compliance:
- - cis: "18.5.8.1"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
-
- - id: 12129
- title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
- description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
- rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network"
- compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
-
- - id: 12130
- title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
- description: "Although this legacy setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
- rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network"
- compliance:
- - cis: "18.5.11.3"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
-
- - id: 12131
- title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
- description: "This policy setting determines whether to require domain users to elevate when setting a network's location.
The recommended state for this setting is: Enabled."
- rationale: "Allowing regular users to set a network location increases the risk and attack surface."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location"
- compliance:
- - cis: "18.5.11.4"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
-
- - id: 12132
- title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'"
- description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing"
- rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003).
A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths"
- compliance:
- - cis: "18.5.14.1"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
-
- - id: 12133
- title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
- description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled."
- rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain"
- compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
-
- - id: 12134
- title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
- description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
- rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network" - compliance: - - cis: "18.5.21.2" - - cis_csc: "12" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1' - - - id: 12135 - title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" - description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services.  Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.  Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.  Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled." - rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services" - compliance: - - cis: "18.5.23.2.1" - - cis_csc: "15.4, 15.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0' - - - id: 12136 - title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" - description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled." - rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" - compliance: - - cis: "18.8.3.1" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0' - - - id: 12137 - title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" - description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled." - rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials" - compliance: - - cis: "18.8.4.1" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1' - - - id: 12138 - title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" - description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." 
- rationale: "This policy setting helps reduce the impact of malware that has already infected your system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy" - compliance: - - cis: "18.8.14.1" - - cis_csc: "8" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3' - - - id: 12139 - title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" - description: "The \"Do not apply during periodic background processing\" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart." - rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing" - compliance: - - cis: "18.8.21.2" - - cis_csc: "3.7, 5.4, 5.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' - - - id: 12140 - title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" - description: "The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed." - rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing" - compliance: - - cis: "18.8.21.3" - - cis_csc: "3.7, 5.4, 5.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0' - - - id: 12141 - title: "Ensure 'Continue experiences on this device' is set to 'Disabled'" - description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences)." - rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device" - compliance: - - cis: "18.8.21.4" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0' - - - id: 12142 - title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" - description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers." 
- rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy" - compliance: - - cis: "18.8.21.5" - - cis_csc: "3.7, 5.4, 5.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' - - - id: 12143 - title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" - description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application." - rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store" - compliance: - - cis: "18.8.22.1.2" - - cis_csc: "2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' - - - id: 12144 - title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" - description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards." - rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards" - compliance: - - cis: "18.8.22.1.6" - - cis_csc: "7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' - - - id: 12145 - title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" - description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet." 
- rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP" - compliance: - - cis: "18.8.22.1.7" - - cis_csc: "13.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' - - - id: 12146 - title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" - description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen." - rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in" - compliance: - - cis: "18.8.27.1" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1' - - - id: 12147 - title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" - description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen." - rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI" - compliance: - - cis: "18.8.27.2" - - cis_csc: "5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' - - - id: 12148 - title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" - description: "This policy setting prevents connected users from being enumerated on domain-joined computers." - rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. 
The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers" - compliance: - - cis: "18.8.27.3" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' - - - id: 12149 - title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" - description: "This policy setting allows local users to be enumerated on domain-joined computers." - rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers" - compliance: - - cis: "18.8.27.4" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' - - - id: 12150 - title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" - description: "This policy setting allows you to prevent app notifications from appearing on the lock screen." 
- rationale: "App notifications might display sensitive business or personal data" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen" - compliance: - - cis: "18.8.27.5" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' - - - id: 12151 - title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'" - description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled." - rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in" - compliance: - - cis: "18.8.27.6" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1' - - - id: 12152 - title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" - description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work." - rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in" - compliance: - - cis: "18.8.27.7" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' - - - id: 12153 - title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" - description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems." 
- rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery)" - compliance: - - cis: "18.8.33.6.1" - - cis_csc: "9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0' - - - id: 12154 - title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" - description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems." - rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in)" - compliance: - - cis: "18.8.33.6.2" - - cis_csc: "9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0' - - - id: 12155 - title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" - description: "Dictates whether or not Windows is allowed to use standby states when sleeping the computer." - rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)" - compliance: - - cis: "18.8.33.6.5" - - cis_csc: "13.2, 13.6" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' - - - id: 12156 - title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep." - rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in)" - compliance: - - cis: "18.8.33.6.6" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' - - - id: 12157 - title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" - description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests." 
- rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance" - compliance: - - cis: "18.8.35.1" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - - - id: 12158 - title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" - description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer." - rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance" - compliance: - - cis: "18.8.35.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' - - - id: 12159 - title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" - description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers." - rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication" - compliance: - - cis: "18.8.36.1" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' - - - id: 12160 - title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" - description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. 
-- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'" - rationale: "Unauthenticated RPC communication can create a security vulnerability." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" - compliance: - - cis: "18.8.36.2" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' - - - id: 12161 - title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" - description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it" - rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional"
- compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
-
- - id: 12162
- title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
- description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones"
- rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices"
- compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3, 8.4, 8.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
-
- - id: 12163
- title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
- description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
- rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun"
- compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3, 8.4, 8.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
-
- - id: 12164
- title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
- description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives."
- rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay"
- compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3, 8.4, 8.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff'
-
- - id: 12165
- title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
- description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it."
- rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing"
- compliance:
- - cis: "18.9.10.1.1"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
-
- - id: 12166
- title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
- description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account."
- rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences"
- compliance:
- - cis: "18.9.13.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
-
- - id: 12167
- title: "Ensure 'Require pin for pairing' is set to 'Enabled'"
- description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device."
- rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing"
- compliance:
- - cis: "18.9.14.1"
- - cis_csc: "15.8, 15.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
-
- - id: 12168
- title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
- description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences."
- rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button"
- compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
-
- - id: 12169
- title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
- description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application."
- rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation"
- compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
-
- - id: 12170
- title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'"
- description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings.
Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic."
- rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry"
- compliance:
- - cis: "18.9.16.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
-
- - id: 12171
- title: "Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
- description: "This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations."
- rationale: "It can be dangerous in an enterprise managed environment if experimental features are allowed because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable pre-release features or settings"
- compliance:
- - cis: "18.9.16.3"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> 0'
-
- - id: 12172
- title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
- description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft."
- rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications"
- compliance:
- - cis: "18.9.16.4"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
-
- - id: 12173
- title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
- description: "This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update.
These controls are located under \"Get Insider builds,\" and enable users to make their devices available for downloading and installing Windows preview software."
- rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds"
- compliance:
- - cis: "18.9.16.5"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
-
- - id: 12174
- title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
- description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead."
- rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
- remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode"
- compliance:
- - cis: "18.9.17.1"
- - cis_csc: "4.5, 3.4, 3.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^1$|^2$'
-
- - id: 12175
- title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size"
- compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
-
- - id: 12176
- title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB)"
- compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
-
- - id: 12177
- title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size"
- compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
-
- - id: 12178
- title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB)"
- compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
-
- - id: 12179
- title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size"
- compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
-
- - id: 12180
- title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)"
- compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
-
- - id: 12181
- title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size"
- compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
-
- - id: 12182
- title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes.
The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)"
- compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3, 6.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
-
- - id: 12183
- title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
- description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer."
- rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer"
- compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4, 8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
-
- - id: 12184
- title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
- description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this."
- rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption"
- compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4, 8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
-
- - id: 12185
- title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
- description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders.
Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows."
- rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode"
- compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4, 8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
-
- - id: 12186
- title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
- description: "By default, users can add their computer to a HomeGroup on a home network."
- rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup"
- compliance:
- - cis: "18.9.35.1"
- - cis_csc: "14.1, 14.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
-
- - id: 12187
- title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
- description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs."
- rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication"
- compliance:
- - cis: "18.9.44.1"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
-
- - id: 12188
- title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
- description: "This setting lets you configure how your company deals with cookies.
The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark."
- rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block only 3rd-party cookies (or, if applicable for your environment, Enabled: Block all cookies): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure cookies"
- compliance:
- - cis: "18.9.45.4"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$'
-
- - id: 12189
- title: "Ensure 'Configure Password Manager' is set to 'Disabled'"
- description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager."
- rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Password Manager"
- compliance:
- - cis: "18.9.45.5"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no'
-
- - id: 12190
- title: "Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'"
- description: "This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content."
- rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Adobe Flash Click-to-Run setting"
- compliance:
- - cis: "18.9.45.8"
- - cis_csc: "7.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1'
-
- - id: 12191
- title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
- description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client."
- rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage"
- compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
- - id: 12192
- title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
- description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer."
- rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. 
An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved"
- compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- - id: 12193
- title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
- description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them."
- rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection"
- compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1'
- - id: 12194
- title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
- description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client."
- rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection"
- compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- - id: 12195
- title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
- description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests."
- rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication"
- compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
- - id: 12196
- title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
- description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption."
- rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level"
- compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- - id: 12197
- title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
- description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff."
- rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit"
- compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4, 14.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
- - id: 12198
- title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
- description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. 
The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session."
- rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session"
- compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4, 14.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
- - id: 12199
- title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
- description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer."
- rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures"
- compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
- - id: 12200
- title: "Ensure 'Allow Cortana' is set to 'Disabled'"
- description: "This policy setting specifies whether Cortana is allowed on the device"
- rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana"
- compliance:
- - cis: "18.9.60.3"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
- - id: 12201
- title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
- description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked."
- rationale: "Access to any computer resource should not be allowed when the device is locked."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen"
- compliance:
- - cis: "18.9.60.4"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
- - id: 12202
- title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
- description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files."
- rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files"
- compliance:
- - cis: "18.9.60.5"
- - cis_csc: "13.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
- - id: 12203
- title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
- description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results."
- rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. 
Organizations likely do not want this information shared out"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location"
- compliance:
- - cis: "18.9.60.6"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
- - id: 12204
- title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
- description: "This setting enables or disables the automatic download and installation of Windows Store app updates."
- rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates"
- compliance:
- - cis: "18.9.68.2"
- - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
- - id: 12205
- title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
- description: "Enables or disables the Windows Store offer to update to the latest version of Windows."
- rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows"
- compliance:
- - cis: "18.9.68.3"
- - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
- - id: 12206
- title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
- description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This setting can only be set by Group Policy."
- rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS"
- compliance:
- - cis: "18.9.76.3.1"
- - cis_csc: "8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
- - id: 12207
- title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
- description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus."
- rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring"
- compliance:
- - cis: "18.9.76.7.1"
- - cis_csc: "8.1, 8.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
- - id: 12208
- title: "Ensure 'Scan removable drives' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan."
- rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives"
- compliance:
- - cis: "18.9.76.10.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
- - id: 12209
- title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
- description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac)."
- rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning"
- compliance:
- - cis: "18.9.76.10.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
- - id: 12210
- title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
- description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules."
- rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules"
- compliance:
- - cis: "18.9.76.13.1.1"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
- - id: 12211
- title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
- description: "This policy setting sets the Attack Surface Reduction rules. 
The recommended state for this setting is: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail)"
- rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
- remediation: "To establish the recommended configuration via GP, set the following UI path so that 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 3b576869-a4ec-4529-8536-b80a7769e899, d4f940ab-401b-4efc-aadc-ad5f3c50688a, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, d3e037e1-3eb8-44c8-a917-57927947596d, and be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
- compliance:
- - cis: "18.9.76.13.1.2"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
- - id: 12212
- title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
- description: "This policy setting controls Windows Defender Exploit Guard 
network protection."
- rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites"
- compliance:
- - cis: "18.9.76.13.3.1"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
- - id: 12213
- title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
- description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software."
- rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus"
- compliance:
- - cis: "18.9.76.14"
- - cis_csc: "8.1, 8.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
- - id: 12214
- title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
- description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center."
- rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Security Center\\App and browser protection\\Prevent users from modifying settings"
- compliance:
- - cis: "18.9.79.1.1"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
- - id: 12215
- title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
- description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. 
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
- rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen"
- compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
- - id: 12216
- title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
- description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software."
- rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen"
- compliance:
- - cis: "18.9.80.2.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
- - id: 12217
- title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'"
- description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files."
- rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: In the Windows 10 Release 1703 Administrative Templates the setting was in the following location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files In the Windows 10 Release 1709 Administrative Templates the setting was removed from the new location above and left in the old location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files"
- compliance:
- - cis: "18.9.80.2.2"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1'
- - id: 12218
- 
title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'" - description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites." - rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites" - compliance: - - cis: "18.9.80.2.3" - - cis_csc: "7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1' - - - id: 12219 - title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'" - description: "This setting enables or disables the Windows Game Recording and Broadcasting features." - rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting"
- compliance:
- - cis: "18.9.82.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
-
- - id: 12220
- title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
- description: "This policy setting determines whether Windows Ink items are allowed above the lock screen."
- rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace"
- compliance:
- - cis: "18.9.84.2"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
-
- - id: 12221
- title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
- description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user."
- rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs"
- compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1'
-
- - id: 12222
- title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
- description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."
- rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges"
- compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
-
- - id: 12223
- title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
- description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system."
- rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart"
- compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
-
- - id: 12224
- title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
- description: "This policy setting enables logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log."
- rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging"
- compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
-
- - id: 12225
- title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
- description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts."
- rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription"
- compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01'
-
- - id: 12226
- title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication."
- rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication"
- compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13, 16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
-
- - id: 12227
- title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network."
- rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic"
- compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.5, 16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
-
- - id: 12228
- title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication."
- rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication"
- compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.5, 16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
-
- - id: 12229
- title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client."
- rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication"
- compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.5, 16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
-
- - id: 12230
- title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port."
- rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM"
- compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
-
- - id: 12231
- title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
- rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic"
- compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.5, 16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
-
- - id: 12232
- title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
- description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software."
- rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Manage preview builds"
- compliance:
- - cis: "18.9.101.1.1"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
-
- - id: 12233
- title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
- description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.  Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.  Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment."
- rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received"
- compliance:
- - cis: "18.9.101.1.2"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32'
-
- - id: 12234
- title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
- description: "This settings controls when Quality Updates are received."
- rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received"
- compliance:
- - cis: "18.9.101.1.3"
- - cis_csc: "3.4, 3.5, 4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
-
- - id: 12235
- title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))"
- rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
- compliance:
- - cis: "18.9.101.2"
- - cis_csc: "3.4, 3.5, 4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
-
- - id: 12236
- title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
- description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS."
- rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day"
- compliance:
- - cis: "18.9.101.3"
- - cis_csc: "3.4, 3.5, 4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
-
- - id: 12237
- title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
- description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation."
- rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations"
- compliance:
- - cis: "18.9.101.4"
- - cis_csc: "3.4, 3.5, 4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 1'
+ - id: 12103
+ title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
+ description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+ rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera"
+ compliance:
+ - cis: "18.1.1.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+ - id: 12104
+ title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
+ description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled"
+ rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show"
+ compliance:
+ - cis: "18.1.1.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+
+ - id: 12105
+ title: "Ensure 'Allow input personalization' is set to 'Disabled'"
+ description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
+ rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow input personalization"
+ compliance:
+ - cis: "18.1.2.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
+
+ - id: 12106
+ title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
+ description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+ rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll" + compliance: + - cis: "18.2.1" + - cis_csc: "16.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll' + + - id: 12107 + title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. 
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy"
+    compliance:
+      - cis: "18.2.2"
+      - cis_csc: "16.2, 16.10"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
+
+  - id: 12108
+    title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. 
We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management"
+    compliance:
+      - cis: "18.2.3"
+      - cis_csc: "16.9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
+
+  - id: 12109
+    title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. 
LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
+    compliance:
+      - cis: "18.2.4"
+      - cis_csc: "5.7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
+
+  - id: 12110
+    title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. 
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
+    compliance:
+      - cis: "18.2.5"
+      - cis_csc: "5.7"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
+
+  - id: 12111
+    title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
+    description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. 
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
+    rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
+    compliance:
+      - cis: "18.2.6"
+      - cis_csc: "16.5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
+
+  - id: 12112
+    title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
+    description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1."
+    rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons"
+    compliance:
+      - cis: "18.3.1"
+      - cis_csc: "5.8, 4.3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
+
+  - id: 12113
+    title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
+    description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems"
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver"
+    compliance:
+      - cis: "18.3.2"
+      - cis_csc: "9.1, 9.2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
+
+  - id: 12114
+    title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
+    description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
+    rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server"
+    compliance:
+      - cis: "18.3.3"
+      - cis_csc: "9.1, 9.2"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
+
+  - id: 12115
+    title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
+    description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
+    rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. 
This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP)"
+    compliance:
+      - cis: "18.3.4"
+      - cis_csc: "8.4, 8.3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
+
+  - id: 12116
+    title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'"
+    description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware."
+    rationale: "This opt-in feature is free and could prevent malicious software from being installed."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications"
+    compliance:
+      - cis: "18.3.5"
+      - cis_csc: "8.4, 8.3"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1'
+
+  - id: 12117
+    title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
+    description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server."
+    rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997)"
+    compliance:
+      - cis: "18.3.6"
+      - cis_csc: "16.14"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+
+  - id: 12118
+    title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
+    description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. 
If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group."
+    rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)"
+    compliance:
+      - cis: "18.4.1"
+      - cis_csc: "16"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+  - id: 12119
+    title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. 
The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)"
+    compliance:
+      - cis: "18.4.2"
+      - cis_csc: "9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 12120
+    title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+    description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+    rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)"
+    compliance:
+      - cis: "18.4.3"
+      - cis_csc: "9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+  - id: 12121
+    title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
+    description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+    rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
+    compliance:
+      - cis: "18.4.5"
+      - cis_csc: "9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+  - id: 12122
+    title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
+    description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+    rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. 
The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
+    compliance:
+      - cis: "18.4.7"
+      - cis_csc: "9"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+  - id: 12123
+    title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+    description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+    rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)"
+    compliance:
+      - cis: "18.4.9"
+      - cis_csc: "8"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+  - id: 12124
+    title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
+    description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds"
+    rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)"
+    compliance:
+      - cis: "18.4.10"
+      - cis_csc: "16.5"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+  - id: 12125
+    title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
+    description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less."
+    rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
+    compliance:
+      - cis: "18.4.13"
+      - cis_csc: "6.3, 6.4"
+    condition: all
+    rules:
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+  - id: 12126
+    title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
+    description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
+    rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
+ remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeTyp e"
+ compliance:
+ - cis: "18.5.4.1"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
+
+ - id: 12127
+ title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
+ description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
+ rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution"
+ compliance:
+ - cis: "18.5.4.2"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
+
+ - id: 12128
+ title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
+ description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
+ rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons"
+ compliance:
+ - cis: "18.5.8.1"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
+
+ - id: 12129
+ title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
+ description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
+ rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network"
+ compliance:
+ - cis: "18.5.11.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
+
+ - id: 12130
+ title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
+ description: "Although this legacy setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
+ rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network"
+ compliance:
+ - cis: "18.5.11.3"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
+
+ - id: 12131
+ title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
+ description: "This policy setting determines whether to require domain users to elevate when setting a network's location.
The recommended state for this setting is: Enabled."
+ rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location"
+ compliance:
+ - cis: "18.5.11.4"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+ - id: 12132
+ title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'"
+ description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing"
+ rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003).
A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths"
+ compliance:
+ - cis: "18.5.14.1"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
+
+ - id: 12133
+ title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
+ description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled."
+ rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain"
+ compliance:
+ - cis: "18.5.21.1"
+ - cis_csc: "12"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
+
+ - id: 12134
+ title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
+ description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+ rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network"
+ compliance:
+ - cis: "18.5.21.2"
+ - cis_csc: "12"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
+
+ - id: 12135
+ title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'"
+ description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services.  Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.  Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.  Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled."
+ rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services"
+ compliance:
+ - cis: "18.5.23.2.1"
+ - cis_csc: "15.4, 15.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
+
+ - id: 12136
+ title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
+ description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
+ rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events"
+ compliance:
+ - cis: "18.8.3.1"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
+
+ - id: 12137
+ title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
+ description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled."
+ rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials"
+ compliance:
+ - cis: "18.8.4.1"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
+
+ - id: 12138
+ title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+ description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+ rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy"
+ compliance:
+ - cis: "18.8.14.1"
+ - cis_csc: "8"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+ - id: 12139
+ title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+ description: "The \"Do not apply during periodic background processing\" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart."
+ rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing"
+ compliance:
+ - cis: "18.8.21.2"
+ - cis_csc: "3.7, 5.4, 5.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+ - id: 12140
+ title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
+ description: "The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed."
+ rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing"
+ compliance:
+ - cis: "18.8.21.3"
+ - cis_csc: "3.7, 5.4, 5.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+ - id: 12141
+ title: "Ensure 'Continue experiences on this device' is set to 'Disabled'"
+ description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences)."
+ rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device"
+ compliance:
+ - cis: "18.8.21.4"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
+
+ - id: 12142
+ title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+ description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers."
+ rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy"
+ compliance:
+ - cis: "18.8.21.5"
+ - cis_csc: "3.7, 5.4, 5.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
+
+ - id: 12143
+ title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application."
+ rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store"
+ compliance:
+ - cis: "18.8.22.1.2"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+ - id: 12144
+ title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+ description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards."
+ rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards"
+ compliance:
+ - cis: "18.8.22.1.6"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+ - id: 12145
+ title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+ description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet."
+ rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP"
+ compliance:
+ - cis: "18.8.22.1.7"
+ - cis_csc: "13.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+ - id: 12146
+ title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
+ description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen."
+ rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in"
+ compliance:
+ - cis: "18.8.27.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
+
+ - id: 12147
+ title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
+ description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen."
+ rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI"
+ compliance:
+ - cis: "18.8.27.2"
+ - cis_csc: "5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+ - id: 12148
+ title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
+ description: "This policy setting prevents connected users from being enumerated on domain-joined computers."
+ rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering.
The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers"
+ compliance:
+ - cis: "18.8.27.3"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+ - id: 12149
+ title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
+ description: "This policy setting allows local users to be enumerated on domain-joined computers."
+ rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers"
+ compliance:
+ - cis: "18.8.27.4"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+ - id: 12150
+ title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
+ description: "This policy setting allows you to prevent app notifications from appearing on the lock screen."
+ rationale: "App notifications might display sensitive business or personal data"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen"
+ compliance:
+ - cis: "18.8.27.5"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+ - id: 12151
+ title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
+ description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled."
+ rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in"
+ compliance:
+ - cis: "18.8.27.6"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
+
+ - id: 12152
+ title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
+ description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work."
+ rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in"
+ compliance:
+ - cis: "18.8.27.7"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+ - id: 12153
+ title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
+ description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
+ rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery)"
+ compliance:
+ - cis: "18.8.33.6.1"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
+
+ - id: 12154
+ title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
+ description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
+ rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in)"
+ compliance:
+ - cis: "18.8.33.6.2"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
+
+ - id: 12155
+ title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+ description: "Dictates whether or not Windows is allowed to use standby states when sleeping the computer."
+ rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)"
+ compliance:
+ - cis: "18.8.33.6.5"
+ - cis_csc: "13.2, 13.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+ - id: 12156
+ title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+ description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep."
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in)"
+ compliance:
+ - cis: "18.8.33.6.6"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+ - id: 12157
+ title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
+ description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests."
+ rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance"
+ compliance:
+ - cis: "18.8.35.1"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+ - id: 12158
+ title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
+ description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer."
+ rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance"
+ compliance:
+ - cis: "18.8.35.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+ - id: 12159
+ title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
+ description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers."
+ rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication"
+ compliance:
+ - cis: "18.8.36.1"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+
+ - id: 12160
+ title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
+ description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.
-- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'"
+ rationale: "Unauthenticated RPC communication can create a security vulnerability."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
+ compliance:
+ - cis: "18.8.36.2"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
+
+ - id: 12161
+ title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
+ description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it"
+ rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional"
+ compliance:
+ - cis: "18.9.6.1"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+ - id: 12162
+ title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
+ description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones"
+ rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices"
+ compliance:
+ - cis: "18.9.8.1"
+ - cis_csc: "8.3, 8.4, 8.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+ - id: 12163
+ title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
+ description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+ rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.
This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun"
+ compliance:
+ - cis: "18.9.8.2"
+ - cis_csc: "8.3, 8.4, 8.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+ - id: 12164
+ title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
+ description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives."
+ rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay"
+ compliance:
+ - cis: "18.9.8.3"
+ - cis_csc: "8.3, 8.4, 8.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff'
+
+ - id: 12165
+ title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
+ description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it."
+ rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing"
+ compliance:
+ - cis: "18.9.10.1.1"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
+
+ - id: 12166
+ title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
+ description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account."
+ rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences"
+ compliance:
+ - cis: "18.9.13.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
+
+ - id: 12167
+ title: "Ensure 'Require pin for pairing' is set to 'Enabled'"
+ description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device."
+ rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing"
+ compliance:
+ - cis: "18.9.14.1"
+ - cis_csc: "15.8, 15.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
+
+ - id: 12168
+ title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
+ description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences."
+ rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button"
+ compliance:
+ - cis: "18.9.15.1"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+ - id: 12169
+ title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
+ description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application."
+ rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation"
+ compliance:
+ - cis: "18.9.15.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+ - id: 12170
+ title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'"
+ description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings.
Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic."
+ rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry"
+ compliance:
+ - cis: "18.9.16.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
+
+ - id: 12171
+ title: "Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
+ description: "This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations."
+ rationale: "It can be dangerous in an enterprise managed environment if experimental features are allowed because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable pre-release features or settings"
+ compliance:
+ - cis: "18.9.16.3"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> 0'
+
+ - id: 12172
+ title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
+ description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft."
+ rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications"
+ compliance:
+ - cis: "18.9.16.4"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
+
+ - id: 12173
+ title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
+ description: "This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update.
These controls are located under \"Get Insider builds,\" and enable users to make their devices available for downloading and installing Windows preview software."
+ rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds"
+ compliance:
+ - cis: "18.9.16.5"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
+
+ - id: 12174
+ title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
+ description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead."
+ rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode"
+ compliance:
+ - cis: "18.9.17.1"
+ - cis_csc: "4.5, 3.4, 3.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^1$|^2$'
+
+ - id: 12175
+ title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size"
+ compliance:
+ - cis: "18.9.26.1.1"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+ - id: 12176
+ title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB)"
+ compliance:
+ - cis: "18.9.26.1.2"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 12177
+ title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size"
+ compliance:
+ - cis: "18.9.26.2.1"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+ - id: 12178
+ title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB)"
+ compliance:
+ - cis: "18.9.26.2.2"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+ - id: 12179
+ title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size"
+ compliance:
+ - cis: "18.9.26.3.1"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+ - id: 12180
+ title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)"
+ compliance:
+ - cis: "18.9.26.3.2"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 12181
+ title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size"
+ compliance:
+ - cis: "18.9.26.4.1"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+ - id: 12182
+ title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes.
The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)"
+ compliance:
+ - cis: "18.9.26.4.2"
+ - cis_csc: "6.3, 6.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 12183
+ title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
+ description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer."
+ rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer"
+ compliance:
+ - cis: "18.9.30.2"
+ - cis_csc: "8.4, 8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+ - id: 12184
+ title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
+ description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this."
+ rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption"
+ compliance:
+ - cis: "18.9.30.3"
+ - cis_csc: "8.4, 8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+ - id: 12185
+ title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
+ description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders.
Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows."
+ rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode"
+ compliance:
+ - cis: "18.9.30.4"
+ - cis_csc: "8.4, 8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+ - id: 12186
+ title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
+ description: "By default, users can add their computer to a HomeGroup on a home network."
+ rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup"
+ compliance:
+ - cis: "18.9.35.1"
+ - cis_csc: "14.1, 14.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
+
+ - id: 12187
+ title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
+ description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs."
+ rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication"
+ compliance:
+ - cis: "18.9.44.1"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
+
+ - id: 12188
+ title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
+ description: "This setting lets you configure how your company deals with cookies.
The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark."
+ rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block only 3rd-party cookies (or, if applicable for your environment, Enabled: Block all cookies): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure cookies"
+ compliance:
+ - cis: "18.9.45.4"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$'
+
+ - id: 12189
+ title: "Ensure 'Configure Password Manager' is set to 'Disabled'"
+ description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager."
+ rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Password Manager"
+ compliance:
+ - cis: "18.9.45.5"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no'
+
+ - id: 12190
+ title: "Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'"
+ description: "This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content."
+ rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Adobe Flash Click-to-Run setting"
+ compliance:
+ - cis: "18.9.45.8"
+ - cis_csc: "7.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1'
+
+ - id: 12191
+ title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
+ description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client."
+ rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage"
+ compliance:
+ - cis: "18.9.52.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+ - id: 12192
+ title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
+ description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer."
+ rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords.
An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved"
+ compliance:
+ - cis: "18.9.58.2.2"
+ - cis_csc: "16.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+ - id: 12193
+ title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
+ description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them."
+ rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection"
+ compliance:
+ - cis: "18.9.58.3.3.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1'
+
+ - id: 12194
+ title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
+ description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client."
+ rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection"
+ compliance:
+ - cis: "18.9.58.3.9.1"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+ - id: 12195
+ title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
+ description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests."
+ rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication"
+ compliance:
+ - cis: "18.9.58.3.9.2"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+ - id: 12196
+ title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
+ description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption."
+ rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level"
+ compliance:
+ - cis: "18.9.58.3.9.3"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+ - id: 12197
+ title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
+ description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff."
+ rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit"
+ compliance:
+ - cis: "18.9.58.3.11.1"
+ - cis_csc: "14.4, 14.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+ - id: 12198
+ title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
+ description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server.
The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session."
+ rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session"
+ compliance:
+ - cis: "18.9.58.3.11.2"
+ - cis_csc: "14.4, 14.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
+ - id: 12199
+ title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
+ description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer."
+ rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures"
+ compliance:
+ - cis: "18.9.59.1"
+ - cis_csc: "7.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+ - id: 12200
+ title: "Ensure 'Allow Cortana' is set to 'Disabled'"
+ description: "This policy setting specifies whether Cortana is allowed on the device"
+ rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana"
+ compliance:
+ - cis: "18.9.60.3"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
+
+ - id: 12201
+ title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
+ description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked."
+ rationale: "Access to any computer resource should not be allowed when the device is locked."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen"
+ compliance:
+ - cis: "18.9.60.4"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
+
+ - id: 12202
+ title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
+ description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files."
+ rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files"
+ compliance:
+ - cis: "18.9.60.5"
+ - cis_csc: "13.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+ - id: 12203
+ title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
+ description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results."
+ rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary.
Organizations likely do not want this information shared out"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location"
+ compliance:
+ - cis: "18.9.60.6"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
+
+ - id: 12204
+ title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
+ description: "This setting enables or disables the automatic download and installation of Windows Store app updates."
+ rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates"
+ compliance:
+ - cis: "18.9.68.2"
+ - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
+
+ - id: 12205
+ title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
+ description: "Enables or disables the Windows Store offer to update to the latest version of Windows."
+ rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows"
+ compliance:
+ - cis: "18.9.68.3"
+ - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
+
+ - id: 12206
+ title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
+ description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This setting can only be set by Group Policy."
+ rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS"
+ compliance:
+ - cis: "18.9.76.3.1"
+ - cis_csc: "8"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
+
+ - id: 12207
+ title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
+ description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus."
+ rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring"
+ compliance:
+ - cis: "18.9.76.7.1"
+ - cis_csc: "8.1, 8.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
+
+ - id: 12208
+ title: "Ensure 'Scan removable drives' is set to 'Enabled'"
+ description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan."
+ rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives"
+ compliance:
+ - cis: "18.9.76.10.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
+
+ - id: 12209
+ title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
+ description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac)."
+ rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning"
+ compliance:
+ - cis: "18.9.76.10.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
+
+ - id: 12210
+ title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
+ description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules."
+ rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules"
+ compliance:
+ - cis: "18.9.76.13.1.1"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
+
+ - id: 12211
+ title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
+ description: "This policy setting sets the Attack Surface Reduction rules.
The recommended state for this setting is: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail)"
+ rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
+ remediation: "To establish the recommended configuration via GP, set the following UI path so that 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 3b576869-a4ec-4529-8536-b80a7769e899, d4f940ab-401b-4efc-aadc-ad5f3c50688a, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, d3e037e1-3eb8-44c8-a917-57927947596d, and be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
+ compliance:
+ - cis: "18.9.76.13.1.2"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
+
+ - id: 12212
+ title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
+ description: "This policy setting controls Windows Defender Exploit Guard 
network protection."
+ rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites"
+ compliance:
+ - cis: "18.9.76.13.3.1"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
+
+ - id: 12213
+ title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
+ description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software."
+ rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus"
+ compliance:
+ - cis: "18.9.76.14"
+ - cis_csc: "8.1, 8.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
+
+ - id: 12214
+ title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
+ description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center."
+ rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Security Center\\App and browser protection\\Prevent users from modifying settings"
+ compliance:
+ - cis: "18.9.79.1.1"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
+
+ - id: 12215
+ title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
+ description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. 
Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
+ rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen"
+ compliance:
+ - cis: "18.9.80.1.1"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
+
+ - id: 12216
+ title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
+ description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software."
+ rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen"
+ compliance:
+ - cis: "18.9.80.2.1"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
+
+ - id: 12217
+ title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'"
+ description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files."
+ rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: In the Windows 10 Release 1703 Administrative Templates the setting was in the following location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files In the Windows 10 Release 1709 Administrative Templates the setting was removed from the new location above and left in the old location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files"
+ compliance:
+ - cis: "18.9.80.2.2"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1'
+
+ - id: 12218
+ 
title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'"
+ description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites."
+ rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites"
+ compliance:
+ - cis: "18.9.80.2.3"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
+
+ - id: 12219
+ title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
+ description: "This setting enables or disables the Windows Game Recording and Broadcasting features."
+ rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting"
+ compliance:
+ - cis: "18.9.82.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
+
+ - id: 12220
+ title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
+ description: "This policy setting determines whether Windows Ink items are allowed above the lock screen."
+ rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace"
+ compliance:
+ - cis: "18.9.84.2"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
+
+ - id: 12221
+ title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
+ description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. 
The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user."
+ rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs"
+ compliance:
+ - cis: "18.9.85.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1'
+
+ - id: 12222
+ title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+ description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. 
Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."
+ rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges"
+ compliance:
+ - cis: "18.9.85.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+ - id: 12223
+ title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
+ description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system."
+ rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart"
+ compliance:
+ - cis: "18.9.86.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+ - id: 12224
+ title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
+ description: "This policy setting enables logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log."
+ rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging"
+ compliance:
+ - cis: "18.9.95.1"
+ - cis_csc: "16.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
+
+ - id: 12225
+ title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
+ description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts." 
+ rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription"
+ compliance:
+ - cis: "18.9.95.2"
+ - cis_csc: "16.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01'
+
+ - id: 12226
+ title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication."
+ rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication"
+ compliance:
+ - cis: "18.9.97.1.1"
+ - cis_csc: "16.13, 16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
+
+ - id: 12227
+ title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network."
+ rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic"
+ compliance:
+ - cis: "18.9.97.1.2"
+ - cis_csc: "16.5, 16.13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
+
+ - id: 12228
+ title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication." 
+ rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication"
+ compliance:
+ - cis: "18.9.97.1.3"
+ - cis_csc: "16.5, 16.13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
+
+ - id: 12229
+ title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client."
+ rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication"
+ compliance:
+ - cis: "18.9.97.2.1"
+ - cis_csc: "16.5, 16.13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
+
+ - id: 12230
+ title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port."
+ rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM"
+ compliance:
+ - cis: "18.9.97.2.3"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
+
+ - id: 12231
+ title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network." 
+ rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic"
+ compliance:
+ - cis: "18.9.97.2.4"
+ - cis_csc: "16.5, 16.13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
+
+ - id: 12232
+ title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
+ description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software."
+ rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Manage preview builds"
+ compliance:
+ - cis: "18.9.101.1.1"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
+
+ - id: 12233
+ title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
+ description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.  Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public. 
 Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment."
+ rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received"
+ compliance:
+ - cis: "18.9.101.1.2"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32'
+
+ - id: 12234
+ title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
+ description: "This settings controls when Quality Updates are received." 
+ rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received"
+ compliance:
+ - cis: "18.9.101.1.3"
+ - cis_csc: "3.4, 3.5, 4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
+
+ - id: 12235
+ title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) 
(Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))"
+ rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
+ compliance:
+ - cis: "18.9.101.2"
+ - cis_csc: "3.4, 3.5, 4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
+
+ - id: 12236
+ title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
+ description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS."
+ rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day"
+ compliance:
+ - cis: "18.9.101.3"
+ - cis_csc: "3.4, 3.5, 4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+ - id: 12237
+ title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
+ description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation."
+ rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations"
+ compliance:
+ - cis: "18.9.101.4"
+ - cis_csc: "3.4, 3.5, 4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 1'
diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index fdf65879e..1a247496a 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -23,1193 +23,1193 @@ requirements: description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows 10" condition: "any required" rules: - - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10' + - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10' checks: # 2.3 Security Options - - id: 12500 - title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." - rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" - compliance: - - cis: "2.3.4.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - - - id: 12501 - title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" - description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)." - rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. 
An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location." - remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)" - compliance: - - cis: "2.3.7.7" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4' - - - id: 12502 - title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" - description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark." - rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer" - compliance: - - cis: "2.3.14.1" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0' + - id: 12500 + title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." + rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" + compliance: + - cis: "2.3.4.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' + + - id: 12501 + title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" + description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)." + rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. 
An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location." + remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)" + compliance: + - cis: "2.3.7.7" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4' + + - id: 12502 + title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" + description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark." + rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer" + compliance: + - cis: "2.3.14.1" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0' # 5 System Services - - id: 12503 - title: "Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'" - description: "Enables wireless Bluetooth headsets to run on this computer. The recommended state for this setting is: Disabled." - rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Handsfree Service" - compliance: - - cis: "5.1" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4' - - - id: 12504 - title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" - description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled." 
- rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service" - compliance: - - cis: "5.2" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4' - - - id: 12505 - title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" - description: "Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps." - rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager" - compliance: - - cis: "5.4" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4' - - - id: 12506 - title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" - description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled." - rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service" - compliance: - - cis: "5.5" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4' - - - id: 12507 - title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" - description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled." - rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper" - compliance: - - cis: "5.11" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4' - - - - id: 12508 - title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" - description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled." - rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service" - compliance: - - cis: "5.14" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4' - - - id: 12509 - title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" - description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled." 
- rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol" - compliance: - - cis: "5.15" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4' - - - id: 12510 - title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" - description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled." - rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping" - compliance: - - cis: "5.16" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4' - - - id: 12511 - title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" - description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled." 
- rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager" - compliance: - - cis: "5.17" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4' - - - id: 12512 - title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" - description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled." - rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service" - compliance: - - cis: "5.18" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4' - - - id: 12513 - title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" - description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled." - rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support" - compliance: - - cis: "5.19" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4' - - - id: 12514 - title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" - description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address." - rationale: "The function of this service is to provide a \"demand dial\" type of functionality. 
In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager" - compliance: - - cis: "5.20" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4' - - - id: 12515 - title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" - description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled." - rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration" - compliance: - - cis: "5.21" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4' - - - id: 12516 - title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" - description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. 
The recommended state for this setting is: Disabled." - rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services" - compliance: - - cis: "5.22" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4' - - - id: 12517 - title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" - description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled." - rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector" - compliance: - - cis: "5.23" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4' - - - id: 12518 - title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" - description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled." 
- rationale: "In a high security environment, exposing the registry to remote access is an increased security risk." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry" - compliance: - - cis: "5.25" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4' - - - id: 12519 - title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'" - description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled." - rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server" - compliance: - - cis: "5.27" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4' - - - id: 12520 - title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" - description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. 
It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))." - rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service" - compliance: - - cis: "5.29" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4' - - - id: 12521 - title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" - description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled." - rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service" - compliance: - - cis: "5.33" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4' - - - id: 12522 - title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" - description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled." - rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector" - compliance: - - cis: "5.34" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4' - - - id: 12523 - title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" - description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607." 
- rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
- compliance:
- - cis: "5.37"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4'
-
- - id: 12524
- title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
- description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled."
- rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
- compliance:
- - cis: "5.38"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4'
-
- - id: 12525
- title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'"
- description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. 
WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
- rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
- compliance:
- - cis: "5.39"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4'
-
- - id: 12526
- title: "Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'"
- description: "This service provides infrastructure support for the Windows Store. The recommended state for this setting is: Disabled."
- rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Store Install Service (InstallService)"
- compliance:
- - cis: "5.40"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4'
+ - id: 12503
+ title: "Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'"
+ description: "Enables wireless Bluetooth headsets to run on this computer. 
The recommended state for this setting is: Disabled."
+ rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Handsfree Service"
+ compliance:
+ - cis: "5.1"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4'
+
+ - id: 12504
+ title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
+ description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled."
+ rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
+ compliance:
+ - cis: "5.2"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
+
+ - id: 12505
+ title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
+ description: "Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps."
+ rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
+ compliance:
+ - cis: "5.4"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4'
+
+ - id: 12506
+ title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
+ description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled."
+ rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
+ compliance:
+ - cis: "5.5"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4'
+
+ - id: 12507
+ title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
+ description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled."
+ rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
+ compliance:
+ - cis: "5.11"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4'
+
+
+ - id: 12508
+ title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
+ description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled."
+ rationale: "This service is critically necessary in order to directly attach to an iSCSI device. 
However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
+ compliance:
+ - cis: "5.14"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4'
+
+ - id: 12509
+ title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'"
+ description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled."
+ rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
+ compliance:
+ - cis: "5.15"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4'
+
+ - id: 12510
+ title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'"
+ description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled."
+ rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
+ compliance:
+ - cis: "5.16"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4'
+
+ - id: 12511
+ title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'"
+ description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled."
+ rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
+ compliance:
+ - cis: "5.17"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4'
+
+ - id: 12512
+ title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'"
+ description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled."
+ rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
+ compliance:
+ - cis: "5.18"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4'
+
+ - id: 12513
+ title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'"
+ description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled."
+ rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. 
In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
+ compliance:
+ - cis: "5.19"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4'
+
+ - id: 12514
+ title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
+ description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address."
+ rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
+ compliance:
+ - cis: "5.20"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4'
+
+ - id: 12515
+ title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
+ description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. 
These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled."
+ rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
+ compliance:
+ - cis: "5.21"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4'
+
+ - id: 12516
+ title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
+ description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled."
+ rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
+ compliance:
+ - cis: "5.22"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4'
+
+ - id: 12517
+ title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
+ description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled." 
+ rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
+ compliance:
+ - cis: "5.23"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4'
+
+ - id: 12518
+ title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'"
+ description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled."
+ rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
+ compliance:
+ - cis: "5.25"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4'
+
+ - id: 12519
+ title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'"
+ description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled."
+ rationale: "In a high security environment, a secure workstation should only be a client, not a server. 
Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
+ compliance:
+ - cis: "5.27"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4'
+
+ - id: 12520
+ title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'"
+ description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))."
+ rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
+ compliance:
+ - cis: "5.29"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4'
+
+ - id: 12521
+ title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
+ description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. 
The recommended state for this setting is: Disabled."
+ rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
+ compliance:
+ - cis: "5.33"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4'
+
+ - id: 12522
+ title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
+ description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
+ rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
+ compliance:
+ - cis: "5.34"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4'
+
+ - id: 12523
+ title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
+ description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
+ rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
+ compliance:
+ - cis: "5.37"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4'
+
+ - id: 12524
+ title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
+ description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. 
The recommended state for this setting is: Disabled."
+ rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
+ compliance:
+ - cis: "5.38"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4'
+
+ - id: 12525
+ title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'"
+ description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
+ rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)" + compliance: + - cis: "5.39" + - cis_csc: "9.1, 9.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4' + + - id: 12526 + title: "Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'" + description: "This service provides infrastructure support for the Windows Store. The recommended state for this setting is: Disabled." + rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." + remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Store Install Service (InstallService)" + compliance: + - cis: "5.40" + - cis_csc: "9.1, 9.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4' # 18.1 Control Panel - - id: 12527 - title: "Ensure 'Allow Online Tips' is set to 'Disabled'" - description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled." - rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)." - compliance: - - cis: "18.1.3" - - cis_csc: "9.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0' + - id: 12527 + title: "Ensure 'Allow Online Tips' is set to 'Disabled'" + description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled." + rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)." + compliance: + - cis: "18.1.3" + - cis_csc: "9.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0' # 18.4 MSS (Legacy) - - id: 12528 - title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" - description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. 
For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled."
- rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
-
- - id: 12529
- title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
- description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
- rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
-
- - id: 12530
- title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
- description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
- rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.8"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
-
- - id: 12531
- title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
- rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
-
- - id: 12532
- title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
- rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.12"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+ - id: 12528
+ title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
+ description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled."
+ rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.4"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
+
+ - id: 12529
+ title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
+ description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+ rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.6"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
+
+ - id: 12530
+ title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
+ description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+ rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.8"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+ - id: 12531
+ title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.11"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+ - id: 12532
+ title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.12"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
 # 18.5 Network
- - id: 12533
- title: "Ensure 'Enable Font Providers' is set to 'Disabled'"
- description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
- rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
- compliance:
- - cis: "18.5.5.1"
- - cis_csc: "3, 13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
-
- - id: 12534
- title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
- description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver.
LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
- rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
-
- - id: 12535
- title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
- description: "This policy setting changes the operational behavior of the Responder network protocol driver.
The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
- rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
-
- - id: 12536
- title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
- description: "The Peer Name Resolution Protocol (PNRP) allows for distributed
resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
- rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
-
- - id: 12537
- title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
- description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
- rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on.
As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
- remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
- compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
-
- - id: 12538
- title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
- description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
- rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4, 15.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
-
- - id: 12539
- title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
- description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
- rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4, 15.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+ - id: 12533
+ title: "Ensure 'Enable Font Providers' is set to 'Disabled'"
+ description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
+ rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.5.5.1"
+ - cis_csc: "3, 13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
+
+ - id: 12534
+ title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
+ description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+ rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.9.1"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+
+ - id: 12535
+ title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
+ description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+ rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.9.2"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+
+ - id: 12536
+ title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
+ description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+ rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.10.2"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+ - id: 12537
+ title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
+ description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
+ rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+ remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+ compliance:
+ - cis: "18.5.19.2.1"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
+
+ - id: 12538
+ title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
+ description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+ rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.20.1"
+ - cis_csc: "15.4, 15.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+ - id: 12539
+ title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
+ description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+ rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.5.20.2"
+ - cis_csc: "15.4, 15.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 # 18.8 System
- - id: 12540
- title: "Ensure 'Turn off access to the Store' is set to 'Enabled'"
- description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled."
- rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
-
- - id: 12541
- title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
- description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
- rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
-
- - id: 12542
- title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
- description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
- rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
-
- - id: 12543
- title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
- rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
-
- - id: 12544
- title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
- rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
-
- - id: 12545
- title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
- description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
- rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
-
- - id: 12546
- title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
- description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
- rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
-
- - id: 12547
- title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
- description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders.
The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
- rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
-
- - id: 12548
- title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
- rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
-
- - id: 12549
- title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
- rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
-
- - id: 12550
- title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
- description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
- rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.14"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
-
- - id: 12551
- title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
- description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
- rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.25.1"
- - cis_csc: "1.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
-
- - id: 12552
- title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
- description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
- rationale: "This is a way to increase the security of the system account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
-
- - id: 12553
- title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
- description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
- rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
-
- - id: 12554
- title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
- description: "This policy setting specifies whether to enable or disable tracking of responsiveness events.
The recommended state for this setting is: Disabled."
- rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
-
- - id: 12555
- title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
- description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
- rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
-
- - id: 12556
- title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
- description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
- rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
-
- - id: 12557
- title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
- description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
- rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.49.1.2"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
+ - id: 12540
+ title: "Ensure 'Turn off access to the Store' is set to 'Enabled'"
+ description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled."
+ rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.22.1.1"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
+
+ - id: 12541
+ title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+ description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+ rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.22.1.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+ - id: 12542
+ title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+ description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+ rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.4"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+ - id: 12543
+ title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+ rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.5"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+ - id: 12544
+ title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+ rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.8"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+ - id: 12545
+ title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
+ description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+ rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. 
This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.9"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+ - id: 12546
+ title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
+ description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
+ rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.10"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+ - id: 12547
+ title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
+ description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+ rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.11"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+ - id: 12548
+ title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.12"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+ - id: 12549
+ title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.13"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+ - id: 12550
+ title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
+ description: "This policy setting controls whether or not errors are reported to Microsoft. 
Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+ rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.14"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
+
+ - id: 12551
+ title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
+ description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
+ rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.25.1"
+ - cis_csc: "1.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
+
+ - id: 12552
+ title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
+ description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+ rationale: "This is a way to increase the security of the system account."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.26.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+ - id: 12553
+ title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
+ description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+ rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.44.5.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+ - id: 12554
+ title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
+ description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+ rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.44.11.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+ - id: 12555
+ title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
+ description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+ rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.46.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+ - id: 12556
+ title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
+ description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+ rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.49.1.1"
+ - cis_csc: "6.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+
+ - id: 12557
+ title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
+ description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
+ rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.49.1.2"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
 # 18.9 Windows Components
- - id: 12558
- title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
- description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
- rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.4.1"
- - cis_csc: "14.4, 14.6"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
-
- - id: 12559
- title: "Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
- description: "This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled."
- rationale: "Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Block launching Windows Store apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.6.2"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
-
- - id: 12560
- title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
- description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
- rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.12.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
-
- - id: 12561
- title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
- description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
- rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.16.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
-
- - id: 12562
- title: "Ensure 'Turn off location' is set to 'Enabled'"
- description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
- rationale: "This setting affects the location feature (e.g. GPS or other location tracking). 
From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
-
- - id: 12563
- title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
- description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
- rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.43.1"
- - cis_csc: "9.1, 9.2, 13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
-
- - id: 12564
- title: "Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
- description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled."
- rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.45.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
-
- - id: 12565
- title: "Ensure 'Allow Adobe Flash' is set to 'Disabled'"
- description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled."
- rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. 
Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.45.2"
- - cis_csc: "7.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
-
- - id: 12566
- title: "Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
- description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled."
- rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
- compliance:
- - cis: "18.9.45.3"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
-
- - id: 12567
- title: "Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
- description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
- rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
- compliance:
- - cis: "18.9.45.6"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
-
- - id: 12568
- title: "Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
- description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
- rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
- compliance:
- - cis: "18.9.45.7"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0'
-
- - id: 12569
- title: "Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
- description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled."
- rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.45.9"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1'
-
- - id: 12570
- title: "Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
- description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled."
- rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
- compliance:
- - cis: "18.9.45.10"
- - cis_csc: "7.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1'
-
- - id: 12571
- title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'"
- description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
- rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.57.1"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
-
- - id: 12572
- title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
- description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
- rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates.
It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.58.3.2.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'
-
- - id: 12573
- title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
- rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
-
- - id: 12574
- title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
- rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
-
- - id: 12575
- title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
- description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session.
The recommended state for this setting is: Enabled."
- rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
-
- - id: 12576
- title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
- description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
- rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions.
In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
- compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
- references:
- - https://workbench.cisecurity.org/benchmarks/766
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15'
-
- - id: 12577
- title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
- description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
- rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
-
- - id: 12578
- title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
- description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
- rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.60.2"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
-
- - id: 12579
- title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
- description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
- rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.65.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
-
- - id: 12580
- title: "Ensure 'Disable all apps from Windows Store' is set to 'Disabled'"
- description: "This setting configures the launch of all apps from the Windows Store that came pre- installed or were downloaded. The recommended state for this setting is: Disabled."
- rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Disable all apps from Windows Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.68.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1'
-
- - id: 12581
- title: "Ensure 'Turn off the Store application' is set to 'Enabled'"
- description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled.
Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
- rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.68.4"
- - cis_csc: "2"
- references:
- - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
- - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
-
- - id: 12582
- title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
- description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  (0x0) Disabled (default)  (0x1) Basic membership  (0x2) Advanced membership. The recommended state for this setting is: Disabled."
- rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.76.3.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
-
- - id: 12583
- title: "Ensure 'Configure Watson events' is set to 'Disabled'"
- description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
- rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission.
Preventing this information from being sent can help reduce privacy concerns."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.76.9.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
-
- - id: 12584
- title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
- description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
- rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.84.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
-
- - id: 12585
- title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
- description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
- rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
-
- - id: 12586
- title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
- rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
-
- - id: 12587
- title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
- description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
- rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+ - id: 12558
+ title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
+ description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
+ rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.4.1"
+ - cis_csc: "14.4, 14.6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
+
+ - id: 12559
+ title: "Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
+ description: "This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled."
+ rationale: "Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Block launching Windows Store apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.6.2"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
+
+ - id: 12560
+ title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
+ description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
+ rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.12.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
+
+ - id: 12561
+ title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
+ description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
+ rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.16.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
+
+ - id: 12562
+ title: "Ensure 'Turn off location' is set to 'Enabled'"
+ description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+ rationale: "This setting affects the location feature (e.g. GPS or other location tracking). 
From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.39.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+ - id: 12563
+ title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
+ description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
+ rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.43.1"
+ - cis_csc: "9.1, 9.2, 13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
+
+ - id: 12564
+ title: "Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
+ description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled."
+ rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.45.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
+
+ - id: 12565
+ title: "Ensure 'Allow Adobe Flash' is set to 'Disabled'"
+ description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled."
+ rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. 
Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.45.2"
+ - cis_csc: "7.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
+
+ - id: 12566
+ title: "Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
+ description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled."
+ rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). 
Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ compliance:
+ - cis: "18.9.45.3"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
+
+ - id: 12567
+ title: "Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
+ description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
+ rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ compliance:
+ - cis: "18.9.45.6"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
+
+ - id: 12568
+ title: "Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
+ description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
+ rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ compliance:
+ - cis: "18.9.45.7"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0'
+
+ - id: 12569
+ title: "Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
+ description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled."
+ rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.45.9"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1'
+
+ - id: 12570
+ title: "Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
+ description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled."
+ rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ compliance:
+ - cis: "18.9.45.10"
+ - cis_csc: "7.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1'
+
+ - id: 12571
+ title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'"
+ description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
+ rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.57.1"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
+
+ - id: 12572
+ title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
+ description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
+ rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. 
It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.2.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'
+
+ - id: 12573
+ title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
+ description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.1"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+ - id: 12574
+ title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
+ description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.3"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+ - id: 12575
+ title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
+ description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. 
The recommended state for this setting is: Enabled."
+ rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.4"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+ - id: 12576
+ title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
+ description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
+ rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. 
In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.10.1"
+ - cis_csc: "16.5"
+ references:
+ - https://workbench.cisecurity.org/benchmarks/766
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15'
+
+ - id: 12577
+ title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
+ description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+ rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.10.2"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+ - id: 12578
+ title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
+ description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
+ rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.60.2"
+ - cis_csc: "9.1, 9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
+
+ - id: 12579
+ title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
+ description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+ rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." + compliance: + - cis: "18.9.65.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' + + - id: 12580 + title: "Ensure 'Disable all apps from Windows Store' is set to 'Disabled'" + description: "This setting configures the launch of all apps from the Windows Store that came pre- installed or were downloaded. The recommended state for this setting is: Disabled." + rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Disable all apps from Windows Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)." + compliance: + - cis: "18.9.68.1" + - cis_csc: "2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1' + + - id: 12581 + title: "Ensure 'Turn off the Store application' is set to 'Enabled'" + description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. 
Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
+ rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.68.4"
+ - cis_csc: "2"
+ references:
+ - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
+ - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
+
+ - id: 12582
+ title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
+ description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  (0x0) Disabled (default)  (0x1) Basic membership  (0x2) Advanced membership. The recommended state for this setting is: Disabled."
+ rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.76.3.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
+
+ - id: 12583
+ title: "Ensure 'Configure Watson events' is set to 'Disabled'"
+ description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
+ rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.76.9.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
+
+ - id: 12584
+ title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
+ description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
+ rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.84.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
+
+ - id: 12585
+ title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
+ description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
+ rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.85.3"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
+
+ - id: 12586
+ title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
+ rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.97.2.2"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
+
+ - id: 12587
+ title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
+ description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
+ rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.98.1"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index 75ab8c0a6..e20cbde84 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -25,2021 +25,2021 @@ requirements:
 description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows Server 2012 R2"
 condition: "any required"
 rules:
- - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
+ - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
 checks:
 # Section 1.1 - Password Policies
- - id: 8000
- title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
- description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ."
- rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
- compliance:
- - cis: "1.1.2"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
+ - id: 8000
+ title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
+ description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ."
+ rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
+ compliance:
+ - cis: "1.1.2"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
 # Section 2.3 - Security Options
- - id: 8001
- title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
- description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
- rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
- compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
-
- - id: 8002
- title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
- description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. 
If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled." - rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" - compliance: - - cis: "2.3.1.4" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' - - - id: 8003 - title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" - description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. 
The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance." - rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - compliance: - - cis: "2.3.2.1" - - cis_csc: "6.2" - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' - - - id: 8004 - title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" - description: "This policy setting determines whether the system shuts down if it is unable to log Security events. 
It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled." - rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" - compliance: - - cis: "2.3.2.2" - - cis_csc: "6" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' - - - id: 8005 - title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" - description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." - rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. 
The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." - remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" - compliance: - - cis: "2.3.4.1" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - - - id: 8006 - title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." - rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. 
The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" - compliance: - - cis: "2.3.4.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - - - id: 8007 - title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" - description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." - rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. 
If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks" - compliance: - - cis: "2.3.5.1" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> 0' - - - id: 8008 - title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" - description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. 
Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." - rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements" - compliance: - - cis: "2.3.5.2" - - cis_csc: "3" - references: - - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/ - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2' - - - id: 8009 - title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" - description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." - rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes"
- compliance:
- - cis: "2.3.5.3"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
-
- - id: 8010
- title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
- description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
- compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
-
- - id: 8011
- title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
- description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
- compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
-
- - id: 8012
- title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
- description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
- compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
-
- - id: 8013
- title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
- description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
- rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
- compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
-
- - id: 8014
- title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
- description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
- rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit.
The data can be modified to hide or change the sender, or be redirected.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
- compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
-
- - id: 8015
- title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
- description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
- rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
- compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
-
- - id: 8016
- title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
- description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
- rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
- compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
-
- - id: 8017
- title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
- description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
- rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
- compliance:
- - cis: "2.3.7.3"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
- - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
-
- - id: 8018
- title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
- description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
- rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
- remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
- compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
-
- - id: 8019
- title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
- description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
- rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
- compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
-
- - id: 8020
- title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
- description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data.
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
- compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
-
- - id: 8021
- title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
- description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols.
SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
- compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
-
- - id: 8022
- title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
- description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
- rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
- compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 1'
-
- - id: 8023
- title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
- description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
- rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
- compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
-
- - id: 8024
- title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
- description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
- compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
-
- - id: 8025
- title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
- description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data.
If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
- compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
-
- - id: 8026
- title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
- description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
- rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
- compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
-
- - id: 8027
- title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
- description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
- rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
- compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
-
- - id: 8028
- title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
- description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller.
The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
- rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
- remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
- compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc|netlogon|samr'
-
- - id: 8029
- title: "Configure 'Network access: Remotely accessible registry paths'"
- description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects.
The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
- rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion.
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" - compliance: - - cis: "2.3.10.7" - - cis_csc: "14, 16" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' - - - id: 8030 - title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" - description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." - rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. 
The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. 
When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" - compliance: - - cis: "2.3.10.8" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' - - - id: 8031 - title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" - description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." 
- rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" - compliance: - - cis: "2.3.10.9" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - - - id: 8032 - title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" - description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." - rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data." - remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. 
None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" - compliance: - - cis: "2.3.10.10" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$' - - id: 8033 - title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" - description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." - rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" - compliance: - - cis: "2.3.10.11" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - - - id: 8034 - title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" - description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." - rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" - compliance: - - cis: "2.3.11.1" - - cis_csc: "14, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' - - - id: 8035 - title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" - description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled." - rationale: "NULL sessions are less secure because by definition they are unauthenticated." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback" - compliance: - - cis: "2.3.11.2" - - cis_csc: "14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' - - - id: 8036 - title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" - description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). 
The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled." - rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities" - compliance: - - cis: "2.3.11.3" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' - - - id: 8037 - title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" - description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting." - rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos" - compliance: - - cis: "2.3.11.4" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' - - - id: 8038 - title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" - description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." - rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change" - compliance: - - cis: "2.3.11.5" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' - - - id: 8039 - title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" - description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." - rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire" - compliance: - - cis: "2.3.11.6" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - - - id: 8040 - title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" - description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." 
- rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. 
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level" - compliance: - - cis: "2.3.11.7" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' - - - id: 8041 - title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" - description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." - rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements" - compliance: - - cis: "2.3.11.8" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1' - - id: 8042 - title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" - description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." - rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" - compliance: - - cis: "2.3.11.9" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' - - - id: 8043 - title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" - description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." - rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" - compliance: - - cis: "2.3.11.10" - - cis_csc: "13" - references: - - https://workbench.cisecurity.org/benchmarks/288 - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' - - - id: 8044 - title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" - description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server." - rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. 
As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on" - compliance: - - cis: "2.3.13.1" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0' - - - id: 8045 - title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" - description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." 
- rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems" - compliance: - - cis: "2.3.15.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' - - - id: 8046 - title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" - description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled." - rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
- compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
-
- - id: 8047
- title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted.
Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
- compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
-
- - id: 8048
- title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
- description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
- rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
- compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
-
- - id: 8049
- title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
- rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
- compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
-
- - id: 8050
- title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
- compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
-
- - id: 8051
- title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
- rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell.
The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
- compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
-
- - id: 8052
- title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
- rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator.
This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
- compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
-
- - id: 8053
- title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
- rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
- compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0'
-
- - id: 8054
- title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
- rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
- compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
-
- - id: 8055
- title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
- rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
- compliance:
- - cis: "2.3.17.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+ - id: 8001
+ title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
+ description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+ rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
+ compliance:
+ - cis: "2.3.1.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+ - id: 8002
+ title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
+ description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+ rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
+ compliance:
+ - cis: "2.3.1.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+ - id: 8003
+ title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
+ description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+ rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
+ compliance:
+ - cis: "2.3.2.1"
+ - cis_csc: "6.2"
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+ - id: 8004
+ title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
+ description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
+ rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+ compliance:
+ - cis: "2.3.2.2"
+ - cis_csc: "6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+ - id: 8005
+ title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
+ description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
+ rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
+ compliance:
+ - cis: "2.3.4.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
+ - id: 8006
+ title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
+ description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+ rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+ compliance:
+ - cis: "2.3.4.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+ - id: 8007
+ title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)"
+ description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
+ rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks"
+ compliance:
+ - cis: "2.3.5.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> 0'
+
+ - id: 8008
+ title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
+ description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections."
+ rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks.
In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements"
+ compliance:
+ - cis: "2.3.5.2"
+ - cis_csc: "3"
+ references:
+ - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
+
+ - id: 8009
+ title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)"
+ description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled."
+ rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes"
+ compliance:
+ - cis: "2.3.5.3"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
+
+ - id: 8010
+ title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
+ compliance:
+ - cis: "2.3.6.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+ - id: 8011
+ title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
+ description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" + compliance: + - cis: "2.3.6.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' + + - id: 8012 + title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" + compliance: + - cis: "2.3.6.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' + + - id: 8013 + title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." + rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" + compliance: + - cis: "2.3.6.4" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' + + - id: 8014 + title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." + rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. 
The data can be modified to hide or change the sender, or be redirected.)" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" + compliance: + - cis: "2.3.6.6" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' + + - id: 8015 + title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" + description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." + rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name" + compliance: + - cis: "2.3.7.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' + + - id: 8016 + title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." + rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" + compliance: + - cis: "2.3.7.2" + - cis_csc: "8" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' + + - id: 8017 + title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." + rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit" + compliance: + - cis: "2.3.7.3" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs' + - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' + + - id: 8018 + title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" + description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." + rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" + compliance: + - cis: "2.3.7.7" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' + + - id: 8019 + title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." + rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" + compliance: + - cis: "2.3.7.9" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' + + - id: 8020 + title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. 
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" + compliance: + - cis: "2.3.8.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' + + - id: 8021 + title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. 
SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" + compliance: + - cis: "2.3.8.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' + + - id: 8022 + title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" + description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." + rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" + compliance: + - cis: "2.3.8.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 1' + + - id: 8023 + title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" + description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." + rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session" + compliance: + - cis: "2.3.9.1" + - cis_csc: "3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' + - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' + + - id: 8024 + title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)" + compliance: + - cis: "2.3.9.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' + + - id: 8025 + title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. 
If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)" + compliance: + - cis: "2.3.9.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' + + - id: 8026 + title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." + rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire" + compliance: + - cis: "2.3.9.4" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + + - id: 8027 + title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" + description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." + rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" + compliance: + - cis: "2.3.10.5" + - cis_csc: "14, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' + + - id: 8028 + title: "Configure 'Network access: Named Pipes that can be accessed anonymously'" + description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. 
The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." + rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." + remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" + compliance: + - cis: "2.3.10.6" + - cis_csc: "14.1, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc|netlogon|samr' + + - id: 8029 + title: "Configure 'Network access: Remotely accessible registry paths'" + description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. 
The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." + rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" + compliance: + - cis: "2.3.10.7" + - cis_csc: "14, 16" + condition: any + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' + + - id: 8030 + title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" + description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." + rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. 
The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. 
When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
+ compliance:
+ - cis: "2.3.10.8"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
+
+ - id: 8031
+ title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+ description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." 
+ rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+ compliance:
+ - cis: "2.3.10.9"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+ - id: 8032
+ title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+ description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
+ rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. 
None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+ compliance:
+ - cis: "2.3.10.10"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$'
+ - id: 8033
+ title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+ description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+ rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+ compliance:
+ - cis: "2.3.10.11"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+ - id: 8034
+ title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
+ description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+ rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
+ compliance:
+ - cis: "2.3.11.1"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
+
+ - id: 8035
+ title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
+ description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+ rationale: "NULL sessions are less secure because by definition they are unauthenticated."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
+ compliance:
+ - cis: "2.3.11.2"
+ - cis_csc: "14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
+
+ - id: 8036
+ title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
+ description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). 
The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+ rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
+ compliance:
+ - cis: "2.3.11.3"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
+
+ - id: 8037
+ title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
+ description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
+ rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
+ compliance:
+ - cis: "2.3.11.4"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
+
+ - id: 8038
+ title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+ description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+ rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+ compliance:
+ - cis: "2.3.11.5"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+ - id: 8039
+ title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
+ description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
+ rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
+ compliance:
+ - cis: "2.3.11.6"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+ - id: 8040
+ title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
+ description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." 
+ rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. 
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+ compliance:
+ - cis: "2.3.11.7"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+ - id: 8041
+ title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+ description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+ rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+ compliance:
+ - cis: "2.3.11.8"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
+ - id: 8042
+ title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ compliance:
+ - cis: "2.3.11.9"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+ - id: 8043
+ title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ compliance:
+ - cis: "2.3.11.10"
+ - cis_csc: "13"
+ references:
+ - https://workbench.cisecurity.org/benchmarks/288
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+ - id: 8044
+ title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
+ description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+ rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. 
As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
+ compliance:
+ - cis: "2.3.13.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
+
+ - id: 8045
+ title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+ description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." 
+ rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
+ compliance:
+ - cis: "2.3.15.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+ - id: 8046
+ title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+ compliance:
+ - cis: "2.3.15.2"
+ - cis_csc: "14.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+ - id: 8047
+ title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. 
Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+ compliance:
+ - cis: "2.3.17.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+ - id: 8048
+ title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
+ description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
+ rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
+ compliance:
+ - cis: "2.3.17.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
+
+ - id: 8049
+ title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+ description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+ rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ compliance:
+ - cis: "2.3.17.3"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
+
+ - id: 8050
+ title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+ description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users" + compliance: + - cis: "2.3.17.4" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0' + + - id: 8051 + title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled." + rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. 
The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation" + compliance: + - cis: "2.3.17.5" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection' + - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1' + + - id: 8052 + title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." + rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. 
This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations" + compliance: + - cis: "2.3.17.6" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1' + + - id: 8053 + title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced." + rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+ compliance:
+ - cis: "2.3.17.7"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0'
+
+ - id: 8054
+ title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+ description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+ rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+ compliance:
+ - cis: "2.3.17.8"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+ - id: 8055
+ title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+ description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+ rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations" + compliance: + - cis: "2.3.17.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' # Section 9.1 - Domain Profile - - id: 8056 - title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'" - description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." - rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state" - compliance: - - cis: "9.1.1" - - cis_csc: "9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - - - id: 8057 - title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" - description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." - rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." - remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections" - compliance: - - cis: "9.1.2" - - cis_csc: "9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - - - id: 8058 - title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" - description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)." 
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." - remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections" - compliance: - - cis: "9.1.3" - - cis_csc: "9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - - - id: 8059 - title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" - description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." 
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert" - remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification" - compliance: - - cis: "9.1.4" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1' - - - id: 8060 - title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'" - description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name" - compliance: - - cis: "9.1.5" - - cis_csc: "6.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog' - - - id: 8061 - title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'" - description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)" - compliance: - - cis: "9.1.6" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' - - - id: 8062 - title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" - description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets" - compliance: - - cis: "9.1.7" - - cis_csc: "6.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - - - id: 8063 - title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" - description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 8056
+ title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+ compliance:
+ - cis: "9.1.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+ - id: 8057
+ title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+ compliance:
+ - cis: "9.1.2"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+ - id: 8058
+ title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+ compliance:
+ - cis: "9.1.3"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+ - id: 8059
+ title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.1.4"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
+
+ - id: 8060
+ title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.1.5"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
+
+ - id: 8061
+ title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.1.6"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 8062
+ title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.1.7"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 8063
+ title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections" + compliance: + - cis: "9.1.8" + - cis_csc: "6.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' # Section 9.2 - Private Profile - - id: 8064 - title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'" - description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." - rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state" - compliance: - - cis: "9.2.1" - - cis_csc: "9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - - - id: 8065 - title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" - description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." - rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." - remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections" - compliance: - - cis: "9.2.2" - - cis_csc: "9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - - - id: 8066 - title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" - description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
- compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
-
- - id: 8067
- title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. 
The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.2.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
-
- - id: 8068
- title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
-
- - id: 8069
- title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 8070
- title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 8071
- title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 8064
+ title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ compliance:
+ - cis: "9.2.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+ - id: 8065
+ title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+ compliance:
+ - cis: "9.2.2"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+ - id: 8066
+ title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+ compliance:
+ - cis: "9.2.3"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+ - id: 8067
+ title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. 
The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.2.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+ - id: 8068
+ title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.2.5"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
+
+ - id: 8069
+ title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.2.6"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 8070
+ title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.2.7"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 8071
+ title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
+ compliance:
+ - cis: "9.2.8"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
 # Sectin 9.3 - Public Profile
- - id: 8072
- title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
- rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
- compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
-
- - id: 8073
- title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
- compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
-
- - id: 8074
- title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). 
Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
- compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
-
- - id: 8075
- title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
- rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0'
-
-
- - id: 8076
- title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
- compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
-
- - id: 8077
- title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
- rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
- compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
-
- - id: 8078
- title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
-
- - id: 8079
- title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 8080
- title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 8081
- title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 8072
+ title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+ compliance:
+ - cis: "9.3.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+ - id: 8073
+ title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
+ compliance:
+ - cis: "9.3.2"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+ - id: 8074
+ title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). 
Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
+ compliance:
+ - cis: "9.3.3"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+ - id: 8075
+ title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+ rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0'
+
+
+ - id: 8076
+ title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+ description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
+ compliance:
+ - cis: "9.3.5"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
+
+ - id: 8077
+ title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+ description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+ rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
+ compliance:
+ - cis: "9.3.6"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
+
+ - id: 8078
+ title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.3.7"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
+
+ - id: 8079
+ title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.3.8"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 8080
+ title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.3.9"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 8081
+ title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
+ compliance:
+ - cis: "9.3.10"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 18.1 - Control Panel
- - id: 8082
- title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
- description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
- rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). 
 "
- compliance:
- - cis: "18.1.1.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
-
- - id: 8083
- title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
- description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
- rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.1.1.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
+ - id: 8082
+ title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
+ description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
+ rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
+ compliance:
+ - cis: "18.1.1.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+ - id: 8083
+ title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
+ description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+ rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.1.1.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 # Section 18.3 - MS Security Guide
- - id: 8084
- title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
- description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled."
- rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
- compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
- references:
- - https://www.microsoft.com/en-us/download/details.aspx?id=36036
- - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
- - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
+ - id: 8084
+ title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
+ description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled."
+ rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
+ compliance:
+ - cis: "18.3.5"
+ - cis_csc: "16.14"
+ references:
+ - https://www.microsoft.com/en-us/download/details.aspx?id=36036
+ - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
+ - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 # Section 18.4 - MSS (Legacy)
- - id: 8085
- title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
- description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
- rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. 
As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
- references:
- - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
-
- - id: 8086
- title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
- rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
-
- - id: 8087
- title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
- rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
-
- - id: 8088
- title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
- description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
- rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
-
- - id: 8089
- title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
- description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
- rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. 
As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
-
- - id: 8090
- title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
- description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. 
When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
- rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
-
- - id: 8091
- title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
- description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. 
The recommended state for this setting is: Enabled: 5 or fewer seconds." - rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" - compliance: - - cis: "18.4.9" - - cis_csc: "16.5" - references: - - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5' - - - id: 8092 - title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" - description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." 
- rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" - compliance: - - cis: "18.4.12" - - cis_csc: "6.3" - references: - - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90' + - id: 8085 + title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" + description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. 
Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." + rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.1" + - cis_csc: "16" + references: + - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' + + - id: 8086 + title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." + rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.2" + - cis_csc: "9" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' + + - id: 8087 + title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." + rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.3" + - cis_csc: "9" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2' + + - id: 8088 + title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." + rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.4" + - cis_csc: "9" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0' + + - id: 8089 + title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." + rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. 
The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.6" + - cis_csc: "9" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1' + + - id: 8090 + title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. 
Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." + rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.8" + - cis_csc: "8" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1' + + - id: 8091 + title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." + rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. 
If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.9" + - cis_csc: "16.5" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5' + + - id: 8092 + title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." + rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. 
If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + compliance: + - cis: "18.4.12" + - cis_csc: "6.3" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90' # Section 18.5 - Network - - id: 8093 - title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" - description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled" - rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. 
In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.5.11.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1' - - - id: 8094 - title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" - description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." - rationale: "Allowing regular users to set a network location increases the risk and attack surface." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." 
- compliance: - - cis: "18.5.11.3" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' - - - id: 8095 - title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" - description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." - rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.5.21.1" - - cis_csc: "12" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1' + - id: 8093 + title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. 
The recommended state for this setting is: Enabled" + rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.5.11.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1' + + - id: 8094 + title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." + rationale: "Allowing regular users to set a network location increases the risk and attack surface." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." + compliance: + - cis: "18.5.11.3" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' + + - id: 8095 + title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" + description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." + rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
+ compliance: + - cis: "18.5.21.1" + - cis_csc: "12" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1' # Section 18.8 - System - - id: 8096 - title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" - description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. " - rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." 
- compliance: - - cis: "18.8.3.1" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0' - - - id: 8097 - title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" - description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." - rationale: "This policy setting helps reduce the impact of malware that has already infected your system." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.14.1" - - cis_csc: "8" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3' - - - id: 8098 - title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" - description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." - rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.21.2" - - cis_csc: "3.7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' - - - id: 8099 - title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" - description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)." - rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
- compliance: - - cis: "18.8.21.3" - - cis_csc: "3.7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0' - - - id: 8100 - title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" - description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled." - rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.8.21.4" - - cis_csc: "3.7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' - - - id: 8101 - title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" - description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled." 
- rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." - compliance: - - cis: "18.8.27.1" - - cis_csc: "5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' - - - id: 8102 - title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" - description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." - rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
- compliance: - - cis: "18.8.27.2" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' - - - id: 8103 - title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" - description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." - rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.27.3" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' - - - id: 8104 - title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" - description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." - rationale: "App notifications might display sensitive business or personal data." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.27.4" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' - - - id: 8105 - title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" - description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." - rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates." - compliance: - - cis: "18.8.27.6" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' - - id: 8106 - title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" - description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" - rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.35.1" - - cis_csc: "9.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - - - id: 8107 - title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" - description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. 
The recommended state for this setting is: Disabled." - rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.35.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' + - id: 8096 + title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" + description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. " + rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + compliance: + - cis: "18.8.3.1" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0' + + - id: 8097 + title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" + description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. 
If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." + rationale: "This policy setting helps reduce the impact of malware that has already infected your system." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.14.1" + - cis_csc: "8" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3' + + - id: 8098 + title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" + description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." + rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.21.2" + - cis_csc: "3.7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' + + - id: 8099 + title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" + description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)." + rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.21.3" + - cis_csc: "3.7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0' + + - id: 8100 + title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" + description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled." + rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.21.4" + - cis_csc: "3.7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' + + - id: 8101 + title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" + description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. 
The recommended state for this setting is: Enabled." + rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + compliance: + - cis: "18.8.27.1" + - cis_csc: "5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' + + - id: 8102 + title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" + description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." + rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.27.2" + - cis_csc: "16.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' + + - id: 8103 + title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" + description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." + rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
+ compliance: + - cis: "18.8.27.3" + - cis_csc: "16.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' + + - id: 8104 + title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" + description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." + rationale: "App notifications might display sensitive business or personal data." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.27.4" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' + + - id: 8105 + title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" + description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." 
+ rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates." + compliance: + - cis: "18.8.27.6" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' + - id: 8106 + title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" + rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.35.1" + - cis_csc: "9.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' + + - id: 8107 + title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." + rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
+ compliance: + - cis: "18.8.35.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' # Section 18.9 - Windows Components - - id: 8108 - title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" - description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled." - rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." 
- compliance: - - cis: "18.9.6.1" - - cis_csc: "16.9" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' - - - id: 8109 - title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" - description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." - rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.9.8.1" - - cis_csc: "8.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - - - id: 8110 - title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" - description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." - rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. 
This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.9.8.2" - - cis_csc: "8.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' - - - id: 8111 - title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" - description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." - rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.9.8.3" - - cis_csc: "8.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' - - - id: 8112 - title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" - description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." - rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
- compliance: - - cis: "18.9.15.1" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' - - - id: 8113 - title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" - description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." - rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.9.15.2" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' - - - id: 8114 - title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." 
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." - compliance: - - cis: "18.9.26.1.1" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' - - - id: 8115 - title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." - compliance: - - cis: "18.9.26.1.2" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' - - - id: 8116 - title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." - rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." - compliance: - - cis: "18.9.26.2.1" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' - - - id: 8117 - title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." - compliance: - - cis: "18.9.26.2.2" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' - - - id: 8118 - title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." - rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." - compliance: - - cis: "18.9.26.3.1" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' - - - id: 8119 - title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." - compliance: - - cis: "18.9.26.3.2" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768' - - - id: 8120 - title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." - rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
- compliance: - - cis: "18.9.26.4.1" - - cis_csc: "6.3" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0' - - - id: 8121 - title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
- compliance: - - cis: "18.9.26.4.2" - - cis_csc: "6.3" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768' - - - id: 8122 - title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" - description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." - rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." - compliance: - - cis: "18.9.30.2" - - cis_csc: "8.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' - - - id: 8123 - title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" - description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. 
Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." - rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.9.30.3" - - cis_csc: "8.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' - - - id: 8124 - title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" - description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." - rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.9.30.4" - - cis_csc: "8.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' - - - id: 8125 - title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" - description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." - rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). 
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates" - compliance: - - cis: "18.9.52.1" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - - - id: 8126 - title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'" - description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS." - rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. 
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version." - compliance: - - cis: "18.9.52.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1' - - - id: 8127 - title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" - description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." - rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance: - - cis: "18.9.58.2.2" - - cis_csc: "16.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - - - id: 8128 - title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" - description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." - rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance: - - cis: "18.9.58.3.3.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' - - id: 8129 - title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" - description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." - rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." 
- compliance: - - cis: "18.9.58.3.9.1" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - - - id: 8130 - title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" - description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." - rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance: - - cis: "18.9.58.3.9.2" - - cis_csc: "3.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' - - - id: 8131 - title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" - description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." - rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
-
- - id: 8132
- title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
- description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
- rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
-
- - id: 8133
- title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
- description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
- rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
-
- - id: 8134
- title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
- description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
- rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
-
- - id: 8135
- title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
- description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely.
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
- rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
-
- - id: 8136
- title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
- description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
- rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
- compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
-
- - id: 8137
- title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
- description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
- rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
-
- - id: 8138
- title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
- description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
- rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
-
- - id: 8139
- title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
- description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators.
The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
- rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
-
- - id: 8140
- title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
- description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
- rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
-
- - id: 8141
- title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
- description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
- rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
-
- - id: 8142
- title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
- description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled.
Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
- rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
-
- - id: 8143
- title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
- description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
- rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
-
- - id: 8144
- title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
- rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
-
- - id: 8145
- title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
- rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
-
- - id: 8146
- title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
- rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
-
- - id: 8147
- title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
- rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
-
- - id: 8148
- title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
- rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
-
- - id: 8149
- title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
- rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
-
- - id: 8150
- title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement.
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
- rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
-
- - id: 8151
- title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
- description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
- rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped.
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
-
- - id: 8152
- title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
- description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
- rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
- compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
+ - id: 8108
+ title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
+ description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.6.1"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+ - id: 8109
+ title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
+ description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+ rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.8.1"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+ - id: 8110
+ title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
+ description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+ rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.8.2"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+ - id: 8111
+ title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
+ description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+ rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.8.3"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255'
+
+ - id: 8112
+ title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
+ description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+ rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.15.1"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+ - id: 8113
+ title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
+ description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+ rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.15.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+ - id: 8114
+ title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.1.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+ - id: 8115
+ title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.1.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 8116
+ title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.2.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+ - id: 8117
+ title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.2.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+ - id: 8118
+ title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.3.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+ - id: 8119
+ title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.3.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 8120
+ title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.4.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+ - id: 8121
+ title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.4.2"
+ - cis_csc: "6.3"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 8122
+ title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
+ description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
+ rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.30.2"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+ - id: 8123
+ title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
+ description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. 
Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+ rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.30.3"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+ - id: 8124
+ title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
+ description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+ rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.30.4"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+ - id: 8125
+ title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
+ description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). 
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
+ compliance:
+ - cis: "18.9.52.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+ - id: 8126
+ title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
+ description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
+ rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. 
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
+ compliance:
+ - cis: "18.9.52.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
+
+ - id: 8127
+ title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
+ description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+ rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.2.2"
+ - cis_csc: "16.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+ - id: 8128
+ title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
+ description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+ rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance: + - cis: "18.9.58.3.3.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' + - id: 8129 + title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." + rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.9.1" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' + + - id: 8130 + title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" + description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." + rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.9.2" + - cis_csc: "3.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' + + - id: 8131 + title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." + rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.9.3" + - cis_csc: "3.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' + + - id: 8132 + title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." + rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.11.1" + - cis_csc: "14.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' + + - id: 8133 + title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." + rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.11.2" + - cis_csc: "14.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' + + - id: 8134 + title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." + rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + compliance: + - cis: "18.9.59.1" + - cis_csc: "7.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' + + - id: 8135 + title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. 
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." + rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.60.2" + - cis_csc: "13.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' + + - id: 8136 + title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" + description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." + rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates." + compliance: + - cis: "18.9.80.1.1" + - cis_csc: "2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2' + + - id: 8137 + title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" + description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" + rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.81.2.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1' + + - id: 8138 + title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" + description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." + rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + compliance: + - cis: "18.9.81.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0' + + - id: 8139 + title: "Ensure 'Allow user control over installs' is set to 'Disabled'" + description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. 
The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." + rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ compliance: + - cis: "18.9.85.1" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' + + - id: 8140 + title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" + description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." + rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.85.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' + + - id: 8141 + title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" + description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." + rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + compliance: + - cis: "18.9.86.1" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' + + - id: 8142 + title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" + description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. 
Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." + rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." + compliance: + - cis: "18.9.95.1" + - cis_csc: "16.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' + + - id: 8143 + title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" + description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." 
+ rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." + compliance: + - cis: "18.9.95.2" + - cis_csc: "16.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' + + - id: 8144 + title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." + rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.97.1.1" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' + + - id: 8145 + title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.97.1.2" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' + + - id: 8146 + title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." 
+ rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.97.1.3" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' + + - id: 8147 + title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." + rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.97.2.1" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' + + - id: 8148 + title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.97.2.3" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' + + - id: 8149 + title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." + rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
+ compliance: + - cis: "18.9.97.2.4" + - cis_csc: "16.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' + + - id: 8150 + title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" + description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. 
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
+ rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.101.2"
+ - cis_csc: "4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
+
+ - id: 8151
+ title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
+ description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
+ rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped.
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.101.3"
+ - cis_csc: "4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
+
+ - id: 8152
+ title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
+ description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+ rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ compliance:
+ - cis: "18.9.101.4"
+ - cis_csc: "4.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml
index 1d60507e9..0b6336ef1 100644
--- a/sca/windows/cis_win2012r2_domainL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml
@@ -25,610 +25,610 @@ requirements:
description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows Server 2012 R2"
condition: "any required"
rules:
- - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
+ - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
checks:
# Section 2.3 - Security Options
- - id: 8500
- title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
- rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
- compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+ - id: 8500
+ title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
+ description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+ rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ compliance:
+ - cis: "2.3.10.4"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
# Section 18.4 - MSS (Legacy)
- - id: 8501
- title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
- description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
- rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
-
- - id: 8502
- title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
- description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
- rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
-
- - id: 8503
- title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
- rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.10"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
-
- - id: 8504
- title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
- rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
+ - id: 8501
+ title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
+ description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+ rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.5"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
+
+ - id: 8502
+ title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
+ description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+ rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.7"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
+
+ - id: 8503
+ title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.10"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
+
+ - id: 8504
+ title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.11"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
# Section 18.5 - Network
- - id: 8505
- title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
- description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
- rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
-
- - id: 8506
- title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
- description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
- rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
-
- - id: 8507
- title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
- description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
- rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
-
- - id: 8508
- title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
- description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
- rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
- remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
- compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
-
- - id: 8509
- title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
- description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
- rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
-
- - id: 8510
- title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
- description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
- rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
+ - id: 8505
+ title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
+ description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+ rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.9.1"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
+
+ - id: 8506
+ title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
+ description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+ rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.9.2"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
+
+ - id: 8507
+ title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
+ description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+ rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.10.2"
+ - cis_csc: "9.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
+
+ - id: 8508
+ title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
+ description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
+ rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
+ remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+ compliance:
+ - cis: "18.5.19.2.1"
+ - cis_csc: "9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
+
+ - id: 8509
+ title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
+ description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+ rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.20.1"
+ - cis_csc: "15.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
+
+ - id: 8510
+ title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
+ description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+ rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.5.20.2"
+ - cis_csc: "15.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
# Section 18.8 - System
- - id: 8511
- title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
- description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
- rationale: "Users might download drivers that include malicious code."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
-
- - id: 8512
- title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
- description: "This setting turns off data sharing from the handwriting recognition personalization tool.
The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
- rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
-
- - id: 8513
- title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
- description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows.
The recommended state for this setting is: Enabled."
- rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
-
- - id: 8514
- title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
- rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
-
- - id: 8515
- title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
- description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
- rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
-
- - id: 8516
- title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
- description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
- rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "13.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
-
- - id: 8517
- title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
- rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
-
- - id: 8518
- title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
- description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
- rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.8"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
-
- - id: 8519
- title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
- description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
- rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
-
- - id: 8520
- title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
- description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders.
The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
- rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
-
- - id: 8521
- title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
- rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
-
- - id: 8522
- title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
- rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
-
- - id: 8523
- title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
- description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
- rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
-
- - id: 8524
- title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
- description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen.
The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
- rationale: "This is a way to increase the security of the system account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
-
- - id: 8525
- title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
- description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
- rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.33.6.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
-
- - id: 8526
- title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
- description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
- rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.33.6.2"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
-
- - id: 8527
- title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
- description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals.
The recommended state for this setting is: Disabled."
- rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
-
- - id: 8528
- title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
- description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
- rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
-
- - id: 8529
- title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
- description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
- rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
-
- - id: 8530
- title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
- description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
- rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
+ - id: 8511
+ title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+ rationale: "Users might download drivers that include malicious code."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.1"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+ - id: 8512
+ title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+ description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+ rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.22.1.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
+
+ - id: 8513
+ title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+ description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+ rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
+
+ - id: 8514
+ title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+ rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.4"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
+
+ - id: 8515
+ title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+ description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+ rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.5"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+ - id: 8516
+ title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+ description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
+ rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.6"
+ - cis_csc: "13.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+ - id: 8517
+ title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+ rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
+
+ - id: 8518
+ title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
+ description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+ rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.8"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
+
+ - id: 8519
+ title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
+ description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
+ rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.9"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
+
+ - id: 8520
+ title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
+ description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+ rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.10"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
+
+ - id: 8521
+ title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.11"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
+
+ - id: 8522
+ title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.12"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
+
+ - id: 8523
+ title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
+ description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+ rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.13"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+
+ - id: 8524
+ title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
+ description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+ rationale: "This is a way to increase the security of the system account."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.26.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
+
+ - id: 8525
+ title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+ description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.33.6.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+ - id: 8526
+ title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+ description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.33.6.2"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+ - id: 8527
+ title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
+ description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+ rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.44.5.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
+
+ - id: 8528
+ title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
+ description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+ rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.44.11.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
+
+ - id: 8529
+ title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
+ description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+ rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.46.1"
+ - cis_csc: "13"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
+
+ - id: 8530
+ title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
+ description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+ rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.49.1.1"
+ - cis_csc: "6.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
 # Section 18.9 - System
- - id: 8531
- title: "Ensure 'Turn off location' is set to 'Enabled'"
- description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
- rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
-
- - id: 8532
- title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
- description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
- rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
- compliance:
- - cis: "18.9.58.3.2.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
-
- - id: 8533
- title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
- rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
-
- - id: 8534
- title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
- rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
-
- - id: 8535
- title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
- description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
- rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
-
- - id: 8536
- title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
- description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
- rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
- compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
- references:
- - https://workbench.cisecurity.org/benchmarks/766
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15'
-
- - id: 8537
- title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
- description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
- rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
-
- - id: 8538
- title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
- description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
- rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.60.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
-
- - id: 8539
- title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
- description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
- rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.65.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
-
- - id: 8540
- title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
- description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
- rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. 
However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.76.3.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
-
-
- - id: 8541
- title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
- description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
- rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
-
- - id: 8542
- title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
- rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
-
- - id: 8543
- title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
- description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
- rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
+ - id: 8531
+ title: "Ensure 'Turn off location' is set to 'Enabled'"
+ description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+ rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.39.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
+
+ - id: 8532
+ title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
+ description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.2.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
+
+ - id: 8533
+ title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
+ description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. 
The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.1"
+ - cis_csc: "9.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
+
+ - id: 8534
+ title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
+ description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.3"
+ - cis_csc: "9.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
+
+ - id: 8535
+ title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
+ description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.4"
+ - cis_csc: "9.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
+
+ - id: 8536
+ title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
+ description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
+ rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.10.1"
+ - cis_csc: "16.5"
+ references:
+ - https://workbench.cisecurity.org/benchmarks/766
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15'
+
+ - id: 8537
+ title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
+ description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+ rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.10.2"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
+
+ - id: 8538
+ title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
+ description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
+ rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance: + - cis: "18.9.60.3" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3' + + - id: 8539 + title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled." + rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." 
+ compliance: + - cis: "18.9.65.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' + + - id: 8540 + title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." + rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. 
However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + compliance: + - cis: "18.9.76.3.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' + + + - id: 8541 + title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." + rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + compliance: + - cis: "18.9.85.3" + - cis_csc: "7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' + + - id: 8542 + title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." + rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ compliance: + - cis: "18.9.97.2.2" + - cis_csc: "3.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' + + - id: 8543 + title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." + rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.98.1" + - cis_csc: "3.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' 
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml index ee0a36d78..3bb4ecfff 100644 --- a/sca/windows/cis_win2012r2_memberL1_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml 
@@ -25,2151 +25,2151 @@ requirements: description: "Requirements for running the CIS benchmark Member Server L1 under Windows Server 2012 R2" condition: "any required" rules: - - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' + - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' checks: # Section 1.1 - Password Policies - - id: 9000 - title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" - description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ." - rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." - remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." 
- compliance: - - cis: "1.1.2" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge' - - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60' + - id: 9000 + title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ." + rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." + remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." 
+ compliance: + - cis: "1.1.2" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge' + - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60' # Section 2.3 - Security Options - - id: 9001 - title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts" - description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts." - rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems." - remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts." 
- compliance: - - cis: "2.3.1.2" - - cis_csc: "16" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3' - - - id: 9002 - title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled" - description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled." - rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only." 
- compliance: - - cis: "2.3.1.4" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' - - - id: 9003 - title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" - description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance." - rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - compliance: - - cis: "2.3.2.1" - - cis_csc: "6.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' - - - id: 9004 - title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" - description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. 
Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled." - rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" - default_value: "Disabled." - compliance: - - cis: "2.3.2.2" - - cis_csc: "6" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' - - - id: 9005 - title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" - description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." - rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. 
The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." - remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" - compliance: - - cis: "2.3.4.1" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - - - id: 9006 - title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." - rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" - compliance: - - cis: "2.3.4.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - - - id: 9007 - title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" - description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" - compliance: - - cis: "2.3.6.1" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' - - - id: 9008 - title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" - description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" - compliance: - - cis: "2.3.6.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - - - id: 9009 - title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" - description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" - compliance: - - cis: "2.3.6.3" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' - - - id: 9010 - title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" - description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." - rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" - compliance: - - cis: "2.3.6.4" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - - - id: 9011 - title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" - description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." - rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. 
The data can be modified to hide or change the sender, or be redirected.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
- compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
-
- - id: 9012
- title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
- description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
- rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
- compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
-
- - id: 9013
- title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
- description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
- rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
- compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
-
- - id: 9014
- title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
- description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
- rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
- compliance:
- - cis: "2.3.7.3"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
- - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
-
- - id: 9015
- title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
- description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
- rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
- remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
- compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare <= 14'
-
- - id: 9016
- title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
- description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
- rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
- remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
- compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
-
- - id: 9017
- title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
- description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
- rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
- compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> !0'
-
- - id: 9018
- title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
- description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data.
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
- compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
-
- - id: 9019
- title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
- description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols.
SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
- compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
-
- - id: 9020
- title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
- description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
- rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
- compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
-
- - id: 9021
- title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
- description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
- rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
- compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
-
- - id: 9022
- title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
- description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
- compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
-
- - id: 9023
- title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
- description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data.
If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
- compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
-
- - id: 9024
- title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
- description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
- rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
- compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
-
- - id: 9025
- title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
- description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
- rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
- compliance:
- - cis: "2.3.9.5"
- - cis_csc: "14"
- references:
- - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0'
-
- - id: 9026
- title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
- description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
- rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks.
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
- compliance:
- - cis: "2.3.10.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
-
- - id: 9027
- title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
- description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
- rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks.
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
- compliance:
- - cis: "2.3.10.3"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
-
- - id: 9028
- title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
- description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
- rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
- compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
-
- - id: 9029
- title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
- description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.
The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." - rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." - remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" - compliance: - - cis: "2.3.10.6" - - cis_csc: "14.1, 16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*' - - - id: 9030 - title: "Configure 'Network access: Remotely accessible registry paths'" - description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. 
The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
- rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion.
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
- compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
-
- - id: 9031
- title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
- description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
- rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities.
The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. 
When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
- compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
-
- - id: 9032
- title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
- description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." 
- rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
- compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
-
- - id: 9033
- title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
- description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
- rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. 
None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
- compliance:
- - cis: "2.3.10.10"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:None'
-
- - id: 9034
- title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
- description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
- rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. 
Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
- compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
-
- - id: 9035
- title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
- description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
- rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
- compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
-
- - id: 9036
- title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
- description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
- rationale: "NULL sessions are less secure because by definition they are unauthenticated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
- compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
-
- - id: 9037
- title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
- description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). 
The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
- rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
- compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
-
- - id: 9038
- title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
- description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
- rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
- compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
-
- - id: 9039
- title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
- description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
- rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
- compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
-
- - id: 9040
- title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
- description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
- rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
- compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
-
- - id: 9041
- title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
- description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." 
- rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. 
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
- compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
- - id: 9042
- title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
- description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
- rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
- compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
-
- - id: 9043
- title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
- rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
- compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
-
- - id: 9044
- title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
- rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
- compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
- references:
- - https://workbench.cisecurity.org/benchmarks/288
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
-
- - id: 9045
- title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
- description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
- rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. 
As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
- compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
-
- - id: 9046
- title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
- description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." 
- rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
- compliance:
- - cis: "2.3.15.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
-
- - id: 9047
- title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
- rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
- compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
-
- - id: 9048
- title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. 
Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
- compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
-
- - id: 9049
- title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
- description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
- rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
- compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
-
- - id: 9050
- title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
- rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
- compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$|^5$'
-
- - id: 9051
- title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
- compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1'
-
- - id: 9052
- title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
- rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. 
The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
- compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
-
- - id: 9053
- title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
- rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. 
This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
- compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
-
- - id: 9054
- title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
- rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
- compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
-
- - id: 9055
- title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
- rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
- compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
-
- - id: 9056
- title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
- rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
- compliance:
- - cis: "2.3.17.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
+ - id: 9001
+ title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
+ description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
+ rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
+ compliance:
+ - cis: "2.3.1.2"
+ - cis_csc: "16"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
+
+ - id: 9002
+ title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled"
+ description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
+ rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
+ compliance:
+ - cis: "2.3.1.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
+
+ - id: 9003
+ title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
+ description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
+ rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
+ compliance:
+ - cis: "2.3.2.1"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
+
+ - id: 9004
+ title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
+ description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. 
Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
+ rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+ default_value: "Disabled."
+ compliance:
+ - cis: "2.3.2.2"
+ - cis_csc: "6"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
+
+ - id: 9005
+ title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
+ description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
+ rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. 
The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
+ compliance:
+ - cis: "2.3.4.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
+
+ - id: 9006
+ title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
+ description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+ rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+ compliance:
+ - cis: "2.3.4.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+
+ - id: 9007
+ title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
+ compliance:
+ - cis: "2.3.6.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
+
+ - id: 9008
+ title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
+ description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
+ compliance:
+ - cis: "2.3.6.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
+
+ - id: 9009
+ title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
+ description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
+ compliance:
+ - cis: "2.3.6.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+ - id: 9010
+ title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
+ description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+ rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+ compliance:
+ - cis: "2.3.6.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+ - id: 9011
+ title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
+ description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+ rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. 
The data can be modified to hide or change the sender, or be redirected.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
+ compliance:
+ - cis: "2.3.6.6"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+ - id: 9012
+ title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
+ description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+ rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
+ compliance:
+ - cis: "2.3.7.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+ - id: 9013
+ title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
+ description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+ rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
+ compliance:
+ - cis: "2.3.7.2"
+ - cis_csc: "8"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+ - id: 9014
+ title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
+ description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+ rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
+ compliance:
+ - cis: "2.3.7.3"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
+ - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
+
+ - id: 9015
+ title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
+ description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+ rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
+ compliance:
+ - cis: "2.3.7.7"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare <= 14'
+
+ - id: 9016
+ title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
+ description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
+ rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer." 
+ remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
+ compliance:
+ - cis: "2.3.7.8"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
+
+ - id: 9017
+ title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
+ description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+ rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
+ compliance:
+ - cis: "2.3.7.9"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> !0'
+
+ - id: 9018
+ title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. 
SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
+ compliance:
+ - cis: "2.3.8.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+ - id: 9019
+ title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
+ description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. 
SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
+ compliance:
+ - cis: "2.3.8.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+ - id: 9020
+ title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
+ description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+ rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+ compliance:
+ - cis: "2.3.8.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+ - id: 9021
+ title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
+ description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+ rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+ compliance:
+ - cis: "2.3.9.1"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+ - id: 9022
+ title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
+ compliance:
+ - cis: "2.3.9.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+ - id: 9023
+ title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
+ description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. 
If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
+ compliance:
+ - cis: "2.3.9.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+ - id: 9024
+ title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
+ description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+ rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
+ compliance:
+ - cis: "2.3.9.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
+
+ - id: 9025
+ title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
+ description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers." 
+ rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
+ compliance:
+ - cis: "2.3.9.5"
+ - cis_csc: "14"
+ references:
+ - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0'
+
+ - id: 9026
+ title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
+ description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+ rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
+ compliance:
+ - cis: "2.3.10.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+ - id: 9027
+ title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
+ description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+ rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
+ compliance:
+ - cis: "2.3.10.3"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+ - id: 9028
+ title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
+ description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+ rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+ compliance:
+ - cis: "2.3.10.5"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+ - id: 9029
+ title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
+ description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. 
The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." + rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." + remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" + compliance: + - cis: "2.3.10.6" + - cis_csc: "14.1, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*' + + - id: 9030 + title: "Configure 'Network access: Remotely accessible registry paths'" + description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. 
The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
+ rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
+ compliance:
+ - cis: "2.3.10.7"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+
+ - id: 9031
+ title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
+ description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
+ rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. 
The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. 
When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" + compliance: + - cis: "2.3.10.8" + - cis_csc: "14, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' + + - id: 9032 + title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." 
+ rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" + compliance: + - cis: "2.3.10.9" + - cis_csc: "14, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' + + - id: 9033 + title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." + rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data." + remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. 
None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" + compliance: + - cis: "2.3.10.10" + - cis_csc: "14, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:None' + + - id: 9034 + title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." + rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. 
Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." + remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" + compliance: + - cis: "2.3.10.11" + - cis_csc: "14, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' + + - id: 9035 + title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." + rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" + compliance: + - cis: "2.3.11.1" + - cis_csc: "14, 16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' + + - id: 9036 + title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled." + rationale: "NULL sessions are less secure because by definition they are unauthenticated." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback" + compliance: + - cis: "2.3.11.2" + - cis_csc: "14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' + + - id: 9037 + title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). 
The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled." + rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities" + compliance: + - cis: "2.3.11.3" + - cis_csc: "16.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' + + - id: 9038 + title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting." + rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos" + compliance: + - cis: "2.3.11.4" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' + + - id: 9039 + title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." + rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change" + compliance: + - cis: "2.3.11.5" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' + + - id: 9040 + title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." + rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire" + compliance: + - cis: "2.3.11.6" + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' + + - id: 9041 + title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." 
+ rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." + remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. 
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level" + compliance: + - cis: "2.3.11.7" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' + - id: 9042 + title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" + description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." + rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements" + compliance: + - cis: "2.3.11.8" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1' + + - id: 9043 + title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." + rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + compliance: + - cis: "2.3.11.9" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' + + - id: 9044 + title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." + rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + compliance: + - cis: "2.3.11.10" + - cis_csc: "13" + references: + - https://workbench.cisecurity.org/benchmarks/288 + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' + + - id: 9045 + title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server." + rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. 
As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on" + compliance: + - cis: "2.3.13.1" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0' + + - id: 9046 + title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." 
+ rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
+ compliance:
+ - cis: "2.3.15.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+ - id: 9047
+ title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+ compliance:
+ - cis: "2.3.15.2"
+ - cis_csc: "14.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+ - id: 9048
+ title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. 
Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+ compliance:
+ - cis: "2.3.17.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
+
+ - id: 9049
+ title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
+ description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
+ rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
+ compliance:
+ - cis: "2.3.17.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
+
+ - id: 9050
+ title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
+ description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+ rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ compliance:
+ - cis: "2.3.17.3"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$|^5$'
+
+ - id: 9051
+ title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
+ description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
+ compliance:
+ - cis: "2.3.17.4"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1'
+
+ - id: 9052
+ title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+ rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. 
The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+ compliance:
+ - cis: "2.3.17.5"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
+
+ - id: 9053
+ title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
+ description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+ rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. 
This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+ compliance:
+ - cis: "2.3.17.6"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
+
+ - id: 9054
+ title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
+ description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+ rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+ compliance:
+ - cis: "2.3.17.7"
+ - cis_csc: "5.1"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
+
+ - id: 9055
+ title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
+ description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+ rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+ compliance:
+ - cis: "2.3.17.8"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
+
+ - id: 9056
+ title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
+ description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+ rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations" + compliance: + - cis: "2.3.17.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' # Section 9.1 - Domain Profile - - id: 9057 - title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'" - description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." - rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
- compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
-
- - id: 9058
- title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
- compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
-
- - id: 9059
- title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
- compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
-
- - id: 9060
- title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.1.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
-
- - id: 9061
- title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
-
- - id: 9062
- title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 9063
- title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 9064
- title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 9057
+ title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+ compliance:
+ - cis: "9.1.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
+
+ - id: 9058
+ title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+ compliance:
+ - cis: "9.1.2"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
+
+ - id: 9059
+ title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+ compliance:
+ - cis: "9.1.3"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
+
+ - id: 9060
+ title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.1.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
+
+ - id: 9061
+ title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.1.5"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
+
+ - id: 9062
+ title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.1.6"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 9063
+ title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.1.7"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 9064
+ title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
+ compliance:
+ - cis: "9.1.8"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 9.2 - Private Profile
- - id: 9065
- title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
- rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
- compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
-
- - id: 9066
- title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
- compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
-
- - id: 9067
- title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
- compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
-
- - id: 9068
- title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. 
The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.2.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
-
- - id: 9069
- title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
-
- - id: 9070
- title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 9071
- title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 9072
- title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 9065
+ title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ compliance:
+ - cis: "9.2.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+ - id: 9066
+ title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+ compliance:
+ - cis: "9.2.2"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
+
+ - id: 9067
+ title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. 
The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+ compliance:
+ - cis: "9.2.3"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
+
+ - id: 9068
+ title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. 
The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.2.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
+
+ - id: 9069
+ title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.2.5"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
+
+ - id: 9070
+ title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.2.6"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 9071
+ title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.2.7"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 9072
+ title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
+ compliance:
+ - cis: "9.2.8"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
 # Sectin 9.3 - Public Profile
- - id: 9073
- title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
- rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
- compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
-
- - id: 9074
- title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
- rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
- compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
-
- - id: 9075
- title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). 
Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
- rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
- compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
-
- - id: 9076
- title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
- rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
- compliance:
- - cis: "9.3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
-
- - id: 9077
- title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
- compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1'
-
- - id: 9078
- title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
- rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
- compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
-
- - id: 9079
- title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
- compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
-
- - id: 9080
- title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
- compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
-
- - id: 9081
- title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
- compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
-
- - id: 9082
- title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
- compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
+ - id: 9073
+ title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+ compliance:
+ - cis: "9.3.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+ - id: 9074
+ title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
+ rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
+ compliance:
+ - cis: "9.3.2"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
+
+ - id: 9075
+ title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). 
Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
+ compliance:
+ - cis: "9.3.3"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
+
+ - id: 9076
+ title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+ rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
+ compliance:
+ - cis: "9.3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
+
+ - id: 9077
+ title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+ description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
+ compliance:
+ - cis: "9.3.5"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1'
+
+ - id: 9078
+ title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+ description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+ rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
+ compliance:
+ - cis: "9.3.6"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
+
+ - id: 9079
+ title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+ compliance:
+ - cis: "9.3.7"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
+
+ - id: 9080
+ title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
+ compliance:
+ - cis: "9.3.8"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
+
+ - id: 9081
+ title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
+ compliance:
+ - cis: "9.3.9"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
+
+ - id: 9082
+ title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
+ compliance:
+ - cis: "9.3.10"
+ - cis_csc: "6.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 18.1 - Control Panel
- - id: 9083
- title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
- description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
- rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). 
" - compliance: - - cis: "18.1.1.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1' - - - id: 9084 - title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" - description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." - rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." - compliance: - - cis: "18.1.1.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1' + - id: 9083 + title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" + description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled." + rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
+ compliance:
+ - cis: "18.1.1.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
+
+ - id: 9084
+ title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
+ description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
+ rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.1.1.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 # Section 18.2 - LAPS
- - id: 9085
- title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
- description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
- rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
- remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
- compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
-
- - id: 9086
- title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
- description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. 
Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
- rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
- compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
-
- - id: 9087
- title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
- description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
- rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
- compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
-
- - id: 9088
- title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
- description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. 
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
- rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
- compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
-
- - id: 9089
- title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
- description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
- rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." - compliance: - - cis: "18.2.5" - - cis_csc: "5.7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15' - - - id: 9090 - title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. 
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." - rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." 
- compliance: - - cis: "18.2.6" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30' + - id: 9085 + title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll" + compliance: + - cis: "18.2.1" + - cis_csc: "16.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName' + + - id: 9086 + title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. 
Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." 
+ compliance: + - cis: "18.2.2" + - cis_csc: "16.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1' + + - id: 9087 + title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
+ rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." + compliance: + - cis: "18.2.3" + - cis_csc: "16.9" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1' + + - id: 9088 + title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. 
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." 
+ compliance: + - cis: "18.2.4" + - cis_csc: "5.7" + condition: any + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4' + + - id: 9089 + title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
+ rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." + compliance: + - cis: "18.2.5" + - cis_csc: "5.7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15' + + - id: 9090 + title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. 
Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." 
+ compliance: + - cis: "18.2.6" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30' # Section 18.3 - MS Security Guide - - id: 9091 - title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" - description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled." - rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." - compliance: - - cis: "18.3.1" - - cis_csc: "5.8" - references: - - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows - - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ - condition: aLL - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1' - - - id: 9092 - title: "Ensure 'WDigest Authentication' is set to 'Disabled'" - description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." - rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." - compliance: - - cis: "18.3.5" - - cis_csc: "16.14" - references: - - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a - - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0' + - id: 9091 + title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" + description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. 
For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled." + rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." + compliance: + - cis: "18.3.1" + - cis_csc: "5.8" + references: + - https://www.microsoft.com/en-us/download/details.aspx?id=36036 + - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows + - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ + condition: aLL + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1' + + - id: 9092 + title: "Ensure 'WDigest Authentication' is set to 'Disabled'" + description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." 
+ rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." + compliance: + - cis: "18.3.5" + - cis_csc: "16.14" + references: + - https://www.microsoft.com/en-us/download/details.aspx?id=36036 + - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a + - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ + condition: any + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0' # Section 18.4 - MSS (Legacy) - - id: 9093 - title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" - description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." 
- rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
- references:
- - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
-
- - id: 9094
- title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
- rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
-
- - id: 9095
- title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
- rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
-
- - id: 9096
- title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
- description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
- rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
-
- - id: 9097
- title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
- description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
- rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
-
- - id: 9098
- title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
- description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
- rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
-
- - id: 9099
- title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
- description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
- rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
-
- - id: 9100
- title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
- description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
- rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
- compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
- references:
- - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+ - id: 9093
+ title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
+ description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
+ rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.1"
+ - cis_csc: "16"
+ references:
+ - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+ - id: 9094
+ title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+ description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+ rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.2"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+ - id: 9095
+ title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+ description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+ rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.3"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+ - id: 9096
+ title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
+ description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
+ rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.4"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
+
+ - id: 9097
+ title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
+ description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
+ rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.6"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
+
+ - id: 9098
+ title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+ description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+ rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.8"
+ - cis_csc: "8"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+ - id: 9099
+ title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
+ description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+ rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.9"
+ - cis_csc: "16.5"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+ - id: 9100
+ title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
+ description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+ rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.12"
+ - cis_csc: "6.3"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
 # Section 18.5 - Network
- - id: 9101
- title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
- description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled"
- rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1'
-
- - id: 9102
- title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
- description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
- rationale: "Allowing regular users to set a network location increases the risk and attack surface."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance: - - cis: "18.5.11.3" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' - - - id: 9103 - title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" - description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." - rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.5.21.1" - - cis_csc: "12" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1' + - id: 9101 + title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. 
The recommended state for this setting is: Enabled"
+ rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.5.11.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1'
+
+ - id: 9102
+ title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
+ description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
+ rationale: "Allowing regular users to set a network location increases the risk and attack surface."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.5.11.3"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
+
+ - id: 9103
+ title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
+ description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
+ rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.5.21.1"
+ - cis_csc: "12"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 # Section 18.8 - System
- - id: 9104
- title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
- description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. "
- rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
-
- - id: 9105
- title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
- description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
- rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
-
- - id: 9106
- title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
- description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
- rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
-
- - id: 9107
- title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
- description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
- rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
-
- - id: 9108
- title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
- description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
- rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
-
- - id: 9109
- title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
- description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
- rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
-
- - id: 9110
- title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
- description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
- rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
-
- - id: 9111
- title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
- description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
- rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
-
- - id: 9112
- title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
- description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
- rationale: "App notifications might display sensitive business or personal data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
-
- - id: 9113
- title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
- description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
- rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
- compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
-
- - id: 9114
- title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
- description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
- rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
-
- - id: 9115
- title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
- description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. 
The recommended state for this setting is: Disabled."
- rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
-
- - id: 9116
- title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
- description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. 
The recommended state for this setting is: Enabled."
- rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.36.1"
- - cis_csc: "9.1"
- references:
- - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
+ - id: 9104
+ title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
+ description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. "
+ rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.3.1"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
+
+ - id: 9105
+ title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+ description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+ rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.14.1"
+ - cis_csc: "8"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
+
+ - id: 9106
+ title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+ description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
+ rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.21.2"
+ - cis_csc: "3.7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+ - id: 9107
+ title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
+ description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
+ rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.21.3"
+ - cis_csc: "3.7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
+
+ - id: 9108
+ title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+ description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
+ rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.21.4"
+ - cis_csc: "3.7"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
+
+ - id: 9109
+ title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
+ description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
+ rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.27.1"
+ - cis_csc: "5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
+
+ - id: 9110
+ title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
+ description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
+ rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.27.2"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
+
+ - id: 9111
+ title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
+ description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
+ rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.27.3"
+ - cis_csc: "16.9"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
+
+ - id: 9112
+ title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
+ description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
+ rationale: "App notifications might display sensitive business or personal data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.27.4"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
+
+ - id: 9113
+ title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
+ description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
+ rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
+ compliance:
+ - cis: "18.8.27.6"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
+
+ - id: 9114
+ title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
+ description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
+ rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.35.1"
+ - cis_csc: "9.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
+
+ - id: 9115
+ title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
+ description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
The recommended state for this setting is: Disabled."
+ rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.35.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
+
+ - id: 9116
+ title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
+ description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted.
The recommended state for this setting is: Enabled."
+ rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.36.1"
+ - cis_csc: "9.1"
+ references:
+ - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
 # Section 18.9 - Windows Components
- - id: 9117
- title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
- description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
- rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
-
- - id: 9118
- title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
- description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
- rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
-
- - id: 9119
- title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
- description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
- rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
-
- - id: 9120
- title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
- description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
- rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff'
-
- - id: 9121
- title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
- description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
- rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
-
- - id: 9122
- title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
- description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
- rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
-
- - id: 9123
- title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
-
- - id: 9124
- title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
-
- - id: 9125
- title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
-
- - id: 9126
- title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
-
- - id: 9127
- title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
-
- - id: 9128
- title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
-
- - id: 9129
- title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
- description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
- rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
-
- - id: 9130
- title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
- description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
-
- - id: 9131
- title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
- description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
- rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
- condition: any
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
-
- - id: 9132
- title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
- description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders.
Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
- rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
-
- - id: 9133
- title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
- description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
- rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
-
- - id: 9134
- title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
- description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
- rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). 
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
- compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
-
- - id: 9135
- title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
- description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
- rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. 
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
- compliance:
- - cis: "18.9.52.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
-
- - id: 9136
- title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
- description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
- rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
-
- - id: 9137
- title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
- description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
- rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
-
- - id: 9138
- title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
- description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
- rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
-
- - id: 9139
- title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
- description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
- rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
-
- - id: 9140
- title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
- description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
- rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
-
- - id: 9141
- title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
- description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
- rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
-
- - id: 9142
- title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
- description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
- rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
-
- - id: 9143
- title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
- description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
- rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
- compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
-
- - id: 9144
- title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
- description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. 
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
- rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
-
- - id: 9145
- title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
- description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
- rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
- compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
-
- - id: 9146
- title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
- description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
- rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
-
- - id: 9147
- title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
- description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
- rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
-
- - id: 9148
- title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
- description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. 
The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
- rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
- compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
-
- - id: 9149
- title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
- description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
- rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
-
- - id: 9150
- title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
- description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
- rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
-
- - id: 9151
- title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
- description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. 
Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
- rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
-
- - id: 9152
- title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
- description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." 
- rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
-
- - id: 9153
- title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
- rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
- compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
-
- - id: 9154
- title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
- rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
-
- - id: 9155
- title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." 
- rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
-
- - id: 9156
- title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
- rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
-
- - id: 9157
- title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
- rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
-
- - id: 9158
- title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
- rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
-
- - id: 9159
- title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. 
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
- rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
-
- - id: 9160
- title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
- description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
- rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. 
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
-
- - id: 9161
- title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
- description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
- rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
- compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
+ - id: 9117
+ title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
+ description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.6.1"
+ - cis_csc: "16.9"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
+
+ - id: 9118
+ title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
+ description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
+ rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.8.1"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
+
+ - id: 9119
+ title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
+ description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
+ rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.8.2"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
+
+ - id: 9120
+ title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
+ description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+ rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.8.3"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff'
+
+ - id: 9121
+ title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
+ description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
+ rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.15.1"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
+
+ - id: 9122
+ title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
+ description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
+ rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.15.2"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
+
+ - id: 9123
+ title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.1.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
+
+ - id: 9124
+ title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.1.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 9125
+ title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.2.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
+
+ - id: 9126
+ title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.2.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
+
+ - id: 9127
+ title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.3.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
+
+ - id: 9128
+ title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.3.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 9129
+ title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
+ description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
+ rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.4.1"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
+
+ - id: 9130
+ title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
+ description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.26.4.2"
+ - cis_csc: "6.3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
+
+ - id: 9131
+ title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
+ description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
+ rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.30.2"
+ - cis_csc: "8.4"
+ condition: any
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
+
+ - id: 9132
+ title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
+ description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders.
Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+ rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.30.3"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
+
+ - id: 9133
+ title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
+ description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
+ rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.30.4"
+ - cis_csc: "8.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
+
+ - id: 9134
+ title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
+ description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
+ compliance:
+ - cis: "18.9.52.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+
+ - id: 9135
+ title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
+ description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
+ rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one.
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
+ compliance:
+ - cis: "18.9.52.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
+
+ - id: 9136
+ title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
+ description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+ rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.2.2"
+ - cis_csc: "16.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
+
+ - id: 9137
+ title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
+ description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+ rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.3.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
+
+ - id: 9138
+ title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
+ description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+ rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.9.1"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
+
+ - id: 9139
+ title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
+ description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
+ rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.9.2"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
+
+ - id: 9140
+ title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
+ description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+ rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.9.3"
+ - cis_csc: "3.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
+
+ - id: 9141
+ title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
+ description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
+ rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.11.1"
+ - cis_csc: "14.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
+
+ - id: 9142
+ title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
+ description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
+ rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.58.3.11.2"
+ - cis_csc: "14.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
+
+ - id: 9143
+ title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
+ description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
+ rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.59.1"
+ - cis_csc: "7.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
+
+ - id: 9144
+ title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
+ description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely.
Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
+ rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.60.2"
+ - cis_csc: "13.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
+
+ - id: 9145
+ title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
+ description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
+ rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
+ compliance:
+ - cis: "18.9.80.1.1"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
+
+ - id: 9146
+ title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
+ description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
+ rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.81.2.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
+
+ - id: 9147
+ title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
+ description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
+ rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.81.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
+
+ - id: 9148
+ title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
+ description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators.
The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
+ rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ compliance:
+ - cis: "18.9.85.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
+
+ - id: 9149
+ title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+ description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
+ rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.9.85.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
+
+ - id: 9150
+ title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
+ description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
+ rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.86.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
+
+ - id: 9151
+ title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
+ description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled.
Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
+ rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.9.95.1"
+ - cis_csc: "16.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
+
+ - id: 9152
+ title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
+ description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
+ rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." + compliance: + - cis: "18.9.95.2" + - cis_csc: "16.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' + + - id: 9153 + title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." + rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.97.1.1" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' + + - id: 9154 + title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.97.1.2" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' + + - id: 9155 + title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." 
+ rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.97.1.3" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' + + - id: 9156 + title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." + rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.97.2.1" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' + + - id: 9157 + title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.97.2.3" + - cis_csc: "16.13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' + + - id: 9158 + title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." + rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
+ compliance: + - cis: "18.9.97.2.4" + - cis_csc: "16.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' + + - id: 9159 + title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" + description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. 
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." + rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.101.2" + - cis_csc: "4.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' + + - id: 9160 + title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." + rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. 
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." + remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.101.3" + - cis_csc: "4.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' + + - id: 9161 + title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." + rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." + compliance: + - cis: "18.9.101.4" + - cis_csc: "4.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0' diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml index 27889ff4f..513aac072 100644 --- a/sca/windows/cis_win2012r2_memberL2_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml @@ -22,7 +22,7 @@ requirements: description: "Requirements for running the CIS benchmark Member Server L2 under Windows Server 2012 R2" condition: "any required" rules: - - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' + - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' checks: # Section 2.3.7 - Interactive logon 
@@ -189,8 +189,8 @@ checks: - id: 9511 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards." - rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards" + rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards" compliance: - cis: "18.5.20.2" - cis_csc: "15.4" @@ -231,7 +231,7 @@ checks: title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" description: "Turns off the handwriting recognition error reporting tool." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting" compliance: - cis: "18.8.22.1.3" - cis_csc: "13" 
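Review bot: The re-added `remediation` line of check 9511 still contains `Templates\Network\Network\\Windows`, and inside a YAML double-quoted scalar `\N` is the escape for U+0085 (NEL), so the loaded string becomes `Templates<NEL>etwork<NEL>etwork\Windows` rather than the Group Policy path; every other path segment in the file uses `\\`. Since this hunk rewrites the line anyway, fix the escaping here: `Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards`. The issue predates the commit but is carried onto the new side.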
@@ -309,7 +309,7 @@ checks: title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program" compliance: - cis: "18.8.22.1.11" - cis_csc: "13" @@ -410,7 +410,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID" compliance: - cis: "18.8.46.1" - - cis_csc: "13" + - cis_csc: "13" condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml index 5829dd6d9..ce686b330 100644 --- a/sca/windows/win_audit_rcl.yml +++ b/sca/windows/win_audit_rcl.yml 
@@ -19,105 +19,122 @@ requirements: description: "Requirements for running the audit policy under a Windows platform" condition: "any required" rules: - - 'r:HKEY_LOCAL_MACHINE\SAM\SAM' + - 'r:HKEY_LOCAL_MACHINE\SAM\SAM' checks: - - id: 2500 - title: "Ensure Registry tools set is enabled" - compliance: - - pci_dss: "10.6.1" - condition: all - rules: - - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools' - - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0' - - id: 2501 - title: "Ensure DCOM is enabled" - description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network." - compliance: - - pci_dss: "10.6.1" - references: - - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y' - - id: 2502 - title: "LM authentication allowed (disable weak passwords)" - compliance: - - pci_dss: "10.6.1, 11.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel' - - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^0$|^1$' + - id: 2500 + title: "Ensure Registry tools set is enabled" + compliance: + - pci_dss: "10.6.1" + - hipaa: "164.312.b" + - nist_800_53: "AU.6" + condition: all + rules: + - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools' + - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0' + - id: 2501 + title: "Ensure DCOM is enabled" + description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network." 
+ compliance: + - pci_dss: "10.6.1" + - hipaa: "164.312.b" + - nist_800_53: "AU.6" + references: + - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y' + - id: 2502 + title: "LM authentication allowed (disable weak passwords)" + compliance: + - pci_dss: "10.6.1, 11.4" + - hipaa: "164.312.b" + - nist_800_53: "AU.6, IA.10" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel' + - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^0$|^1$' # Disabled by some Malwares (sometimes by McAfee and Symantec # security center too). - - id: 2503 - title: "Ensure Firewall/Anti Virus notifications are enabled" - compliance: - - pci_dss: "10.6.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0' + - id: 2503 + title: "Ensure Firewall/Anti Virus notifications are enabled" + compliance: + - pci_dss: "10.6.1" + - hipaa: "164.312.b" + - nist_800_53: "AU.6" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify' + - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0' # Checking for the microsoft firewall. - - id: 2504 - title: "Ensure Microsoft Firewall is disabled" - compliance: - - pci_dss: "10.6.1, 1.4" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall' - - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall' - - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0' - - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0' - - id: 2505 - title: "Ensure Null sessions are disallowed" - compliance: - - pci_dss: "11.4" - condition: all - rules: - - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous' - - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' - - id: 2506 - title: "Ensure Error reporting is enabled" - compliance: - - pci_dss: "10.6.1" - references: - - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps' - - 
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 1' - - id: 2507 - title: "Ensure Automatic Logon is disabled" - compliance: - - pci_dss: "10.6.1" - condition: any - rules: - - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword' - - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' - - id: 2508 - title: "Ensure Winpcap packet filter driver is not present" - compliance: - - pci_dss: "10.6.1" - condition: none - rules: - - 'f:%WINDIR%\System32\drivers\npf.sys' - - 'f:%WINDIR%\Sysnative\drivers\npf.sys' + - id: 2504 + title: "Ensure Microsoft Firewall is disabled" + compliance: + - pci_dss: "10.6.1, 1.4" + - hipaa: "164.312.b, 164.312.a.1" + - nist_800_53: "AU.6, SC.7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall' + - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall' + - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0' + - 
'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0' + - id: 2505 + title: "Ensure Null sessions are disallowed" + compliance: + - pci_dss: "11.4" + - nist_800_53: "IA.10" + condition: all + rules: + - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous' + - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' + - id: 2506 + title: "Ensure Error reporting is enabled" + compliance: + - pci_dss: "10.6.1" + - hipaa: "164.312.b" + - nist_800_53: "AU.6" + references: + - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 1' + - id: 2507 + title: "Ensure Automatic Logon is disabled" + compliance: + - pci_dss: "10.6.1" + - hipaa: "164.312.b" + - nist_800_53: "AU.6" + condition: any + rules: + - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
DefaultPassword' + - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' + - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' + - id: 2508 + title: "Ensure Winpcap packet filter driver is not present" + compliance: + - pci_dss: "10.6.1" + - hipaa: "164.312.b" + - nist_800_53: "AU.6" + condition: none + rules: + - 'f:%WINDIR%\System32\drivers\npf.sys' + - 'f:%WINDIR%\Sysnative\drivers\npf.sys' From 437f9da9a0b4a39df4aaf0a8609dfa8c222db596 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Thu, 6 Jun 2019 10:36:58 -0700 Subject: [PATCH 060/247] Reviewed RHEL7 policy until section 3 --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 409 +++++++++++++---------------- 1 file changed, 189 insertions(+), 220 deletions(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 87e40227d..ef61fefa8 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -47,8 +47,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' + - 'c:mount -> r:\s/tmp\s' # 1.1.3 /tmp: nodev - id: 6501 @@ -59,10 +58,10 @@ checks: compliance: - cis: "1.1.3" - pci_dss: "2.2.4" - condition: all + condition: any rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:nodev' # 1.1.4 /tmp: nosuid - id: 6502 @@ -75,7 +74,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:nosuid' # 1.1.5 /tmp: noexec - id: 6503 @@ -89,7 +89,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:noexec' # 1.1.6 Build considerations - Partition scheme. - id: 6504 
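Review bot: Check 2507 ("Ensure Automatic Logon is disabled") keeps `condition: any` together with the bare existence rule `'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'`, so the check passes whenever the value exists, including when it is set to 1 with autologon active; the value-agnostic rule makes the `-> 0` rule redundant under `any`. Drop the existence-only rule and keep `'not r:... -> DefaultPassword'` and `'r:... -> AutoAdminLogon -> 0'`. Separately, 2504 treats `enablefirewall -> 0` as the passing state, i.e. a disabled Windows Firewall is reported as compliant, which reads inverted for an audit policy and is worth confirming against the intended rootcheck-to-SCA semantics. Both are pre-existing logic that this hunk re-indents onto the new side rather than something the compliance-tag additions introduce.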
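Review bot: In the hunk for 6502 (`@@ -75,7 +74,8 @@`) `condition: all` is kept while the new rule pair is `'not c:mount -> r:\s/tmp\s'` and `'c:mount -> r:\s/tmp\s && r:nosuid'`; the first passes only when /tmp is not a mount point and the second only when it is, so under `all` the check can never pass on any host. The sibling hunk for 6501 (`@@ -59,10 +58,10 @@`) switches to `condition: any` for exactly this pair, which is the intended "not applicable or compliant" shape; apply the same change here: `condition: any`. The same contradiction is in `@@ -89,7 +89,8 @@` (6503, noexec) and in `@@ -226,7 +187,8 @@` and `@@ -239,7 +201,8 @@` (6513 and 6514 for /dev/shm), where `condition: all` is context and the added rules are the same mutually exclusive pair.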
@@ -103,8 +104,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'd:/var' - - 'f:/etc/fstab -> !r^# && r:/var' + - 'c:mount -> r:\s/var\s' # 1.1.7 bind mount /var/tmp to /tmp - id: 6505 @@ -116,7 +116,7 @@ checks: - cis: "1.1.7" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind' + - 'c:mount -> r:\s/var/tmp\s' # 1.1.11 /var/log: partition - id: 6506 @@ -131,7 +131,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log' + - 'c:mount -> r:\s/var/log\s' # 1.1.12 /var/log/audit: partition - id: 6507 @@ -146,7 +146,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + - 'c:mount -> r:\s/var/log/audit\s' # 1.1.13 /home: partition - id: 6508 @@ -160,7 +160,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/home' + - 'c:mount -> r:\s/home\s' # 1.1.14 /home: nodev - id: 6509 
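Review bot: In `@@ -116,7 +116,7 @@` (6505, "1.1.7 bind mount /var/tmp to /tmp") the new rule `'c:mount -> r:\s/var/tmp\s'` passes for any filesystem mounted at /var/tmp and no longer verifies the bind relationship to /tmp that the removed `&& r:bind` fstab rule expressed; a separate /var/tmp partition, or a plain tmpfs, now satisfies the check. The mount table alone may not reveal a bind mount reliably (newer mount output lists the backing device rather than /tmp as the source), so consider keeping `'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'` as an additional rule, or, if a dedicated /var/tmp filesystem is also acceptable, state that in the comment and rationale so the relaxed rule is deliberate.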
@@ -171,49 +171,10 @@ checks: compliance: - cis: "1.1.14" - pci_dss: "2.2.4" - condition: all + condition: any rules: - - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' - -# 1.1.18 nodev on removable media partitions (not scored) - - id: 6510 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' - -# 1.1.19 nosuid on removable media partitions (not scored) - - id: 6511 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." 
- compliance: - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' - -# 1.1.20 noexec on removable media partitions (not scored) - - id: 6512 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom." - compliance: - - cis: "1.1.20" - - cis_csc: "8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + - 'not c:mount -> r:\s/home\s' + - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.15 /dev/shm: nodev - id: 6513 @@ -226,7 +187,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid - id: 6514 @@ -239,7 +201,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec - id: 6515 
@@ -253,26 +216,12 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:noexec' ############################################### # 1.6 Configure SELinux ############################################### -# 1.6.1.1 enable selinux in /etc/grub.conf - - id: 6516 - title: "Ensure SELinux is not disabled in bootloader configuration" - description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters." - rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden." - remediation: "Edit /etc/default/grub and remove all instances of selinux=0 and enforcing=0 from all CMDLINE_LINUX parameters: GRUB_CMDLINE_LINUX_DEFAULT='quiet'; GRUB_CMDLINE_LINUX=''" - compliance: - - cis: "1.6.1.1" - - cis_csc: "14.4" - - pci_dss: "2.2.4" - condition: none - rules: - - 'f:/etc/grub.conf -> r:selinux=0' - - 'f:/etc/grub2.cfg -> r:selinux=0' - # 1.6.1.2 Set selinux state - id: 6517 title: "Ensure the SELinux state is enforcing" @@ -285,7 +234,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/selinux/config -> r:SELINUX=enforcing' + - 'c:sestatus -> r:^SELinux status:\s+enabled$' + - 'c:sestatus -> r:^Current mode:\s+enforcing$' + - 'c:sestatus -> r:^Mode from config file:\s+enforcing$' + - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing' # 1.6.1.3 Set selinux policy - id: 6518 @@ -298,7 +250,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted' + - 'c:sestatus -> r:^Loaded policy name:\s+targeted$' + - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls' # 1.6.1.4 Remove SETroubleshoot - id: 6519 
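Review bot: In the 1.6.1.3 hunk (`@@ -298,7 +250,8`) the config-file rule is widened to accept `SELINUXTYPE=targeted` or `SELINUXTYPE=mls`, but the accompanying `c:sestatus -> r:^Loaded policy name:\s+targeted$` rule, evaluated under `condition: all`, fails any host that actually runs the mls policy the first rule was widened to allow. Either drop the `mls` alternative from the file rule or widen the runtime rule to match, e.g. `r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$`, so the two rules agree on what is compliant.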
@@ -309,10 +262,9 @@ checks: compliance: - cis: "1.6.1.4" - pci_dss: "2.2.4" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$' - - 'f:/usr/share/dbus-1/services/sealert.service -> r:Exec=/usr/bin/sealert' + - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$' # 1.6.1.5 Disable MCS Translation service mcstrans - id: 6520 @@ -323,10 +275,9 @@ checks: compliance: - cis: "1.6.1.5" - pci_dss: "2.2.4" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dmctrans$' - - 'f:/usr/lib/systemd/system/mcstransd.service -> r:ExecStart=/usr/sbin/mcstransd' + - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$' ############################################### # 1.4 Secure Boot Settings @@ -334,7 +285,7 @@ checks: # 1.4.2 Set Boot Loader Password (Scored) - id: 6521 title: "Ensure bootloader password is set" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" + description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword" compliance: @@ -343,7 +294,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + - 'f:/boot/grub2/grub.cfg -> !r:^# && r:^\s*GRUB2_PASSWORD\.$' ############################################### # 1.5 Additional Process Hardening 
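Review bot: The new 1.4.2 rule `f:/boot/grub2/grub.cfg -> !r:^# && r:^\s*GRUB2_PASSWORD\.$` (hunk `@@ -343,7 +294,7`) is unlikely to ever match: in OSSEC/Wazuh regex syntax `\.` is a single any-character wildcard (this policy itself uses `\.+` for "one or more characters", e.g. `hard\.+core\.+0`), so `\.$` requires exactly one character after the variable name. In addition, `grub2-setpassword`, which the check's own remediation cites, writes the hash to `/boot/grub2/user.cfg` on RHEL 7 rather than to `grub.cfg`, which only references `${GRUB2_PASSWORD}` — please confirm against a remediated host. A rule such as `'f:/boot/grub2/user.cfg -> !r:^# && r:^\s*GRUB2_PASSWORD=\.+'` would match the line that tool writes. As written, check 6521 fails on a compliant system, which trains operators to ignore it.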
@@ -357,9 +308,13 @@ checks: compliance: - cis: "1.5.1" - cis_csc: "13" - condition: all + condition: any rules: - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + - 'd:/etc/security/limits.d -> r:^\.+ -> !r:^# && r:hard\.+core\.+0' + - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$' + - 'f:/etc/sysctl.conf -> !r:^# && r:^\s*fs.suid_dumpable\s*=\s*0\s*$' + - 'd:/etc/sysctl.d -> r:^\.+ -> !r:^# && r:^\s*fs.suid_dumpable\s*=\s*0\s*$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 6523 @@ -372,7 +327,7 @@ checks: - cis_csc: "8.4" condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2' ############################################### # 2 OS Services 
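Review bot: Switching the CIS 1.5.1 core-dump check from `condition: all` to `condition: any` (hunk `@@ -357,9 +308,13`) weakens it: a host now passes if any one of the five rules matches, so a `hard core 0` limit alone satisfies the check while `fs.suid_dumpable` may still be 1, and vice versa. CIS 1.5.1 requires both the limits setting and `fs.suid_dumpable = 0`. If `any` was chosen because the limits setting may live in either `limits.conf` or `limits.d/`, consider splitting this into two checks — one `any` over the limits locations, one `all` for the `c:sysctl fs.suid_dumpable` rule — so each requirement is enforced on its own. The check's id and title lines precede the hunk and are not shown here.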
@@ -380,25 +335,24 @@ checks: ############################################### # 2.2 Remove Legacy Services ############################################### -# 2.2.19 Remove telnet-server (Scored) - - id: 6524 - title: "Ensure telnet server is disabled" - description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." - remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket" +# 2.2.16 Remove NIS Server (Scored) + - id: 6527 + title: "Ensure NIS Server is not enabled" + description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). 
It is recommended that the service be disabled and other, more secure services be used" + remediation: "Run the following command to disable ypserv: # systemctl disable ypserv" compliance: - - cis: "2.2.19" + - cis: "2.2.16" - cis_csc: "9.1" - pci_dss: "2.2.3" - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd' + - 'c:systemctl is-enabled ypserv -> r:^enabled' # 2.2.17 Remove rsh-server (Scored) - id: 6525 - title: "Ensure rsh server is disabled" + title: "Ensure rsh server is not enabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket " 
@@ -409,48 +363,43 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart' - - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart' - - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart' + - 'c:systemctl is-enabled rsh.socket -> r:^enabled' + - 'c:systemctl is-enabled rlogin.socket -> r:^enabled' + - 'c:systemctl is-enabled rexec.socket -> r:^enabled' -# 2.3.1 Remove NIS Client (Scored) - - id: 6526 - title: "Ensure NIS Client is not installed" - description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." - remediation: "Run the following command to uninstall ypbind: # yum remove ypbind" +# 2.2.18 Remove talk server (Scored) + - id: 6525 + title: "Ensure talk server is not enabled" + description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." + rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
+ remediation: "Run the following command to disable talk: # systemctl disable ntalk" compliance: - - cis: "2.3.1" - - cis_csc: "2" + - cis: "2.2.18" + - cis_csc: "9.1" - pci_dss: "2.2.3" - nist_800_53: "CM.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$' - - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec' + - 'c:systemctl is-enabled ntalk -> r:^enabled' -# 2.2.16 Remove NIS Server (Scored) - - id: 6527 - title: "Ensure NIS Server is disabled" - description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" - remediation: "Run the following command to disable ypserv: # systemctl disable ypserv" +# 2.2.19 Remove telnet-server (Scored) + - id: 6524 + title: "Ensure telnet server is not enabled" + description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." 
+ remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket" compliance: - - cis: "2.2.16" + - cis: "2.2.19" - cis_csc: "9.1" - pci_dss: "2.2.3" - nist_800_53: "CM.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$' - - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec' + - 'c:systemctl is-enabled telnet.socket -> r:^enabled' -# 2.2.20 Remove tftp-server (Scored) - - id: 6528 - title: "Ensure tftp server is disabled" +# 2.2.20 Remove tftp server (Scored) + - id: 6525 + title: "Ensure tftp server is not enabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket" 
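Review bot: The re-added talk-server check (2.2.18) and tftp check (2.2.20) in this hunk (`@@ -409,48 +363,43`) both carry `id: 6525`, which is already the id of the rsh-server check at the top of the hunk; the rsync check added in `@@ -461` reuses 6525 a fourth time, and the new LDAP-server check in `@@ -597` reuses 6539 from the DHCP-server check. As far as I can tell SCA identifies a check result by its id, so duplicates are expected to collide in reporting and one of each pair goes effectively unreported — whether the policy loader rejects them outright should be confirmed. The deleted blocks freed 6528 and 6529 (6527 is reused for the NIS server), so `id: 6528` for talk, `id: 6529` for tftp, and fresh unused ids for rsync and LDAP would restore uniqueness.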
@@ -461,115 +410,130 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec' + - 'c:systemctl is-enabled tftp.socket -> r:^enabled' -# 2.1.18 Remove talk-server (Scored) - - id: 6529 - title: "Ensure talk server is disabled" - description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." - rationale: "The software presents a security risk as it uses unencrypted protocols for communication." - remediation: "Run the following command to disable talk: # systemctl disable ntalk" +# 2.2.21 Remove rsync service (Scored) + - id: 6525 + title: "Ensure rsync service is not enabled" + description: "The rsyncd service can be used to synchronize files between systems over network links." + rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." + remediation: "Run the following command to disable rsync: # systemctl disable rsyncd" compliance: - - cis: "2.2.18" + - cis: "2.2.21" - cis_csc: "9.1" - pci_dss: "2.2.3" - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec' + - 'c:systemctl is-enabled rsyncd -> r:^enabled' + +# 2.3.1 Remove NIS Client (Scored) + - id: 6526 + title: "Ensure NIS Client is not installed" + description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files." 
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." + remediation: "Run the following command to uninstall ypbind: # yum remove ypbind" + compliance: + - cis: "2.3.1" + - cis_csc: "2" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" + condition: all + rules: + - 'c:rpm -q ypbind -> r:^package ypbind is not installed$' # 2.1.7 Remove xinetd (Scored) - id: 6530 - title: "Ensure xinetd is disabled" + title: "Ensure xinetd is not enabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd: # systemctl disable xinetd" compliance: - cis: "2.1.7" - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" condition: none rules: - - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec' + - 'c:systemctl is-enabled xinetd -> r:^enabled' -# 2.1.1 Disable chargen-dgram (Scored) +# 2.1.1 Disable chargen services (Scored) - id: 6531 - title: "Ensure chargen services are is disabled" - description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." 
- remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off" - compliance: - - cis: "2.1.1" - - cis_csc: "9.1" - condition: none - rules: - - 'f:/etc/xinetd.d/chargen-dgram -> !r:^# && r:disable && r:no' - -# 2.1.1 Disable chargen-stream (Scored) - - id: 6532 - title: "Ensure chargen services are is disabled" + title: "Ensure chargen services are not enabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off" compliance: - cis: "2.1.1" - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/chargen-stream -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:^\s*\t*chargen-dgram:\s*\t*on' + - 'c:chkconfig --list -> r:^\s*\t*chargen-stream:\s*\t*on' -# 2.1.2 Disable daytime-dgram (Scored) +# 2.1.2 Disable daytime services (Scored) - id: 6533 - title: "Ensure daytime services are is disabled" + title: "Ensure daytime services are not enabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
- remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off" + remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off" compliance: - cis: "2.1.2" - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/daytime-dgram -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:^\s*\t*daytime-dgram:\s*\t*on' + - 'c:chkconfig --list -> r:^\s*\t*daytime-stream:\s*\t*on' -# 2.1.2 Disable daytime-stream (Scored) +# 2.1.3 Disable discard services (Scored) - id: 6534 - title: "Ensure daytime services are is disabled" - description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + title: "Ensure discard services are not enabled" + description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
- remediation: "Run the following commands to disable daytime -dgram and daytime -stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off" + remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off" compliance: - - cis: "2.1.2" + - cis: "2.1.3" - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/daytime-stream -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:^\s*\t*discard-dgram:\s*\t*on' + - 'c:chkconfig --list -> r:^\s*\t*discard-stream:\s*\t*on' # 2.1.4 Disable echo-dgram (Scored) - id: 6535 - title: "Ensure echo services are is disabled" + title: "Ensure echo services are not enabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off" + remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off" compliance: - cis: "2.1.4" - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/echo-dgram -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:^\s*\t*echo-dgram:\s*\t*on' + - 'c:chkconfig --list -> r:^\s*\t*echo-stream:\s*\t*on' -# 2.1.4 Disable echo-stream (Scored) +# 2.1.5 Disable time-stream (Scored) - id: 6536 - title: "Ensure echo services are is disabled" - description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." 
+ title: "Ensure time services are not enabled" + description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Run the following commands to disable echo -dgram and echo -stream: # chkconfig echo-dgram off; # chkconfig echo-stream off" + remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off" compliance: - cis: "2.1.4" - cis_csc: "9.1" + - pci_dss: "2.2.3" + - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/echo-stream -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:^\s*\t*time-dgram:\s*\t*on' + - 'c:chkconfig --list -> r:^\s*\t*time-stream:\s*\t*on' # 2.2.2 Remove X Windows (Scored) - id: 6537 @@ -583,11 +547,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'p:gdm-x-session' + - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+' # 2.2.3 Disable Avahi Server (Scored) - id: 6538 - title: "Ensure Avahi Server is disabled" + title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon" 
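Review bot: The block retitled to "2.1.5 Disable time-stream" (id 6536, hunk `@@ -461,115 +410,130`) still carries `- cis: "2.1.4"` as a context line in its compliance list, so the time-services check is mapped to the echo-services control; it should read `- cis: "2.1.5"`. Two smaller issues in the same hunk: the new discard description reads `discardis a network service`, missing a space, and the 2.1.2 daytime check is the only one of the five inetd checks that did not receive the `pci_dss: "2.2.3"` and `nist_800_53: "CM.1"` entries the others gained, which looks like an oversight rather than intent.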
@@ -597,43 +561,61 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'p:avahi-daemon' + - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' # 2.2.5 Remove DHCP Server (Scored) - id: 6539 - title: "Ensure DHCP Server is disabled" + title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd" compliance: - cis: "2.2.5" - cis_csc: "9.1" + - pci_dss: "2.2.2" + references: + - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp + condition: none + rules: + - 'c:systemctl is-enabled dhcpd -> r:^enabled' + +# 2.2.6 Remove LDAP Server (Scored) + - id: 6539 + title: "Ensure LDAP Server is not enabled" + description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." + rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." 
+ remediation: "Run the following command to disable slapd: # systemctl disable dhcpd" + compliance: + - cis: "2.2.6" + - cis_csc: "9.1" + - pci_dss: "2.2.2" references: - - More detailed documentation on DHCP is available at https://www.isc.org + - More detailed documentation on OpenLDAP is available at https://www.openldap.org condition: none rules: - - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec' + - 'c:systemctl is-enabled sladp -> r:^enabled' # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored) - id: 6540 - title: "Ensure time synchronization is in use" - description: "System time should be synchronized between all systems in an environment. This typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them." - rationale: "Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." - remediation: "On physical systems or virtual systems where host based time synchronization is not available run one of the following commands to install either ntp or chrony: # yum install ntp; # yum install chrony; On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization." + title: "Ensure ntp is configured" + description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server." + rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." 
+ remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'" compliance: - - cis: "2.2.1.1" + - cis: "2.2.1.2" - cis_csc: "6.1" - pci_dss: "2.2.2" condition: all rules: - - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' + - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' - 'f:/etc/ntp.conf -> r:^server\.+$' - - 'f:/etc/sysconfig/ntpd -> r:OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"' + - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp' + - 'f:/usr/lib/systemd/system/ntpd.service -> r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp' -# 2.2.7 Disable NFS and RPC (Not Scored) +# 2.2.7 Disable NFS and RPC (Scored) - id: 6541 - title: "Ensure NFS and RPC are is disabled" + title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind" 
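Review bot: The new LDAP-server check (2.2.6, hunk `@@ -597,43 +561,61`) audits `c:systemctl is-enabled sladp -> r:^enabled` — `sladp` is a typo for `slapd`, and because the condition is `none`, a unit that does not exist never reports `enabled`, so the check passes on every host whether or not OpenLDAP is enabled; this is a silent false negative rather than a visible failure. The same check's remediation says `systemctl disable dhcpd` where `slapd` is meant. Separately, the new ntp rule `r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp` spells the unit key `Execstart` while systemd units use `ExecStart`; if the regex engine is case-sensitive this rule never matches and, under `condition: all`, check 6540 always fails — confirm against a host. Proposed: `- 'c:systemctl is-enabled slapd -> r:^enabled'` and `r:^ExecStart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp`.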
@@ -643,12 +625,13 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$' - - 'd:$rc_dirs -> ^S\d\dnfslock$' + - 'c:systemctl is-enabled nfs -> r:^enabled' + - 'c:systemctl is-enabled nfs-server -> r:^enabled' + - 'c:systemctl is-enabled rpcbind -> r:^enabled' -# 2.2.9 Remove FTP Server (Not Scored) +# 2.2.9 Remove FTP Server (Scored) - id: 6542 - title: "Ensure FTP Server is disabled" + title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" @@ -658,11 +641,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + - 'c:systemctl is-enabled vsftpd -> r:^enabled' -# 2.2.10 Remove HTTP Server (Not Scored) +# 2.2.10 Remove HTTP Server (Scored) - id: 6543 - title: "Ensure HTTP server is disabled" + title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable httpd: # systemctl disable httpd" 
@@ -671,24 +654,11 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dhttpd$' + - 'c:systemctl is-enabled httpd -> r:^enabled' -# 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored) +# 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored) - id: 6544 - title: "Ensure IMAP and POP3 server is disabled" - description: "dovecot is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." - remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" - compliance: - - cis: "2.2.11" - - cis_csc: "9.1" - - pci_dss: "2.2.2" - condition: none - rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' - - - id: 6545 - title: "Ensure IMAP and POP3 server is disabled" + title: "Ensure IMAP and POP3 server is not enabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" 
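Review bot: Folding 6545 into 6544 drops the cyrus-imapd rule entirely, and the replacement rule in the next hunk looks only at dovecot, so a host running cyrus-imapd now passes "Ensure IMAP and POP3 server is not enabled". If the old coverage is wanted, add `- 'c:systemctl is-enabled cyrus-imapd -> r:^enabled'` next to the dovecot rule; otherwise narrow the title and description to dovecot so the check does not claim more than it tests. Retiring id 6545 also leaves a hole in the sequence; a one-line comment such as `# id 6545 retired: merged into 6544` would keep the number from being reused for an unrelated check if results are keyed by id elsewhere.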
@@ -698,11 +668,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + - 'c:systemctl is-enabled dovecot -> r:^enabled' -# 2.2.12 Remove Samba (Not Scored) +# 2.2.12 Remove Samba (Scored) - id: 6546 - title: "Ensure Samba is disabled" + title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb: # systemctl disable smb" @@ -712,12 +682,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$' - - 'd:$rc_dirs -> ^S\d\dsmb$' + - 'c:systemctl is-enabled smb -> r:^enabled' -# 2.2.13 Remove HTTP Proxy Server (Not Scored) +# 2.2.13 Remove HTTP Proxy Server (Scored) - id: 6547 - title: "Ensure HTTP Proxy Server is disabled" + title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid: # systemctl disable squid" 
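Review bot: Check 6546 narrows from the old `samba` and `smb` rc entries to a single `systemctl is-enabled smb` rule, so the NetBIOS side of Samba (`nmb`) and any platform that names the unit `samba` rather than `smb` are no longer examined, although the title still reads "Ensure Samba is not enabled". Keeping `condition: none`, add `- 'c:systemctl is-enabled nmb -> r:^enabled'` and `- 'c:systemctl is-enabled samba -> r:^enabled'`; a missing unit yields no match and does not fail the check. The remediation string should then also mention `systemctl disable nmb`.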
@@ -727,11 +696,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$' + - 'c:systemctl is-enabled squid -> r:^enabled' # 2.2.14 Remove SNMP Server (Not Scored) - id: 6548 - title: "Ensure SNMP Server is disabled" + title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd" @@ -741,7 +710,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - 'c:systemctl is-enabled snmpd -> r:^enabled' ############################################### # 3 Network Configuration and Firewalls @@ -751,7 +720,7 @@ checks: ############################################### # 3.1.1 Disable IP Forwarding (Scored) - id: 6549 - title: "Ensure IPv4 forwarding is disabled" + title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters." From 4b2c11a5664aff12486adf2cb320180096b34043 Mon Sep 17 00:00:00 2001 
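Review bot: The context line `# 2.2.14 Remove SNMP Server (Not Scored)` is now the only header in this block still marked "Not Scored" after 2.2.7 through 2.2.13 were switched to "(Scored)" in the preceding hunks, so either the SNMP item really is unscored in the benchmark edition this policy tracks or the header was missed. If it was missed, change it to `# 2.2.14 Remove SNMP Server (Scored)`; if it was deliberate, a short comment naming the benchmark version the scoring labels follow would stop the next editor from "correcting" it.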
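Review bot: The title of 6549 is widened to "Ensure IP forwarding is disabled" while the description, rationale and remediation on the following lines still refer only to `net.ipv4.ip_forward`, so the check name now promises more than the text (and presumably the rules, which fall outside this hunk) delivers. Either keep the IPv4 qualifier in the title, or extend the remediation to `net.ipv4.ip_forward = 0 and net.ipv6.conf.all.forwarding = 0` and add a matching rule for the IPv6 sysctl, which is what the broader 3.1.1 wording is meant to cover on dual-stack hosts.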
From: Skeptor Date: Fri, 7 Jun 2019 10:57:19 +0200 Subject: [PATCH 061/247] Adapt cis_debian_linux to use commands --- sca/debian/cis_debian_linux_rcl.yml | 1060 +++++++++++++-------------- 1 file changed, 501 insertions(+), 559 deletions(-) diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index fb71cd2e3..f723634be 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml 
@@ -30,580 +30,522 @@ requirements: checks: # Section 1.1 - Filesystem Configuration - - id: 5000 - title: "Ensure /tmp is configured" - description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." - remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." - compliance: - - cis_csc: "5.1" - - cis: "1.1.2" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' - - - id: 5001 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ." - remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting." 
- compliance: - - cis_csc: "5.1" - - cis: "1.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' - - - id: 5002 - title: "Ensure separate partition exists for /opt" - description: "The /opt directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /opt directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /opt. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.6" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/opt' - - 'f:/etc/fstab -> !r:^# && r:/opt' - - - id: 5003 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
- compliance: - - cis_csc: "5.1" - - cis: "1.1.6" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' - - - id: 5004 - title: "Ensure separate partition exists for /var/tmp" - description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.7" - condition: all - rules: - - 'f:/etc/fstab -> r:/var/tmp' - - - id: 5005 - title: "Ensure nodev option set on /var/tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. 
Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" - compliance: - - cis_csc: "5.1" - - cis: "1.1.8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/var/tmp && r:nodev' - - - id: 5006 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" - compliance: - - cis_csc: "5.1" - - cis: "1.1.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/home && r:nodev' - - - id: 5007 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.14" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' - - - id: 5008 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.15" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' - - - id: 5009 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.16" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' - - - id: 5010 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." 
- compliance: - - cis_csc: "5.1" - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' - - - id: 5011 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis_csc: "5.1" - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' - -# Section 1.4 - Secure boot settings - - id: 5012 - title: "Ensure bootloader password is set (GRUB)" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2, add user and password to the grub configuration file and update the grub2 configuration." 
- compliance: - - cis_csc: "5.1" - - cis: "1.4.2" - - pci_dss: "2.2.4" - references: - - https://help.ubuntu.com/community/Grub2/Passwords - condition: all - rules: - - 'f:/boot/grub/menu.lst -> !r:^# && r:password' - - - id: 5013 - title: "Ensure bootloader password is set (LILO)" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2, add user and password to the grub configuration file and update the grub2 configuration." - compliance: - - cis_csc: "5.1" - - cis: "1.4.2" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/lilo.conf -> !r:^# && r:restricted' - - 'f:/etc/lilo.conf -> !r:^# && r:password=' + - id: 5000 + title: "Ensure /tmp is configured" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." 
+ remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." + compliance: + - cis_csc: "5.1" + - cis: "1.1.2" + references: + - https://tldp.org/HOWTO/LVM-HOWTO/ + - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ + condition: all + rules: + - 'c:mount -> r:\s/tmp\s' + + - id: 5001 + title: "Ensure nodev option set on /tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ." + remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting." + compliance: + - cis_csc: "5.1" + - cis: "1.1.3" + - pci_dss: "2.2.4" + condition: all + rules: + - 'c:mount -> r:\s/tmp\s && r:nodev' + + + - id: 5002 + title: "Ensure separate partition exists for /opt" + description: "The /opt directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /opt directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /opt. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis_csc: "5.1" + - cis: "1.1.6" + references: + - https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/opt\s' + + - id: 5003 + title: "Ensure separate partition exists for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. 
Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis_csc: "5.1" + - cis: "1.1.6" + references: + - https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/var\s' + + - id: 5004 + title: "Ensure separate partition exists for /var/tmp" + description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
+ compliance: + - cis_csc: "5.1" + - cis: "1.1.7" + condition: all + rules: + - 'c:mount -> r:\s/var/tmp\s' + + - id: 5005 + title: "Ensure nodev option set on /var/tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" + compliance: + - cis_csc: "5.1" + - cis: "1.1.8" + - pci_dss: "2.2.4" + condition: any + rules: + - 'not c:mount -> r:\s/var/tmp\s' + - 'c:mount -> r:\s/var/tmp\s && r:nodev' + + - id: 5006 + title: "Ensure nodev option set on /home partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" + compliance: + - cis_csc: "5.1" + - cis: "1.1.14" + - pci_dss: "2.2.4" + condition: any + rules: + - 'not c:mount -> r:\s/home\s' + - 'c:mount -> r:\s/home\s && r:nodev' + + - id: 5007 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." 
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm." + compliance: + - cis_csc: "5.1" + - cis: "1.1.14" + condition: any + rules: + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:nodev' + + - id: 5008 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm." + compliance: + - cis_csc: "5.1" + - cis: "1.1.15" + condition: any + rules: + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' + + - id: 5009 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm." 
+ compliance: + - cis_csc: "5.1" + - cis: "1.1.16" + condition: any + rules: + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:noexec' # Section 1.7 - Warning banners - - id: 5014 - title: "Ensure GDM login banner is configured" - description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." - remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'" - compliance: - - cis_csc: "5.1" - - cis: "1.7.2" - - pci_dss: "2.2.2" - condition: all - rules: - - 'f:/etc/inittab -> !r:^# && r:id:5' + - id: 5014 + title: "Ensure GDM login banner is configured" + description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." + remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. 
All activity may be monitored and reported.'" + compliance: + - cis_csc: "5.1" + - cis: "1.7.2" + - pci_dss: "2.2.2" + condition: all + rules: + - 'f:/etc/dconf/profile/gdm -> r:user-db:user' + - 'f:/etc/dconf/profile/gdm -> r:system-db:gdm' + - 'f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults' + - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:[org/gnome/login-screen]' + - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-enable=true' + - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-text=\p\.+\p$' # Section 2 - Filesystem Configuration - Debian 7 - - id: 5015 - title: "Add nodev Option to /run/shm Partition" - description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" - compliance: - - cis_csc: "5.1" - - cis: "2.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:ext2|ext3 && r:/run/shm && r:nodev' - - - id: 5016 - title: "Add nosuid Option to /run/shm Partition" - description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). 
Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm." - compliance: - - cis_csc: "5.1" - - cis: "2.15" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:nosuid' - - - id: 5017 - title: "Add noexec Option to /run/shm Partition" - description: "Set noexec on the shared memory partition to prevent programs from executing from there." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm." - compliance: - - cis_csc: "5.1" - - cis: "2.16" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/run/shm && r:noexec' + - id: 5015 + title: "Add nodev Option to /run/shm Partition" + description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. 
# mount -o remount,nodev /run/shm" + compliance: + - cis_csc: "5.1" + - cis: "2.14" + - pci_dss: "2.2.4" + condition: any + rules: + - 'not c:mount -> r:\s/run/shm\s' + - 'c:mount -> r:\s/media\s && r:nodev' + + - id: 5016 + title: "Add nosuid Option to /run/shm Partition" + description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm." + compliance: + - cis_csc: "5.1" + - cis: "2.15" + condition: any + rules: + - 'not c:mount -> r:\s/run/shm\s' + - 'c:mount -> r:\s/run/shm\s && r:nosuid' + + - id: 5017 + title: "Add noexec Option to /run/shm Partition" + description: "Set noexec on the shared memory partition to prevent programs from executing from there." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm." 
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "2.16"
+ condition: any
+ rules:
+ - 'not c:mount -> r:\s/run/shm\s'
+ - 'c:mount -> r:\s/run/shm\s && r:noexec'
 # Section 2.1 - Inetd services
- - id: 5018
- title: "Ensure inetd is not installed"
- description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
- rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
- remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.1.2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'p:inetd'
- - 'f:/etc/inetd.conf -> !r:^# && r:wait'
+ - id: 5018
+ title: "Ensure inetd is not installed"
+ description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+ rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+ remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.1.2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'c:dpkg -s inetutils-inetd -> r:install ok installed'
+ - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
 # Section 2.2 - Special purpose services
- - id: 5019
- title: "Ensure FTP Server is not enabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. 
Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.9"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:/ftp'
-
- - id: 5020
- title: "Ensure FTP Server is not enabled"
- description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
- rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.9"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
-
- - id: 5021
- title: "Ensure IMAP and POP3 server is not enabled (IMAP)"
- description: "exim is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
- remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:imap'
-
- - id: 5022
- title: "Ensure IMAP and POP3 server is not enabled (POP3)"
- description: "exim is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
- remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:pop'
-
- - id: 5023
- title: "Ensure Samba is not enabled"
- description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
- rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable smbd: # systemctl disable smbd"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.12"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/samba'
-
- - id: 5024
- title: "Ensure NFS and RPC are not enabled"
- description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
- rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
- remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.7"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/nfs-common'
- - 'f:/etc/init.d/nfs-user-server'
- - 'f:/etc/init.d/nfs-kernel-server'
-
- - id: 5025
- title: "Ensure NIS Server is not enabled"
- description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
- rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
- remediation: "Run the following command to disable nis: # systemctl disable nis"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.17"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/nis'
-
- - id: 5026
- title: "Ensure HTTP server is not enabled"
- description: "HTTP or web servers provide the ability to host web site content."
- rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable apache2: # systemctl disable apache2"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.10"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/apache'
- - 'f:/etc/init.d/apache2'
-
- - id: 5027
- title: "Ensure DNS Server is not enabled"
- description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
- rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable named: # systemctl disable bind9"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.8"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/bind'
-
- - id: 5028
- title: "Ensure HTTP Proxy Server is not enabled"
- description: "Squid is a standard proxy server used in many distributions and environments."
- rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
- remediation: "Run the following command to disable squid: # systemctl disable squid"
- compliance:
- - cis_csc: "9.2"
- - cis: "2.2.13"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/init.d/squid'
+ - id: 5019
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.9"
+ - pci_dss: "2.2.3"
+ condition: any
+ rules:
+ - 'c:chkconfig --list vsftpd -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off'
+ - 'c:systemctl is-enabled vsftpd -> r:disabled'
+
+ - id: 5021
+ title: "Ensure IMAP and POP3 server is not enabled (IMAP)"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.11"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:imap'
+
+ - id: 5022
+ title: "Ensure IMAP and POP3 server is not enabled (POP3)"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.11"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/inetd.conf -> !r:^# && r:pop'
+
+ - id: 5023
+ title: "Ensure Samba is not enabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.12"
+ - pci_dss: "2.2.2"
+ condition: any
+ rules:
+ - 'c:chkconfig --list smb -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off'
+ - 'c:systemctl is-enabled smb -> r:disabled'
+
+ - id: 5024
+ title: "Ensure NFS and RPC are not enabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.7"
+ - pci_dss: "2.2.2"
+ condition: all
+ rules:
+ - 'c:systemctl is-enabled nfs -> r:disabled'
+ - 'c:systemctl is-enabled rpcbind -> r:disabled'
+
+ - id: 5025
+ title: "Ensure NIS Server is not enabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). 
It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable nis: # systemctl disable nis"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.17"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'f:/etc/init.d/nis'
+
+ - id: 5026
+ title: "Ensure HTTP server is not enabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.10"
+ - pci_dss: "2.2.2"
+ condition: any
+ rules:
+ - 'c:chkconfig --list httpd -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off'
+ - 'c:systemctl is-enabled httpd -> r:disabled'
+
+ - id: 5027
+ title: "Ensure DNS Server is not enabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable named: # systemctl disable bind9"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.8"
+ - pci_dss: "2.2.2"
+ condition: any
+ rules:
+ - 'c:chkconfig --list named -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off'
+ - 'c:systemctl is-enabled named -> r:disabled'
+
+ - id: 5028
+ title: "Ensure HTTP Proxy Server is not enabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid: # systemctl disable squid"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.13"
+ - pci_dss: "2.2.2"
+ condition: any
+ rules:
+ - 'c:chkconfig --list squid -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off'
+ - 'c:systemctl is-enabled squid -> r:disabled'
 # Section 2.3 - Service clients
- - id: 5029
- title: "Ensure rsh client is not installed"
- description: "The rsh package contains the client commands for the rsh services."
- rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
- remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
- compliance:
- - cis_csc: "2.6, 4.5"
- - cis: "2.3.2"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:shell|login'
-
- - id: 5030
- title: "Ensure telnet client is not installed"
- description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
- rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
- remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
- compliance:
- - cis_csc: "2.6, 4.5"
- - cis: "2.3.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
- condition: none
- rules:
- - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
+ - id: 5029
+ title: "Ensure rsh client is not installed"
+ description: "The rsh package contains the client commands for the rsh services."
+ rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+ remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+ compliance:
+ - cis_csc: "2.6, 4.5"
+ - cis: "2.3.2"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'c:dpkg -s rsh -> install ok installed'
+
+ - id: 5030
+ title: "Ensure telnet client is not installed"
+ description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+ remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+ compliance:
+ - cis_csc: "2.6, 4.5"
+ - cis: "2.3.4"
+ - pci_dss: "2.2.3"
+ condition: none
+ rules:
+ - 'c:dpkg -s telnet -> install ok installed'
 # Section 3.1 - Network Parameters (Host Only)
- - id: 5031
- title: "Ensure IPv4 forwarding is disabled"
- description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not."
- rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.1.1"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
-
- - id: 5032
- title: "Ensure IPv6 forwarding is disabled"
- description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not."
- rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.1.1"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
+ - id: 5031
+ title: "Ensure IPv4 forwarding is disabled"
+ description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.1.1"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+
+ - id: 5032
+ title: "Ensure IPv6 forwarding is disabled"
+ description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.1.1"
+ condition: all
+ rules:
+ - 'f:/proc/sys/net/ipv6/ip_forward -> 0'
 # Section 3.2 - Network Parameters (Host and Router)
- - id: 5033
- title: "Ensure source routed packets are not accepted"
- description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
- rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. 
Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.2.1"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
-
- - id: 5034
- title: "Ensure broadcast ICMP requests are ignored"
- description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
- rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1"
- compliance:
- - cis_csc: "5.1"
- - cis: "3.2.5"
- condition: all
- rules:
- - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
+ - id: 5033
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.2.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.accept_source_route -> 0'
+ - 'c:sysctl net.ipv4.conf.default.accept_source_route -> 0'
+
+ - id: 5034
+ title: "Ensure broadcast ICMP requests are ignored"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "3.2.5"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> 1'
 # Section 5.2 - SSH Server Configuration
- - id: 5035
- title: "Ensure SSH Protocol is set to 2"
- description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
- rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
- compliance:
- - cis_csc: "14.4"
- - cis: "5.2.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
- condition: all
- rules:
- - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
-
- - id: 5036
- title: "Ensure SSH IgnoreRhosts is enabled"
- description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
- rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
- compliance:
- - cis_csc: "9.2"
- - cis: "5.2.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
- condition: none
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+no'
-
- - id: 5037
- title: "Ensure SSH HostbasedAuthentication is disabled"
- description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
- rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
- compliance:
- - cis_csc: "16.3"
- - cis: "5.2.9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
- condition: none
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes'
-
- - id: 5038
- title: "Ensure SSH root login is disabled"
- description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
- rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
- compliance:
- - cis_csc: "4.3"
- - cis: "5.2.10"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
- condition: all
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no'
-
- - id: 5039
- title: "Ensure SSH PermitEmptyPasswords is disabled"
- description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
- rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
- compliance:
- - cis_csc: "16.3"
- - cis: "5.2.11"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
- condition: none
- rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+ - id: 5035
+ title: "Ensure SSH Protocol is set to 2"
+ description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis_csc: "14.4"
+ - cis: "5.2.4"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+
+ - id: 5036
+ title: "Ensure SSH IgnoreRhosts is enabled"
+ description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "5.2.8"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+no'
+
+ - id: 5037
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis_csc: "16.3"
+ - cis: "5.2.9"
+ - pci_dss: "4.1"
+ - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
+ - nist_800_53: "SC.8"
+ condition: none
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes'
+
+ - id: 5038
+ title: "Ensure SSH root login is disabled"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+ rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" + compliance: + - cis_csc: "4.3" + - cis: "5.2.10" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no' + + - id: 5039 + title: "Ensure SSH PermitEmptyPasswords is disabled" + description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" + compliance: + - cis_csc: "16.3" + - cis: "5.2.11" + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: none + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' # Section 6.2 - User and Group Settings - - id: 5040 - title: "Ensure password fields are not empty" - description: "An account with an empty password field means that anybody may log in as that user without providing a password." - rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." 
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
- compliance:
- - cis_csc: "4.4"
- - cis: "6.2.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 5041
- title: "Ensure root is the only UID 0 account"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis_csc: "5.1"
- - cis: "6.2.5"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
+ - id: 5040
+ title: "Ensure password fields are not empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+ rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
+ compliance:
+ - cis_csc: "4.4"
+ - cis: "6.2.1"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
+
+ - id: 5041
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "6.2.5"
+ - pci_dss: "10.2.5"
+ - hipaa: "164.312.b"
+ - nist_800_53: "IA.10, AC.7"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
From e0604ab529d32e6502f10730113fa50a34182c63 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Fri, 7 Jun 2019 15:46:28 +0200
Subject: [PATCH 062/247] Adapt Mac Sierra rules to check if program does not exist
---
 sca/darwin/17/cis_apple_macOS_10.13.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index 412d6e345..8ca621d0f 100644
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -401,6 +401,7 @@ checks:
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
 - cis: "6.3"
- condition: all
+ condition: any
 rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:does not exist'
+ - 'c:defaults read com.apple.Safari -> r:AutoOpenSafeDownloads && r:0$'
From 374baf009e5680c7f4b06f3b4e364c70cdf8403c Mon Sep 17 00:00:00 2001
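Review bot: The second new rule, `r:AutoOpenSafeDownloads && r:0$`, looks unable to match: `defaults read com.apple.Safari` dumps the domain as `key = value;` lines, so the line for this key ends in `0;`, not `0`. With `condition: any` the check then passes only through the first rule, i.e. only when the key is absent, while a host that explicitly set the key to 0 is reported non-compliant. A rule that follows the dump format, such as `- 'c:defaults read com.apple.Safari -> r:AutoOpenSafeDownloads\s*=\s*0;'`, would fix that. It is also worth a comment that an absent key means Safari's built-in default applies, which as far as I recall is to open "safe" files, so treating `does not exist` as a pass is optimistic.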
From: Cristina Maria Garrido Lopez
Date: Fri, 7 Jun 2019 15:52:10 +0200
Subject: [PATCH 063/247] Fix some SCA rules for Debian 7-8
---
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 328 ++++++++++-------------
 1 file changed, 143 insertions(+), 185 deletions(-)
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index 3de106ea5..b84275279 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -44,9 +44,9 @@ checks:
 - cis: "2.1"
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
- condition: all
+ condition: any
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp'
+ - 'c:mount -> r:\s/tmp\s'
 - id: 10501
 title: "Set nodev option for /tmp Partition"
@@ -55,9 +55,10 @@ checks:
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp"
 compliance:
 - cis: "2.2"
- condition: all
+ condition: any
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nodev'
+ - 'not c:mount -> r:\s/tmp\s'
+ - 'c:mount -> r:\s/tmp\s && r:nodev'
 - id: 10502
 title: "Set nosuid option for /tmp Partition"
@@ -66,9 +67,10 @@ checks:
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp"
 compliance:
 - cis: "2.3"
- condition: all
+ condition: any
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*nosuid'
+ - 'not c:mount -> r:\s/tmp\s'
+ - 'c:mount -> r:\s/tmp\s && r:nosuid'
 - id: 10503
 title: "Set noexec option for /tmp Partition"
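Review bot: In the -55 and -66 hunks (and the -77 hunk on the next line), the first rule `not c:mount -> r:\s/tmp\s` under `condition: any` makes checks 10501–10503 pass on any host that has no separate /tmp mount, which is exactly the host that check 10500 in the -44 hunk now reports as failing. That matches the benchmark's reading that the option checks do not apply without a partition, but nothing in the file says so, and three green results next to one red one will look inconsistent to whoever reads the report. A comment above each pair, e.g. `# passes when /tmp is not a separate mount: the option check does not apply then (see 10500)`, would make the intent explicit.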
@@ -77,12 +79,13 @@ checks:
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp"
 compliance:
 - cis: "2.4"
- condition: all
+ condition: any
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+\w+\s+\.*noexec'
+ - 'not c:mount -> r:\s/tmp\s'
+ - 'c:mount -> r:\s/tmp\s && r:noexec'
 - id: 10504
- title: " Create Separate Partition for /var"
+ title: "Create Separate Partition for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
@@ -92,7 +95,7 @@ checks:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var'
+ - 'c:mount -> r:\s/var\s'
 - id: 10505
 title: "Bind Mount the /var/tmp directory to /tmp"
@@ -103,7 +106,7 @@ checks:
 - cis: "2.6"
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/tmp\s+/var/tmp\s+none\s+\.*bind\.*0\s+0'
+ - 'c:findmnt -> r:/var/tmp && r:[/tmp]'
 - id: 10506
 title: "Create Separate Partition for /var/log"
@@ -116,7 +119,7 @@ checks:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log'
+ - 'c:mount -> r:\s/var/log\s'
 - id: 10507
 title: "Create Separate Partition for /var/log/audit"
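Review bot: In the -103 hunk, `r:/var/tmp && r:[/tmp]` depends on `[` and `]` being literal characters in the SCA regex dialect: findmnt prints a bind mount's source as `<device>[/tmp]`, so the rule only matches if the brackets are not read as a character class. As far as I recall the OSSEC-derived regex has no bracket classes, so this should work, but it is fragile enough to deserve a comment such as `# findmnt shows a bind mount as "<device>[/tmp]" in its SOURCE column; brackets are literal in this regex dialect`. If the brackets were ever interpreted, the rule would silently never match and check 10505 would always fail under `condition: all`.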
@@ -129,7 +132,7 @@ checks:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/var/log/audit'
+ - 'c:mount -> r:\s/var/log/audit\s'
 - id: 10508
 title: "Create Separate Partition for /home"
@@ -142,7 +145,7 @@ checks:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home'
+ - 'c:mount -> r:\s/home\s'
 - id: 10509
 title: "Add nodev Option to /home"
@@ -153,40 +156,8 @@ checks:
 - cis: "2.10"
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/home\s+\w+\s+\.*nodev'
-
- - id: 10510
- title: "Add nodev Option to Removable Media Partitions"
- description: "Set nodev on removable media to prevent character and block special devices that are present on the removable media from being treated as device files."
- rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
- remediation: "Edit the /etc/fstab file and add \"nodev\" to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "2.11"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*nodev'
-
- - id: 10511
- title: "Add noexec Option to Removable Media Partitions"
- description: "Set noexec on removable media to prevent programs from executing from the removable media."
- rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "2.12"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/media\.*\s+\w+\s+\.*noexec'
-
- - id: 10512
- title: "Add nosuid Option to Removable Media Partitions"
- description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "2.13"
- condition: all
- rules:
- - 'f:/etc/fstab -> r:/media\.*\s+\w+\s+\.*nosuid'
+ - 'not c:mount -> r:\s/home\s'
+ - 'c:mount -> r:\s/home\s && r:nodev'
 - id: 10513
 title: "Add nodev Option to /run/shm Partition"
@@ -197,7 +168,8 @@ checks:
 - cis: "2.14"
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nodev'
+ - 'not c:mount -> r:\s/run/shm\s'
+ - 'c:mount -> r:\s/run/shm\s && r:nodev'
 - id: 10514
 title: "Add nosuid Option to /run/shm Partition"
@@ -208,8 +180,8 @@ checks:
 - cis: "2.15"
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*nosuid'
-
+ - 'not c:mount -> r:\s/run/shm\s'
+ - 'c:mount -> r:\s/run/shm\s && r:nosuid'
 - id: 10515
 title: "Add noexec Option to /run/shm Partition"
 description: "Set noexec on the shared memory partition to prevent programs from executing from there."
@@ -219,7 +191,8 @@ checks:
 - cis: "2.16"
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^\s*\t*# && r:/run/shm\s+\w+\s+\.*noexec'
+ - 'not c:mount -> r:\s/run/shm\s'
+ - 'c:mount -> r:\s/run/shm\s && r:noexec'
 - id: 10516
 title: "Disable Automounting"
@@ -230,7 +203,7 @@ checks:
 - cis: "2.25"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:autofsc'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+autofsc'
 # 3 Secure Boot Settings
 - id: 10517
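Review bot: In the -153 hunk the two new rules for check 10509 sit under an unchanged `condition: all`, so the check requires both `not c:mount -> r:\s/home\s` and `c:mount -> r:\s/home\s && r:nodev` to hold at once, which is impossible; the check can never pass. The same pair is used with `condition: any` for /tmp earlier in this patch, and that is what the -197, -208 and -219 hunks for /run/shm need as well, since they also keep `condition: all`. Change the four checks to `condition: any`. Separately, the -230 hunk carries `r:S\.+autofsc` into the new rule; the Debian init script is `autofs`, so the trailing `c` looks like a typo that makes the rule never match and the `condition: none` check always pass — hedged, as the link names are not visible from here.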
@@ -266,8 +239,8 @@ checks:
 - cis: "4.1"
 condition: all
 rules:
- - 'f:/etc/security/limits.conf -> !r:^* hard core 0'
- - 'f:/etc/sysctl.conf -> !r:^fs.suid_dumpable = 0'
+ - 'c:ulimit -Hc -> 0'
+ - 'c:sysctl fs.suid_dumpable -> r:= 0$'
 - id: 10520
 title: "Enable Randomized Virtual Memory Region Placement"
@@ -290,10 +263,10 @@ checks:
 - cis: "5.1.1"
 condition: none
 rules:
- - 'f:/etc/init.d/nis'
+ - 'c:dpkg -s nis -> r:install ok installed'
 - id: 10522
- title: "Ensure rsh server is disabled"
+ title: "Ensure rsh server is not enabled"
 description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text."
 rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd"
@@ -304,7 +277,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:shell|login|exec'
 - id: 10523
- title: "Ensure talk server is disabled"
+ title: "Ensure talk server is not enabled"
 description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd"
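Review bot: `c:ulimit -Hc -> 0` in the -266 hunk reports the hard core limit of the agent's own process, not the limit that `/etc/security/limits.conf` applies to login sessions, so a host that correctly set `* hard core 0` can still fail here, and an agent started under a restricted limit passes regardless of the file. `ulimit` is also a shell builtin, so the rule only works if the agent runs commands through a shell. I would keep a file rule next to it, e.g. `- 'f:/etc/security/limits.conf -> r:hard\s+core\s+0'`, and call `/sbin/sysctl` for `fs.suid_dumpable` as the later sysctl hunks in this patch do, for consistency.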
@@ -315,7 +288,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:talk|ntalk'
 - id: 10524
- title: "Ensure telnet server is disabled"
+ title: "Ensure telnet server is not enabled"
 description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
@@ -326,7 +299,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
 - id: 10525
- title: "Ensure tftp-server is disabled"
+ title: "Ensure tftp-server is not enabled"
 description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server."
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal"
@@ -337,7 +310,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
 - id: 10526
- title: "Ensure xinetd is disabled"
+ title: "Ensure xinetd is not enabled"
 description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well."
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Disable xinetd: # update-rc.d xinetd disable"
@@ -345,10 +318,10 @@ checks:
 - cis: "5.1.8"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:xinetd'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+xinetd'
 - id: 10527
- title: "Ensure chargen is disabled"
+ title: "Ensure chargen is not enabled"
 description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal"
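Review bot: `c:ls -1 /etc/rc*.d -> r:S\.+xinetd` in the -345 hunk only sees SysV start links; on a Debian 8 host where the service is enabled through a native systemd unit there is no such link, so under `condition: none` the check reports the service as not enabled. Consider adding `- 'c:systemctl is-enabled xinetd -> r:^enabled'` to the same rules list (on Debian 7 the command is simply absent and contributes nothing). The same gap applies to every rc*.d rule rewritten later in this patch, for avahi-daemon, cups, the DHCP server, rpcbind, nfs-kernel-server, bind9, vsftpd, apache2, dovecot, samba, squid3 and snmpd.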
@@ -359,7 +332,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:chargen'
 - id: 10528
- title: "Ensure daytime is disabled"
+ title: "Ensure daytime is not enabled"
 description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal"
@@ -370,7 +343,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:daytime'
 - id: 10529
- title: "Ensure echo is disabled"
+ title: "Ensure echo is not enabled"
 description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal"
@@ -381,7 +354,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:echo'
 - id: 10530
- title: "Ensure discard is disabled"
+ title: "Ensure discard is not enabled"
 description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal"
@@ -392,7 +365,7 @@ checks:
 - 'f:/etc/inetd.conf -> !r:^# && r:discard'
 - id: 10531
- title: "Ensure time is disabled"
+ title: "Ensure time is not enabled"
 description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal"
@@ -404,7 +377,7 @@ checks:
 # 6 Special Purpose Services
 - id: 10532
- title: "Ensure Avahi Server is disabled"
+ title: "Ensure Avahi Server is not enabled"
 description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
 rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface."
 remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable"
@@ -412,10 +385,10 @@ checks:
 - cis: "6.2"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:avahi-daemon'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+avahi-daemon'
 - id: 10533
- title: "Ensure print server is disabled"
+ title: "Ensure print server is not enabled"
 description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Disable cups: # update-rc.d cups disable"
@@ -423,11 +396,10 @@ checks:
 - cis: "6.3"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:cups'
- - 'd:$rc_dirs -> S -> r:cups-browsed'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+cups\S*'
 - id: 10534
- title: "Ensure DHCP Server is disabled"
+ title: "Ensure DHCP Server is not enabled"
 description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
 rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
 remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable"
@@ -435,7 +407,7 @@ checks:
 - cis: "6.4"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:disc-dhcp-server'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+disc-dhcp-server'
 - id: 10535
 title: "Configure Network Time Protocol (NTP)"
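Review bot: The -435 hunk carries `r:S\.+disc-dhcp-server` into the rewritten rule while the remediation two lines above names the package `isc-dhcp-server`; no start link is ever called `S..disc-dhcp-server`, so the rule never matches and the `condition: none` check always passes. The stray `d` predates this patch, but the line is rewritten here, so fix it as `- 'c:ls -1 /etc/rc*.d -> r:S\.+isc-dhcp-server'`. In the -423 hunk, `r:S\.+cups\S*` now covers both `cups` and `cups-browsed`; a short comment saying so, `# \S* also matches the cups-browsed link`, would keep the next reader from re-adding the second rule.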
@@ -448,12 +420,14 @@ checks:
 - http://www.ntp.org/
 condition: all
 rules:
+ - 'c:dpkg -s ntp -> r:install ok installed'
 - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery'
 - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery'
 - 'f:/etc/ntp.conf -> r:^server\s\.+'
+ - 'f:/etc/ntp.conf -> r:RUNASUSER=ntp'
 - id: 10536
- title: "Ensure LDAP is disabled"
+ title: "Ensure LDAP is not enabled"
 description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
 rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Uninstall the slapd package: # apt-get purge slapd"
@@ -463,10 +437,10 @@ checks:
 - http://www.openldap.org
 condition: none
 rules:
- - 'd:/etc/init.d -> r:ldap'
+ - 'c:dpkg -s slapd -> install ok installed'
 - id: 10537
- title: "Ensure NFS and RPC are disabled"
+ title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
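Review bot: The new rule `c:dpkg -s slapd -> install ok installed` in the -463 hunk has no `r:` prefix, unlike `r:install ok installed` used for nis earlier in this patch; as far as I recall a bare pattern is compared against the whole output line, and `dpkg -s` prints `Status: install ok installed`, so this rule never matches and the `condition: none` check always passes. Write it as `- 'c:dpkg -s slapd -> r:install ok installed'`; the rsync rule added in the -566 hunk further down has the same problem. In the -448 hunk, `f:/etc/ntp.conf -> r:RUNASUSER=ntp` looks at the wrong file: on Debian that setting lives in `/etc/init.d/ntp`, which is also where the CIS audit greps for it, so under `condition: all` the NTP check would fail on every host.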
@@ -474,11 +448,11 @@ checks:
 - cis: "6.7"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:rpcbind'
- - 'd:$rc_dirs -> S -> r:nfs-kernel-server'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+rpcbind'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+nfs-kernel-server'
 - id: 10538
- title: "Ensure DNS Server is disabled"
+ title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Disable bind9: # update-rc.d bind9 disable"
@@ -486,10 +460,10 @@ checks:
 - cis: "6.8"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:bind9'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+bind9'
 - id: 10539
- title: "Ensure FTP Server is disabled"
+ title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Disable vsftpd: # update-rc.d vsftpd disable"
@@ -497,10 +471,10 @@ checks:
 - cis: "6.9"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:vsftpd'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+vsftpd'
 - id: 10540
- title: "Ensure HTTP Server is disabled"
+ title: "Ensure HTTP Server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Disable apache2: # update-rc.d apache2 disable"
@@ -508,10 +482,10 @@ checks:
 - cis: "6.10"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:apache2'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+apache2'
 - id: 10541
- title: "Ensure IMAP and POP server is disabled"
+ title: "Ensure IMAP and POP server is not enabled"
 description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
 remediation: "Disable dovecot: # update-rc.d dovecot disable"
@@ -519,10 +493,10 @@ checks:
 - cis: "6.11"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:dovecot'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+dovecot'
 - id: 10542
- title: "Ensure Samba is disabled"
+ title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "Disable samba: # update-rc.d samba disable"
@@ -530,10 +504,10 @@ checks:
 - cis: "6.12"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:samba'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+samba'
 - id: 10543
- title: "Ensure HTTP Proxy Server is disabled"
+ title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "Disable squid3: # update-rc.d squid3 disable"
@@ -541,10 +515,10 @@ checks:
 - cis: "6.13"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:squid3'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+squid3'
 - id: 10544
- title: "Ensure SNMP Server is disabled"
+ title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
 remediation: "Disable snmpd: # update-rc.d snmpd disable"
@@ -552,7 +526,7 @@ checks:
 - cis: "6.14"
 condition: none
 rules:
- - 'd:$rc_dirs -> S -> r:snmpd'
+ - 'c:ls -1 /etc/rc*.d -> r:S\.+snmpd'
 - id: 10545
 title: "Configure Mail Transfer Agent for Local-Only Mode"
@@ -566,14 +540,15 @@ checks:
 - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$'
 - id: 10546
- title: "Ensure rsync service is disabled"
+ title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false"
 compliance:
 - cis: "6.16"
- condition: all
+ condition: none
 rules:
+ - 'c:dpkg -s rsync -> install ok installed'
 - 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=false'
 # 7 Network Configuration and Firewall
@@ -586,7 +561,7 @@ checks:
 - cis: "7.1.1"
 condition: all
 rules:
- - 'f:/etc/sysctl.conf -> !r:^\s*\t*# && r:net.ipv4.ip_forward=0'
+ - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:net.ipv4.ip_forward=0'
 - id: 10548
 title: "Disable Send Packet Redirects"
@@ -597,10 +572,8 @@ checks:
 - cis: "7.1.2"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.conf.all.send_redirects -> 0'
- - 'c:sysctl net.ipv4.conf.default.send_redirects -> 0'
- - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.all.send_redirects\s*=\s*0'
- - 'f:/etc/sysctl.conf -> !r:^# && r:net.ipv4.conf.default.send_redirects\s*=\s*0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:= 0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:= 0$'
 - id: 10549
 title: "Disable Source Routed Packet Acceptance"
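Review bot: In the -566 hunk, switching check 10546 to `condition: none` inverts the kept rule `f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=false`: a match now marks the host non-compliant, so a host that followed the remediation fails and one with `RSYNC_ENABLE=true` passes. Under `none` the file rule has to describe the bad state, `- 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=true'`, and the new dpkg rule needs the `r:` prefix the nis rule uses. In the -586 hunk, `r:net.ipv4.ip_forward=0` will not match sysctl's `net.ipv4.ip_forward = 0` output (spaces around `=`), so check 10547 always fails; use `r:= 0$` as the -597 hunk does.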
@@ -611,10 +584,8 @@ checks:
 - cis: "7.2.1"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.conf.all.accept_source_route -> 0'
- - 'c:sysctl net.ipv4.conf.default.accept_source_route -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_source_route=0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:= 0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:= 0$'
 - id: 10550
 title: "Disable ICMP Redirect Acceptance"
@@ -625,10 +596,8 @@ checks:
 - cis: "7.2.2"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.conf.all.accept_redirects -> 0'
- - 'c:sysctl net.ipv4.conf.default.accept_redirects -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_redirects=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.accept_redirects=0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:= 0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:= 0$'
 - id: 10551
 title: "Disable Secure ICMP Redirect Acceptance"
@@ -639,10 +608,8 @@ checks:
 - cis: "7.2.3"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.conf.all.secure_redirects -> 0'
- - 'c:sysctl net.ipv4.conf.default.secure_redirects -> 0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.secure_redirects=0'
- - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.secure_redirects=0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:= 0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:= 0$'
 - id: 10552
 title: "Log Suspicious Packets"
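Review bot: From the -611 hunk on (and already in the -597 hunk on the previous line), each sysctl check keeps only the running kernel value, so a host whose setting was changed with `sysctl -w` passes although the value reverts at the next boot; the same holds for the -625 and -639 hunks here and for the sysctl hunks that follow through the IPv6 items. The CIS audit for these items reads both the live value and the persistent configuration, so it is worth keeping one configuration rule per check alongside the command rule, e.g. `- 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0'`, or at least a comment stating that runtime-only verification is intended. Settings may also live under `/etc/sysctl.d/`, which neither the old nor the new rules cover.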
@@ -653,10 +620,8 @@ checks: - cis: "7.2.4" condition: all rules: - - 'c:sysctl net.ipv4.conf.all.log_martians -> 1' - - 'c:sysctl net.ipv4.conf.default.log_martians -> 1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.log_martians=1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.log_martians=1' + - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:= 1$' - id: 10553 title: "Enable Ignore Broadcast Requests" @@ -667,8 +632,7 @@ checks: - cis: "7.2.5" condition: all rules: - - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> 1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_echo_ignore_broadcasts=1' + - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:= 1$' - id: 10554 title: "Enable Bad Error Message Protection" @@ -679,8 +643,7 @@ checks: - cis: "7.2.6" condition: all rules: - - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> 1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.icmp_ignore_bogus_error_responses=1' + - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:= 1$' - id: 10555 title: "Enable RFC-recommended Source Route Validation" @@ -691,10 +654,8 @@ checks: - cis: "7.2.7" condition: all rules: - - 'c:sysctl net.ipv4.conf.all.rp_filter -> 1' - - 'c:sysctl net.ipv4.conf.default.rp_filter -> 1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.all.rp_filter=1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.conf.default.rp_filter=1' + - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:= 1$' - id: 10556 title: "Enable TCP SYN Cookies" @@ -705,8 +666,7 @@ checks: - cis: "7.2.8" condition: all rules: - - 'c:sysctl net.ipv4.tcp_syncookies -> 1' - - 'f:/etc/sysctl.conf -> r:^net.ipv4.tcp_syncookies=1' + - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:= 1$' - id: 10557 title: "Disable IPv6 Router Advertisements" 
@@ -717,10 +677,8 @@ checks: - cis: "7.3.1" condition: all rules: - - 'c:sysctl net.ipv6.conf.all.accept_ra -> 0' - - 'c:sysctl net.ipv6.conf.default.accept_ra -> 0' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_ra=0' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_ra=0' + - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:= 0$' + - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:= 0$' - id: 10558 title: "Disable IPv6 Redirect Acceptance" @@ -731,10 +689,8 @@ checks: - cis: "7.3.2" condition: all rules: - - 'c:sysctl net.ipv6.conf.all.accept_redirects -> 0' - - 'c:sysctl net.ipv6.conf.default.accept_redirects -> 0' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.accept_redirects=0' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.accept_redirects=0' + - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:= 0$' - id: 10559 title: "Disable IPv6" @@ -743,7 +699,7 @@ checks: remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p" compliance: - cis: "7.3.3" - condition: all + condition: none rules: - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> 1' - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> 1' @@ -752,6 +708,8 @@ checks: - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6=1' - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6=1' + - 'c:ip addr -> r:inet6' + - id: 10560 title: "Create /etc/hosts.allow" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." 
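Review bot: Switching the 7.3.3 check to `condition: none` inverts it for the six rules kept from the old version: `c:sysctl net.ipv6.conf.all.disable_ipv6 -> 1`, `f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6=1` and their siblings match precisely when IPv6 is disabled, so a compliant host now fails while an untouched host passes. Only the rule added in the following hunk, `c:ip addr -> r:inet6`, describes the non-compliant state and fits `none`. Either keep `condition: all` with the existing rules and express the interface test as `- 'not c:ip addr -> r:inet6'`, or keep `none` and drop the six positive rules. The same inverted combination is still present after the later commit that rewrites these rules as `r:= 1$` in cis_debianlinux7-8_L1_rcl.yml.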
@@ -783,10 +741,9 @@ checks: remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.1" - condition: all + condition: none rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install dccp /bin/true' + - 'c:lsmod -> r:dccp' - id: 10563 title: "Disable SCTP" @@ -795,10 +752,9 @@ checks: remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.2" - condition: all + condition: none rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install sctp /bin/true' + - 'c:lsmod -> r:sctp' - id: 10564 title: "Disable RDS" @@ -807,10 +763,9 @@ checks: remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.3" - condition: all + condition: none rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install rds /bin/true' + - 'c:lsmod -> r:rds' - id: 10565 title: "Disable TIPC" @@ -819,10 +774,9 @@ checks: remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - cis: "7.5.4" - condition: all + condition: none rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install tipc /bin/true' + - 'c:lsmod -> r:tipc' - id: 10566 title: "Ensure Firewall is active" @@ -833,6 +787,8 @@ checks: - cis: "7.7" condition: all rules: + - 'c:dpkg -s iptables -> r:install ok installed' + - 'c:dpkg -s iptables-persistent -> r:install ok installed' - 'f:/etc/rc2.d/S01iptables-persistent' - 'f:/etc/rc3.d/S01iptables-persistent' - 'f:/etc/rc4.d/S01iptables-persistent' 
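Review bot: Replacing the modprobe.d rules with `c:lsmod -> r:dccp` under `condition: none` only tests whether the module happens to be loaded at scan time, not whether it is prevented from loading, which is what the 7.5.1 remediation (`install dccp /bin/true`) establishes; a module that is not blacklisted but simply not loaded yet passes. A rule such as `- 'c:modprobe -n -v dccp -> r:^install /bin/true'` together with `- 'not c:lsmod -> r:dccp'` under `condition: all` covers both the configuration and the running state. The same applies to the sctp, rds and tipc hunks below.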
@@ -864,21 +820,21 @@ checks: - rsyslog.conf(5) man page condition: all rules: - - 'f:$rsyslog_files -> r:^*.emerg\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.info\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.warning\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^mail.err\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^news.crit\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^news.err\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^news.notice\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^*.=warning;*.=err\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^*.crit\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^*.*;mail.none;news.none\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local0,local1.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local2,local3.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local4,local5.*\s*\t*\s*\S' - - 'f:$rsyslog_files -> r:^local6,local7.*\s*\t*\s*\S' + - 'c:grep -er "^*.emerg\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^mail.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^mail.info\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^mail.warning\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^mail.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^news.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^news.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^news.notice\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^*.=warning;*.=err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^*.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^*.*;mail.none;news.none\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^local0,local1.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^local2,local3.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er "^local4,local5.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -er 
"^local6,local7.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - id: 10569 title: "Configure rsyslog to Send Logs to a Remote Log Host" @@ -904,8 +860,8 @@ checks: - rsyslog.conf(8) man page condition: all rules: - - 'f:$rsyslog_files -> r:^\$ModLoad imtcp.so' - - 'f:$rsyslog_files -> r:^\$InputTCPServerRun 514' + - 'c:grep -er "^\$ModLoad imtcp.so" /etc/rsyslog.conf,/etc/rsyslog.d/' + - 'c:grep -er "^\$InputTCPServerRun 514" /etc/rsyslog.conf,/etc/rsyslog.d/' - id: 10571 title: "Configure logrotate" @@ -963,7 +919,8 @@ checks: - cis: "9.2.1" condition: all rules: - - 'f:/etc/pam.d/common-password -> r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+' + - 'c:dpkg -s libpam-cracklib -> install ok installed' + - 'f:/etc/pam.d/common-password -> !r:^# && r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+' - id: 10575 title: " Set Lockout for Failed Password Attempts" @@ -974,7 +931,7 @@ checks: - cis: "9.2.2" condition: all rules: - - 'f:/etc/pam.d/login -> r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+' + - 'f:/etc/pam.d/login -> !r:^# && r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+' - id: 10576 title: "Limit Password Reuse" @@ -985,7 +942,7 @@ checks: - cis: "9.2.3" condition: all rules: - - 'f:/etc/pam.d/common-password -> r:password [success=1 default=ignore] pam_unix.so obscure sha512 remember=\d' + - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so\s*\t*obscure\s*\t*sha512\s*\t*remember=\d' - id: 10577 title: "Set SSH Protocol to 2" @@ -996,7 +953,7 @@ checks: - cis: "9.3.1" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*Protocol\s*\t*2' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2' - id: 10578 title: "Set LogLevel to INFO" 
@@ -1007,7 +964,7 @@ checks: - cis: "9.3.2" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*LogLevel\s+INFO' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO' - id: 10579 title: "Disable SSH X11 Forwarding" @@ -1018,7 +975,7 @@ checks: - cis: "9.3.4" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^X11Forwarding\s+no' - id: 10580 title: "Set SSH MaxAuthTries to 4 or Less" @@ -1029,7 +986,7 @@ checks: - cis: "9.3.5" condition: all rules: - - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^MaxAuthTries && n:(\d+) compare <= 4' - id: 10581 title: "Set SSH IgnoreRhosts to Yes" @@ -1040,7 +997,7 @@ checks: - cis: "9.3.6" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^IgnoreRhosts\s+yes' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^IgnoreRhosts\s+yes' - id: 10582 title: "Set SSH HostbasedAuthentication to No" @@ -1051,7 +1008,7 @@ checks: - cis: "9.3.7" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^HostbasedAuthentication\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^HostbasedAuthentication\s+no' - id: 10583 title: "Disable SSH Root Login" @@ -1062,7 +1019,7 @@ checks: - cis: "9.3.8" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^PermitRootLogin\s+no' - id: 10584 title: "Set SSH PermitEmptyPasswords to No" @@ -1073,7 +1030,7 @@ checks: - cis: "9.3.9" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitEmptyPasswords\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\s+no' - id: 10585 title: "Do Not Allow Users to Set Environment Options" 
@@ -1084,7 +1041,7 @@ checks: - cis: "9.3.10" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^PermitUserEnvironment\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^PermitUserEnvironment\s+no' - id: 10586 title: "Set Idle Timeout Interval for User Login" @@ -1095,8 +1052,8 @@ checks: - cis: "9.3.12" condition: all rules: - - 'f:/etc/ssh/sshd_config -> n:^ClientAliveInterval\s+(\d+) compare <= 300' - - 'f:/etc/ssh/sshd_config -> r:^ClientAliveCountMax\s+0' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^ClientAliveInterval && n:(\d+) compare <= 300' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^ClientAliveCountMax\s+0' - id: 10587 title: "Limit Access via SSH" @@ -1107,7 +1064,7 @@ checks: - cis: "9.3.13" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' - id: 10588 title: "Set SSH Banner" @@ -1118,7 +1075,7 @@ checks: - cis: "9.3.14" condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^Banner /etc/issue.net' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' - id: 10589 title: "Restrict Access to the su Command" @@ -1129,7 +1086,8 @@ checks: - cis: "9.5" condition: all rules: - - 'f:/etc/pam.d/su -> r:auth required pam_wheel.so use_uid' + - 'f:/etc/pam.d/su -> !r:^# && r:auth required pam_wheel.so use_uid' + - 'f:/etc/group -> !r:^# && r:^wheel' # 10 User Accounts and Environment - id: 10590 @@ -1141,7 +1099,7 @@ checks: - cis: "10.1.1" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s+(\d+) compare <= 90' + - 'f:/etc/login.defs -> !r:^# && r:^PASS_MAX_DAYS && n:(\d+) compare <= 90' - id: 10591 title: "Set Password Change Minimum Number of Days" 
@@ -1174,7 +1132,7 @@ checks: - cis: "10.3" condition: all rules: - - 'f:/etc/passwd -> r:^root:\w+:\w+:0:' + - 'f:/etc/passwd -> !r:^# && r:^root:\w+:\w+:0:' - id: 10594 title: "Set Default umask for Users" @@ -1185,8 +1143,8 @@ checks: - cis: "10.4" condition: all rules: - - 'f:$profiledfiles -> r:^umask 077' - - 'f:/etc/bash.bashrc -> r:^umask 077' + - 'c:grep -er "^umask 077" /etc/profile.d/' + - 'f:/etc/bash.bashrc -> !r:^# && r:^umask 077' - id: 10595 title: "Lock Inactive User Accounts" From d3da6ea78e728567bb8c01fac057ffa7721cdfca Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Fri, 7 Jun 2019 16:51:07 +0200 Subject: [PATCH 064/247] Fix some Debian rules --- sca/debian/cis_debian_linux_rcl.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index f723634be..91806715b 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml @@ -56,6 +56,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: + - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -198,7 +199,7 @@ checks: condition: any rules: - 'not c:mount -> r:\s/run/shm\s' - - 'c:mount -> r:\s/media\s && r:nodev' + - 'c:mount -> r:\s/run/shm\s && r:nodev' - id: 5016 title: "Add nosuid Option to /run/shm Partition" @@ -428,8 +429,8 @@ checks: - cis: "3.2.1" condition: all rules: - - 'c:sysctl net.ipv4.conf.all.accept_source_route -> 0' - - 'c:sysctl net.ipv4.conf.default.accept_source_route -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:= 0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:= 0$' - id: 5034 title: "Ensure broadcast ICMP requests are ignored" @@ -441,7 +442,7 @@ checks: - cis: "3.2.5" condition: all rules: - - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> 1' + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:= 1$' # Section 5.2 - SSH Server Configuration - id: 5035 
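Review bot: Adding `not c:mount -> r:\s/tmp\s` while the check keeps `condition: all` makes the /tmp nodev check unsatisfiable: the new rule passes only when /tmp is not a separate mount, and the existing `c:mount -> r:\s/tmp\s && r:nodev` passes only when it is, so no host can pass both. The `/run/shm` check corrected in the next hunk shows the intended shape, with `condition: any` pairing the `not` rule with the option rule; this hunk needs the same `condition: any`. The enclosing check's id and title are outside the hunk.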
From 0d683d39a3ce6a7fa75973027b08e98eea383159 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 10 Jun 2019 09:10:39 +0200 Subject: [PATCH 065/247] Fix and unify some rules with the generic policy --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 30 +++++++++++++----------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index b84275279..fe4e5d583 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml @@ -28,9 +28,6 @@ requirements: - 'f:/proc/sys/kernel/ostype -> Linux' variables: - $rc_dirs: /etc/rc0.d,/etc/rc1.d,/etc/rc2.d,/etc/rc3.d,/etc/rc4.d,/etc/rc5.d,/etc/rc6.d,/etc/rc7.d,/etc/rc8.d,/etc/rc9.d,/etc/rca.d,/etc/rcb.d,/etc/rcc.d,/etc/rcs.d,/etc/rcS.d - $rsyslog_files: /etc/rsyslog.conf,/etc/rsyslog.d/* - $profiledfiles: /etc/profile.d/* $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ checks: @@ -448,8 +445,8 @@ checks: - cis: "6.7" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+rpcbind' - - 'c:ls -1 /etc/rc*.d -> r:S\.+nfs-kernel-server' + - 'c:systemctl is-enabled nfs -> r:disabled' + - 'c:systemctl is-enabled rpcbind -> r:disabled' - id: 10538 title: "Ensure DNS Server is not enabled" @@ -460,7 +457,8 @@ checks: - cis: "6.8" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+bind9' + - 'c:chkconfig --list named -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' + - 'c:systemctl is-enabled named -> r:disabled' - id: 10539 title: "Ensure FTP Server is not enabled" @@ -482,7 +480,8 @@ checks: - cis: "6.10" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+apache2' + - 'c:chkconfig --list httpd -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' + - 'c:systemctl is-enabled httpd -> r:disabled' - id: 10541 title: "Ensure IMAP and POP server is not enabled" 
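Review bot: `c:systemctl is-enabled nfs -> r:disabled` under `condition: none` fails precisely when the service is disabled, because `none` passes only if no rule matches; a host that left NFS enabled passes instead. The same inversion is in the named, httpd, smb and squid hunks of this commit (`@@ -460`, `@@ -482`, `@@ -504`, `@@ -515`) and in its 7.3.3 hunk, where the `disable_ipv6` rules rewritten as `r:= 1$` still sit under `none`. Either match the non-compliant output, `- 'c:systemctl is-enabled nfs -> r:enabled'`, or switch to `condition: all`. Separately, since this file is `sca/debian/cis_debianlinux7-8_L1_rcl.yml`, the unit names taken from the generic policy (`named`, `httpd`, `smb`, `squid`) do not correspond to the `bind9`, `apache2`, `samba` and `squid3` names the removed `ls -1 /etc/rc*.d` rules looked for, so those checks will query units that do not exist on Debian; the `chkconfig --list` rules also appear to rely on a tool that a default Debian install does not provide.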
@@ -504,7 +503,8 @@ checks: - cis: "6.12" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+samba' + - 'c:chkconfig --list smb -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' + - 'c:systemctl is-enabled smb -> r:disabled' - id: 10543 title: "Ensure HTTP Proxy Server is not enabled" @@ -515,7 +515,8 @@ checks: - cis: "6.13" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+squid3' + - 'c:chkconfig --list squid -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' + - 'c:systemctl is-enabled squid -> r:disabled' - id: 10544 title: "Ensure SNMP Server is not enabled" @@ -701,15 +702,13 @@ checks: - cis: "7.3.3" condition: none rules: - - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> 1' - - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> 1' - - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> 1' + - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:= 1$' + - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:= 1$' + - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> r:= 1$' - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6=1' - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6=1' - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6=1' - - 'c:ip addr -> r:inet6' - - id: 10560 title: "Create /etc/hosts.allow" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." @@ -1170,6 +1169,9 @@ checks: - 'f:/etc/motd' - 'f:/etc/issue' - 'f:/etc/issue.net' + - 'c:stat -c%u-%g-%a /etc/motd -> 0-0-644' + - 'c:stat -c%u-%g-%a /etc/issue -> 0-0-644' + - 'c:stat -c%u-%g-%a /etc/issue.net -> 0-0-644' - id: 10597 title: "Remove OS Information from Login Warning Banners" From 49d5fbec622dd1db07320b59fa4fd1dc7913551e Mon Sep 17 00:00:00 2001 
From: Skeptor Date: Mon, 10 Jun 2019 09:12:51 +0200 Subject: [PATCH 066/247] Adapt Mac OS 10.12 rules --- sca/darwin/16/cis_apple_macOS_10.12.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index 6278624a4..c5d7631ec 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml @@ -412,6 +412,7 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - cis: "6.3" - condition: all + condition: any rules: + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:does not exist' - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$' From 8e4c2450a0056e81245a8e2c756f76a4540d69ba Mon Sep 17 00:00:00 2001 From: Skeptor Date: Mon, 10 Jun 2019 11:35:27 +0200 Subject: [PATCH 067/247] Adapt mac OS El capitan policies --- sca/darwin/15/cis_apple_macOS_10.11.yml | 8 +++++--- sca/darwin/16/cis_apple_macOS_10.12.yml | 1 + sca/darwin/17/cis_apple_macOS_10.13.yml | 1 + 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index 92e77ec97..dab3188a4 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml 
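Review bot: Treating `does not exist` as a passing outcome for `AutoOpenSafeDownloads` under `condition: any` lets a default installation pass CIS 6.3: as far as I know Safari enables "Open safe files after downloading" when the key is absent, so the absent key is the default, non-compliant state rather than a compliant one, and the remediation in this hunk writes the key for exactly that reason. Only `r:^0$` proves the option was turned off, so `condition: all` with that single rule is the faithful audit; if an unset key is to be tolerated, the check should at least document that this is a deliberate relaxation. The 10.11 policy receives the same pair in the next commit.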
@@ -301,8 +301,9 @@ checks: remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - cis: "4.1" - condition: all + condition: any rules: + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:does not exist' - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' # 4.4 Ensure http server is not running (Scored) @@ -449,6 +450,7 @@ checks: remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - cis: "6.3" - condition: all + condition: any rules: - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$;' + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:does not exist' + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$' diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index c5d7631ec..16a23f189 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml @@ -289,6 +289,7 @@ checks: - cis: "4.1" condition: all rules: + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:does not exist' - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' # 4.4 Ensure http server is not running (Scored) diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index 8ca621d0f..ca454a306 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml 
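Review bot: The `does not exist` rule added to the 10.11 `NoMulticastAdvertisements` check makes `condition: any` pass on an untouched system, where the key is absent and multicast advertisements are still on; the remediation in this same hunk writes the key precisely because absence is the state it is fixing. Keep the check on `r:^1$` alone, or, if absence must be handled, treat it as a failure rather than a pass. The Safari `AutoOpenSafeDownloads` hunk below has the same shape.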
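Review bot: In the 10.12 policy the same `does not exist` rule is added but the check stays on `condition: all`, which requires both rules to match; `defaults read` prints either the "does not exist" error or the value `1`, never both, so this check can no longer pass on any host. The 10.13 hunk that follows (`@@ -291`) has the identical problem. Whichever outcome is meant to count as compliant, under `all` only the `r:^1$` rule can express it, so the added line should be dropped or the condition changed deliberately.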
@@ -291,6 +291,7 @@ checks: - cis: "4.1" condition: all rules: + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:does not exist' - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' # 4.4 Ensure http server is not running (Scored) From 92425f711a6342876d703d6a7c8081efb5aec1a3 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Mon, 10 Jun 2019 12:45:37 +0200 Subject: [PATCH 068/247] Change rules to match the CIS compliance --- sca/darwin/15/cis_apple_macOS_10.11.yml | 6 +++--- sca/darwin/16/cis_apple_macOS_10.12.yml | 4 ++-- sca/darwin/17/cis_apple_macOS_10.13.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index dab3188a4..75a9bdca8 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml @@ -187,10 +187,10 @@ checks: remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." compliance: - cis: "2.5.1" - condition: none + condition: all rules: - - 'c:pmset -c -g -> r:womp && !r:0' - - 'c:pmset -b -g -> r:womp && !r:0' + - 'c:pmset -c -g -> r:womp && r:0' + - 'c:pmset -b -g -> r:womp && r:0' # 2.6.1 Enable FileVault (Scored) - id: 3013 diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index 16a23f189..10419062b 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml 
@@ -175,9 +175,9 @@ checks: remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." compliance: - cis: "2.5.1" - condition: none + condition: all rules: - - 'c:pmset -g -> :womp && !r:0' + - 'c:pmset -g -> :womp && r:0' # 2.6.1.1 Enable FileVault (Scored) - id: 13512 diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index ca454a306..6a17d8a0e 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml @@ -164,9 +164,9 @@ checks: remediation: "Run the following command in Terminal: sudo pmset -a womp 0" compliance: - cis: "2.5.1" - condition: none + condition: all rules: - - 'c:pmset -g -> r:womp && !r:0' + - 'c:pmset -g -> r:womp && r:0' # 2.6.1.1 Enable FileVault (Scored) - id: 14011 @@ -254,7 +254,7 @@ checks: - cis: "2.13" condition: all rules: - - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> Primary allowlist version match found. No changes detected in primary hashes' + - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes' - 'c:launchctl list -> r:-\s*\t*0\s*\t*com.apple.driver.eficheck' # 3.1 Enable security auditing (Scored) From 5e870fe683ac03b4801c7beb848d94de99f2ba54 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Mon, 10 Jun 2019 07:44:44 -0700 Subject: [PATCH 069/247] Finish review of CIS policy for RHEL7 --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 159 ++++++++++------------------- 1 file changed, 55 insertions(+), 104 deletions(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index ef61fefa8..a3bde0c0f 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml 
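Review bot: The rewritten rule `c:pmset -g -> :womp && r:0` carries over a pre-existing typo: the first term is `:womp` rather than `r:womp`, so it is not a regex, and if the unprefixed form compares the output line literally no `pmset -g` line equals `:womp`, which means the 2.5.1 check can never pass now that it is under `condition: all`. The 10.11 and 10.13 hunks in this commit spell it `r:womp && r:0`; this one should read `- 'c:pmset -g -> r:womp && r:0'`.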
@@ -730,35 +730,25 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 0' - - - id: 6550 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." - rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0 and set the active kernel parameters." - compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$' + - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 6551 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1" compliance: - cis: "3.1.2" - cis_csc: "3, 11" - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.all\.send_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.default\.send_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) 
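Review bot: Both new rules for CIS 3.1.1 reference a key that does not exist, `net.ipv4_forward` instead of `net.ipv4.ip_forward`, and the sysctl rule additionally starts its pattern with `r:=^`, so the check fails on every host regardless of the forwarding setting. The intended lines are `- 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'` and `- 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'`. The grep rules in this hunk and in the 3.1.2–3.2.5 hunks that follow have a second problem: when given more than one path grep prefixes each match with its file name (`/etc/sysctl.conf:net.ipv4...`), so a pattern anchored at `^net.` never matches; add `-h` to those greps or drop the `^` anchor. The hunk also deletes the IPv6 forwarding check (id 6550) rather than correcting its broken `/proc/sys/net/ipv6/ip_forward` path; its own remediation names `net.ipv6.conf.all.forwarding = 0`, so a replacement such as `- 'c:sysctl net.ipv6.conf.all.forwarding -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'` would keep that coverage.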
@@ -766,16 +756,19 @@ checks: # 3.2.1 Disable Source Routed Packet Acceptance (Scored) - id: 6552 title: "Ensure source routed packets are not accepted" - description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network." - rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters" + description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." + rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. 
If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters." compliance: - cis: "3.2.1" - cis_csc: "3, 11" - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 6553 @@ -789,8 +782,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.all\.accept_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.default\.accept_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 6554 
@@ -804,8 +799,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.all\.secure_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.default\.secure_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' # 3.2.4 Log Suspicious Packets (Scored) - id: 6555 @@ -819,7 +816,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' + - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' + - 'c:grep "net\.ipv4\.conf\.all\.log_martians" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:grep "net\.ipv4\.conf\.default\.log_martians" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 6556 
@@ -832,35 +832,41 @@ checks: - cis_csc: "3, 11" - pci_dss: "2.2.4" condition: all - rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + rules:$ + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' + - 'c:grep "net\.ipv4\.icmp_echo_ignore_broadcasts" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 6557 - title: "Enable Bad Error Message Protection" + title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." - remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1. Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1; # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 and set the active kernel parameters." 
compliance: - cis: "3.2.6" + - cis_csc: "3, 11" - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' + - 'c:grep "net\.ipv4\.icmp_ignore_bogus_error_responses" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Enable RFC-recommended Source Route Validation (Scored) - id: 6558 title: "Ensure Reverse Path Filtering is enabled" - description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." - rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." - remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1; net.ipv4.conf.default.rp_filter=1. Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1; # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1; # /sbin/sysctl -w net.ipv4.route.flush=1" + description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." + rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. 
This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1 and set the active kernel parameters." compliance: - cis: "3.2.7" + - cis_csc: "3, 11" - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' + - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' + - 'c:grep "net\.ipv4\.conf\.all\.rp_filter" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$' + - 'c:grep "net\.ipv4\.conf\.default\.rp_filter" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 6559 @@ -874,7 +880,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - 'c:sysctl net.ipv4.tcp_syncookies -> r:=^net.tcp_syncookies\s*=\s*1$' + - 'c:grep "net\.ipv4\.tcp_syncookies" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$' ############################################### # 5 System Access, Authentication and Authorization 
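Review bot: Two stray `$` characters in this hunk break rules: the key for the broadcast-ignore check (id 6556, whose id line closes the previous hunk) is written `rules:$`, which is no longer the `rules` mapping key and will either fail to parse or leave the check without rules, and the third rule of check 6558 ends in `\s$*1$`, where the `$` anchor before `*1$` can never match. Both look like typos: the key should read `rules:` and the rule `'c:grep "net\.ipv4\.conf\.all\.rp_filter" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'`. If the loader rejects the document on the `rules:$` line, every check in the file is lost, so that one should be fixed first.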
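Review bot: Both new rules for check 6559 (TCP SYN cookies) match `net.tcp_syncookies`, but the key printed by `sysctl net.ipv4.tcp_syncookies` and written in sysctl.conf is `net.ipv4.tcp_syncookies`, so neither regex can match and the check always fails; the first rule additionally places `=` before the `^` anchor (`r:=^net...`), which is unmatchable on its own. Suggested: `'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'` and `'c:grep -h "net\.ipv4\.tcp_syncookies" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'`. The `-h` in the grep rule is needed because grep prefixes matches with the file name when given several operands, which would otherwise defeat the `^` anchor.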
@@ -896,13 +903,13 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2' + - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - id: 6561 title: "Ensure SSH LogLevel is set to INFO" description: "The INFO parameter specifies that login and logout activity will be logged." - rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." + rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - cis: "5.2.3" @@ -912,7 +919,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 6562 @@ -926,7 +933,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - id: 6563 
@@ -942,7 +949,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 6564 @@ -958,13 +965,13 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' + - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no' # 5.2.8 Disable SSH Root Login (Scored) - id: 6565 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." - rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - cis: "5.2.8" 
@@ -974,13 +981,13 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s\t**PermitRootLogin\.+no' + - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - id: 6566 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." - rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - cis: "5.2.9" @@ -990,7 +997,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no' + - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no' ############################################### # 6 System Maintenance 
@@ -1012,60 +1019,4 @@ checks: - nist_800_53: "IA.10, AC.7" condition: none rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' - -# Other/Legacy Tests - - id: 6568 - title: "Account with empty password present" - compliance: - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" - condition: none - rules: - - 'f:/etc/shadow -> r:^\w+::' - - - id: 6569 - title: "User-mounted removable partition allowed on the console" - condition: none - rules: - - 'f:/etc/security/console.perms -> r:^ \d+ ' - - 'f:/etc/security/console.perms -> r:^ \d+ ' - - - id: 6570 - title: "Disable standard boot services - Kudzu hardware detection Enabled" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dkudzu$' - - - id: 6571 - title: "Disable standard boot services - PostgreSQL server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dpostgresql$' - - - id: 6572 - title: "Disable standard boot services - MySQL server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dmysqld$' - - - id: 6573 - title: "Disable standard boot services - DNS server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnamed$' - - - id: 6574 - title: "Disable standard boot services - NetFS Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnetfs$' + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' \ No newline at end of file From 788fb8108598da06c1a3394e88b8e17ca323e0b8 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Mon, 10 Jun 2019 16:59:30 +0200 Subject: [PATCH 070/247] Fix chkconfig, ls and some commands that may fail for Debian rules --- sca/debian/cis_debian_linux_rcl.yml | 5 -- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 67 ++++++++++-------------- sca/debian/cis_debianlinux7-8_L2_rcl.yml | 45 ++++++++-------- 3 files changed, 50 insertions(+), 67 deletions(-) diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index 91806715b..40cbd5a94 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml @@ -254,7 +254,6 @@ checks: - pci_dss: "2.2.3" condition: any rules: - - 'c:chkconfig --list vsftpd -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - 'c:systemctl is-enabled vsftpd -> r:disabled' - id: 5021 @@ -294,7 +293,6 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'c:chkconfig --list smb -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - 'c:systemctl is-enabled smb -> r:disabled' - id: 5024 @@ -335,7 +333,6 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'c:chkconfig --list httpd -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - 'c:systemctl is-enabled httpd -> r:disabled' - id: 5027 @@ -349,7 +346,6 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'c:chkconfig --list named -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - 'c:systemctl is-enabled named -> r:disabled' - id: 5028 @@ -363,7 +359,6 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'c:chkconfig --list squid -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - 'c:systemctl is-enabled squid -> r:disabled' # Section 2.3 - Service clients diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index fe4e5d583..4b26c505f 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml 
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml @@ -27,9 +27,6 @@ requirements: - 'f:/etc/debian_version' - 'f:/proc/sys/kernel/ostype -> Linux' -variables: - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ - checks: # 2 Filesystem Configuration - id: 10500 @@ -200,7 +197,7 @@ checks: - cis: "2.25" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+autofsc' + - 'c:ls /etc/rc*.d -> r:S\.+autofsc' # 3 Secure Boot Settings - id: 10517 @@ -222,9 +219,9 @@ checks: remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" compliance: - cis: "3.4" - condition: all + condition: none rules: - - 'f:/etc/shadow -> r:^root:\$' + - 'f:/etc/shadow -> r:^root:[*\!]:' # 4 Additional Process Hardening - id: 10519 @@ -236,7 +233,7 @@ checks: - cis: "4.1" condition: all rules: - - 'c:ulimit -Hc -> 0' + - 'c:ulimit -H -c -> 0' - 'c:sysctl fs.suid_dumpable -> r:= 0$' - id: 10520 @@ -315,7 +312,7 @@ checks: - cis: "5.1.8" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+xinetd' + - 'c:ls /etc/rc*.d -> r:S\.+xinetd' - id: 10527 title: "Ensure chargen is not enabled" @@ -382,7 +379,7 @@ checks: - cis: "6.2" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+avahi-daemon' + - 'c:ls /etc/rc*.d -> r:S\.+avahi-daemon' - id: 10533 title: "Ensure print server is not enabled" @@ -393,7 +390,7 @@ checks: - cis: "6.3" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+cups\S*' + - 'c:ls /etc/rc*.d -> r:S\.+cups\S*' - id: 10534 title: "Ensure DHCP Server is not enabled" @@ -404,7 +401,7 @@ checks: - cis: "6.4" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+disc-dhcp-server' + - 'c:ls /etc/rc*.d -> r:S\.+disc-dhcp-server' - id: 10535 title: "Configure Network Time Protocol (NTP)" 
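Review bot: The new rule `'f:/etc/shadow -> r:^root:[*\!]:'` for the CIS 3.4 root-password check (its `- id:` line is outside the hunk) relies on a bracket character class, which the `r:` engine does not appear to support: the `\p` and `\.+` tokens used throughout these policies are OSSEC-style regex, whose syntax has no `[...]`, so the brackets would be matched literally and the check could never fail. It also misses the case the remediation text is about, an empty password field (`root::`). If the engine is indeed os_regex, `'f:/etc/shadow -> r:^root:\p*:'` catches `root::`, `root:*:` and `root:!:` without brackets while still not matching a hashed entry such as `root:$6$...`; please confirm against the parser before merging.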
@@ -457,8 +454,7 @@ checks: - cis: "6.8" condition: none rules: - - 'c:chkconfig --list named -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - - 'c:systemctl is-enabled named -> r:disabled' + - 'c:find /etc -regex /etc/rc.*named -> r:named' - id: 10539 title: "Ensure FTP Server is not enabled" @@ -469,7 +465,7 @@ checks: - cis: "6.9" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+vsftpd' + - 'c:find /etc -regex /etc/rc.*vsftpd -> r:vsftpd' - id: 10540 title: "Ensure HTTP Server is not enabled" @@ -480,8 +476,7 @@ checks: - cis: "6.10" condition: none rules: - - 'c:chkconfig --list httpd -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - - 'c:systemctl is-enabled httpd -> r:disabled' + - 'c:find /etc -regex /etc/rc.*apache2 -> r:apache2' - id: 10541 title: "Ensure IMAP and POP server is not enabled" @@ -492,7 +487,7 @@ checks: - cis: "6.11" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+dovecot' + - 'c:find /etc -regex /etc/rc.*dovecot -> r:dovecot' - id: 10542 title: "Ensure Samba is not enabled" @@ -503,8 +498,7 @@ checks: - cis: "6.12" condition: none rules: - - 'c:chkconfig --list smb -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - - 'c:systemctl is-enabled smb -> r:disabled' + - 'c:find /etc -regex /etc/rc.*smb -> r:smb' - id: 10543 title: "Ensure HTTP Proxy Server is not enabled" @@ -515,8 +509,7 @@ checks: - cis: "6.13" condition: none rules: - - 'c:chkconfig --list squid -> r:0:off && r:1:off && r:2:off && r:3:off && r:4:off && r:5:off && r:6:off' - - 'c:systemctl is-enabled squid -> r:disabled' + - 'c:find /etc -regex /etc/rc.*squid -> r:squid' - id: 10544 title: "Ensure SNMP Server is not enabled" @@ -527,7 +520,7 @@ checks: - cis: "6.14" condition: none rules: - - 'c:ls -1 /etc/rc*.d -> r:S\.+snmpd' + - 'c:find /etc -regex /etc/rc.*snmpd -> r:snmpd' - id: 10545 title: "Configure Mail Transfer Agent for Local-Only Mode" 
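Review bot: The replacement `'c:find /etc -regex /etc/rc.*named -> r:named'` in the CIS 6.8 check (and the sibling `find` rules for vsftpd, apache2, dovecot, smb, squid and snmpd in the following hunks) matches any rc-directory link containing the service name, including the `K`-prefixed kill links that a disabled SysV service leaves in `/etc/rc?.d`, so with `condition: none` a correctly disabled service is still reported as enabled. The `ls` rules being replaced required an `S` start link (`r:S\.+named`); keep that distinction in the regex, e.g. `'c:find /etc -regex /etc/rc.*/S.*named -> r:named'`. On a systemd-based Debian 8 host the rc links may not exist at all, in which case these rules pass silently; a rule such as `'c:systemctl is-enabled named -> r:^enabled'` alongside them would cover units with no rc links.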
@@ -562,7 +555,7 @@ checks: - cis: "7.1.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:net.ipv4.ip_forward=0' + - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:= 0$' - id: 10548 title: "Disable Send Packet Redirects" @@ -787,11 +780,6 @@ checks: condition: all rules: - 'c:dpkg -s iptables -> r:install ok installed' - - 'c:dpkg -s iptables-persistent -> r:install ok installed' - - 'f:/etc/rc2.d/S01iptables-persistent' - - 'f:/etc/rc3.d/S01iptables-persistent' - - 'f:/etc/rc4.d/S01iptables-persistent' - - 'f:/etc/rc5.d/S01iptables-persistent' # 8 Logging and Auditing - id: 10567 @@ -803,10 +791,7 @@ checks: - cis: "8.2.2" condition: all rules: - - 'f:/etc/rc2.d/S01rsyslog' - - 'f:/etc/rc3.d/S01rsyslog' - - 'f:/etc/rc4.d/S01rsyslog' - - 'f:/etc/rc5.d/S01rsyslog' + - 'c:systemctl is-enabled rsyslog.service -> enabled' - id: 10568 title: "Configure /etc/rsyslog.conf" @@ -930,7 +915,7 @@ checks: - cis: "9.2.2" condition: all rules: - - 'f:/etc/pam.d/login -> !r:^# && r:auth required pam_tally2.so onerr=fail audit silent deny=\d unlock_time=\d\d\d+' + - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d\s*\t*unlock_time=\d\d\d+' - id: 10576 title: "Limit Password Reuse" @@ -1085,7 +1070,7 @@ checks: - cis: "9.5" condition: all rules: - - 'f:/etc/pam.d/su -> !r:^# && r:auth required pam_wheel.so use_uid' + - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid' - 'f:/etc/group -> !r:^# && r:^wheel' # 10 User Accounts and Environment @@ -1120,7 +1105,7 @@ checks: - cis: "10.1.3" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_WARN_DAYS\s+(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s+(\d+) compare <= 7' - id: 10593 title: "Set Default Group for root Account" 
@@ -1142,7 +1127,7 @@ checks: - cis: "10.4" condition: all rules: - - 'c:grep -er "^umask 077" /etc/profile.d/' + - 'c:grep -r -e "^umask 077" /etc/profile.d/' - 'f:/etc/bash.bashrc -> !r:^# && r:^umask 077' - id: 10595 @@ -1182,7 +1167,9 @@ checks: - cis: "11.2" condition: none rules: - - 'f:/etc/motd -> r:debian|gnu|linux' + - 'c: egrep "(\\v|\\r|\\m|\\s)" /etc/issue' + - 'c: egrep "(\\v|\\r|\\m|\\s)" /etc/motd' + - 'c: egrep "(\\v|\\r|\\m|\\s)" /etc/issue.net' # 13 Review User and Group Settings - id: 10598 @@ -1248,7 +1235,7 @@ checks: - cis: "13.10" condition: none rules: - - 'd:$home_dirs -> r:^.rhosts$' + - 'd:/home -> r:^.rhosts$' - id: 10604 title: "Check for Presence of User .netrc Files" @@ -1259,7 +1246,7 @@ checks: - cis: "13.18" condition: none rules: - - 'd:$home_dirs -> r:^.netrc$' + - 'd:/home -> r:^.netrc$' - id: 10605 title: "Check for Presence of User .forward Files" @@ -1270,7 +1257,7 @@ checks: - cis: "13.19" condition: none rules: - - 'd:$home_dirs -> r:^.forward$' + - 'd:/home -> r:^.forward$' - id: 10606 title: "Ensure shadow group is empty" diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml index 9efea8838..b950d84af 100644 --- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml @@ -38,8 +38,8 @@ checks: - cis: "2.18" condition: all rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install cramfs /bin/true' + - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' + - 'not c:lsmod -> r:cramfs' - id: 11001 title: "Disable Mounting of freevxfs Filesystems" @@ -50,8 +50,8 @@ checks: - cis: "2.19" condition: all rules: - - f:/etc/modprobe.d/CIS.conf - - f:/etc/modprobe.d/CIS.conf -> r:^install freevxfs /bin/true + - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' + - 'not c:lsmod -> r:freevxfs' - id: 11002 title: "Disable Mounting of jffs2 Filesystems" 
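Review bot: The three new rules for the CIS 11.2 banner check pass the pattern to egrep in shell double quotes, `egrep "(\\v|\\r|\\m|\\s)"`, so if the `c:` command is run through a shell (the `grep -r -e "^umask 077"` rule in the previous hunk depends on that) each `\\` collapses to `\` and egrep receives `(\v|\r|\m|\s)`, where `\s` is GNU grep's whitespace class and the others are undefined escapes treated as plain letters; any banner containing a space or the letters v, r or m would then trip this `condition: none` check, while the intended literal `\v`, `\r`, `\m`, `\s` sequences are not what is searched for. Single-quote the pattern at the shell level (written as doubled quotes inside the YAML single-quoted scalar) and drop the stray space after `c:`, e.g. `- 'c:egrep ''(\\v|\\r|\\m|\\s)'' /etc/issue'`, and likewise for `/etc/motd` and `/etc/issue.net`.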
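Review bot: `'d:/home -> r:^.rhosts$'` in the CIS 13.10 check lists only the entries directly inside `/home`, whereas user `.rhosts` files live one level down in `/home/<user>/`, so unless the `d:` check recurses (not evident from this page) the rule no longer inspects any real home directory; the removed `$home_dirs` variable covered `/home/*` and `/usr2/home/*` for exactly that reason. The same narrowing affects the `.netrc` (13.18) and `.forward` (13.19) checks in the next two hunks, and the identical Solaris changes in patch 072. If `d:` is not recursive, a glob such as `'d:/home/* -> r:^.rhosts$'` (if the engine expands it, as the old variable assumed) or `'c:find /home -maxdepth 2 -name .rhosts -> r:rhosts'` keeps the check meaningful.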
@@ -62,8 +62,8 @@ checks: - cis: "2.20" condition: all rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install jffs2 /bin/true' + - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' + - 'not c:lsmod -> r:jffs2' - id: 11003 title: "Disable Mounting of hfs Filesystems" @@ -74,8 +74,8 @@ checks: - cis: "2.21" condition: all rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfs /bin/true' + - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' + - 'not c:lsmod -> r:hfs' - id: 11004 title: "Disable Mounting of hfsplus Filesystems" @@ -86,8 +86,8 @@ checks: - cis: "2.22" condition: all rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install hfsplus /bin/true' + - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' + - 'not c:lsmod -> r:hfsplus' - id: 11005 title: "Disable Mounting of squashfs Filesystems" @@ -98,8 +98,8 @@ checks: - cis: "2.23" condition: all rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install squashfs /bin/true' + - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' + - 'not c:lsmod -> r:squashfs' - id: 11006 title: "Disable Mounting of udf Filesystems" @@ -110,8 +110,8 @@ checks: - cis: "2.24" condition: all rules: - - 'f:/etc/modprobe.d/CIS.conf' - - 'f:/etc/modprobe.d/CIS.conf -> r:^install udf /bin/true' + - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' + - 'not c:lsmod -> r:udf' # 4 Additional Process Hardening - id: 11007 
@@ -227,6 +227,7 @@ checks: - 'f:/etc/audit' - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale' 
@@ -304,11 +305,10 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - id: 11020 title: "Collect Successful File System Mounts" description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" 
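Review bot: The four rewritten regexes for the file-access audit check drop `-S ftruncate` and require `-S truncate -F exit=...` to be contiguous, so an `audit.rules` line written as the CIS benchmark recommends (`... -S truncate -S ftruncate -F exit=-EACCES ...`) no longer matches and a compliant system is flagged. If ftruncate was removed deliberately for Debian, the regex should at least tolerate its presence, e.g. `-S truncate\.*-F exit=-EACCES` (os_regex `\.*` matching any run of characters); if not, restore `-S ftruncate`. The enclosing check's id and title are above the hunk and not visible here.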
@@ -333,8 +333,8 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' - id: 11022 title: "Collect Changes to System Administration Scope (sudoers)" @@ -402,6 +402,7 @@ checks: condition: all rules: - 'f:/usr/sbin/aideinit' + - 'c:dpkg -s aide -> r:install ok installed' - id: 11027 title: "Implement Periodic Execution of File Integrity" @@ -412,4 +413,4 @@ checks: - cis: "8.3.2" condition: all rules: - - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide --check' + - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check' From be7ea589c374e7b973b825a3c950c015d897dfc6 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Mon, 10 Jun 2019 08:04:40 -0700 Subject: [PATCH 071/247] Remove unused variable for RHEL7 policy --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index a3bde0c0f..270e26563 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -32,7 +32,6 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # 1.1.2 /tmp: partition From c4bf317fd9d36c5af714741c2f288dec55b481cd Mon Sep 17 00:00:00 2001 
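Review bot: This hunk replaces the `-k delete` audit-rule regexes (unlink/unlinkat/rename/renameat) of the check preceding id 11022 with `-S mount ... -k mounts` regexes. The check's id and title are outside the hunk, but by CIS ordering the check between "Collect Successful File System Mounts" (11020) and "Collect Changes to System Administration Scope" (11022) is the file-deletion collection, so if that is the case this change removes the only verification of deletion auditing and duplicates 11020's rules rather than fixing them; if 11020's rules were the ones that were wrong, the edit belongs in that check. Please confirm the title at the top of this check before merging.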
From: Skeptor Date: Mon, 10 Jun 2019 17:11:31 +0200 Subject: [PATCH 072/247] Adapt Solaris 11 CIS policies --- sca/sunos/cis_solaris11_rcl.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml index 60ab427cc..8eeaf8d92 100644 --- a/sca/sunos/cis_solaris11_rcl.yml +++ b/sca/sunos/cis_solaris11_rcl.yml @@ -25,9 +25,6 @@ requirements: rules: - 'f:/etc/release -> r:^\s*Oracle\s+Solaris\s+11\p' -variables: - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ - checks: # 2 Disable Unnecessary Services - id: 11500 @@ -188,7 +185,7 @@ checks: - cis: "2.13" condition: all rules: - - 'p:telnetd' + - 'p:telnet' # 3 Kernel Tuning - id: 11513 @@ -200,6 +197,7 @@ checks: - cis: "3.1" condition: all rules: + - 'f:/etc/coreadm.conf' - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\p\.+' - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\pdefault' - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\pcore' @@ -466,6 +464,7 @@ checks: - cis: "6.12" condition: all rules: + - 'f:/usr/share/X11/app-defaults/XScreensaver' - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*0:10:00' - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*0:00:00' - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true' @@ -518,6 +517,7 @@ checks: - cis: "6.17" condition: all rules: + - 'f:/rpool/boot/grub/menu.lst' - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5' # 7 User Accounts and Environment @@ -622,6 +622,7 @@ checks: - cis: "8.3" condition: all rules: + - 'f:/etc/gdm/Init/Default' - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.' - id: 11545 @@ -741,7 +742,7 @@ checks: - cis: "9.10" condition: none rules: - - 'd:$home_dirs -> ^.rhosts$' + - 'd:/home -> ^.rhosts$' - id: 11552 title: "Check That Users Are Assigned Home Directories" 
@@ -763,7 +764,7 @@ checks: - cis: "9.20" condition: none rules: - - 'd:$home_dirs -> ^.netrc$' + - 'd:/home -> ^.netrc$' - id: 11554 title: "Check for Presence of User .forward Files" @@ -774,4 +775,4 @@ checks: - cis: "9.21" condition: none rules: - - 'd:$home_dirs -> ^.forward$' + - 'd:/home -> ^.forward$' From 913e8ebd5306b6878cc71cc1b4a51407bf0728d8 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 10 Jun 2019 17:42:33 +0200 Subject: [PATCH 073/247] Fix comments and spaces between rules --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 38 ++++++++++++------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index 4b26c505f..a856e8e13 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml @@ -543,7 +543,7 @@ checks: condition: none rules: - 'c:dpkg -s rsync -> install ok installed' - - 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=false' + - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE=false' # 7 Network Configuration and Firewall - id: 10547 @@ -959,7 +959,7 @@ checks: - cis: "9.3.4" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^X11Forwarding\s+no' + - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' - id: 10580 title: "Set SSH MaxAuthTries to 4 or Less" @@ -970,7 +970,7 @@ checks: - cis: "9.3.5" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^MaxAuthTries && n:(\d+) compare <= 4' + - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4' - id: 10581 title: "Set SSH IgnoreRhosts to Yes" @@ -981,7 +981,7 @@ checks: - cis: "9.3.6" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^IgnoreRhosts\s+yes' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' - id: 10582 title: "Set SSH HostbasedAuthentication to No" 
@@ -992,7 +992,7 @@ checks: - cis: "9.3.7" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^HostbasedAuthentication\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - id: 10583 title: "Disable SSH Root Login" @@ -1003,7 +1003,7 @@ checks: - cis: "9.3.8" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^PermitRootLogin\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' - id: 10584 title: "Set SSH PermitEmptyPasswords to No" @@ -1014,7 +1014,7 @@ checks: - cis: "9.3.9" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^PermitEmptyPasswords\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' - id: 10585 title: "Do Not Allow Users to Set Environment Options" @@ -1025,7 +1025,7 @@ checks: - cis: "9.3.10" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^PermitUserEnvironment\s+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' - id: 10586 title: "Set Idle Timeout Interval for User Login" @@ -1036,8 +1036,8 @@ checks: - cis: "9.3.12" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^ClientAliveInterval && n:(\d+) compare <= 300' - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^ClientAliveCountMax\s+0' + - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0' - id: 10587 title: "Limit Access via SSH" @@ -1048,7 +1048,7 @@ checks: - cis: "9.3.13" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' - id: 10588 title: "Set SSH Banner" 
@@ -1059,7 +1059,7 @@ checks: - cis: "9.3.14" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' - id: 10589 title: "Restrict Access to the su Command" @@ -1071,7 +1071,7 @@ checks: condition: all rules: - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid' - - 'f:/etc/group -> !r:^# && r:^wheel' + - 'f:/etc/group -> !r:^# && r:wheel' # 10 User Accounts and Environment - id: 10590 @@ -1083,7 +1083,7 @@ checks: - cis: "10.1.1" condition: all rules: - - 'f:/etc/login.defs -> !r:^# && r:^PASS_MAX_DAYS && n:(\d+) compare <= 90' + - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' - id: 10591 title: "Set Password Change Minimum Number of Days" @@ -1094,7 +1094,7 @@ checks: - cis: "10.1.2" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s+(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' - id: 10592 title: "Set Password Expiring Warning Days" @@ -1105,7 +1105,7 @@ checks: - cis: "10.1.3" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s+(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7' - id: 10593 title: "Set Default Group for root Account" @@ -1116,7 +1116,7 @@ checks: - cis: "10.3" condition: all rules: - - 'f:/etc/passwd -> !r:^# && r:^root:\w+:\w+:0:' + - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - id: 10594 title: "Set Default umask for Users" @@ -1128,7 +1128,7 @@ checks: condition: all rules: - 'c:grep -r -e "^umask 077" /etc/profile.d/' - - 'f:/etc/bash.bashrc -> !r:^# && r:^umask 077' + - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077' - id: 10595 title: "Lock Inactive User Accounts" 
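Review bot: Removing the anchor from the /etc/group rule leaves `r:wheel`, which matches any line containing that substring — a group named `wheelhouse`, or any group whose member list includes a user called wheel — rather than the wheel group record itself. `r:^wheel:` matches the group entry and nothing else; the `!r:^#` clause is then redundant because /etc/group carries no comments.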
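Review bot: The comparison direction in `n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7` looks inverted: CIS 10.1.2 asks for a minimum of 7 days between password changes, so a value of 0 — commonly the shipped default, which lets a user cycle a password straight back — passes this check while a hardened value of 14 fails it. The next hunk has the same problem, since CIS 10.1.3 asks for at least 7 warning days and the rule keeps `compare <= 7`. Unless the policy intends something else, both should read `compare >= 7`; the PASS_MAX_DAYS `compare <= 90` above is the only one of the three whose direction matches the benchmark. The commit only touched the whitespace part of these patterns, so the defect predates it, but the rewrite is the moment to fix it.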
@@ -1224,7 +1224,7 @@ checks: - cis: "13.5" condition: none rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' - id: 10603 title: "Check for Presence of User .rhosts Files" From 1c9da3f1ce0d3eae5cc3c1f6cda4d02f067adffd Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Tue, 11 Jun 2019 14:05:28 +0200 Subject: [PATCH 074/247] Fix some Debian rules --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index a856e8e13..b0d06ef05 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml @@ -49,7 +49,7 @@ checks: remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - cis: "2.2" - condition: any + condition: all rules: - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -61,7 +61,7 @@ checks: remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - cis: "2.3" - condition: any + condition: all rules: - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -73,7 +73,7 @@ checks: remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" compliance: - cis: "2.4" - condition: any + condition: all rules: - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:noexec' 
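Review bot: Switching these three /tmp checks from `condition: any` to `condition: all` makes them unsatisfiable as written: the first rule `not c:mount -> r:\s/tmp\s` holds only when /tmp is not a mount point, and the second `c:mount -> r:\s/tmp\s && r:nodev` holds only when it is, so no host can satisfy both. With `any` the pair expressed "not a separate partition, or mounted with nodev", which is the intended reading of CIS 2.2–2.4 for a system without a /tmp partition. Unless the engine gives `not` some semantics beyond plain negation of that one rule, either revert to `condition: any` or keep only the positive rule under `all`. The SLES 11 rewrite later in this series introduces the same `all` plus `not c:mount` pairing for /tmp, /home and /dev/shm (ids 7001–7003 and 7008–7011), which would fail in the same way.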
@@ -176,6 +176,7 @@ checks: rules: - 'not c:mount -> r:\s/run/shm\s' - 'c:mount -> r:\s/run/shm\s && r:nosuid' + - id: 10515 title: "Add noexec Option to /run/shm Partition" description: "Set noexec on the shared memory partition to prevent programs from executing from there." @@ -415,8 +416,8 @@ checks: condition: all rules: - 'c:dpkg -s ntp -> r:install ok installed' - - 'f:/etc/ntp.conf -> r:^restrict -4 default kod nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:^restrict -6 default kod nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:^restrict -4 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' + - 'f:/etc/ntp.conf -> r:^restrict -6 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' - 'f:/etc/ntp.conf -> r:^server\s\.+' - 'f:/etc/ntp.conf -> r:RUNASUSER=ntp' @@ -1127,7 +1128,7 @@ checks: - cis: "10.4" condition: all rules: - - 'c:grep -r -e "^umask 077" /etc/profile.d/' + - 'c:grep -R -e "^umask 077" /etc/profile.d/' - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077' - id: 10595 From 9a4ded29e939e2664a9226449015fcdc4b538842 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Tue, 11 Jun 2019 14:06:04 +0200 Subject: [PATCH 075/247] Fix SLES 11 rules --- sca/sles/11/cis_sles11_linux_rcl.yml | 227 ++++++++++++--------------- 1 file changed, 97 insertions(+), 130 deletions(-) diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index 34862b1f1..e555ce6cc 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml @@ -42,8 +42,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' + - 'c:mount -> r:\s/tmp\s' - id: 7001 title: "Ensure nodev option set on /tmp partition" 
@@ -55,8 +54,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:nodev' - id: 7002 title: "Ensure nosuid option set on /tmp partition" @@ -68,7 +67,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:nosuid' # 1.1.5 /tmp: noexec - id: 7003 @@ -82,7 +82,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:noexec' # 1.1.6 Build considerations - Partition scheme. - id: 7004 @@ -96,8 +97,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' + - 'c:mount -> r:\s/var\s' - id: 7005 title: "Ensure separate partition exists for /var/log" @@ -111,7 +111,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log' + - 'c:mount -> r:\s/var/log\s' # 1.1.12 /var/log/audit: partition - id: 7006 @@ -126,7 +126,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + - 'c:mount -> r:\s/var/log/audit\s' # 1.1.13 /home: partition - id: 7007 @@ -140,7 +140,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/home' + - 'c:mount -> r:\s/home\s' - id: 7008 title: "Ensure nodev option set on /home partition" 
@@ -152,47 +152,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' - - # 1.1.18 nodev on removable media partitions (not scored) - - id: 7012 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' - - # 1.1.19 nosuid on removable media partitions (not scored) - - id: 7013 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." 
- compliance: - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' - -# 1.1.20 noexec on removable media partitions (not scored) - - id: 7014 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.20" - - cis_csc: "8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + - 'not c:mount -> r:\s/home\s' + - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.15 /dev/shm: nodev - id: 7009 @@ -205,7 +166,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid - id: 7010 @@ -218,7 +180,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec - id: 7011 @@ -232,7 +195,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' + - 'not c:mount -> r:\s/dev/shm\s' + - 'c:mount -> r:\s/dev/shm\s && r:noexec' ############################################### # 1.4 Secure Boot Settings 
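Review bot: Deleting checks 7012–7014 (CIS 1.1.18–1.1.20, nodev/nosuid/noexec on removable media) alongside the /home nodev rewrite leaves the policy with no coverage of removable-media mount options, which goes well beyond what the commit title "Fix SLES 11 rules" conveys. If the checks were dropped because fstab parsing was unreliable, the `c:mount` form used for /home would serve them as well, e.g. `- 'c:mount -> r:\s/media\S*\s && r:nodev'` as a starting point; if the removal is deliberate, the commit message should say so and note that those ids are retired.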
@@ -265,7 +229,8 @@ checks: - cis_csc: "13" condition: all rules: - - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + - 'c:ulimit -H -c -> 0' + - 'c:sysctl fs.suid_dumpable -> r:= 0$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7017 @@ -278,6 +243,7 @@ checks: - cis_csc: "8.4" condition: all rules: + - 'c:grep -R "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$' - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' ############################################### @@ -297,8 +263,8 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*chargen:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*chargen-udp:\s*\t*on' - id: 7019 title: "Ensure daytime services are not enabled" @@ -310,8 +276,8 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*daytime:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*daytime-udp:\s*\t*on' - id: 7020 title: "Ensure discard services are not enabled" @@ -323,8 +289,8 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*discard:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*discard-udp:\s*\t*on' - id: 7021 title: "Ensure echo services are not enabled" @@ -336,8 +302,8 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*echo:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*echo-udp:\s*\t*on' - id: 7022 title: "Ensure time services are not enabled" 
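Review bot: `c:ulimit -H -c -> 0` reports the hard core-file limit of the process the agent spawns, not the limit configured for user sessions, so a host whose /etc/security/limits.conf still lacks `* hard core 0` can pass because the agent's own environment happens to report 0 (and since `ulimit` is a shell builtin, whether `c:` resolves it at all depends on how commands are executed). The limits.conf rule this hunk removes was the part that measured the CIS 1.5.1 configuration; keep it next to the new sysctl rule, e.g. `- 'f:/etc/security/limits.conf -> !r:^# && r:hard\s+core\s+0'`, and consider /etc/security/limits.d as well.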
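Review bot: The added `c:grep -R "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$` rule is satisfied by commented-out lines as well, since grep prints `# kernel.randomize_va_space = 2` (a common shipped example) and `r:= 2$` does not exclude it — the persisted-configuration half of the check can then pass on a comment. Anchoring the grep pattern on the line start fixes it without a negative clause, which would not work anyway because `-R` prefixes each match with the file name: `c:grep -R "^\s*kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$`. Every sysctl grep rule added later in this commit (ip_forward, send_redirects, accept_source_route, accept_redirects, secure_redirects, log_martians, icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, rp_filter, tcp_syncookies) has the same gap.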
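Review bot: The new chkconfig rules write their pattern without a type prefix, `c:chkconfig --list -> \s*\t*chargen:\s*\t*on`, whereas the RHEL 7 policy changed in this same series spells the equivalent rule `r:^\s*\t*chargen-stream:\s*\t*on`. If the engine does not default an unprefixed pattern to a regex, `\s*\t*` is matched literally and none of these rules can ever fire, which under `condition: none` means every legacy-service check passes regardless of state. Prefix each pattern with `r:` — here and in the daytime, discard, echo, time, rsh, talk, telnet, tftp, rsync and service-disable hunks that follow — so the result does not depend on an engine default.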
@@ -349,8 +315,8 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*time:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*time-udp:\s*\t*on' - id: 7023 title: "Ensure rsh server is not enabled" @@ -364,9 +330,9 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*rexec:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*rlogin:\s*\t*on' + - 'c:chkconfig --list -> \s*\t*rsh:\s*\t*on' - id: 7024 title: "Ensure talk server is not enabled" @@ -380,7 +346,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*talk:\s*\t*on' - id: 7025 title: "Ensure telnet server is not enabled" @@ -394,7 +360,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*telnet:\s*\t*on' - id: 7026 title: "Ensure tftp server is not enabled" @@ -408,7 +374,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> \s*\t*tftp:\s*\t*:on' - id: 7027 title: "Ensure rsync service is not enabled" @@ -418,9 +384,9 @@ checks: compliance: - cis: "2.1.10, 2.2.17" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\drsyncd$' + - 'c:chkconfig --list -> \s*\t*rsyncd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' ############################################### # 2 Special Purpose Services 
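Review bot: The tftp rule `c:chkconfig --list -> \s*\t*tftp:\s*\t*:on` has a stray colon before `on`; chkconfig prints `tftp: on`, so the pattern can never match, and under `condition: none` the check reports a pass even when tftp is enabled. It should read `\s*\t*tftp:\s*\t*on`, matching the telnet and talk rules in the preceding hunks.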
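Review bot: Changing the rsync check to `condition: all` with a single `0:off … 6:off` pattern makes a host where rsyncd is simply not installed fail: `chkconfig --list` prints an error rather than a runlevel table for an absent service, so the rule cannot match, yet the CIS 2.1.10 requirement is met. The original `none` polarity is the robust one — fail only when an enabled runlevel is seen, e.g. `- 'c:chkconfig --list rsyncd -> r:\d:on'` under `condition: none`. The dhcpd, nfs/rpcbind, named, vsftpd, apache2, smb, squid and snmpd hunks that follow were converted the same way and share this false failure. The cyrus and ypserv hunks kept `condition: none` but use the all-off pattern, which inverts them: a fully disabled service matches the rule and fails the check, while an enabled one passes.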
@@ -436,8 +402,8 @@ checks: - pci_dss: "2.2.2" condition: any rules: - - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' + - 'f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery' + - 'f:/etc/ntp.conf -> r:restrict -6 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery' - 'f:/etc/ntp.conf -> r:^server|^pool' - 'f:/etc/sysconfig/ntpd -> r:NTPD_OPTIONS="-u ntp:ntp"' @@ -453,7 +419,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/inittab -> IN !r:^# && r:id:5' + - 'c:rpm -qa xorg-x11* -> r:^xorg-x11' # 2.2.3 Disable Avahi Server (Scored) - id: 7030 @@ -477,10 +443,9 @@ checks: compliance: - cis: "2.2.5" - cis_csc: "9.1" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dhcpd$' - - 'd:$rc_dirs -> ^S\d\dhcpd6$' + - 'c:chkconfig --list dhcpd -> \s*\t*dhcpd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' # 2.2.7 Disable NFS and RPC (Not Scored) - id: 7032 @@ -492,10 +457,10 @@ checks: - cis: "2.2.7" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dnfs$' - - 'd:$rc_dirs -> ^S\d\dnfslock$' + - 'c:chkconfig --list nfs -> \s*\t*nfs\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' + - 'c:chkconfig --list rpcbind -> \s*\t*rpcbind\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' - id: 7033 title: "Ensure DNS Server is not enabled" @@ -506,9 +471,9 @@ checks: - cis: "2.2.8" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dnamed$' + - 'c:chkconfig --list named -> \s*\t*named\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' - id: 7034 title: "Ensure FTP Server is not enabled" 
@@ -519,9 +484,9 @@ checks: - cis: "2.2.9" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list vsftpd -> \s*\t*vsftpd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' # 2.2.10 Remove HTTP Server (Not Scored) - id: 7035 @@ -532,9 +497,9 @@ checks: compliance: - cis: "2.2.10" - cis_csc: "9.1" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dapache2$' + - 'c:chkconfig --list apache2 -> \s*\t*apache2\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' - id: 7036 title: "Ensure IMAP and POP3 server is not enabled" @@ -547,8 +512,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list cyrus -> \s*\t*cyrus\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' # 2.2.12 Remove Samba (Not Scored) - id: 7037 @@ -560,10 +524,9 @@ checks: - cis: "2.2.12" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dsamba$' - - 'd:$rc_dirs -> ^S\d\dsmb$' + - 'c:chkconfig --list smb -> \s*\t*smb\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' - id: 7038 title: "Ensure HTTP Proxy Server is not enabled" @@ -574,9 +537,9 @@ checks: - cis: "2.2.13" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dsquid$' + - 'c:chkconfig --list squid -> \s*\t*squid\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' - id: 7039 title: "Ensure SNMP Server is not enabled" 
@@ -587,9 +550,9 @@ checks: - cis: "2.2.14" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - 'c:chkconfig --list snmpd -> \s*\t*snmpd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' - id: 7040 title: "Ensure NIS Server is not enabled" @@ -603,7 +566,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$' + - 'c:chkconfig --list ypserv -> \s*\t*ypserv\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' # Section 2.3 - Service Clients - id: 7041 @@ -618,7 +581,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypbind$' + - 'c:rpm -q ybind -> r:^ypbind-\S*' ############################################### # 3 Network Configuration and Firewalls @@ -638,20 +601,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 0' - - - id: 7043 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." - rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1" - compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + - 'c:grep -R "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:= 0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 7044 
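Review bot: `c:rpm -q ybind -> r:^ypbind-\S*` queries the package name `ybind`, a typo for `ypbind`; rpm answers that `ybind` is not installed, the regex never matches, and with `condition: none` the check passes even when the NIS client is installed. The line should be `- 'c:rpm -q ypbind -> r:^ypbind-\S*'`; the RHEL 7 policy in this series uses the `r:^package ypbind is not installed$` form, which is the clearer positive test.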
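Review bot: Check 7043 (IPv6 forwarding, CIS 3.1.1) is deleted in this hunk rather than fixed: its old rule read `/proc/sys/net/ipv6/ip_forward`, a path that does not exist, which is presumably why it never passed, but the control itself remains part of the benchmark and its own remediation text names the right key. That key is `net.ipv6.conf.all.forwarding`, so the same two-rule form used for ip_forward applies: `- 'c:/sbin/sysctl net.ipv6.conf.all.forwarding -> r:= 0$'` plus the matching grep over /etc/sysctl.conf and /etc/sysctl.d/. If the policy intentionally ignores IPv6, the commit message should say so instead of dropping the id silently.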
@@ -665,8 +616,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + - 'c:grep -R "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:= 0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) @@ -683,7 +636,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + - 'c:grep -R "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:= 0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 7046 @@ -697,8 +653,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + - 'c:grep -R "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:= 0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 7047 
@@ -712,8 +670,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - 'c:grep -R "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:= 0$' - id: 7048 title: "Ensure suspicious packets are logged" @@ -726,8 +686,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + - 'c:grep -R "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:grep -R "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:= 1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 7049 @@ -741,7 +703,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:= 1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7050 @@ -755,7 +718,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:= 1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 7051 
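Review bot: `c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:= 1$` misspells the key (`icpm` for `icmp`); sysctl reports an unknown key instead of a value, the regex never matches, and because the check is `condition: all` it fails on every host, compliant ones included. The runtime rule should be `- 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:= 1$'`, which then also agrees with the grep rule added on the line above it.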
@@ -769,8 +733,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - 'c:grep -R "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:grep -R "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:= 1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 7052 @@ -784,7 +750,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - 'c:grep -R "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:= 1$' ############################################### # 5 System Access, Authentication and Authorization @@ -806,7 +773,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - id: 7054 @@ -922,7 +889,7 @@ checks: - nist_800_53: "IA.10, AC.7" condition: none rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' - id: 7060 title: "Ensure password fields are not empty" From 3890248d3f5224726eadd09ca1dba0a53bc4e3d1 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 11 Jun 2019 06:59:28 -0700 Subject: [PATCH 076/247] Reorder RHEL7 policy IDs --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 102 ++++++++++++++--------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 270e26563..09c095446 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml 
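Review bot: The replacement rule `!r:^# && r:^\s*\t*Protocol\s*\t*2` is satisfied by `Protocol 2,1`, which still offers SSH-1, because nothing constrains what follows the 2; the `compare > 1` form it replaces had the same weakness, so the rewrite preserves rather than fixes it. Anchoring the end of the value closes the gap: `r:^\s*\t*Protocol\s*\t*2\s*$`. Note that a sshd_config with no Protocol line at all now fails this check, which is probably intended for this policy but worth stating in the rationale.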
@@ -176,7 +176,7 @@ checks: - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.15 /dev/shm: nodev - - id: 6513 + - id: 6510 title: "Ensure nodev option set on /dev/shm partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." @@ -190,7 +190,7 @@ checks: - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid - - id: 6514 + - id: 6511 title: "Ensure nosuid option set on /dev/shm partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." @@ -204,7 +204,7 @@ checks: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec - - id: 6515 + - id: 6512 title: "Ensure noexec option set on /dev/shm partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." @@ -222,7 +222,7 @@ checks: # 1.6 Configure SELinux ############################################### # 1.6.1.2 Set selinux state - - id: 6517 + - id: 6513 title: "Ensure the SELinux state is enforcing" description: "Set SELinux to enable when the system is booted." rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." 
@@ -239,7 +239,7 @@ checks: - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing' # 1.6.1.3 Set selinux policy - - id: 6518 + - id: 6514 title: "Ensure SELinux policy is configured" description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only." rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." @@ -253,7 +253,7 @@ checks: - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls' # 1.6.1.4 Remove SETroubleshoot - - id: 6519 + - id: 6515 title: "Ensure SETroubleshoot is not installed" description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors." rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." @@ -266,7 +266,7 @@ checks: - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$' # 1.6.1.5 Disable MCS Translation service mcstrans - - id: 6520 + - id: 6516 title: "Ensure the MCS Translation Service (mcstrans) is not installed" description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf" rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system." 
@@ -282,7 +282,7 @@ checks: # 1.4 Secure Boot Settings ############################################### # 1.4.2 Set Boot Loader Password (Scored) - - id: 6521 + - id: 6517 title: "Ensure bootloader password is set" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." @@ -299,7 +299,7 @@ checks: # 1.5 Additional Process Hardening ############################################### # 1.5.1 Restrict Core Dumps (Scored) - - id: 6522 + - id: 6518 title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file." rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." @@ -316,7 +316,7 @@ checks: - 'd:/etc/sysctl.d -> r:^\.+ -> !r:^# && r:^\s*fs.suid_dumpable\s*=\s*0\s*$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - - id: 6523 + - id: 6519 title: "Ensure address space layout randomization (ASLR) is enabled" description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." 
@@ -335,7 +335,7 @@ checks: # 2.2 Remove Legacy Services ############################################### # 2.2.16 Remove NIS Server (Scored) - - id: 6527 + - id: 6520 title: "Ensure NIS Server is not enabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" @@ -350,7 +350,7 @@ checks: - 'c:systemctl is-enabled ypserv -> r:^enabled' # 2.2.17 Remove rsh-server (Scored) - - id: 6525 + - id: 6521 title: "Ensure rsh server is not enabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." @@ -367,7 +367,7 @@ checks: - 'c:systemctl is-enabled rexec.socket -> r:^enabled' # 2.2.18 Remove talk server (Scored) - - id: 6525 + - id: 6522 title: "Ensure talk server is not enabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
@@ -382,7 +382,7 @@ checks: - 'c:systemctl is-enabled ntalk -> r:^enabled' # 2.2.19 Remove telnet-server (Scored) - - id: 6524 + - id: 6523 title: "Ensure telnet server is not enabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." @@ -397,7 +397,7 @@ checks: - 'c:systemctl is-enabled telnet.socket -> r:^enabled' # 2.2.20 Remove tftp server (Scored) - - id: 6525 + - id: 6524 title: "Ensure tftp server is not enabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." @@ -442,7 +442,7 @@ checks: - 'c:rpm -q ypbind -> r:^package ypbind is not installed$' # 2.1.7 Remove xinetd (Scored) - - id: 6530 + - id: 6527 title: "Ensure xinetd is not enabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." 
@@ -457,7 +457,7 @@ checks: - 'c:systemctl is-enabled xinetd -> r:^enabled' # 2.1.1 Disable chargen services (Scored) - - id: 6531 + - id: 6528 title: "Ensure chargen services are not enabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -473,7 +473,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*chargen-stream:\s*\t*on' # 2.1.2 Disable daytime services (Scored) - - id: 6533 + - id: 6529 title: "Ensure daytime services are not enabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -487,7 +487,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*daytime-stream:\s*\t*on' # 2.1.3 Disable discard services (Scored) - - id: 6534 + - id: 6530 title: "Ensure discard services are not enabled" description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
@@ -503,7 +503,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*discard-stream:\s*\t*on' # 2.1.4 Disable echo-dgram (Scored) - - id: 6535 + - id: 6531 title: "Ensure echo services are not enabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -519,7 +519,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*echo-stream:\s*\t*on' # 2.1.5 Disable time-stream (Scored) - - id: 6536 + - id: 6532 title: "Ensure time services are not enabled" description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -535,7 +535,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*time-stream:\s*\t*on' # 2.2.2 Remove X Windows (Scored) - - id: 6537 + - id: 6533 title: "Ensure X Window System is not installed" description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login." rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." 
@@ -549,7 +549,7 @@ checks: - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+' # 2.2.3 Disable Avahi Server (Scored) - - id: 6538 + - id: 6534 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." @@ -563,7 +563,7 @@ checks: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' # 2.2.5 Remove DHCP Server (Scored) - - id: 6539 + - id: 6535 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." @@ -579,7 +579,7 @@ checks: - 'c:systemctl is-enabled dhcpd -> r:^enabled' # 2.2.6 Remove LDAP Server (Scored) - - id: 6539 + - id: 6536 title: "Ensure LDAP Server is not enabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." 
@@ -595,7 +595,7 @@ checks: - 'c:systemctl is-enabled sladp -> r:^enabled' # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored) - - id: 6540 + - id: 6537 title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server." rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." @@ -613,7 +613,7 @@ checks: - 'f:/usr/lib/systemd/system/ntpd.service -> r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp' # 2.2.7 Disable NFS and RPC (Scored) - - id: 6541 + - id: 6538 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." @@ -629,7 +629,7 @@ checks: - 'c:systemctl is-enabled rpcbind -> r:^enabled' # 2.2.9 Remove FTP Server (Scored) - - id: 6542 + - id: 6539 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." 
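Review bot: The context rule `'c:systemctl is-enabled sladp -> r:^enabled'` kept in the LDAP-server check (renumbered to 6536 here) queries a unit called `sladp`, which is the OpenLDAP daemon name misspelled; the unit is `slapd`. Since no unit of that name is ever reported `enabled`, the rule can never fire, and the check would therefore pass on a host that actually runs an LDAP server — the `condition:` line is outside the hunk, so confirm which way this silently resolves. Suggested line: `'c:systemctl is-enabled slapd -> r:^enabled'`. The id renumbering itself is consistent with the surrounding hunks.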
@@ -643,7 +643,7 @@ checks: - 'c:systemctl is-enabled vsftpd -> r:^enabled' # 2.2.10 Remove HTTP Server (Scored) - - id: 6543 + - id: 6540 title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." @@ -656,7 +656,7 @@ checks: - 'c:systemctl is-enabled httpd -> r:^enabled' # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored) - - id: 6544 + - id: 6541 title: "Ensure IMAP and POP3 server is not enabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." @@ -670,7 +670,7 @@ checks: - 'c:systemctl is-enabled dovecot -> r:^enabled' # 2.2.12 Remove Samba (Scored) - - id: 6546 + - id: 6542 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." 
@@ -684,7 +684,7 @@ checks: - 'c:systemctl is-enabled smb -> r:^enabled' # 2.2.13 Remove HTTP Proxy Server (Scored) - - id: 6547 + - id: 6543 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." @@ -698,7 +698,7 @@ checks: - 'c:systemctl is-enabled squid -> r:^enabled' # 2.2.14 Remove SNMP Server (Not Scored) - - id: 6548 + - id: 6544 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." @@ -718,7 +718,7 @@ checks: # 3.1 Modify Network Parameters (Host Only) ############################################### # 3.1.1 Disable IP Forwarding (Scored) - - id: 6549 + - id: 6545 title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." 
@@ -733,7 +733,7 @@ checks: - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - - id: 6551 + - id: 6546 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
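Review bot: The grep rule kept as context in the IP-forwarding check (now id 6545), `r:^net.ipv4_forward\s*=\s*0$`, can never match: the sysctl key is `net.ipv4.ip_forward`, and `grep -R` given two operands prefixes every hit with the file name, so the `^` anchor fails even once the key is spelled correctly. As written the rule fails regardless of the host's configuration. A working form is `'c:grep -Rh "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'`, where `-h` suppresses the file-name prefix. The same `grep -R … -> r:^net.ipv4…` shape is visible in the source-route, ICMP-redirect, secure-redirect, log_martians, broadcast, bogus-error and rp_filter checks (ids 6547–6553) and needs the same `-h`; the `condition:` lines that decide whether this shows up as a failure or a silent pass lie outside these hunks.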
@@ -753,7 +753,7 @@ checks: # 3.2 Modify Network Parameters (Host and Router) ############################################### # 3.2.1 Disable Source Routed Packet Acceptance (Scored) - - id: 6552 + - id: 6547 title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
@@ -770,7 +770,7 @@ checks: - 'c:grep "net\.ipv4\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - - id: 6553 + - id: 6548 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." @@ -787,7 +787,7 @@ checks: - 'c:grep "net\.ipv4\.conf\.default\.accept_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - - id: 6554 + - id: 6549 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
@@ -804,7 +804,7 @@ checks: - 'c:grep "net\.ipv4\.conf\.default\.secure_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' # 3.2.4 Log Suspicious Packets (Scored) - - id: 6555 + - id: 6550 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." @@ -821,7 +821,7 @@ checks: - 'c:grep "net\.ipv4\.conf\.default\.log_martians" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - - id: 6556 + - id: 6551 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." 
@@ -836,7 +836,7 @@ checks: - 'c:grep "net\.ipv4\.icmp_echo_ignore_broadcasts" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - - id: 6557 + - id: 6552 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -851,7 +851,7 @@ checks: - 'c:grep "net\.ipv4\.icmp_ignore_bogus_error_responses" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Enable RFC-recommended Source Route Validation (Scored) - - id: 6558 + - id: 6553 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing." 
@@ -868,7 +868,7 @@ checks: - 'c:grep "net\.ipv4\.conf\.default\.rp_filter" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - - id: 6559 + - id: 6554 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." @@ -889,7 +889,7 @@ checks: # 5.2 Configure SSH ############################################### # 5.2.2 Set SSH Protocol to 2 (Scored) - - id: 6560 + - id: 6555 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." 
@@ -905,7 +905,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - - id: 6561 + - id: 6556 title: "Ensure SSH LogLevel is set to INFO" description: "The INFO parameter specifies that login and logout activity will be logged." rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." @@ -921,7 +921,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - - id: 6562 + - id: 6557 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." @@ -935,7 +935,7 @@ checks: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 6563 + - id: 6558 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
@@ -951,7 +951,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 6564 + - id: 6559 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." @@ -967,7 +967,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no' # 5.2.8 Disable SSH Root Login (Scored) - - id: 6565 + - id: 6560 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." @@ -983,7 +983,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 6566 + - id: 6561 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system." 
@@ -1005,7 +1005,7 @@ checks: # 6.2 Review User and Group Settings ############################################### # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - - id: 6567 + - id: 6562 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." From 1ae2e57d8a821e7c9f825f60518741220082f0ae Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 12 Jun 2019 09:01:16 +0200 Subject: [PATCH 077/247] Fix generic Debian policy --- sca/debian/cis_debian_linux_rcl.yml | 98 +++++++++++++---------------- 1 file changed, 45 insertions(+), 53 deletions(-) diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index 40cbd5a94..5546d87e9 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml 
@@ -59,21 +59,6 @@ checks: - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' - - - id: 5002 - title: "Ensure separate partition exists for /opt" - description: "The /opt directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /opt directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /opt. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.6" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'c:mount -> r:\s/opt\s' - - id: 5003 title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." 
@@ -179,16 +164,13 @@ checks: - pci_dss: "2.2.2" condition: all rules: - - 'f:/etc/dconf/profile/gdm -> r:user-db:user' - - 'f:/etc/dconf/profile/gdm -> r:system-db:gdm' - - 'f:/etc/dconf/profile/gdm -> r:file-db:/usr/share/gdm/greeter-dconf-defaults' - - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:[org/gnome/login-screen]' - - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-enable=true' - - 'd:/etc/dconf/db/gdm.d -> r:\.+ -> r:banner-message-text=\p\.+\p$' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\'\'' # Section 2 - Filesystem Configuration - Debian 7 - id: 5015 - title: "Add nodev Option to /run/shm Partition" + title: "Add nodev option to /run/shm Partition" description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" 
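Review bot: The added rule `'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\'\''` is not valid YAML: inside a single-quoted scalar a backslash is literal and a quote not followed by a second quote closes the scalar, so the value ends after `=\` and the trailing `\''` is a parse error that would stop the whole policy file from loading. The removed rule's `\p\.+\p$` form already expressed "a quoted, non-empty banner", so `'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\p\.+\p$'` keeps that intent without the quoting problem. Worth loading the file through the agent's YAML parser before merging, since the other two new rules depend on the same block parsing.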
@@ -202,7 +184,7 @@ checks: - 'c:mount -> r:\s/run/shm\s && r:nodev' - id: 5016 - title: "Add nosuid Option to /run/shm Partition" + title: "Add nosuid option to /run/shm Partition" description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm." @@ -215,7 +197,7 @@ checks: - 'c:mount -> r:\s/run/shm\s && r:nosuid' - id: 5017 - title: "Add noexec Option to /run/shm Partition" + title: "Add noexec option to /run/shm Partition" description: "Set noexec on the shared memory partition to prevent programs from executing from there." rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm." @@ -267,7 +249,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:imap' + - 'c:dpkg -s exim4 -> install ok installed' - id: 5022 title: "Ensure IMAP and POP3 server is not enabled (POP3)" 
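Review bot: Both IMAP/POP3 checks (presumably 5021 here and 5022 in the next hunk) now test `'c:dpkg -s exim4 -> install ok installed'`, but exim4 is Debian's default MTA (SMTP), not an IMAP or POP3 server, so the rule no longer tests what the title "Ensure IMAP and POP3 server is not enabled" describes and will flag a stock Debian install that serves no mailboxes at all. The Debian packages for the service in the title are dovecot-imapd and dovecot-pop3d, e.g. `'c:dpkg -s dovecot-imapd -> install ok installed'` for the IMAP check and `'c:dpkg -s dovecot-pop3d -> install ok installed'` for the POP3 one. Whether `dpkg -s` on an absent package (non-zero exit, message on stderr) is reported by the rule engine the same way as a non-matching line is worth confirming, since `condition: none` relies on it.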
@@ -280,7 +262,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:pop' + - 'c:dpkg -s exim4 -> install ok installed' - id: 5023 title: "Ensure Samba is not enabled" @@ -291,9 +273,9 @@ checks: - cis_csc: "9.2" - cis: "2.2.12" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'c:systemctl is-enabled smb -> r:disabled' + - 'c:systemctl is-enabled smb -> r:^enabled' - id: 5024 title: "Ensure NFS and RPC are not enabled" @@ -304,10 +286,10 @@ checks: - cis_csc: "9.2" - cis: "2.2.7" - pci_dss: "2.2.2" - condition: all + condition: none rules: - - 'c:systemctl is-enabled nfs -> r:disabled' - - 'c:systemctl is-enabled rpcbind -> r:disabled' + - 'c:systemctl is-enabled nfs-server -> r:^enabled' + - 'c:systemctl is-enabled rpcbind -> r:^enabled' - id: 5025 title: "Ensure NIS Server is not enabled" @@ -320,7 +302,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/init.d/nis' + - 'c:systemctl is-enabled nis -> r:^enabled' - id: 5026 title: "Ensure HTTP server is not enabled" @@ -331,9 +313,9 @@ checks: - cis_csc: "9.2" - cis: "2.2.10" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'c:systemctl is-enabled httpd -> r:disabled' + - 'c:systemctl is-enabled apache2 -> r:^enabled' - id: 5027 title: "Ensure DNS Server is not enabled" @@ -344,9 +326,9 @@ checks: - cis_csc: "9.2" - cis: "2.2.8" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'c:systemctl is-enabled named -> r:disabled' + - 'c:systemctl is-enabled bind9 -> r:^enabled' - id: 5028 title: "Ensure HTTP Proxy Server is not enabled" @@ -357,9 +339,9 @@ checks: - cis_csc: "9.2" - cis: "2.2.13" - pci_dss: "2.2.2" - condition: any + condition: none rules: - - 'c:systemctl is-enabled squid -> r:disabled' + - 'c:systemctl is-enabled squid -> r:^enabled' # Section 2.3 - Service clients - id: 5029 
@@ -373,7 +355,8 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:dpkg -s rsh -> install ok installed' + - 'c:dpkg -s rsh-client -> install ok installed' + - 'c:dpkg -s rsh-redone-client -> install ok installed' - id: 5030 title: "Ensure telnet client is not installed" @@ -399,7 +382,8 @@ checks: - cis: "3.1.1" condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 0' + - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$' + - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' - id: 5032 title: "Ensure IPv6 forwarding is disabled" @@ -411,7 +395,8 @@ checks: - cis: "3.1.1" condition: all rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' + - 'c:grep "net\.ipv6\.ip_forward\.conf\.all\.forwarding" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' # Section 3.2 - Network Parameters (Host and Router) - id: 5033 
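Review bot: The new sysctl rules in the two forwarding checks (5031, 5032) cannot match: `r:=^net.ipv4_forward\s*=\s*0$` begins with a literal `=` that `sysctl` never prints and misspells the key (`net.ipv4.ip_forward`), and the IPv6 rule does the same with `net.ipv6_forward.conf.all.forwarding` while its grep pattern searches for a key `net.ipv6.ip_forward.conf.all.forwarding` that does not exist. With `condition: all`, both checks fail on every host. The grep rules additionally keep a `^` anchor although `grep -R` with two operands prefixes each hit with the file name; `-h` drops that prefix. The source-route and broadcast checks in the following hunks (5033, 5034) use the same anchored `grep -R` form and need the same `-h`.
```yaml
# … unchanged: id 5031 title/description/compliance/condition …
    rules:
      - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
      - 'c:grep -Rh "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
# … unchanged: id 5032 title/description/compliance/condition …
    rules:
      - 'c:sysctl net.ipv6.conf.all.forwarding -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
      - 'c:grep -Rh "net\.ipv6\.conf\.all\.forwarding" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
```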
@@ -422,10 +407,16 @@ checks: compliance: - cis_csc: "5.1" - cis: "3.2.1" - condition: all - rules: - - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:= 0$' - - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:= 0$' + condition: all + rules: + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep "net\.ipv4\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep "net\.ipv6\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep "net\.ipv6\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - id: 5034 title: "Ensure broadcast ICMP requests are ignored" @@ -437,7 +428,8 @@ checks: - cis: "3.2.5" condition: all rules: - - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:= 1$' + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1' # Section 5.2 - SSH Server Configuration - id: 5035 
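Review bot: The `icmp_echo_ignore_broadcasts` grep rule in the second hunk drops the `$` that the `sysctl` rule beside it keeps (`...\s*=\s*1` instead of `...\s*=\s*1$`), so a value such as `10` would also pass; `- 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`. In the accept_source_route hunk, `condition: all` now also requires the four `net.ipv6.*` rules; on a host where IPv6 is disabled at boot those sysctl keys do not exist, so the check would fail even though the IPv4 settings are compliant — if that is not intended, the IPv6 rules belong in a separate check. The `condition:`/`rules:` lines are removed and re-added with identical text, which suggests a whitespace-only change mixed into the rule change.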
@@ -453,7 +445,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:/etc/ssh/sshd_config -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' - id: 5036 title: "Ensure SSH IgnoreRhosts is enabled" @@ -466,9 +458,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+no' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes' - id: 5037 title: "Ensure SSH HostbasedAuthentication is disabled" @@ -481,9 +473,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+yes' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no' - id: 5038 title: "Ensure SSH root login is disabled" @@ -511,9 +503,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no' # Section 6.2 - User and Group Settings - id: 5040 From 3c8f0520292881c57ebb3c0e053bb04f77ee5c72 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 12 Jun 2019 04:11:36 -0700 Subject: [PATCH 078/247] Fix 2 checks of the RHEL7 policy --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index 09c095446..c601fc96f 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml 
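Review bot: The new Protocol rule `r:Protocol\s*\t*2` in the first hunk is not end-anchored, so `Protocol 2,1` (protocol 1 still enabled) satisfies it; `- 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2$'` closes that. OpenSSH 7.4 and later no longer accept the `Protocol` directive at all, so on such hosts the line is absent and this `condition: all` check fails although only protocol 2 exists — worth documenting or handling explicitly if the policy targets those releases. The switch of IgnoreRhosts, HostbasedAuthentication and PermitEmptyPasswords to `condition: all` with a positive match means a sshd_config that relies on the secure defaults (all three default to the required value) now fails; that mirrors the CIS audit text, but it should be stated in the check descriptions.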
@@ -307,13 +307,11 @@ checks: compliance: - cis: "1.5.1" - cis_csc: "13" - condition: any + condition: all rules: - - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' - - 'd:/etc/security/limits.d -> r:^\.+ -> !r:^# && r:hard\.+core\.+0' + - 'c:grep -e "*\s\+hard\s\+core\s\+" -R /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$' - - 'f:/etc/sysctl.conf -> !r:^# && r:^\s*fs.suid_dumpable\s*=\s*0\s*$' - - 'd:/etc/sysctl.d -> r:^\.+ -> !r:^# && r:^\s*fs.suid_dumpable\s*=\s*0\s*$' + - 'c:grep "fs\.suid_dumpable" -R /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 6519 @@ -326,6 +324,7 @@ checks: - cis_csc: "8.4" condition: all rules: + - 'c:grep -e "^\s*kernel\.randomize_va_space\s\+" -R /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$ - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2' ############################################### From 2275f8f49cd4c11842d09abbaa5b6a3ce22d5197 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 12 Jun 2019 13:54:09 +0200 Subject: [PATCH 079/247] Add Debian fixes --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 195 ++++++++++++----------- 1 file changed, 100 insertions(+), 95 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index b0d06ef05..a491ef65e 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml 
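Review bot: The added `kernel.randomize_va_space` grep rule in the second hunk is missing its closing single quote, so the quoted scalar runs on into the next line and the policy file no longer parses as YAML. It should read `- 'c:grep -e "^\s*kernel\.randomize_va_space\s\+" -R /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'`. The `fs.suid_dumpable` grep rule in the first hunk also has the `-R`-without-`-h` problem raised on the IP forwarding hunks (matches come back as `file:line`, so `^\s*fs.suid_dumpable` cannot match), and with the switch to `condition: all` that makes the core-dump check fail unconditionally.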
@@ -43,31 +43,31 @@ checks: - 'c:mount -> r:\s/tmp\s' - id: 10501 - title: "Set nodev option for /tmp Partition" + title: "Ensure nodev option set on /tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - - cis: "2.2" + - cis: "1.1.3" condition: all rules: - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' - id: 10502 - title: "Set nosuid option for /tmp Partition" + title: "Ensure nosuid option set on /tmp partition" description: "The nosuid mount option specifies that the filesystem cannot contain set userid files." rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - - cis: "2.3" + - cis: "1.1.4" condition: all rules: - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nosuid' - id: 10503 - title: "Set noexec option for /tmp Partition" + title: "Set noexec option for /tmp partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" 
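Review bot: Check 10503's title in the third hunk is left as `Set noexec option for /tmp partition` while 10501 and 10502 are renamed to the `Ensure ... option set on /tmp partition` form; for consistency, `title: "Ensure noexec option set on /tmp partition"`. Separately, the rules retained under 10501/10502 combine `not c:mount -> r:\s/tmp\s` with `c:mount -> r:\s/tmp\s && r:nodev` under `condition: all`, which cannot both hold at once (one requires /tmp not to be mounted, the other requires it mounted with the option); unless `not` means something else in this dialect, the intent looks like `condition: any`. The commit renumbers the compliance ids but leaves that pre-existing contradiction in place.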
@@ -79,12 +79,12 @@ checks: - 'c:mount -> r:\s/tmp\s && r:noexec' - id: 10504 - title: "Create Separate Partition for /var" + title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.5" + - cis: "1.1.5" references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -92,7 +92,7 @@ checks: - 'c:mount -> r:\s/var\s' - id: 10505 - title: "Bind Mount the /var/tmp directory to /tmp" + title: "Bind mount the /var/tmp directory to /tmp" description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp." rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" 
@@ -101,14 +101,16 @@ checks: condition: all rules: - 'c:findmnt -> r:/var/tmp && r:[/tmp]' + - 'c:grep -e "^/tmp" /etc/fstab -> r:^/tmp && r:\s*/var/tmp\s*' + - 'c:mount -> r:^/tmp && r:\s*/var/tmp\s*' - id: 10506 - title: "Create Separate Partition for /var/log" + title: "Ensure separate partition exists for /var/log" description: "The /var/log directory is used by system services to store log data." rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.7" + - cis: "1.1.10" references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
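Review bot: The added `c:mount -> r:^/tmp && r:\s*/var/tmp\s*` rule in the first hunk is unlikely ever to match: `mount` reports a bind mount by its source device (`/dev/... on /var/tmp type ...`), not as `/tmp`, and with `condition: all` that makes check 10505 fail on correctly configured hosts — confirm on a Debian 7/8 box. The `\s*` fragments are zero-width and add nothing, so the fstab rule also accepts `/var/tmpfoo`; `- 'c:grep -e "^/tmp" /etc/fstab -> r:^/tmp\s+/var/tmp\s|^/tmp\t+/var/tmp\t'` ties the two fields together. The existing `findmnt` rule already verifies the active mount, so dropping the `mount` rule may be the simplest fix.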
@@ -116,12 +118,12 @@ checks: - 'c:mount -> r:\s/var/log\s' - id: 10507 - title: "Create Separate Partition for /var/log/audit" + title: "Ensure separate partition exists for /var/log/audit" description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory." rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.8" + - cis: "1.1.11" references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -129,12 +131,12 @@ checks: - 'c:mount -> r:\s/var/log/audit\s' - id: 10508 - title: "Create Separate Partition for /home" + title: "Ensure separate partition exists for /home" description: "The /home directory is used to support disk storage needs of local users." rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.9" + - cis: "1.1.12" references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -142,12 +144,12 @@ checks: - 'c:mount -> r:\s/home\s' - id: 10509 - title: "Add nodev Option to /home" + title: "Ensure nodev option set on /home partition" description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices." rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - - cis: "2.10" + - cis: "1.1.13" condition: all rules: - 'not c:mount -> r:\s/home\s' @@ -198,7 +200,7 @@ checks: - cis: "2.25" condition: none rules: - - 'c:ls /etc/rc*.d -> r:S\.+autofsc' + - 'c:find /etc -regex /etc/rc.*autofsc -> r:S\.*autofsc' # 3 Secure Boot Settings - id: 10517 @@ -214,7 +216,7 @@ checks: - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password' - id: 10518 - title: "Require Authentication for Single-User Mode" + title: "Require authentication for Single-User mode" description: "Setting a password for the root user will force authentication in single user mode." rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" 
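Review bot: The rewritten autofs rule in the third hunk still looks for `autofsc` (`-regex /etc/rc.*autofsc -> r:S\.*autofsc`); the Debian package, init script and rc links are named `autofs` (e.g. `S20autofs`), so this looks like a typo carried over from the old `ls` rule, and under `condition: none` the check always passes — confirm against a host. Suggested: `- 'c:find /etc -regex /etc/rc.*autofs -> r:S\.*autofs'`. The title change to `Require authentication for Single-User mode` mixes capitalisation styles (`Single-User` but `mode`); the other renamed titles in this series use sentence case throughout.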
@@ -235,7 +237,9 @@ checks: condition: all rules: - 'c:ulimit -H -c -> 0' - - 'c:sysctl fs.suid_dumpable -> r:= 0$' + - 'c:sysctl fs.suid_dumpable -> r:=\s*0$' + - 'c:grep -e "hard\s*\t*core" /etc/security/limits.conf -> !r:^# && r:\s*\t*hard\s*\t*core\s*\t*0' + - 'c:grep -R -e"^*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' - id: 10520 title: "Enable Randomized Virtual Memory Region Placement" @@ -246,16 +250,16 @@ checks: - cis: "4.3" condition: all rules: - - 'f:/etc/sysctl.conf -> r:^kernel.randomize_va_space = 2' + - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' # 5 OS Services - id: 10521 - title: "Ensure NIS is not installed" + title: "Ensure NIS Client is not installed" description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "Uninstall the nis package: # apt-get purge nis" compliance: - - cis: "5.1.1" + - cis: "2.3.1" condition: none rules: - 'c:dpkg -s nis -> r:install ok installed' @@ -269,7 +273,7 @@ checks: - cis: "5.1.2" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:shell|login|exec' + - 'f:/etc/inetd.conf -> r:^shell|^login|^exec' - id: 10523 title: "Ensure talk server is not enabled" 
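Review bot: The `grep -e "hard\s*\t*core" /etc/security/limits.conf` rule in the first hunk only inspects limits.conf, while the rule right after it already covers both limits.conf and limits.d; under `condition: all` a host that sets `* hard core 0` only in limits.d now fails the first rule, so the narrower rule should be dropped. Also, in grep's BRE `\t` is not a tab (GNU grep treats it as a literal `t`), so `\t*` in that search pattern means "zero or more t" — the same applies to the `\s*\t*` fragments in the rsyslog.conf grep patterns of check 10568; only the `r:` side (OSRegex) understands `\t`. The compliance id for 10521 moves to `2.3.1` while the neighbouring checks keep the old numbering (10522 stays at `5.1.2`), so the file now mixes two benchmark numbering schemes — worth finishing in one pass or noting in the policy header.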
@@ -280,18 +284,18 @@ checks: - cis: "5.1.4" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:talk|ntalk' + - 'f:/etc/inetd.conf -> r:^talk|^ntalk' - id: 10524 - title: "Ensure telnet server is not enabled" - description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." - remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" + title: "Ensure telnet client is not installed" + description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." + remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" compliance: - - cis: "5.1.6" + - cis: "2.3.4" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:telnet' + - 'c:dpkg -s telnet -> r:install ok installed' - id: 10525 title: "Ensure tftp-server is not enabled" @@ -313,7 +317,7 @@ checks: - cis: "5.1.8" condition: none rules: - - 'c:ls /etc/rc*.d -> r:S\.+xinetd' + - 'c:find /etc -regex /etc/rc.*xinetd -> r:S\.+xinetd' - id: 10527 title: "Ensure chargen is not enabled" 
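Review bot: Check 10524 in the second hunk is repurposed from "telnet server not enabled" (inetd.conf rule) to "telnet client not installed" (`dpkg -s telnet`), so the server-side check disappears from the policy and anyone tracking results by id sees a different control under the same number; keep the inetd rule as its own check (the other inetd services in this file keep theirs) and give the client check a new id. The xinetd rule uses `r:S\.+xinetd` where the sibling rules in the following hunks use `S\.*`; both work for `S20xinetd`, but one form should be used throughout.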
@@ -380,7 +384,7 @@ checks: - cis: "6.2" condition: none rules: - - 'c:ls /etc/rc*.d -> r:S\.+avahi-daemon' + - 'c:find /etc -regex /etc/rc.*avahi-daemon -> r:S\.*avahi-daemon' - id: 10533 title: "Ensure print server is not enabled" @@ -391,7 +395,7 @@ checks: - cis: "6.3" condition: none rules: - - 'c:ls /etc/rc*.d -> r:S\.+cups\S*' + - 'c:find /etc -regex /etc/rc.*cups -> r:S\.*cups' - id: 10534 title: "Ensure DHCP Server is not enabled" @@ -402,7 +406,7 @@ checks: - cis: "6.4" condition: none rules: - - 'c:ls /etc/rc*.d -> r:S\.+disc-dhcp-server' + - 'c:find /etc -regex /etc/rc.*isc-dhcp-server -> r:S\.*isc-dhcp-server' - id: 10535 title: "Configure Network Time Protocol (NTP)" @@ -419,7 +423,7 @@ checks: - 'f:/etc/ntp.conf -> r:^restrict -4 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' - 'f:/etc/ntp.conf -> r:^restrict -6 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' - 'f:/etc/ntp.conf -> r:^server\s\.+' - - 'f:/etc/ntp.conf -> r:RUNASUSER=ntp' + - 'f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp' - id: 10536 title: "Ensure LDAP is not enabled" @@ -443,8 +447,8 @@ checks: - cis: "6.7" condition: none rules: - - 'c:systemctl is-enabled nfs -> r:disabled' - - 'c:systemctl is-enabled rpcbind -> r:disabled' + - 'c:find /etc -regex /etc/rc.*rpcbind -> r:S\.*rpcbind' + - 'c:find /etc -regex /etc/rc.*nfs-kernel-server -> r:S\.*nfs-kernel-server' - id: 10538 title: "Ensure DNS Server is not enabled" @@ -455,7 +459,7 @@ checks: - cis: "6.8" condition: none rules: - - 'c:find /etc -regex /etc/rc.*named -> r:named' + - 'c:find /etc -regex /etc/rc.*bind9 -> r:S\.*bind9' - id: 10539 title: "Ensure FTP Server is not enabled" @@ -466,7 +470,7 @@ checks: - cis: "6.9" condition: none rules: - - 'c:find /etc -regex /etc/rc.*vsftpd -> r:vsftpd' + - 'c:find /etc -regex /etc/rc.*vsftpd -> r:S\.*vsftpd' - id: 10540 title: "Ensure HTTP Server is not enabled" 
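Review bot: The rewritten NTP rule `f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp` in the fourth hunk checks the wrong file, I believe: on Debian `RUNASUSER=ntp` is set in `/etc/init.d/ntp` (which is what the CIS Debian 7 audit greps), while `/etc/ntp.conf` holds the `restrict`/`server` directives, so as written the rule never matches — `- 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'`. The `condition` for check 10535 starts outside the hunk, so whether this silently fails the whole check or only one rule is not visible here.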
@@ -477,7 +481,7 @@ checks: - cis: "6.10" condition: none rules: - - 'c:find /etc -regex /etc/rc.*apache2 -> r:apache2' + - 'c:find /etc -regex /etc/rc.*apache2 -> r:S\.*apache2' - id: 10541 title: "Ensure IMAP and POP server is not enabled" @@ -488,7 +492,7 @@ checks: - cis: "6.11" condition: none rules: - - 'c:find /etc -regex /etc/rc.*dovecot -> r:dovecot' + - 'c:find /etc -regex /etc/rc.*dovecot -> r:S\.*dovecot' - id: 10542 title: "Ensure Samba is not enabled" @@ -499,7 +503,7 @@ checks: - cis: "6.12" condition: none rules: - - 'c:find /etc -regex /etc/rc.*smb -> r:smb' + - 'c:find /etc -regex /etc/rc.*smb -> r:S\.*smb' - id: 10543 title: "Ensure HTTP Proxy Server is not enabled" @@ -510,7 +514,7 @@ checks: - cis: "6.13" condition: none rules: - - 'c:find /etc -regex /etc/rc.*squid -> r:squid' + - 'c:find /etc -regex /etc/rc.*squid -> r:S\.*squid' - id: 10544 title: "Ensure SNMP Server is not enabled" @@ -521,7 +525,7 @@ checks: - cis: "6.14" condition: none rules: - - 'c:find /etc -regex /etc/rc.*snmpd -> r:snmpd' + - 'c:find /etc -regex /etc/rc.*snmpd -> r:S\.*snmpd' - id: 10545 title: "Configure Mail Transfer Agent for Local-Only Mode" @@ -544,7 +548,7 @@ checks: condition: none rules: - 'c:dpkg -s rsync -> install ok installed' - - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE=false' + - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false' # 7 Network Configuration and Firewall - id: 10547 @@ -556,7 +560,7 @@ checks: - cis: "7.1.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' - id: 10548 title: "Disable Send Packet Redirects" 
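Review bot: In the rsync hunk the rule `f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false` sits under `condition: none`, so a host that has `RSYNC_ENABLE=false` (the compliant setting) matches the rule and fails the check, while `RSYNC_ENABLE=true` passes; if the check is "rsync not enabled" the value should be `true`, i.e. `- 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*true'`. The `dpkg -s rsync -> install ok installed` rule beside it has the missing-`r:` problem raised on the exim4 hunk. The sysctl rules in the following hunks call `/sbin/sysctl` while the IPv6 rules later in the same file call plain `sysctl`; pick one form.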
@@ -567,8 +571,8 @@ checks: - cis: "7.1.2" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$' - id: 10549 title: "Disable Source Routed Packet Acceptance" @@ -579,8 +583,8 @@ checks: - cis: "7.2.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$' - id: 10550 title: "Disable ICMP Redirect Acceptance" @@ -591,8 +595,8 @@ checks: - cis: "7.2.2" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$' - id: 10551 title: "Disable Secure ICMP Redirect Acceptance" @@ -603,8 +607,8 @@ checks: - cis: "7.2.3" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$' - id: 10552 title: "Log Suspicious Packets" @@ -615,8 +619,8 @@ checks: - cis: "7.2.4" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$' - id: 10553 title: "Enable Ignore Broadcast Requests" 
@@ -627,7 +631,7 @@ checks: - cis: "7.2.5" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' - id: 10554 title: "Enable Bad Error Message Protection" @@ -638,7 +642,7 @@ checks: - cis: "7.2.6" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' - id: 10555 title: "Enable RFC-recommended Source Route Validation" @@ -649,8 +653,8 @@ checks: - cis: "7.2.7" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$' - id: 10556 title: "Enable TCP SYN Cookies" @@ -661,7 +665,7 @@ checks: - cis: "7.2.8" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:= 1$' + - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' - id: 10557 title: "Disable IPv6 Router Advertisements" @@ -672,8 +676,8 @@ checks: - cis: "7.3.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:= 0$' - - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:= 0$' + - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$' + - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$' - id: 10558 title: "Disable IPv6 Redirect Acceptance" @@ -684,8 +688,8 @@ checks: - cis: "7.3.2" condition: all rules: - - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:= 0$' + - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$' + - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$' - id: 10559 title: "Disable IPv6" 
@@ -696,12 +700,12 @@ checks: - cis: "7.3.3" condition: none rules: - - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:= 1$' - - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:= 1$' - - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> r:= 1$' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6=1' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6=1' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6=1' + - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$' + - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:=\s*\t*1$' + - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> r:=\s*\t*1$' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6\s*\t*=\s*\t*1' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6\s*\t*=\s*\t*1' + - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6\s*\t*=\s*\t*1' - id: 10560 title: "Create /etc/hosts.allow" @@ -713,7 +717,6 @@ checks: condition: all rules: - 'f:/etc/hosts.allow' - - 'f:/etc/hosts.allow -> r:^ALL:\.*' - id: 10561 title: "Create /etc/hosts.deny" @@ -781,6 +784,8 @@ checks: condition: all rules: - 'c:dpkg -s iptables -> r:install ok installed' + - 'c:dpkg -s iptables-persistent -> r:install ok installed' + - 'c:find /etc -regex "/etc/rc.*iptables-persistent" -> r:S\.*iptables-persistent' # 8 Logging and Auditing - id: 10567 @@ -792,7 +797,7 @@ checks: - cis: "8.2.2" condition: all rules: - - 'c:systemctl is-enabled rsyslog.service -> enabled' + - 'c:find /etc -regex "/etc/rc.*rsyslog" -> r:S\.*rsyslog' - id: 10568 title: "Configure /etc/rsyslog.conf" 
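Review bot: Dropping `f:/etc/hosts.allow -> r:^ALL:\.*` in the second hunk reduces check 10560 to "the file exists", so an empty hosts.allow now passes; if the content rule was removed because `\.*` is redundant, `- 'f:/etc/hosts.allow -> r:^ALL:'` keeps the intent. In the first hunk all six `disable_ipv6` rules are rewritten but stay under `condition: none`, which means the "Disable IPv6" check passes only when no rule reports IPv6 as disabled — the opposite of the title; if this inversion is deliberate a comment saying so would help, otherwise the condition should be `all`. The regex path in `find /etc -regex "/etc/rc.*iptables-persistent"` is quoted here but unquoted in the other `find` rules of this file; use one form.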
@@ -805,21 +810,21 @@ checks: - rsyslog.conf(5) man page condition: all rules: - - 'c:grep -er "^*.emerg\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^mail.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^mail.info\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^mail.warning\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^mail.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^news.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^news.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^news.notice\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^*.=warning;*.=err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^*.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^*.*;mail.none;news.none\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^local0,local1.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^local2,local3.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^local4,local5.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -er "^local6,local7.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^*.emerg\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^mail.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^mail.info\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^mail.warning\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^mail.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^news.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^news.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^news.notice\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^*.=warning;*.=err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^*.crit\s*\t*\s*\S" 
/etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^*.*;mail.none;news.none\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^local0,local1.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^local2,local3.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^local4,local5.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -R -e "^local6,local7.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - id: 10569 title: "Configure rsyslog to Send Logs to a Remote Log Host" @@ -845,8 +850,8 @@ checks: - rsyslog.conf(8) man page condition: all rules: - - 'c:grep -er "^\$ModLoad imtcp.so" /etc/rsyslog.conf,/etc/rsyslog.d/' - - 'c:grep -er "^\$InputTCPServerRun 514" /etc/rsyslog.conf,/etc/rsyslog.d/' + - 'c:grep -R -e "^\$ModLoad imtcp.so" /etc/rsyslog.conf,/etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so' + - 'c:grep -R -e "^\$InputTCPServerRun 514" /etc/rsyslog.conf,/etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514' - id: 10571 title: "Configure logrotate" 
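Review bot: The rewritten rules in the last hunk pass `/etc/rsyslog.conf,/etc/rsyslog.d/` to grep as a single comma-joined argument, which is not a path that exists, so grep reports an error and the `->` pattern never sees a line; the two paths must be separate arguments. With `-R` over more than one file each hit is prefixed with `file:`, so the `^$ModLoad` / `^$InputTCPServerRun` anchors also cannot match — add `-h`. Suggested: `- 'c:grep -R -h -e "^\$ModLoad imtcp.so" /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so'` and likewise for the `InputTCPServerRun 514` rule. The comma path is inherited from the removed lines, but the new lines keep it.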
@@ -905,10 +910,10 @@ checks: condition: all rules: - 'c:dpkg -s libpam-cracklib -> install ok installed' - - 'f:/etc/pam.d/common-password -> !r:^# && r:password required pam_cracklib.so retry=\d minlen=\d\d+ dcredit=-\d+ ucredit=-\d+ ocredit=-\d+ lcredit=-\d+' + - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so\s*\t*retry=\d\s*\t*minlen=\d\d+\s*\t*dcredit=-\d+\s*\t*ucredit=-\d+\s*\t*ocredit=-\d+\s*\t*lcredit=-\d+' - id: 10575 - title: " Set Lockout for Failed Password Attempts" + title: "Set Lockout for Failed Password Attempts" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user." 
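Review bot: The rewritten pam_cracklib regex in the first hunk only accepts one exact option order (`retry`, `minlen`, `dcredit`, `ucredit`, `ocredit`, `lcredit`) and a single-digit `retry`; pam module options are order-independent, so a compliant line written in any other order fails check 10574. Splitting the match into independent terms avoids that: `- 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so && r:retry=\d && r:minlen=\d\d+ && r:dcredit=-\d && r:ucredit=-\d && r:ocredit=-\d && r:lcredit=-\d'`. The order restriction is inherited from the removed line, but the new line keeps it.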
@@ -1168,9 +1173,9 @@ checks: - cis: "11.2" condition: none rules: - - 'c: egrep "(\\v|\\r|\\m|\\s)" /etc/issue' - - 'c: egrep "(\\v|\\r|\\m|\\s)" /etc/motd' - - 'c: egrep "(\\v|\\r|\\m|\\s)" /etc/issue.net' + - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/issue' + - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/motd' + - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/issue.net' # 13 Review User and Group Settings - id: 10598 From ff70eff1a17fcb24bb62d3fdba05b34fcdab4ca7 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 12 Jun 2019 14:05:14 +0200 Subject: [PATCH 080/247] Fix some Debian rules --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index a491ef65e..65e868012 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml 
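Review bot: Replacing `egrep` with `grep -e` in this hunk switches the pattern from ERE to BRE, where `(`, `|` and `)` are literal characters, so `(\\v|\\r|\\m|\\s)` no longer matches any of the four escape sequences and the `condition: none` check always passes. Keep the extended syntax: `- 'c:grep -E -e "(\\v|\\r|\\m|\\s)" /etc/issue'` (and the same for `/etc/motd` and `/etc/issue.net`). Removing the space in `c: egrep` is a good fix on its own.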
@@ -30,12 +30,12 @@ requirements:
 checks:
 # 2 Filesystem Configuration
 - id: 10500
- title: "Create Separate Partition for /tmp"
+ title: "Ensure /tmp is configured"
 description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis: "2.1"
+ - cis: "1.1.2"
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: any
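Review bot: The new remediation string tells operators to run `systemctl umask tmp.mount`, which is not a systemctl verb; the intended command is `systemctl unmask tmp.mount` (unmask, then enable), and "appropiate" is a typo. Because this text is what a user sees as the fix for a failed check, the suggested line is `remediation: "Configure /etc/fstab as appropriate or run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."`. The `references` entry still points at the LVM HOWTO while the remediation now describes a systemd mount unit, so a systemd reference would fit better. The identical hunk appears again under PATCH 081/247 below and needs the same correction; the check's `rules` continue past the end of the hunk.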
@@ -885,20 +885,20 @@ checks:
 - 'f:/etc/rc5.d/S15cron'
 - id: 10573
- title: "Restrict at/cron to Authorized Users"
+ title: "Ensure at/cron is restricted to authorized users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
 remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
- - cis: "9.1.8"
+ - cis: "5.1.8"
 condition: all
 rules:
 - 'f:/etc/cron.allow'
 - 'f:/etc/at.allow'
 - 'not f:/etc/cron.deny'
 - 'not f:/etc/at.deny'
- - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-\d00'
- - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-\d00'
+ - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
+ - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
 - id: 10574
 title: "Set Password Creation Requirement Parameters Using pam_cracklib"
From 4382816d20b61dee5d8714f07d51fc7ce3593e6c Mon Sep 17 00:00:00 2001
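Review bot: Tightening the stat pattern from `^0-0-\d00` to `^0-0-600` now rejects allow files whose owner bits are stricter (`400`) or carry execute (`700`), yet the remediation in the same check only says `chmod og-rwx`, which leaves the owner bits as they were; a host that applied that remediation verbatim can fail the new rule. CIS 5.1.8 does audit for 0600, so the stricter match may be deliberate, but then the remediation should state the same mode, e.g. `chmod 600 /etc/cron.allow` and `chmod 600 /etc/at.allow`, or the rule should keep `\d00` so the two agree. The same two rule lines are changed again in the duplicate hunk under PATCH 081/247 and should be kept consistent with whatever is decided here.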
From: Cristina Maria Garrido Lopez
Date: Wed, 12 Jun 2019 14:05:14 +0200
Subject: [PATCH 081/247] Fix some Debian rules
---
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index a491ef65e..dc8e77bd1 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -30,12 +30,12 @@ requirements:
 checks:
 # 2 Filesystem Configuration
 - id: 10500
- title: "Create Separate Partition for /tmp"
+ title: "Ensure /tmp is configured"
 description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis: "2.1"
+ - cis: "1.1.2"
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: any
@@ -102,7 +102,6 @@ checks:
 rules:
 - 'c:findmnt -> r:/var/tmp && r:[/tmp]'
 - 'c:grep -e "^/tmp" /etc/fstab -> r:^/tmp && r:\s*/var/tmp\s*'
- - 'c:mount -> r:^/tmp && r:\s*/var/tmp\s*'
 - id: 10506
 title: "Ensure separate partition exists for /var/log"
@@ -885,20 +884,20 @@ checks:
 - 'f:/etc/rc5.d/S15cron'
 - id: 10573
- title: "Restrict at/cron to Authorized Users"
+ title: "Ensure at/cron is restricted to authorized users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
 remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
- - cis: "9.1.8"
+ - cis: "5.1.8"
 condition: all
 rules:
 - 'f:/etc/cron.allow'
 - 'f:/etc/at.allow'
 - 'not f:/etc/cron.deny'
 - 'not f:/etc/at.deny'
- - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-\d00'
- - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-\d00'
+ - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
+ - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
 - id: 10574
 title: "Set Password Creation Requirement Parameters Using pam_cracklib"
From 7f090e7435e3e2e893fbb02b7750c436afa839ba Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 12 Jun 2019 15:48:21 +0200
Subject: [PATCH 082/247] Add fixes to Debian L2 policy
---
 sca/debian/cis_debianlinux7-8_L2_rcl.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml
index b950d84af..c398649ad 100644
--- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml
@@ -123,7 +123,9 @@ checks:
 - cis: "4.5"
 condition: all
 rules:
- - 'f:/etc/default/grub -> r:apparmor=1 && r:security=apparmor'
+ - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
+ - 'c:apparmor_status -> r:^0\s*profiles are in complain mode'
+ - 'c:apparmor_status -> r:^0\s*profiles are unconfined'
 # 8.1 Configure System Accounting (auditd)
 - id: 11008
@@ -153,8 +155,6 @@ checks:
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt'
- - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*ignore|syslog|suspend|single|halt'
- - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*ignore|syslog|email|suspend|single'
 - id: 11010
 title: "Keep All Auditing Information"
@@ -168,7 +168,6 @@ checks:
 - 'd:/etc/audit'
 - 'f:/etc/audit/auditd.conf'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs'
- - 'not f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*ignore|syslog|suspend|rotate'
 - id: 11011
 title: "Enable Auditing for Processes That Start Prior to auditd"
@@ -401,7 +400,6 @@ checks:
 - cis: "8.3.1"
 condition: all
 rules:
- - 'f:/usr/sbin/aideinit'
 - 'c:dpkg -s aide -> r:install ok installed'
 - id: 11027
From fe1e05ed9a11fc9644597d38718bf1f823387823 Mon Sep 17 00:00:00 2001
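Review bot: In the first hunk (`@@ -123,7 +123,9 @@`), the third new rule `r:^0\s*profiles are unconfined` expects a line that, as far as I recall, apparmor_status never prints: the unconfined count is reported per process as `N processes are unconfined but have a profile defined`, so with `condition: all` the check would fail on every host, including a fully enforcing one. The line should presumably be `- 'c:apparmor_status -> r:^0\s*processes are unconfined'`; please confirm against the aa-status output of the Debian releases this L2 policy targets before merging. Dropping the `/etc/default/grub` rule also removes the only evidence that AppArmor is enabled at boot; the runtime status proves the current state but not that it survives a reboot, so if persistence was part of the original intent a boot-time rule alongside the status rules would preserve it. The check's id and title begin above the hunk.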
From: Cristina Maria Garrido Lopez
Date: Wed, 12 Jun 2019 16:05:42 +0200
Subject: [PATCH 083/247] Adapt Debian checks id
---
 sca/debian/cis_debian_linux_rcl.yml | 68 ++++----
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 188 +++++++++++------------
 2 files changed, 128 insertions(+), 128 deletions(-)
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml
index 5546d87e9..f8b1ea359 100644
--- a/sca/debian/cis_debian_linux_rcl.yml
+++ b/sca/debian/cis_debian_linux_rcl.yml
@@ -59,7 +59,7 @@ checks:
 - 'not c:mount -> r:\s/tmp\s'
 - 'c:mount -> r:\s/tmp\s && r:nodev'
- - id: 5003
+ - id: 5002
 title: "Ensure separate partition exists for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -73,7 +73,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var\s'
- - id: 5004
+ - id: 5003
 title: "Ensure separate partition exists for /var/tmp"
 description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -85,7 +85,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
- - id: 5005
+ - id: 5004
 title: "Ensure nodev option set on /var/tmp partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
@@ -99,7 +99,7 @@ checks:
 - 'not c:mount -> r:\s/var/tmp\s'
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
- - id: 5006
+ - id: 5005
 title: "Ensure nodev option set on /home partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
@@ -113,7 +113,7 @@ checks:
 - 'not c:mount -> r:\s/home\s'
 - 'c:mount -> r:\s/home\s && r:nodev'
- - id: 5007
+ - id: 5006
 title: "Ensure nodev option set on /dev/shm partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -126,7 +126,7 @@ checks:
 - 'not c:mount -> r:\s/dev/shm\s'
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
- - id: 5008
+ - id: 5007
 title: "Ensure nosuid option set on /dev/shm partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -139,7 +139,7 @@ checks:
 - 'not c:mount -> r:\s/dev/shm\s'
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
- - id: 5009
+ - id: 5008
 title: "Ensure noexec option set on /dev/shm partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -153,7 +153,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
 # Section 1.7 - Warning banners
- - id: 5014
+ - id: 5009
 title: "Ensure GDM login banner is configured"
 description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
@@ -169,7 +169,7 @@ checks:
 - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\'\''
 # Section 2 - Filesystem Configuration - Debian 7
- - id: 5015
+ - id: 5010
 title: "Add nodev option to /run/shm Partition"
 description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
@@ -183,7 +183,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nodev'
- - id: 5016
+ - id: 5011
 title: "Add nosuid option to /run/shm Partition"
 description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -196,7 +196,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nosuid'
- - id: 5017
+ - id: 5012
 title: "Add noexec option to /run/shm Partition"
 description: "Set noexec on the shared memory partition to prevent programs from executing from there."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -210,7 +210,7 @@ checks:
 - 'c:mount -> r:\s/run/shm\s && r:noexec'
 # Section 2.1 - Inetd services
- - id: 5018
+ - id: 5013
 title: "Ensure inetd is not installed"
 description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
@@ -225,7 +225,7 @@ checks:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
 # Section 2.2 - Special purpose services
- - id: 5019
+ - id: 5014
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -238,7 +238,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:disabled'
- - id: 5021
+ - id: 5015
 title: "Ensure IMAP and POP3 server is not enabled (IMAP)"
 description: "exim is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
@@ -251,7 +251,7 @@ checks:
 rules:
 - 'c:dpkg -s exim4 -> install ok installed'
- - id: 5022
+ - id: 5016
 title: "Ensure IMAP and POP3 server is not enabled (POP3)"
 description: "exim is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
@@ -264,7 +264,7 @@ checks:
 rules:
 - 'c:dpkg -s exim4 -> install ok installed'
- - id: 5023
+ - id: 5017
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -277,7 +277,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled smb -> r:^enabled'
- - id: 5024
+ - id: 5018
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -291,7 +291,7 @@ checks:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
 - 'c:systemctl is-enabled rpcbind -> r:^enabled'
- - id: 5025
+ - id: 5019
 title: "Ensure NIS Server is not enabled"
 description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
@@ -304,7 +304,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled nis -> r:^enabled'
- - id: 5026
+ - id: 5020
 title: "Ensure HTTP server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -317,7 +317,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
- - id: 5027
+ - id: 5021
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -330,7 +330,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
- - id: 5028
+ - id: 5022
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
@@ -344,7 +344,7 @@ checks:
 - 'c:systemctl is-enabled squid -> r:^enabled'
 # Section 2.3 - Service clients
- - id: 5029
+ - id: 5023
 title: "Ensure rsh client is not installed"
 description: "The rsh package contains the client commands for the rsh services."
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
@@ -358,7 +358,7 @@ checks:
 - 'c:dpkg -s rsh-client -> install ok installed'
 - 'c:dpkg -s rsh-redone-client -> install ok installed'
- - id: 5030
+ - id: 5024
 title: "Ensure telnet client is not installed"
 description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
@@ -372,7 +372,7 @@ checks:
 - 'c:dpkg -s telnet -> install ok installed'
 # Section 3.1 - Network Parameters (Host Only)
- - id: 5031
+ - id: 5025
 title: "Ensure IPv4 forwarding is disabled"
 description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not."
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -385,7 +385,7 @@ checks:
 - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'
 - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
- - id: 5032
+ - id: 5026
 title: "Ensure IPv6 forwarding is disabled"
 description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not."
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -399,7 +399,7 @@ checks:
 - 'c:grep "net\.ipv6\.ip_forward\.conf\.all\.forwarding" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
 # Section 3.2 - Network Parameters (Host and Router)
- - id: 5033
+ - id: 5027
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -418,7 +418,7 @@ checks:
 - 'c:grep "net\.ipv6\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
 - 'c:grep "net\.ipv6\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
- - id: 5034
+ - id: 5028
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -432,7 +432,7 @@ checks:
 - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1'
 # Section 5.2 - SSH Server Configuration
- - id: 5035
+ - id: 5029
 title: "Ensure SSH Protocol is set to 2"
 description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -447,7 +447,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
- - id: 5036
+ - id: 5030
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -462,7 +462,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes'
- - id: 5037
+ - id: 5031
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -477,7 +477,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no'
- - id: 5038
+ - id: 5032
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
@@ -492,7 +492,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no'
- - id: 5039
+ - id: 5033
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -508,7 +508,7 @@ checks:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no'
 # Section 6.2 - User and Group Settings
- - id: 5040
+ - id: 5034
 title: "Ensure password fields are not empty"
 description: "An account with an empty password field means that anybody may log in as that user without providing a password."
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
@@ -523,7 +523,7 @@ checks:
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
- - id: 5041
+ - id: 5035
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index dc8e77bd1..e82b521e5 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -154,7 +154,7 @@ checks:
 - 'not c:mount -> r:\s/home\s'
 - 'c:mount -> r:\s/home\s && r:nodev'
- - id: 10513
+ - id: 10510
 title: "Add nodev Option to /run/shm Partition"
 description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
@@ -166,7 +166,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nodev'
- - id: 10514
+ - id: 10511
 title: "Add nosuid Option to /run/shm Partition"
 description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -178,7 +178,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nosuid'
- - id: 10515
+ - id: 10512
 title: "Add noexec Option to /run/shm Partition"
 description: "Set noexec on the shared memory partition to prevent programs from executing from there."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -190,7 +190,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:noexec'
- - id: 10516
+ - id: 10513
 title: "Disable Automounting"
 description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
@@ -202,7 +202,7 @@ checks:
 - 'c:find /etc -regex /etc/rc.*autofsc -> r:S\.*autofsc'
 # 3 Secure Boot Settings
- - id: 10517
+ - id: 10514
 title: "Set Boot Loader Password"
 description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -214,7 +214,7 @@ checks:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
- - id: 10518
+ - id: 10515
 title: "Require authentication for Single-User mode"
 description: "Setting a password for the root user will force authentication in single user mode."
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -226,7 +226,7 @@ checks: - 'f:/etc/shadow -> r:^root:[*\!]:' # 4 Additional Process Hardening - - id: 10519 + - id: 10516 title: "Restrict Core Dumps" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." @@ -240,7 +240,7 @@ checks: - 'c:grep -e "hard\s*\t*core" /etc/security/limits.conf -> !r:^# && r:\s*\t*hard\s*\t*core\s*\t*0' - 'c:grep -R -e"^*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' - - id: 10520 + - id: 10517 title: "Enable Randomized Virtual Memory Region Placement" description: "Set the system flag to force randomized virtual memory region placement." rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." 
@@ -252,7 +252,7 @@ checks: - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' # 5 OS Services - - id: 10521 + - id: 10518 title: "Ensure NIS Client is not installed" description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." @@ -263,7 +263,7 @@ checks: rules: - 'c:dpkg -s nis -> r:install ok installed' - - id: 10522 + - id: 10519 title: "Ensure rsh server is not enabled" description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." @@ -274,7 +274,7 @@ checks: rules: - 'f:/etc/inetd.conf -> r:^shell|^login|^exec' - - id: 10523 + - id: 10520 title: "Ensure talk server is not enabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
@@ -285,7 +285,7 @@ checks: rules: - 'f:/etc/inetd.conf -> r:^talk|^ntalk' - - id: 10524 + - id: 10521 title: "Ensure telnet client is not installed" description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." @@ -296,7 +296,7 @@ checks: rules: - 'c:dpkg -s telnet -> r:install ok installed' - - id: 10525 + - id: 10522 title: "Ensure tftp-server is not enabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." @@ -307,7 +307,7 @@ checks: rules: - 'f:/etc/inetd.conf -> !r:^# && r:tftp' - - id: 10526 + - id: 10523 title: "Ensure xinetd is not enabled" description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." 
@@ -318,7 +318,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*xinetd -> r:S\.+xinetd' - - id: 10527 + - id: 10524 title: "Ensure chargen is not enabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -329,7 +329,7 @@ checks: rules: - 'f:/etc/inetd.conf -> !r:^# && r:chargen' - - id: 10528 + - id: 10525 title: "Ensure daytime is not enabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -340,7 +340,7 @@ checks: rules: - 'f:/etc/inetd.conf -> !r:^# && r:daytime' - - id: 10529 + - id: 10526 title: "Ensure echo is not enabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -351,7 +351,7 @@ checks: rules: - 'f:/etc/inetd.conf -> !r:^# && r:echo' - - id: 10530 + - id: 10527 title: "Ensure discard is not enabled" description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
@@ -362,7 +362,7 @@ checks: rules: - 'f:/etc/inetd.conf -> !r:^# && r:discard' - - id: 10531 + - id: 10528 title: "Ensure time is not enabled" description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -374,7 +374,7 @@ checks: - 'f:/etc/inetd.conf -> !r:^# && r:time' # 6 Special Purpose Services - - id: 10532 + - id: 10529 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface." @@ -385,7 +385,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*avahi-daemon -> r:S\.*avahi-daemon' - - id: 10533 + - id: 10530 title: "Ensure print server is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." 
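Review bot: In the `@@ -374` hunk the rule `f:/etc/inetd.conf -> !r:^# && r:time` is unanchored, so it also matches a `daytime` entry in inetd.conf; the "Ensure time is not enabled" check then reports on a different service than its title names, while the separate daytime check earlier on this page (`r:daytime`) already covers that case. Anchoring the service name, `- 'f:/etc/inetd.conf -> !r:^# && r:^time\s'`, restricts the match to the time service line. The check's `condition:` is outside the hunk, so verify the anchored form still agrees with it.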
@@ -396,7 +396,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*cups -> r:S\.*cups' - - id: 10534 + - id: 10531 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface." @@ -407,7 +407,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*isc-dhcp-server -> r:S\.*isc-dhcp-server' - - id: 10535 + - id: 10532 title: "Configure Network Time Protocol (NTP)" description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server." rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." @@ -424,7 +424,7 @@ checks: - 'f:/etc/ntp.conf -> r:^server\s\.+' - 'f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp' - - id: 10536 + - id: 10533 title: "Ensure LDAP is not enabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface." 
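Review bot: The rule `f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp` in the `@@ -424` hunk inspects ntp.conf for a variable that, on Debian, is set in the ntp init script rather than in the ntpd configuration file, so it is unlikely ever to match and the "Configure Network Time Protocol (NTP)" check may fail on correctly configured hosts if its condition requires all rules. If the intent is the "run ntpd as user ntp" item, point the rule at the init script instead: `- 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'`. The check's `condition:` and remaining rules sit above the hunk, so confirm which file the benchmark version being followed targets.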
@@ -437,7 +437,7 @@ checks: rules: - 'c:dpkg -s slapd -> install ok installed' - - id: 10537 + - id: 10534 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." @@ -449,7 +449,7 @@ checks: - 'c:find /etc -regex /etc/rc.*rpcbind -> r:S\.*rpcbind' - 'c:find /etc -regex /etc/rc.*nfs-kernel-server -> r:S\.*nfs-kernel-server' - - id: 10538 + - id: 10535 title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." @@ -460,7 +460,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*bind9 -> r:S\.*bind9' - - id: 10539 + - id: 10536 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." 
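Review bot: The rule `c:dpkg -s slapd -> install ok installed` in the first hunk lacks the `r:` prefix that the equivalent package checks for `nis` and `telnet` on this page use (`r:install ok installed`), so whether the SCA engine treats the bare text as a literal line match or as a malformed pattern, the LDAP check behaves differently from its siblings. Bring it in line with them: `- 'c:dpkg -s slapd -> r:install ok installed'`. The rest of the "Ensure LDAP is not enabled" check is above the hunk.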
@@ -471,7 +471,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*vsftpd -> r:S\.*vsftpd' - - id: 10540 + - id: 10537 title: "Ensure HTTP Server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." @@ -482,7 +482,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*apache2 -> r:S\.*apache2' - - id: 10541 + - id: 10538 title: "Ensure IMAP and POP server is not enabled" description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." @@ -493,7 +493,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*dovecot -> r:S\.*dovecot' - - id: 10542 + - id: 10539 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." @@ -504,7 +504,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*smb -> r:S\.*smb' - - id: 10543 + - id: 10540 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
@@ -515,7 +515,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*squid -> r:S\.*squid' - - id: 10544 + - id: 10541 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." @@ -526,7 +526,7 @@ checks: rules: - 'c:find /etc -regex /etc/rc.*snmpd -> r:S\.*snmpd' - - id: 10545 + - id: 10542 title: "Configure Mail Transfer Agent for Local-Only Mode" description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail." rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state." 
@@ -537,7 +537,7 @@ checks: rules: - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$' - - id: 10546 + - id: 10543 title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." @@ -550,7 +550,7 @@ checks: - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false' # 7 Network Configuration and Firewall - - id: 10547 + - id: 10544 title: "Disable IP Forwarding" description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0." rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." @@ -561,7 +561,7 @@ checks: rules: - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' - - id: 10548 + - id: 10545 title: "Disable Send Packet Redirects" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
@@ -573,7 +573,7 @@ checks: - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$' - - id: 10549 + - id: 10546 title: "Disable Source Routed Packet Acceptance" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
@@ -585,7 +585,7 @@ checks: - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$' - - id: 10550 + - id: 10547 title: "Disable ICMP Redirect Acceptance" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." @@ -597,7 +597,7 @@ checks: - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$' - - id: 10551 + - id: 10548 title: "Disable Secure ICMP Redirect Acceptance" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
@@ -609,7 +609,7 @@ checks: - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$' - - id: 10552 + - id: 10549 title: "Log Suspicious Packets" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." @@ -621,7 +621,7 @@ checks: - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$' - - id: 10553 + - id: 10550 title: "Enable Ignore Broadcast Requests" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." 
@@ -632,7 +632,7 @@ checks: rules: - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' - - id: 10554 + - id: 10551 title: "Enable Bad Error Message Protection" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -643,7 +643,7 @@ checks: rules: - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' - - id: 10555 + - id: 10552 title: "Enable RFC-recommended Source Route Validation" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing." 
@@ -655,7 +655,7 @@ checks: - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$' - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$' - - id: 10556 + - id: 10553 title: "Enable TCP SYN Cookies" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack." @@ -666,7 +666,7 @@ checks: rules: - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' - - id: 10557 + - id: 10554 title: "Disable IPv6 Router Advertisements" description: "This setting disables the systems ability to accept router advertisements" rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." 
@@ -678,7 +678,7 @@ checks: - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$' - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$' - - id: 10558 + - id: 10555 title: "Disable IPv6 Redirect Acceptance" description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic." rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." @@ -690,7 +690,7 @@ checks: - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$' - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$' - - id: 10559 + - id: 10556 title: "Disable IPv6" description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6." rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system." @@ -706,7 +706,7 @@ checks: - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6\s*\t*=\s*\t*1' - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6\s*\t*=\s*\t*1' - - id: 10560 + - id: 10557 title: "Create /etc/hosts.allow" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server." 
@@ -717,7 +717,7 @@ checks: rules: - 'f:/etc/hosts.allow' - - id: 10561 + - id: 10558 title: "Create /etc/hosts.deny" description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." @@ -729,7 +729,7 @@ checks: - 'f:/etc/hosts.deny' - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' - - id: 10562 + - id: 10559 title: "Disable DCCP" description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery." rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." @@ -740,7 +740,7 @@ checks: rules: - 'c:lsmod -> r:dccp' - - id: 10563 + - id: 10560 title: "Disable SCTP" description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." 
@@ -751,7 +751,7 @@ checks: rules: - 'c:lsmod -> r:sctp' - - id: 10564 + - id: 10561 title: "Disable RDS" description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -762,7 +762,7 @@ checks: rules: - 'c:lsmod -> r:rds' - - id: 10565 + - id: 10562 title: "Disable TIPC" description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -773,7 +773,7 @@ checks: rules: - 'c:lsmod -> r:tipc' - - id: 10566 + - id: 10563 title: "Ensure Firewall is active" description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps." rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports." 
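Review bot: The `c:lsmod -> r:rds` style rules in these hunks only see modules that are loaded at scan time, so a host where `rds` has simply not been loaded yet passes "Disable RDS" even though nothing prevents a later `modprobe rds` or an on-demand load; the rationale text itself asks that the module "not be loaded". The usual remediation for this item is a modprobe.d `install rds /bin/true` entry, which the check never inspects. Consider pairing the lsmod rule with one on the modprobe configuration, e.g. `- 'c:grep -R -e "^install\s*rds\s*/bin/true" /etc/modprobe.d -> r:/bin/true'`, taking care that the check's `condition:` (outside the hunk) accommodates mixed positive and negative rules. The same applies to the DCCP, SCTP and TIPC checks around it.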
@@ -787,7 +787,7 @@ checks: - 'c:find /etc -regex "/etc/rc.*iptables-persistent" -> r:S\.*iptables-persistent' # 8 Logging and Auditing - - id: 10567 + - id: 10564 title: "Ensure the rsyslog Service is activated" description: "Once the rsyslog package is installed it needs to be activated." rationale: "If the rsyslog service is not activated the system will not have a syslog service running." @@ -798,7 +798,7 @@ checks: rules: - 'c:find /etc -regex "/etc/rc.*rsyslog" -> r:S\.*rsyslog' - - id: 10568 + - id: 10565 title: "Configure /etc/rsyslog.conf" description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." rationale: "A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)." @@ -825,7 +825,7 @@ checks: - 'c:grep -R -e "^local4,local5.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - 'c:grep -R -e "^local6,local7.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/' - - id: 10569 + - id: 10566 title: "Configure rsyslog to Send Logs to a Remote Log Host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system" 
@@ -838,7 +838,7 @@ checks: rules: - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+' - - id: 10570 + - id: 10567 title: "Accept Remote rsyslog Messages Only on Designated Log Hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." @@ -852,7 +852,7 @@ checks: - 'c:grep -R -e "^\$ModLoad imtcp.so" /etc/rsyslog.conf,/etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so' - 'c:grep -R -e "^\$InputTCPServerRun 514" /etc/rsyslog.conf,/etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514' - - id: 10571 + - id: 10568 title: "Configure logrotate" description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog." rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files." 
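Review bot: In the `@@ -852` hunk both rules invoke `grep -R -e ... /etc/rsyslog.conf,/etc/rsyslog.d/`, passing the two paths joined by a comma as a single argument; grep then looks for a file literally named `/etc/rsyslog.conf,/etc/rsyslog.d/`, finds nothing, and the rules can never match, so "Accept Remote rsyslog Messages Only on Designated Log Hosts" is always evaluated on an empty result. The rsyslog rules earlier on this page separate the paths with a space, which is what these need: `- 'c:grep -R -e "^\$ModLoad imtcp.so" /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so'` and likewise for the `InputTCPServerRun 514` rule. The check's `condition:` is above the hunk; since a non-log-host should have no such lines, confirm whether an empty grep is meant to pass or fail there.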
@@ -865,7 +865,7 @@ checks: - 'f:/etc/logrotate.d/rsyslog -> r:\S+' # 9 System Access, Authentication and Authorization - - id: 10572 + - id: 10569 title: "Enable cron Daemon" description: "The cron daemon is used to execute batch jobs on the system." rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them." @@ -883,7 +883,7 @@ checks: - 'f:/etc/rc5.d/S15anacron' - 'f:/etc/rc5.d/S15cron' - - id: 10573 + - id: 10570 title: "Ensure at/cron is restricted to authorized users" description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." 
@@ -899,7 +899,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600' - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600' - - id: 10574 + - id: 10571 title: "Set Password Creation Requirement Parameters Using pam_cracklib" description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies." rationale: "Strong passwords protect systems from being hacked through brute force methods." 
@@ -911,7 +911,7 @@ checks: - 'c:dpkg -s libpam-cracklib -> install ok installed' - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so\s*\t*retry=\d\s*\t*minlen=\d\d+\s*\t*dcredit=-\d+\s*\t*ucredit=-\d+\s*\t*ocredit=-\d+\s*\t*lcredit=-\d+' - - id: 10575 + - id: 10572 title: "Set Lockout for Failed Password Attempts" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." @@ -922,7 +922,7 @@ checks: rules: - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d\s*\t*unlock_time=\d\d\d+' - - id: 10576 + - id: 10573 title: "Limit Password Reuse" description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." 
@@ -933,7 +933,7 @@ checks: rules: - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so\s*\t*obscure\s*\t*sha512\s*\t*remember=\d' - - id: 10577 + - id: 10574 title: "Set SSH Protocol to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." @@ -944,7 +944,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2' - - id: 10578 + - id: 10575 title: "Set LogLevel to INFO" description: "The INFO parameter specifices that record login and logout activity will be logged." rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." @@ -955,7 +955,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO' - - id: 10579 + - id: 10576 title: "Disable SSH X11 Forwarding" description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." 
@@ -966,7 +966,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' - - id: 10580 + - id: 10577 title: "Set SSH MaxAuthTries to 4 or Less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy." @@ -977,7 +977,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4' - - id: 10581 + - id: 10578 title: "Set SSH IgnoreRhosts to Yes" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." @@ -988,7 +988,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' - - id: 10582 + - id: 10579 title: "Set SSH HostbasedAuthentication to No" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." 
@@ -999,7 +999,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - - id: 10583 + - id: 10580 title: "Disable SSH Root Login" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" @@ -1010,7 +1010,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' - - id: 10584 + - id: 10581 title: "Set SSH PermitEmptyPasswords to No" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" @@ -1021,7 +1021,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' - - id: 10585 + - id: 10582 title: "Do Not Allow Users to Set Environment Options" description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" 
@@ -1032,7 +1032,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' - - id: 10586 + - id: 10583 title: "Set Idle Timeout Interval for User Login" description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." 
@@ -1044,7 +1044,7 @@ checks: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300' - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0' - - id: 10587 + - id: 10584 title: "Limit Access via SSH" description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." @@ -1055,7 +1055,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' - - id: 10588 + - id: 10585 title: "Set SSH Banner" description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site." 
@@ -1066,7 +1066,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' - - id: 10589 + - id: 10586 title: "Restrict Access to the su Command" description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su." rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." @@ -1079,7 +1079,7 @@ checks: - 'f:/etc/group -> !r:^# && r:wheel' # 10 User Accounts and Environment - - id: 10590 + - id: 10587 title: "Set Password Expiration Days" description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." 
@@ -1090,7 +1090,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' - - id: 10591 + - id: 10588 title: "Set Password Change Minimum Number of Days" description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." @@ -1101,7 +1101,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' - - id: 10592 + - id: 10589 title: "Set Password Expiring Warning Days" description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." @@ -1112,7 +1112,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7' - - id: 10593 + - id: 10590 title: "Set Default Group for root Account" description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." 
@@ -1123,7 +1123,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - - id: 10594 + - id: 10591 title: "Set Default umask for Users" description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories." rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." @@ -1135,7 +1135,7 @@ checks: - 'c:grep -R -e "^umask 077" /etc/profile.d/' - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077' - - id: 10595 + - id: 10592 title: "Lock Inactive User Accounts" description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." 
@@ -1147,7 +1147,7 @@ checks: - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' # 11 Warning Banners - - id: 10596 + - id: 10593 title: "Set Warning Banner for Standard Login Services" description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed." rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." @@ -1163,7 +1163,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/issue -> 0-0-644' - 'c:stat -c%u-%g-%a /etc/issue.net -> 0-0-644' - - id: 10597 + - id: 10594 title: "Remove OS Information from Login Warning Banners" description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." 
@@ -1177,7 +1177,7 @@ checks: - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/issue.net' # 13 Review User and Group Settings - - id: 10598 + - id: 10595 title: "Ensure Password Fields are Not Empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password." rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." @@ -1188,7 +1188,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 10599 + - id: 10596 title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1199,7 +1199,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:^+:' - - id: 10600 + - id: 10597 title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." 
@@ -1209,7 +1209,7 @@ checks: condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 10601 + - id: 10598 title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1220,7 +1220,7 @@ checks: rules: - 'f:/etc/group -> !r:^# && r:^+:' - - id: 10602 + - id: 10599 title: "Verify No UID 0 Accounts Exist Other Than root" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." @@ -1231,7 +1231,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' - - id: 10603 + - id: 10600 title: "Check for Presence of User .rhosts Files" description: "While no .rhosts files are shipped by default, users can easily create them." rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." 
@@ -1242,7 +1242,7 @@ checks: rules: - 'd:/home -> r:^.rhosts$' - - id: 10604 + - id: 10601 title: "Check for Presence of User .netrc Files" description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." @@ -1253,7 +1253,7 @@ checks: rules: - 'd:/home -> r:^.netrc$' - - id: 10605 + - id: 10602 title: "Check for Presence of User .forward Files" description: "The .forward file specifies an email address to forward the user's mail to." rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." @@ -1264,7 +1264,7 @@ checks: rules: - 'd:/home -> r:^.forward$' - - id: 10606 + - id: 10603 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." From 6f0b8d73a571190bd9147e43420117cb3d94260b Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 12 Jun 2019 16:15:46 +0200 Subject: [PATCH 084/247] Use commands for SUSE12 checks --- sca/sles/12/cis_sles12_linux_rcl.yml | 251 ++++++++++++--------------- 1 file changed, 109 insertions(+), 142 deletions(-) 
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index bb8749170..47c85d23b 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml @@ -27,7 +27,6 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # Section 1.1 - Filesystem Configuration @@ -42,8 +41,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp' + - 'c:mount -> r:\s/tmp\s' - id: 7501 title: "Ensure nodev option set on /tmp partition" @@ -55,8 +53,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'd:/tmp' - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev' + - 'c:mount -> r:\s/tmp\s && r:nodev' - id: 7502 title: "Ensure nosuid option set on /tmp partition" @@ -68,7 +65,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid' + - 'c:mount -> r:\s/tmp\s && r:nousid' # 1.1.5 /tmp: noexec - id: 7503 @@ -82,7 +79,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec' + - 'c:mount -> r:\s/tmp\s && r:noexec' # 1.1.6 Build considerations - Partition scheme. - id: 7504 @@ -96,8 +93,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'd:/var' - - 'f:/etc/fstab -> !r:^# && r:/var' + - 'c:mount -> r:\s/var\s' - id: 7505 title: "Ensure separate partition exists for /var/log" @@ -111,7 +107,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log' + - 'c:mount -> r:\s/var/log\s' # 1.1.12 /var/log/audit: partition - id: 7506 
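Review bot: The added rule for the /tmp nosuid check in the `@@ -68,7 +65,7` hunk spells the mount option `nousid`, so `r:nousid` can never match the `nosuid` flag that `mount` prints, and with `condition: all` check 7502 will report a failure on every host whatever the real mount options are. The sibling rules added in this same commit use the correct spelling (`r:\s/media\s && r:nosuid`, `r:\s/dev/shm\s && r:nosuid`). The line should read `- 'c:mount -> r:\s/tmp\s && r:nosuid'`.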
@@ -126,7 +122,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/var/log/audit' + - 'c:mount -> r:\s/var/log/audit\s' # 1.1.13 /home: partition - id: 7507 @@ -140,7 +136,7 @@ checks: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/home' + - 'c:mount -> r:\s/home\s' # 1.1.14 /home: nodev - id: 7508 @@ -153,7 +149,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev' + - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.18 nodev on removable media partitions (not scored) - id: 7512 @@ -166,7 +162,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev' + - 'c:mount -> r:\s/media\s && r:nodev' # 1.1.19 nosuid on removable media partitions (not scored) - id: 7513 @@ -179,7 +175,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid' + - 'c:mount -> r:\s/media\s && r:nosuid' # 1.1.20 noexec on removable media partitions (not scored) - id: 7514 @@ -193,7 +189,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec' + - 'c:mount -> r:\s/media\s && r:noexec' # 1.1.15 /dev/shm: nodev - id: 7509 @@ -206,7 +202,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev' + - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid - id: 7510 @@ -219,7 +215,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid' + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec - id: 7511 
@@ -233,24 +229,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec' - -############################################### -# 1.4 Secure Boot Settings -############################################### -# 1.4.2 Set Boot Loader Password (Scored) - - id: 7515 - title: "Ensure bootloader password is set" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" - rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2 : # grub2-mkpasswd-pbkdf2. The final message is 'Your PBKDF2 is '. Add the following into /etc/grub.d/01_users or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Run the following command to update the grub2 configuration: # grub2-mkconfig > /boot/grub2/grub.cfg Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." - compliance: - - cis: "1.4.2" - - cis_csc: "5.1" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password' + - 'c:mount -> r:\s/dev/shm\s && r:noexec' ############################################### # 1.5 Additional Process Hardening @@ -266,7 +245,9 @@ checks: - cis_csc: "13" condition: all rules: - - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0' + - 'c:sysctl fs.suid_dumpable -> r:\s0$' + - 'c:ulimit -Hc -> 0' + - 'c:grep -R -e"^\*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7517 
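Review bot: The `@@ -233,24 +229,7` hunk deletes check 7515 (CIS 1.4.2, bootloader password) outright instead of converting its `f:` rule to a command, and neither the hunk nor the commit message "Use commands for SUSE12 checks" says why, so the policy silently loses a control. If the deletion is intentional it should be stated in the commit message; if the `f:/boot/grub2/grub.cfg` rule was merely the wrong mechanism, the check can be kept in the command style used elsewhere in this commit, e.g. `- 'c:grep -R -e "^password" /boot/grub2/grub.cfg -> r:^password'` (to be verified against a real grub.cfg, whose password directive may carry a suffix such as `password_pbkdf2`).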
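Review bot: `c:ulimit -Hc -> 0` in the `@@ -266,7 +245,9` hunk invokes a shell builtin; if the SCA command runner executes the argv directly instead of via `sh -c`, there is no `ulimit` executable, the rule yields no output, and with `condition: all` the core-dump check (its `id:` line lies above the hunk) fails on every host regardless of the actual limit. This should be confirmed against the executor of the agent version this policy targets before merging. If it does run through a shell the rule works, but it is the only rule in the hunk without an `r:` prefix; `r:^0$` would make the exact-line intent explicit and match its siblings' style.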
@@ -279,7 +260,8 @@ checks: - cis_csc: "8.4" condition: all rules: - - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$' + - 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$' + - 'c:grep -R -e"^\s*kernel\.randomize_va_space\s\+" /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$' ############################################### # 2 OS Services @@ -298,8 +280,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/chargen -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/chargen-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r:on' - id: 7519 title: "Ensure daytime services are not enabled" @@ -311,8 +292,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/daytime -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/daytime-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:daytime:|daytime-udp && r:on' - id: 7520 title: "Ensure discard services are not enabled" @@ -324,8 +304,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/discard -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/discard-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:discard:|discard-udp: && r:on' - id: 7521 title: "Ensure echo services are not enabled" @@ -337,8 +316,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/echo -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/echo-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:echo:|echo-udp: && r:on' - id: 7522 title: "Ensure time services are not enabled" 
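Review bot: `r:daytime:|daytime-udp` in the daytime hunk (`@@ -311,8 +292,7`) drops the trailing colon that the neighbouring chargen, discard and echo rules keep (`chargen-udp:`, `discard-udp:`, `echo-udp:`); the time hunk on the next line has the same omission. It still matches as a substring, but the inconsistency makes the rules harder to audit side by side. Suggest `- 'c:chkconfig --list -> r:daytime:|daytime-udp: && r:on'`.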
@@ -350,12 +328,11 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/etc/xinetd.d/time -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/time-udp -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:time:|time-udp && r:on' - id: 7523 - title: "Ensure rsh server is disabled" - description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." + title: "Ensure rsh server is not enabled" + description: "The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" compliance: @@ -365,15 +342,10 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/rexec@.service -> r:ExecStart' - - 'f:/usr/lib/systemd/system/rlogin@.service -> r:ExecStart' - - 'f:/usr/lib/systemd/system/rsh@.service -> r:ExecStart' + - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r:on' - id: 7524 - title: "Ensure talk server is disabled" + title: "Ensure talk server is not enabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # chkconfig talk off" 
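Review bot: `r:time:|time-udp` in the `@@ -350,12 +328,11` hunk is an unanchored substring match, so it also hits the `daytime:` and `daytime-udp` entries of `chkconfig --list` that the previous hunk checks separately; with `condition: none`, check 7522 then reports a failure whenever daytime is enabled even if the time services are off. Anchoring the service name at the start of the entry avoids the overlap: `- 'c:chkconfig --list -> r:^\s*time:|^\s*time-udp: && r:on'`.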
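Review bot: The rsh rule in the `@@ -365,15 +342,10` hunk replaces the three `/usr/lib/systemd/system/r*@.service` checks with `chkconfig --list`, but on a systemd-based SLES 12 those services are socket-activated units and `chkconfig --list` may not enumerate them; if it does not, `condition: none` makes the check pass regardless of whether rexec, rlogin or rsh are enabled. The talk, telnet and tftp hunks on the next two lines make the same replacement and carry the same risk. The xinetd hunk at the end of this patch already uses `c:systemctl is-enabled xinetd -> r:enabled`; querying the corresponding units with `systemctl is-enabled` here as well would preserve the coverage the removed lines gave (exact unit names to be confirmed on a SLES 12 install).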
@@ -384,11 +356,10 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/ntalk.service -> r:Exec' + - 'c:chkconfig --list -> r:talk: && r:on' - id: 7525 - title: "Ensure telnet server is disabled" + title: "Ensure telnet server is not enabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Run the following command to disable telnet: # chkconfig telnet off" @@ -399,11 +370,10 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/telnet@.service -> r:ExecStart=-/usr/sbin/in.telnetd' + - 'c:chkconfig --list -> r:telnet: && r:on' - id: 7526 - title: "Ensure tftp server is disabled" + title: "Ensure tftp server is not enabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable atftpd" 
@@ -414,11 +384,10 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no' - - 'f:/usr/lib/systemd/system/tftp.service -> r:Exec' + - 'c:chkconfig --list -> r:tftp: && r:on' - id: 7527 - title: "Ensure rsync service is disabled" + title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd" @@ -427,10 +396,10 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\drsyncd$' + - 'c:chkconfig --list -> r:rsync: && r:on' - id: 7528 - title: "Ensure xinetd is disabled" + title: "Ensure xinetd is not enabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd : # systemctl disable xinetd" @@ -439,8 +408,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/usr/lib/systemd/system/xinetd.service -> r:Exec' - + - 'c:systemctl is-enabled xinetd -> r:enabled' ############################################### # 2 Special Purpose Services 
@@ -454,11 +422,11 @@ checks: - cis: "2.2.1.2" - cis_csc: "6.1" - pci_dss: "2.2.2" - condition: any + condition: all rules: - - 'f:/etc/ntp.conf -> r:restrict -4 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:restrict -6 default kod limited nomodify notrap nopeer noquery' - - 'f:/etc/ntp.conf -> r:^server|^pool' + - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' + - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' + - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$' - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' # 2.2.2 Remove X Windows (Scored) @@ -473,12 +441,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/usr/lib/systemd/system/default.target -> r:Graphical' - - 'p:gdm-x-session' + - 'c:rpm -qa xorg-x11* -> r:\.' # 2.2.3 Disable Avahi Server (Scored) - id: 7531 - title: "Ensure Avahi Server is disabled" + title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon" 
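Review bot: Every option regex in the two new `restrict` rules ends in `\s+` (for example `r:\s+noquery\s+`), so whichever option sits last on the `restrict` line, with nothing after it, never matches and the check fails on a compliant `/etc/ntp.conf`; allowing end of line (`r:\s+noquery\s+|\s+noquery$`) for each option avoids that. The switch from `condition: any` to `condition: all` also makes the unchanged fourth rule, `f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"`, load-bearing, and the leading `"` before `NTPD_OPTIONS` in that pattern does not appear to correspond to anything in a normal `NTPD_OPTIONS="-u ntp:ntp"` line, so the check would then fail on every host; it is worth re-testing that rule before merging. The check's id and title start above this hunk.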
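Review bot: The `xorg-x11*` argument in the new `c:rpm -qa xorg-x11*` rule is an unquoted shell glob; if SCA runs `c:` commands through a shell and any file in the working directory happens to match, the glob expands to those file names and rpm is queried for the wrong thing. Quoting it, `c:rpm -qa "xorg-x11*"`, hands the pattern to rpm as intended. Since `r:\.` here means "any character", i.e. any output line fails the check, a short comment above the rule such as `# any xorg-x11 package listed means X Windows is installed` would spare the next reader a guess.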
@@ -488,10 +455,10 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'p:avahi-daemon' + - 'c:systemctl is-enabled avahi-daemon -> r:enabled' - id: 7532 - title: "Ensure DHCP Server is disabled" + title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd" @@ -500,7 +467,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'f:/usr/lib/systemd/system/dhcpd.service -> r:Exec' + - 'c:systemctl is-enabled dhcpd -> r:enabled' # 2.2.7 Disable NFS and RPC (Not Scored) - id: 7533 @@ -514,11 +481,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnfs$' - - 'd:$rc_dirs -> ^S\d\dnfslock$' + - 'c:systemctl is-enabled nfs -> r:enabled' + - 'c:systemctl is-enabled rpcbind -> r:enabled' - id: 7534 - title: "Ensure DNS Server is disabled" + title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable named : # systemctl disable named" 
@@ -528,10 +495,10 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dnamed$' + - 'c:systemctl is-enabled named -> r:enabled' - id: 7535 - title: "Ensure FTP Server is disabled" + title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited." @@ -541,11 +508,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no' + - 'c:systemctl is-enabled vsftpd -> r:enabled' # 2.2.10 Remove HTTP Server (Not Scored) - id: 7536 - title: "Ensure HTTP server is disabled" + title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited." 
@@ -554,10 +521,10 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dapache2$' + - 'c:systemctl is-enabled apache2 -> r:enabled' - id: 7537 - title: "Ensure IMAP and POP3 server is disabled" + title: "Ensure IMAP and POP3 server is not enabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited." @@ -567,12 +534,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no' - - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + - 'c:systemctl is-enabled dovecot -> r:enabled' # 2.2.12 Remove Samba (Not Scored) - id: 7538 - title: "Ensure Samba is disabled" + title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb : # systemctl disable smb" 
@@ -582,11 +548,10 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$' - - 'd:$rc_dirs -> ^S\d\dsmb$' + - 'c:systemctl is-enabled smb -> r:enabled' - id: 7539 - title: "Ensure HTTP Proxy Server is disabled" + title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked." @@ -596,10 +561,10 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$' + - 'c:systemctl is-enabled squid -> r:enabled' - id: 7540 - title: "Ensure SNMP Server is disabled" + title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods." 
@@ -609,10 +574,10 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - 'c:systemctl is-enabled snmpd -> r:enabled' - id: 7541 - title: "Ensure NIS Server is disabled" + title: "Ensure NIS Server is not enabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" remediation: "Run the following command to disable ypserv : # systemctl disable ypserv" @@ -623,8 +588,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dypserv$' - - 'f:/usr/lib/systemd/system/ypserv.service -> r:Exec' + - 'c:systemctl is-enabled ypserv -> r:enabled' # Section 2.3 - Service Clients - id: 7542 @@ -637,10 +601,9 @@ checks: - cis_csc: "2" - pci_dss: "2.2.3" - nist_800_53: "CM.1" - condition: none + condition: all rules: - - 'd:$rc_dirs -> ^S\d\dypbind$' - - 'f:/usr/lib/systemd/system/ypbind.service -> r:Exec' + - 'c:rpm -q ypbind -> r:not installed$' ############################################### # 3 Network Configuration and Firewalls 
@@ -650,7 +613,7 @@ checks: ############################################### # 3.1.1 Disable IP Forwarding (Scored) - id: 7543 - title: "Ensure IPv4 forwarding is disabled" + title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" @@ -660,20 +623,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 0' - - - id: 7544 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." - rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1" - compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + - 'c:sysctl net.ipv4.ip_forward -> r:\s0$' + - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 7545 
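Review bot: The second new rule of check 7543 can never match: its regex is `^net.ipv4_forward\s*=\s*0$` while the key is `net.ipv4.ip_forward`, and `grep -R` over two paths (`/etc/sysctl.conf /etc/sysctl.d`) prefixes every hit with the file name, so a `^net…` anchor fails even once the key is spelled right; with `condition: all` the check always fails. The same file-name prefix defeats every `^net.ipv4…` grep rule added in the sysctl hunks that follow (checks 7545 through 7553); adding `-h` to those greps, or matching unanchored as the randomize_va_space rule earlier in this patch does with `r:\s2$|\t2$`, fixes them together. Separately, the deleted check 7544 was the only IPv6 forwarding test, and the title now reads "Ensure IP forwarding is disabled" while only `net.ipv4.ip_forward` is queried; if IPv6 is in scope, a rule like `c:sysctl net.ipv6.conf.all.forwarding -> r:\s0$` belongs here too.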
@@ -687,8 +638,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) @@ -705,7 +658,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 7547 
@@ -719,8 +675,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 7548 @@ -734,8 +692,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' - id: 7549 title: "Ensure suspicious packets are logged" 
@@ -748,8 +708,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 7550 @@ -763,7 +725,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7551 @@ -777,7 +740,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 7552 
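Review bot: The two rules added for 3.2.5 "Enable Ignore Broadcast Requests" (id 7550) query `net.ipv4.icmp_ignore_bogus_error_responses`, the same key the 3.2.6 hunk right below checks, so the `icmp_echo_ignore_broadcasts` setting the removed rule covered is no longer audited at all. The lines should read `c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$` with the matching grep on `net\.ipv4\.icmp_echo_ignore_broadcasts`. The check's id and title sit in the previous hunk's trailing context.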
@@ -791,8 +755,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' + - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$' + - 'c:grep -R "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 7553 @@ -806,7 +772,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$' + - 'c:grep -R "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$' ############################################### # 5 System Access, Authentication and Authorization @@ -828,7 +795,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$' + - 'f:$sshd_file -> !r:^\s*\t*# && r:Protocol\s*\t*2$' # 5.2.3 Set LogLevel to INFO (Scored) - id: 7555 @@ -844,7 +811,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 7556 @@ -858,7 +825,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - id: 7557 
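Review bot: The third rule of the rp_filter hunk has a typo in its regex, `\s*=\s$*1$`; the stray `$` before `*` means the rule never matches `net.ipv4.conf.all.rp_filter = 1` in the grep output, and with `condition: all` the check fails on compliant hosts. It should be `r:^net.ipv4.conf.all.rp_filter\s*=\s*1$` like its three siblings. The next hunk (tcp_syncookies) has a similar slip: both regexes use `^net.tcp_syncookies`, but `sysctl` prints `net.ipv4.tcp_syncookies = 1`, so both rules need `r:^net.ipv4.tcp_syncookies\s*=\s*1$`.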
@@ -872,9 +839,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 7558 @@ -888,9 +855,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no' # 5.2.8 Disable SSH Root Login (Scored) - id: 7559 @@ -906,7 +873,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - id: 7560 @@ -922,7 +889,7 @@ checks: - nist_800_53: "SC.8" condition: none rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no' ############################################### # 6 System Maintenance From 5b6d8493ac267db24c4cc0310bd1196b1c702763 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 12 Jun 2019 16:44:28 +0200 Subject: [PATCH 085/247] Fix typo in Debian L2 rules --- sca/debian/cis_debianlinux7-8_L2_rcl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml index c398649ad..80493dba6 100644 --- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml 
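Review bot: The PermitEmptyPasswords rule now matches the compliant value (`r:PermitEmptyPasswords\s*\t*no`) but the check's `condition: none` is unchanged, so a hardened sshd_config with `PermitEmptyPasswords no` fails the check and one with `PermitEmptyPasswords yes` passes. The IgnoreRhosts and HostbasedAuthentication hunks above flipped the condition to `all` when their rules were inverted; this hunk needs the same `condition: all`. The check's id and title are above the hunk.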
@@ -124,8 +124,8 @@ checks: condition: all rules: - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0' - - 'c:apparmor_status -> r:^0\s*profiles are in complain mode' - - 'c:apparmor_status -> r:^0\s*profiles are unconfined' + - 'c:apparmor_status -> r:^0\s*processes are in complain mode' + - 'c:apparmor_status -> r:^0\s*processes are unconfined' # 8.1 Configure System Accounting (auditd) - id: 11008 From f992e20799b6a4f9e2f3c8e95bb4e852f3b2d60e Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 12 Jun 2019 17:46:55 +0200 Subject: [PATCH 086/247] Add comment exclusion --- sca/sles/12/cis_sles12_linux_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index 47c85d23b..95b1146dc 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml @@ -911,7 +911,7 @@ checks: - nist_800_53: "IA.10, AC.7" condition: none rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' + - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:' - id: 7561 title: "Ensure password fields are not empty" From 0d36e3b8029ac920e27ac56d4bab9fe4fb24e2e3 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 12 Jun 2019 10:34:46 -0700 Subject: [PATCH 087/247] Review MAC OS X policies --- sca/darwin/15/cis_apple_macOS_10.11.yml | 190 +++++++++++------------- sca/darwin/16/cis_apple_macOS_10.12.yml | 168 ++++++++++----------- sca/darwin/17/cis_apple_macOS_10.13.yml | 108 +++++++------- 3 files changed, 218 insertions(+), 248 deletions(-) diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index 75a9bdca8..101a00443 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml 
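Review bot: `apparmor_status` prints both a `N profiles are in complain mode.` line and a `N processes are in complain mode.` line, and they are not equivalent: a complain-mode profile whose program is not running yields `0 processes are in complain mode` while the profile is still unenforced. If this check follows the CIS wording "no profiles are in complain mode", the original `r:^0\s*profiles are in complain mode` was the stricter test and only the `profiles are unconfined` line looked like the typo; worth confirming against the benchmark text before keeping both changes. The check's id and title are above the hunk.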
@@ -14,7 +14,7 @@ policy: id: "cis_apple_macos_10_11" file: "cis_apple_macOS_10.11.yml" name: "CIS Apple OSX 10.11 Benchmark" - description: "This document, CIS Apple OSX 10.11 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple OSX 10.11. This guide was tested against Apple OSX 10.11. To obtain the latest version of this guide, please visit https://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org." + description: "This document, CIS Apple OSX 10.11 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple OSX 10.11. This guide was tested against Apple OSX 10.11." references: - https://www.cisecurity.org/cis-benchmarks/ 
@@ -23,14 +23,14 @@ requirements: description: "Requirements for running the SCA scan against MacOS 10.11 (El Capitan)." condition: any rules: - - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p11' - 'c:sw_vers -> r:^ProductVersion:\t*10\p11' - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:.*10\p11' + - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p11' checks: # 1.1 Verify all Apple provided software is current (Scored) - id: 3000 - title: "Verify all Apple provided software is current (Scored)" + title: "Verify all Apple provided software is current" description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update." rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" 
@@ -42,7 +42,7 @@ checks: # 1.2 Enable Auto Update (Scored) - id: 3001 - title: "Enable Auto Update (Scored)" + title: "Enable Auto Update" description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur." rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" @@ -53,11 +53,11 @@ checks: - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1' # 1.3 Enable app update installs (Scored) - id: 3002 - title: "Enable app update installs (Scored)" + title: "Enable app update installs" description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." 
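Review bot: The rewritten rule `c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1` uses a bare value after `->` instead of the `r:` regex form used everywhere else in this series, and the SLES patch earlier in this set actively replaced bare-value rules such as `f:/proc/sys/net/ipv4/ip_forward -> 0` with `r:` patterns. If the SCA engine treats a bare value as an exact-line match this works, since `defaults read` prints `1` on its own, but trailing whitespace in the output would break it silently; `-> r:^1$` states the intent explicitly and stays consistent with the rest of the policy. The same form is introduced in the com.apple.commerce, ConfigDataInstall/CriticalUpdateInstall and AutoUpdateRestartRequired hunks that follow.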
@@ -65,11 +65,11 @@ checks: - cis: "1.3" condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1' # 1.4 Enable system data files and security update installs (Scored) - id: 3003 - title: "Enable system data files and security update installs (Scored)" + title: "Enable system data files and security update installs" description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" 
@@ -80,12 +80,12 @@ checks: - https://support.apple.com/en-us/HT202491 condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1' - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1' # 1.5 Enable OS X update installs (Scored) - id: 3004 - title: "Enable OS X update installs (Scored)" + title: "Enable OS X update installs" description: "Ensure that OS X updates are installed after they are available from Apple. This setting enables OS X updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" 
@@ -93,23 +93,11 @@ checks: - cis: "1.5" condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1' - -# 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored) - - id: 3005 - title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)" - description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable." - rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device." - remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open." - compliance: - - cis: "2.1.2" - condition: all - rules: - - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off' + - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1' # 2.2.1 Enable "Set time and date automatically" (Not Scored) - - id: 3006 - title: "Enable \"Set time and date automatically\" (Not Scored)" + - id: 3005 + title: "Enable \"Set time and date automatically\"" description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Apple's automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. 
Turning on \"Set time and date automatically\" allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting." rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" @@ -120,8 +108,8 @@ checks: - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' # 2.2.3 Restrict NTP server to loopback interface (Scored) - - id: 3007 - title: "Restrict NTP server to loopback interface (Scored)" + - id: 3006 + title: "Restrict NTP server to loopback interface" description: "The Apple System Preference setting to \"Set date and time automatically\" enables both an NTP client that can synchronize the time from known time server(s) and an open listening NTP server that can be used by any other computer that can connect to port 123 on the time syncing computer. This open listening service can allow for both exploits of future NTP vulnerabilities and allow for open ports that can be used for fingerprinting to target exploits. Access to this port should be restricted. Editing the /etc/ntp-restrict.conf file by adding a control on the loopback interface limits external access." rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network." remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo" 
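Review bot: Dropping check 3005 (Bluetooth "Discoverable") and then shifting every later id down by one (3006→3005 here, and on through 3033→3032 in the hunks up to @@ -452) changes what the existing identifiers mean: results already stored under 3005 now describe the time-and-date check, and likewise for every id below it. If the Bluetooth check has to go, leave the id gap instead — keep `- id: 3006` on the "Set time and date automatically" check and the original ids in the following hunks — so SCA history stays comparable across policy versions. The commit message does not say why the `system_profiler SPBluetoothDataType` rule was removed; a one-line comment at the removal point (or a note in the message) would tell the next maintainer whether it was unreliable or intentionally out of scope. The description string of the renumbered check is split across physical lines on this page, so the hunk's context cannot be read as a unit here.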
@@ -132,8 +120,8 @@ checks: - 'f:/etc/ntp-restrict.conf -> r:restrict lo' # 2.4.1 Disable Remote Apple Events (Scored) - - id: 3008 - title: "Disable Remote Apple Events (Scored)" + - id: 3007 + title: "Disable Remote Apple Events" description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer." rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" @@ -144,8 +132,8 @@ checks: - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' # 2.4.4 Disable Printer Sharing (Scored) - - id: 3009 - title: "Disable Printer Sharing (Scored)" + - id: 3008 + title: "Disable Printer Sharing" description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead." rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" 
@@ -156,8 +144,8 @@ checks: - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' # 2.4.5 Disable Remote Login (Scored) - - id: 3010 - title: "Disable Remote Login (Scored)" + - id: 3009 + title: "Disable Remote Login" description: "Remote Login allows an interactive terminal connection to a computer." rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers." remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" @@ -168,8 +156,8 @@ checks: - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' # 2.4.8 Disable File Sharing (Scored) - - id: 3011 - title: "Disable File Sharing (Scored)" + - id: 3010 + title: "Disable File Sharing" description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)" rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" 
@@ -178,23 +166,24 @@ checks: condition: none rules: - 'c:launchctl list -> r:AppleFileServer' + - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\ r:womp && r:0' - - 'c:pmset -b -g -> r:womp && r:0' + - 'c:pmset -c -g -> r:womp && !r:\s0$' + - 'c:pmset -b -g -> r:womp && !r:\s0$' # 2.6.1 Enable FileVault (Scored) - - id: 3013 - title: "Enable FileVault (Scored)" + - id: 3012 + title: "Enable FileVault" description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it." rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" @@ -202,12 +191,12 @@ checks: - cis: "2.6.1" condition: all rules: - - 'c:diskutil cs list -> r:Encryption Status && r:Unlocked' - - 'c:diskutil cs list -> r:Encryption Type && r:AES-XTS' + - 'c:diskutil cs list -> r:^Encryption Status && r:Unlocked' + - 'c:diskutil cs list -> r:^Encryption Type && r:AES-XTS' # 2.6.2 Enable Gatekeeper (Scored) - - id: 3014 - title: "Enable Gatekeeper (Scored)" + - id: 3013 + title: "Enable Gatekeeper" description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization." rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." remediation: "Run the following command in Terminal: sudo spctl --master-enable" 
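Review bot: The new `^` anchors in `c:diskutil cs list -> r:^Encryption Status && r:Unlocked` and the `Encryption Type` rule look like they will never match, because as far as I recall `diskutil cs list` prints those fields indented under the Logical Volume Family tree rather than at column 0; with `condition: all` that would make the FileVault check fail on every host. Please verify against real output and, if the lines are indented, use `r:^\s*Encryption Status && r:Unlocked` and `r:^\s*Encryption Type && r:AES-XTS`, or drop the anchor again if the intent was only to avoid matching the header line. The preceding pmset hunk is garbled on this page (the added smb.server.plist rule's pattern is cut off), so I cannot assess the `!r:\s0$` negations there.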
@@ -215,11 +204,11 @@ checks: - cis: "2.6.2" condition: all rules: - - 'c:spctl --status -> r:assessments enabled' + - 'c:spctl --status -> r:^assessments\s*\t*enabled$' # 2.6.3 Enable Firewall (Scored) - - id: 3015 - title: "Enable Firewall (Scored)" + - id: 3014 + title: "Enable Firewall" description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall." rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services" @@ -232,8 +221,8 @@ checks: - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$' # 2.6.4 Enable Firewall Stealth Mode (Scored) - - id: 3016 - title: "Enable Firewall Stealth Mode (Scored)" + - id: 3015 + title: "Enable Firewall Stealth Mode" description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic." rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" 
@@ -243,11 +232,11 @@ checks: - https://support.apple.com/en-us/HT201642 condition: all rules: - - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled' + - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled' # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored) - - id: 3017 - title: "Enable Secure Keyboard Entry in terminal.app (Scored)" + - id: 3016 + title: "Enable Secure Keyboard Entry in terminal.app" description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal." rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" 
@@ -255,11 +244,11 @@ checks: - cis: "2.10" condition: all rules: - - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$' + - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1' # 2.11 Java 6 is not the default Java runtime (Scored) - - id: 3018 - title: "Java 6 is not the default Java runtime (Scored)" + - id: 3017 + title: "Java 6 is not the default Java runtime" description: "Apple had made Java part of the core Operating System for OS X. Apple is no longer providing Java updates for OS X and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System" rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path." remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used." @@ -270,8 +259,8 @@ checks: - 'c:java -version -> r:1.6.0' # 3.2 Enable security auditing (Scored) - - id: 3019 - title: "Enable security auditing (Scored)" + - id: 3018 + title: "Enable security auditing" description: "OSX's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log." rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" 
@@ -282,8 +271,8 @@ checks: - 'c:launchctl list -> r:com.apple.auditd' # 3.3 Configure Security Auditing Flags (Scored) - - id: 3020 - title: "Configure Security Auditing Flags (Scored)" + - id: 3019 + title: "Configure Security Auditing Flags" description: "Auditing is the capture and maintenance of information about security-related events." rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." 
@@ -294,8 +283,8 @@ checks: - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' # 4.1 Disable Bonjour advertising service (Scored) - - id: 3021 - title: "Disable Bonjour advertising service (Scored)" + - id: 3020 + title: "Disable Bonjour advertising service" description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on Mac OS X is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled." rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" 
@@ -303,12 +292,11 @@ checks: - cis: "4.1" condition: any rules: - - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:does not exist' - - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$' + - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1' # 4.4 Ensure http server is not running (Scored) - - id: 3022 - title: "Ensure http server is not running (Scored)" + - id: 3021 + title: "Ensure http server is not running" description: "Mac OS X used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services." rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true" 
@@ -316,14 +304,12 @@ checks: - cis: "4.4" condition: none rules: - - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1' - 'p:httpd' - 'p:/usr/sbin/httpd' - - 'p:/usr/sbin/httpd -D FOREGROUND' # 4.5 Ensure ftp server is not running (Scored) - - id: 3023 - title: "Ensure ftp server is not running (Scored)" + - id: 3022 + title: "Ensure ftp server is not running" description: "Mac OS X used to have a graphical front-end to the embedded ftp server in the Operating System. Ftp sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an Ftp server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The Ftp server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Ftp servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered" rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist" 
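Review bot: With the `org.apache.httpd -> r:Disabled && !r:1` rule removed, check 3021 now only confirms that no httpd process is running, while its title, description and remediation still claim the server is also "not set to start at boot" (`Disabled -bool true` on the LaunchDaemon plist). Either trim the remediation to what is actually checked, or keep a boot-time rule; if the plist rule was dropped because /System is SIP-protected, something like `- 'c:launchctl list -> r:org.apache.httpd'` under the existing `condition: none` covers the auto-start case without touching the plist. Whether `p:` matches on the full path is not visible here, so `p:httpd` and `p:/usr/sbin/httpd` may be redundant with each other — a short comment saying which form the engine needs would help.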
@@ -331,11 +317,11 @@ checks: - cis: "4.5" condition: none rules: - - 'c:launchctl list -> r:ftp' + - 'c:launchctl list -> r:com.apple.ftpd' # 4.6 Ensure nfs server is not running (Scored) - - id: 3024 - title: "Ensure nfs server is not running (Scored)" + - id: 3023 + title: "Ensure nfs server is not running" description: "Mac OS X can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer." rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export" 
@@ -344,11 +330,12 @@ checks: condition: none rules: - 'p:nfsd' + - 'p:/sbin/nfsd' - 'f:/etc/exports' # 5.7 Do not enable the "root" account (Scored) - - id: 3025 - title: "Do not enable the \"root\" account (Scored)" + - id: 3024 + title: "Do not enable the \"root\" account" description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. In the UNIX/Linux world, the system administrator commonly uses the root account to perform administrative functions." rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." 
@@ -356,11 +343,11 @@ checks: - cis: "5.7" condition: all rules: - - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority' + - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority' # 5.8 Disable automatic login (Scored) - - id: 3026 - title: "Disable automatic login (Scored)" + - id: 3025 + title: "Disable automatic login" description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen." rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" @@ -371,8 +358,8 @@ checks: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' # 5.9 Require a password to wake the computer from sleep or screen saver (Scored) - - id: 3027 - title: "Require a password to wake the computer from sleep or screen saver (Scored)" + - id: 3026 + title: "Require a password to wake the computer from sleep or screen saver" description: "Sleep and screensaver modes are low power modes that reduces electrical consumption while the system is not in use." rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence." remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect." 
@@ -380,11 +367,11 @@ checks: - cis: "5.9" condition: rules: - - 'c:defaults read com.apple.screensaver askForPassword -> r:^1$' + - 'c:defaults read com.apple.screensaver askForPassword -> 1' # 5.11 Disable ability to login to another user's active and locked session (Scored) - - id: 3028 - title: "Disable ability to login to another user's active and locked session (Scored)" + - id: 3027 + title: "Disable ability to login to another user's active and locked session" description: "OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions." rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information." remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save" 
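Review bot: `condition:` above the rules of check 3026 (5.9) is a bare key and therefore parses as null rather than a condition name; it is kept as context by this hunk, but it should read `condition: all` (or `any`) so the engine does not fall back to whatever it does with a missing value. The rewritten rule `c:defaults read com.apple.screensaver askForPassword -> 1` reads a per-user preference domain, so when the agent runs as root it evaluates root's defaults rather than the console user's and can pass or fail a desktop for the wrong reason; the same applies to `defaults read -app Terminal SecureKeyboardEntry` (@@ -255), `defaults read NSGlobalDomain AppleShowAllExtensions` (@@ -440) and `defaults read com.apple.Safari AutoOpenSafeDownloads` (@@ -452). A comment on each of those rules stating that user-scoped defaults are evaluated for the agent's own user — or a check that targets the console user's domain — would make the limitation explicit to whoever reads the results.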
@@ -392,11 +379,11 @@ checks: - cis: "5.11" condition: none rules: - - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel fail_safe' + - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe' # 5.18 System Integrity Protection status (Scored) - - id: 3029 - title: "System Integrity Protection status (Scored)" + - id: 3028 + title: "System Integrity Protection status" description: "System Integrity Protection is a new security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." 
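Review bot: `f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe` under `condition: none` also matches a commented-out line, so a host whose active line has already been changed to `group=wheel` but left the original as a `#` comment fails 5.11. A comment guard in the style the SSH policy already uses, `!r:^\s*# && r:group=admin,wheel && r:fail_safe`, keeps the intent. Splitting the pattern on `&&` also drops the requirement that `fail_safe` follow the group list on the same token run; that is harmless only if `fail_safe` appears on no other line of the file, which is worth confirming.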
@@ -404,11 +391,11 @@ checks: - cis: "5.18" condition: all rules: - - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled' + - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled' # 6.1.3 Disable guest account login (Scored) - - id: 3030 - title: "Disable guest account login (Scored)" + - id: 3029 + title: "Disable guest account login" description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out." rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" 
@@ -416,11 +403,11 @@ checks: - cis: "6.1.3" condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$' + - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0' # 6.1.5 Remove Guest home folder (Scored) - - id: 3031 - title: "Remove Guest home folder (Scored)" + - id: 3030 + title: "Remove Guest home folder" description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed." rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" 
@@ -431,8 +418,8 @@ checks: - 'd:/Users/Guest' # 6.2 Turn on filename extensions (Scored) - - id: 3032 - title: "Turn on filename extensions (Scored)" + - id: 3031 + title: "Turn on filename extensions" description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format." rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" 
@@ -440,11 +427,11 @@ checks: - cis: "6.2" condition: all rules: - - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$' + - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' # 6.3 Disable the automatic run of safe files in Safari (Scored) - - id: 3033 - title: "Disable the automatic run of safe files in Safari (Scored)" + - id: 3032 + title: "Disable the automatic run of safe files in Safari" description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser." rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" @@ -452,5 +439,4 @@ checks: - cis: "6.3" condition: any rules: - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:does not exist' - - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$' + - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index 10419062b..4900134d0 100644 
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml @@ -14,7 +14,7 @@ policy: id: "cis_apple_macos_10_12" file: "cis_apple_macOS_10.12.yml" name: "CIS Apple macOS 10.12 Benchmark" - description: "This document, CIS Apple macOS 10.12 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.12. This guide was tested against Apple macOS 10.12. To obtain the latest version of this guide, please visit https://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org." + description: "This document, CIS Apple macOS 10.12 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.12. This guide was tested against Apple macOS 10.12." references: - https://www.cisecurity.org/cis-benchmarks/ 
@@ -23,14 +23,14 @@ requirements: description: "Requirements for running the SCA scan against MacOS 10.12 (Sierra)." condition: any rules: - - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p12' - 'c:sw_vers -> r:^ProductVersion:\t*10\p12' - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p12' + - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p12' checks: # 1.1 Verify all Apple provided software is current (Scored) - id: 13500 - title: "Verify all Apple provided software is current (Scored)" + title: "Verify all Apple provided software is current" description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update." rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" 
@@ -42,7 +42,7 @@ checks: # 1.2 Enable Auto Update (Scored) - id: 13501 - title: "Enable Auto Update (Scored)" + title: "Enable Auto Update" description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur." rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" @@ -53,11 +53,11 @@ checks: - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ condition: all rules: - - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1' + - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1' # 1.3 Enable app update installs (Scored) - id: 13502 - title: "Enable app update installs (Scored)" + title: "Enable app update installs" description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users." rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." 
@@ -65,11 +65,11 @@ checks:
       - cis: "1.3"
     condition: all
     rules:
-      - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1'
+      - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
 
 # 1.4 Enable system data files and security update installs (Scored)
   - id: 13503
-    title: "Enable system data files and security update installs (Scored)"
+    title: "Enable system data files and security update installs"
     description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
     rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
     remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
@@ -80,12 +80,12 @@ checks:
       - https://support.apple.com/en-us/HT202491
     condition: all
     rules:
-      - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1'
-      - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1'
+      - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1'
+      - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1'
 
 # 1.5 Enable macOS update installs (Scored)
   - id: 13504
-    title: "Enable macOS update installs (Scored)"
+    title: "Enable macOS update installs"
     description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
     rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
     remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
@@ -93,23 +93,11 @@ checks:
       - cis: "1.5"
     condition: all
     rules:
-      - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1'
-
-# 2.1.2 Turn off Bluetooth "Discoverable" mode when not pairing devices (Scored)
-  - id: 13505
-    title: "Turn off Bluetooth \"Discoverable\" mode when not pairing devices (Scored)"
-    description: "When Bluetooth is set to discoverable mode, the Mac sends a signal indicating that it's available to pair with another Bluetooth device. When a device is \"discoverable\" it broadcasts information about itself and its location. Starting with OS X 10.9 Discoverable mode is enabled while the Bluetooth System Preference is open and turned off once closed. Systems that have the Bluetooth System Preference open at the time of audit will show as Discoverable."
-    rationale: "When in the discoverable state an unauthorized user could gain access to the system by pairing it with a remote device."
-    remediation: "Starting with OS X (10.9) Bluetooth is only set to Discoverable when the Bluetooth System Preference is selected. To ensure that the computer is not Discoverable do not leave that preference open."
-    compliance:
-      - cis: "2.1.2"
-    condition: all
-    rules:
-      - 'c:/usr/sbin/system_profiler SPBluetoothDataType -> r:Discoverable:\s*\t*Off'
+      - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
 
 # 2.2.1 Enable "Set time and date automatically" (Scored)
-  - id: 13506
-    title: "Enable \"Set time and date automatically\" (Scored)"
+  - id: 13505
+    title: "Enable \"Set time and date automatically\""
     description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space."
     rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
     remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
@@ -120,8 +108,8 @@ checks:
       - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
 
 # 2.4.1 Disable Remote Apple Events (Scored)
-  - id: 13507
-    title: "Disable Remote Apple Events (Scored)"
+  - id: 13506
+    title: "Disable Remote Apple Events"
     description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
     rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
     remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
@@ -132,8 +120,8 @@ checks:
       - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
 
 # 2.4.4 Disable Printer Sharing (Scored)
-  - id: 13508
-    title: "Disable Printer Sharing (Scored)"
+  - id: 13507
+    title: "Disable Printer Sharing"
     description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
     rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
     remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
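Review bot: Removing check 13505 (2.1.2 Bluetooth "Discoverable") and then shifting every following check id down by one (13506→13505, 13507→13506, …) reassigns existing SCA ids to different controls; anything keyed on `id: 13505` in alert rules, dashboards or past reports now silently points at "Set time and date automatically" instead of the Bluetooth control. Retiring an id and leaving the rest stable is the safer pattern, or at minimum the renumbering should be called out explicitly since the commit message only says "updated to new SCA rules". The Bluetooth check also disappears without a replacement or stated reason; a one-line comment at the gap (`# 2.1.2 intentionally not implemented: system_profiler only reports Discoverable while the preference pane is open`) would tell the next maintainer whether this was deliberate, assuming that is in fact the reason.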
@@ -144,8 +132,8 @@ checks:
       - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
 
 # 2.4.5 Disable Remote Login (Scored)
-  - id: 13509
-    title: "Disable Remote Login (Scored)"
+  - id: 13508
+    title: "Disable Remote Login"
     description: "Remote Login allows an interactive terminal connection to a computer."
     rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
     remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
@@ -156,8 +144,8 @@ checks:
       - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
 
 # 2.4.8 Disable File Sharing (Scored)
-  - id: 13510
-    title: "Disable File Sharing (Scored)"
+  - id: 13509
+    title: "Disable File Sharing"
     description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
     rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
     remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
@@ -166,22 +154,23 @@ checks: condition: none rules: - 'c:launchctl list -> r:AppleFileServer' + - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\ :womp && r:0' + - 'c:pmset -g -> r:womp && !r:\s0$' # 2.6.1.1 Enable FileVault (Scored) - - id: 13512 - title: "Enable FileVault (Scored)" + - id: 13511 + title: "Enable FileVault" description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it." rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" @@ -189,11 +178,11 @@ checks: - cis: "2.6.1.1" condition: all rules: - - 'c:fdesetup status -> r:FileVault is\s*\t*On' + - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$' # 2.6.2 Enable Gatekeeper (Scored) - - id: 13513 - title: "Enable Gatekeeper (Scored)" + - id: 13512 + title: "Enable Gatekeeper" description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization." rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." remediation: "Run the following command in Terminal: sudo spctl --master-enable" 
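Review bot: The new FileVault rule anchors on `On$`, but on every macOS release I have seen `fdesetup status` prints `FileVault is On.` with a trailing period, so the `$` anchor would make a fully encrypted host fail check 13511. Wazuh's regex dialect treats `\.` as "any character" and `\p` as a literal punctuation character, so the strict form is `- 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On\p$'` (or simply drop the `$`); please confirm against real output before merging. The first hunk on this line (2.4.8 / 2.5.x, `@@ -166,22 +154,23 @@`) is truncated in this view — the smbd rule and the check that owns the `womp` rules are not visible — so I could not review those additions.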
@@ -201,11 +190,11 @@ checks:
       - cis: "2.6.2"
     condition: all
     rules:
-      - 'c:spctl --status -> r:assessments enabled'
+      - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
 
 # 2.6.3 Enable Firewall (Scored)
-  - id: 13514
-    title: "Enable Firewall (Scored)"
+  - id: 13513
+    title: "Enable Firewall"
     description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
     rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
     remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
@@ -218,8 +207,8 @@ checks:
       - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
 
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
-  - id: 13515
-    title: "Enable Firewall Stealth Mode (Scored)"
+  - id: 13514
+    title: "Enable Firewall Stealth Mode"
     description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
     rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
     remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
@@ -229,11 +218,11 @@ checks:
       - https://support.apple.com/en-us/HT201642
     condition: all
     rules:
-      - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
+      - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled'
 
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
-  - id: 13516
-    title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
+  - id: 13515
+    title: "Enable Secure Keyboard Entry in terminal.app"
     description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
     rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
     remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
@@ -241,11 +230,11 @@ checks:
       - cis: "2.10"
     condition: all
     rules:
-      - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
+      - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
 
 # 2.11 Java 6 is not the default Java runtime (Scored)
-  - id: 13517
-    title: "Java 6 is not the default Java runtime (Scored)"
+  - id: 13516
+    title: "Java 6 is not the default Java runtime"
     description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
     rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
     remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
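Review bot: `defaults read -app Terminal SecureKeyboardEntry` resolves the preference domain of the user running the command, and the SCA scan runs under the agent's account (presumably root), so the rewritten rule audits root's `com.apple.Terminal` preferences rather than those of the people who actually open Terminal; on a typical endpoint the key is absent for root, `defaults` reports that on stderr with nothing on stdout, and the check fails regardless of the real setting. This limitation predates the commit but the literal `-> 1` form makes it worth recording on the rule, e.g. `# per-user preference: evaluated in the agent's user context, not the logged-in user's`. If SCA cannot iterate users, consider checking `/Users/*/Library/Preferences/com.apple.Terminal.plist` with an `f:` rule per known home instead.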
@@ -256,8 +245,8 @@ checks:
       - 'c:java -version -> r:1.6.0'
 
 # 3.1 Enable security auditing (Scored)
-  - id: 13518
-    title: "Enable security auditing (Scored)"
+  - id: 13517
+    title: "Enable security auditing"
     description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
     rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
     remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
@@ -268,8 +257,8 @@ checks:
       - 'c:launchctl list -> r:com.apple.auditd'
 
 # 3.2 Configure Security Auditing Flags (Scored)
-  - id: 13519
-    title: "Configure Security Auditing Flags (Scored)"
+  - id: 13518
+    title: "Configure Security Auditing Flags"
     description: "Auditing is the capture and maintenance of information about security-related events."
     rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
     remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
@@ -280,8 +269,8 @@ checks:
       - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
 
 # 4.1 Disable Bonjour advertising service (Scored)
-  - id: 13520
-    title: "Disable Bonjour advertising service (Scored)"
+  - id: 13519
+    title: "Disable Bonjour advertising service"
     description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
     rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
     remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
@@ -289,12 +278,11 @@ checks:
       - cis: "4.1"
     condition: all
     rules:
-      - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:does not exist'
-      - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
+      - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
 
 # 4.4 Ensure http server is not running (Scored)
-  - id: 13521
-    title: "Ensure http server is not running (Scored)"
+  - id: 13520
+    title: "Ensure http server is not running"
     description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
     rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
     remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
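Review bot: Collapsing the two Bonjour rules into a single `NoMulticastAdvertisements -> 1` is the right direction — the old pair could never both hold under `condition: all`, and an absent key means advertising is still on — but the remediation text for this check (the context line just above the hunk, untouched here) runs `defaults write … NoMulticastAdvertisements` with no value, which `defaults` rejects, so following it never produces the `1` the new rule demands. Suggest `sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true` so audit and remediation agree; `-bool true` reads back as `1`, matching the literal the rule now expects.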
@@ -302,14 +290,12 @@ checks:
       - cis: "4.4"
     condition: none
     rules:
-      - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
       - 'p:httpd'
       - 'p:/usr/sbin/httpd'
-      - 'p:/usr/sbin/httpd -D FOREGROUND'
 
 # 4.5 Ensure FTP server is not running (Scored)
-  - id: 13522
-    title: "Ensure FTP server is not running (Scored)"
+  - id: 13521
+    title: "Ensure FTP server is not running"
     description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
     rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
     remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
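Review bot: With the `org.apache.httpd … Disabled` rule removed, check 13520 now only looks for a running `httpd` process, so an Apache instance that is loaded in launchd but idle or not yet started at scan time passes, even though the remediation in this same check tells the admin to set `Disabled` on the LaunchDaemon — the audit no longer verifies what the fix changes. Because the check uses `condition: none`, a launchd-level rule fits next to the `p:` rules and mirrors the FTP check in the following hunk: `- 'c:launchctl list -> r:org.apache.httpd'`. Keeping both `p:httpd` and `p:/usr/sbin/httpd` is harmless only if SCA matches `p:` on the basename as well as the full path; if it matches one form, the other is dead weight.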
@@ -317,11 +303,11 @@ checks:
       - cis: "4.5"
     condition: none
     rules:
-      - 'c:launchctl list -> r:ftp'
+      - 'c:launchctl list -> r:com.apple.ftpd'
 
 # 4.6 Ensure nfs server is not running (Scored)
-  - id: 13523
-    title: "Ensure nfs server is not running (Scored)"
+  - id: 13522
+    title: "Ensure nfs server is not running"
     description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
     rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
     remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export"
@@ -330,11 +316,12 @@ checks:
     condition: none
     rules:
       - 'p:nfsd'
+      - 'p:/sbin/nfsd'
       - 'f:/etc/exports'
 
 # 5.8 Do not enable the "root" account (Scored)
-  - id: 13524
-    title: "Do not enable the \"root\" account (Scored)"
+  - id: 13523
+    title: "Do not enable the \"root\" account"
     description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
     rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
     remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
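Review bot: The NFS check keeps failing on `f:/etc/exports` after an admin follows its own remediation, because the remediation line at the end of the previous hunk says `rm /etc/export` (no trailing `s`) — the command removes nothing and the check's file rule still fires. That text is context rather than part of this commit, but it belongs to the check being edited, so fix it to `rm /etc/exports` while here. The added `p:/sbin/nfsd` alongside `p:nfsd` is fine as belt-and-braces, assuming `p:` matching is exact on whatever form the process table reports.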
@@ -342,11 +329,11 @@ checks:
       - cis: "5.8"
     condition: all
     rules:
-      - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority'
+      - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
 
 # 5.9 Disable automatic login (Scored)
-  - id: 13525
-    title: "Disable automatic login (Scored)"
+  - id: 13524
+    title: "Disable automatic login"
     description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
     rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
     remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
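Review bot: Anchoring `^No such key: AuthenticationAuthority` only helps if `dscl` emits that message on stdout; on the builds I have used `dscl . -read` reports a missing attribute on stderr, and a `c:` rule evaluates captured stdout, in which case a compliant host (root disabled) yields no matching line and check 13523 fails under `condition: all`. Please verify the stream on 10.12 before relying on this, and if it is stderr the rule needs a different signal (a negated match on the `;ShadowHash;` / `;Kerberos` entries that an enabled root carries, or a wrapper that merges streams). Also worth a caveat comment on the rule: disabling root through Directory Utility on some releases leaves the attribute in place with a `;DisabledUser;` tag rather than removing it, which this rule would report as non-compliant — `# note: a root account disabled via Directory Utility may still carry AuthenticationAuthority (;DisabledUser;) — confirm on target release`.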
@@ -358,8 +345,8 @@ checks: # 5.20 System Integrity Protection status (Scored) - - id: 13526 - title: "System Integrity Protection status (Scored)" + - id: 13525 + title: "System Integrity Protection status" description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID." rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." 
@@ -367,11 +354,11 @@ checks:
       - cis: "5.20"
     condition: all
     rules:
-      - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled'
+      - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
 
 # 6.1.3 Disable guest account login (Scored)
-  - id: 13527
-    title: "Disable guest account login (Scored)"
+  - id: 13526
+    title: "Disable guest account login"
     description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
     rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
     remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
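Review bot: The SIP rule gained a `^` anchor but, unlike the FileVault and Gatekeeper rules in this same commit, no end anchor, so anything `csrutil` prints after the word `enabled` is accepted; `csrutil status` normally prints `System Integrity Protection status: enabled.` with a trailing period, and on systems with a non-default configuration it appends a qualifier such as `(Custom Configuration)`, which a strict rule should not treat as fully enabled. Suggest `- 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled\p$'` (Wazuh regex: `\p` matches a literal punctuation character, `\.` means any character), after confirming the exact output on 10.12. Consistent `^…$` anchoring across the status-string rules would also make the intent of the `^` additions in this commit clearer.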
@@ -379,11 +366,11 @@ checks:
       - cis: "6.1.3"
     condition: all
     rules:
-      - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$'
+      - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
 
 # 6.1.5 Remove Guest home folder (Scored)
-  - id: 13528
-    title: "Remove Guest home folder (Scored)"
+  - id: 13527
+    title: "Remove Guest home folder"
     description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
     rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
     remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
@@ -394,8 +381,8 @@ checks:
       - 'd:/Users/Guest'
 
 # 6.2 Turn on filename extensions (Scored)
-  - id: 13529
-    title: "Turn on filename extensions (Scored)"
+  - id: 13528
+    title: "Turn on filename extensions"
     description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
     rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
     remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
@@ -403,11 +390,11 @@ checks:
       - cis: "6.2"
     condition: all
     rules:
-      - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$'
+      - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
 
 # 6.3 Disable the automatic run of safe files in Safari (Scored)
-  - id: 13530
-    title: "Disable the automatic run of safe files in Safari (Scored)"
+  - id: 13529
+    title: "Disable the automatic run of safe files in Safari"
     description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
     rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
     remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
@@ -415,5 +402,4 @@ checks:
       - cis: "6.3"
     condition: any
     rules:
-      - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:does not exist'
-      - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:^0$'
+      - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index 6a17d8a0e..4b4cb7e4e 100644
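Review bot: Both `defaults read NSGlobalDomain AppleShowAllExtensions` and `defaults read com.apple.Safari AutoOpenSafeDownloads` are per-user preference domains; executed by the agent they report the agent user's (presumably root's) settings, not those of the people who actually use Finder and Safari, so checks 13528 and 13529 can pass or fail independently of the endpoint's real exposure. Dropping the `does not exist` branch from 6.3 looks correct — Safari's documented default is to open "safe" files, so an absent key is non-compliant — but that reasoning and the user-context caveat should be recorded on the rules, e.g. `# per-user domain: evaluated for the agent's user; absent key = Safari default (auto-open on) = fail`. The `-> 0` literal also relies on `-boolean no` reading back as `0`, which holds for `defaults` but is worth stating alongside.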
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -14,7 +14,7 @@ policy:
   id: "cis_apple_macos_10_13"
   file: "cis_apple_macOS_10.13.yml"
   name: "CIS Apple macOS 10.13 Benchmark"
-  description: "This document, CIS Apple macOS 10.13 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.13. This guide was tested against Apple macOS 10.13. To obtain the latest version of this guide, please visit https://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org"
+  description: "This document, CIS Apple macOS 10.13 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.13. This guide was tested against Apple macOS 10.13."
   references:
     - https://www.cisecurity.org/cis-benchmarks/
@@ -23,14 +23,14 @@ requirements:
   description: "Requirements for running the SCA scan against MacOS 10.13 (High Sierra)."
   condition: any
   rules:
-    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p13'
     - 'c:sw_vers -> r:^ProductVersion:\t*10\p13'
     - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p13'
+    - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p13'
 
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
   - id: 14000
-    title: "Verify all Apple provided software is current (Scored)"
+    title: "Verify all Apple provided software is current"
     description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
     rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
     remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
@@ -42,7 +42,7 @@ checks:
 
 # 1.2 Enable Auto Update (Scored)
   - id: 14001
-    title: "Enable Auto Update (Scored)"
+    title: "Enable Auto Update"
     description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
     rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
     remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
@@ -53,11 +53,11 @@ checks:
       - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
     condition: all
     rules:
-      - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:AutomaticCheckEnabled\s*\t*=\s*\t*1'
+      - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1'
 
 # 1.3 Enable app update installs (Scored)
   - id: 14002
-    title: "Enable app update installs (Scored)"
+    title: "Enable app update installs"
     description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
     rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
     remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
@@ -65,11 +65,11 @@ checks:
 - cis: "1.3"
 condition: all
 rules:
- - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdate\s*\t*=\s*\t*1'
+ - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
 # 1.4 Enable system data files and security update installs (Scored)
 - id: 14003
- title: "Enable system data files and security update installs (Scored)"
+ title: "Enable system data files and security update installs"
 description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
@@ -80,12 +80,12 @@ checks:
 - https://support.apple.com/en-us/HT202491
 condition: all
 rules:
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:ConfigDataInstall\s*\t*=\s*\t*1'
- - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate -> r:CriticalUpdateInstall\s*\t*=\s*\t*1'
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -> 1'
+ - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1'
 # 1.5 Enable macOS update installs (Scored)
 - id: 14004
- title: "Enable macOS update installs (Scored)"
+ title: "Enable macOS update installs"
 description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
@@ -93,12 +93,12 @@ checks:
 - cis: "1.5"
 condition: all
 rules:
- - 'c:defaults read /Library/Preferences/com.apple.commerce -> r:AutoUpdateRestartRequired\s*\t*=\s*\t*1'
+ - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
 # 2.2.1 Enable "Set time and date automatically" (Scored)
 - id: 14005
- title: "Enable \"Set time and date automatically\" (Scored)"
+ title: "Enable \"Set time and date automatically\""
 description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
 remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
@@ -110,7 +110,7 @@ checks:
 # 2.4.1 Disable Remote Apple Events (Scored)
 - id: 14006
- title: "Disable Remote Apple Events (Scored)"
+ title: "Disable Remote Apple Events"
 description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
@@ -122,7 +122,7 @@ checks:
 # 2.4.4 Disable Printer Sharing (Scored)
 - id: 14007
- title: "Disable Printer Sharing (Scored)"
+ title: "Disable Printer Sharing"
 description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
@@ -134,7 +134,7 @@ checks:
 # 2.4.5 Disable Remote Login (Scored)
 - id: 14008
- title: "Disable Remote Login (Scored)"
+ title: "Disable Remote Login"
 description: "Remote Login allows an interactive terminal connection to a computer."
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
@@ -146,7 +146,7 @@ checks:
 # 2.4.8 Disable File Sharing (Scored)
 - id: 14009
- title: "Disable File Sharing (Scored)"
+ title: "Disable File Sharing"
 description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
 remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
@@ -155,22 +155,23 @@ checks:
 condition: none
 rules:
 - 'c:launchctl list -> r:AppleFileServer'
+ - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\ r:womp && r:0'
+ - 'c:pmset -g -> r:womp && !r:\s0$'
 # 2.6.1.1 Enable FileVault (Scored)
 - id: 14011
- title: "Enable FileVault (Scored)"
+ title: "Enable FileVault"
 description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
 remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
@@ -178,11 +179,11 @@ checks:
 - cis: "2.6.1.1"
 condition: all
 rules:
- - 'c:fdesetup status -> r:FileVault is\s*\t*On'
+ - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
 # 2.6.2 Enable Gatekeeper (Scored)
 - id: 14012
- title: "Enable Gatekeeper (Scored)"
+ title: "Enable Gatekeeper"
 description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
 remediation: "Run the following command in Terminal: sudo spctl --master-enable"
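Review bot: The tightened FileVault rule `'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'` in check 14011 ends with an `On$` anchor, but `fdesetup status` prints `FileVault is On.` with a trailing period, so the anchored pattern never matches and the check fails on encrypted systems. Keeping the new start anchor and dropping the end anchor, `- 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On'`, still excludes the `Off` case because `On` does not match `Of`. The first hunk at `@@ -155,22` appears garbled in this view between the smb.server.plist rule and the pmset rule (the `r:\ r:womp` fragment), so the Wake-on-LAN rules it adds could not be reviewed from here.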
@@ -190,11 +191,11 @@ checks:
 - cis: "2.6.2"
 condition: all
 rules:
- - 'c:spctl --status -> r:assessments enabled'
+ - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
 # 2.6.3 Enable Firewall (Scored)
 - id: 14013
- title: "Enable Firewall (Scored)"
+ title: "Enable Firewall"
 description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services "
@@ -208,7 +209,7 @@ checks:
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
 - id: 14014
- title: "Enable Firewall Stealth Mode (Scored)"
+ title: "Enable Firewall Stealth Mode"
 description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
@@ -218,11 +219,11 @@ checks:
 - https://support.apple.com/en-us/HT201642
 condition: all
 rules:
- - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:Stealth mode enabled'
+ - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled'
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
 - id: 14015
- title: "Enable Secure Keyboard Entry in terminal.app (Scored)"
+ title: "Enable Secure Keyboard Entry in terminal.app"
 description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
 remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
@@ -230,11 +231,11 @@ checks:
 - cis: "2.10"
 condition: all
 rules:
- - 'c:defaults read -app Terminal SecureKeyboardEntry -> r:^1$'
+ - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
 # 2.11 Java 6 is not the default Java runtime (Scored)
 - id: 14016
- title: "Java 6 is not the default Java runtime (Scored)"
+ title: "Java 6 is not the default Java runtime"
 description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
 rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
 remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable."
@@ -246,7 +247,7 @@ checks:
 # 2.13 Ensure EFI version is valid and being regularly checked (Scored)
 - id: 14017
- title: "Ensure EFI version is valid and being regularly checked (Scored)"
+ title: "Ensure EFI version is valid and being regularly checked"
 description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
 rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
 remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
@@ -255,11 +256,11 @@ checks:
 condition: all
 rules:
 - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes'
- - 'c:launchctl list -> r:-\s*\t*0\s*\t*com.apple.driver.eficheck'
+ - 'c:launchctl list -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
 # 3.1 Enable security auditing (Scored)
 - id: 14018
- title: "Enable security auditing (Scored)"
+ title: "Enable security auditing"
 description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
 remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
@@ -271,7 +272,7 @@ checks:
 # 3.2 Configure Security Auditing Flags (Scored)
 - id: 14019
- title: "Configure Security Auditing Flags (Scored)"
+ title: "Configure Security Auditing Flags"
 description: "Auditing is the capture and maintenance of information about security-related events."
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
 remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
@@ -283,7 +284,7 @@ checks:
 # 4.1 Disable Bonjour advertising service (Scored)
 - id: 14020
- title: "Disable Bonjour advertising service (Scored)"
+ title: "Disable Bonjour advertising service"
 description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
@@ -291,12 +292,11 @@ checks:
 - cis: "4.1"
 condition: all
 rules:
- - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:does not exist'
- - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> r:^1$'
+ - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
 # 4.4 Ensure http server is not running (Scored)
 - id: 14021
- title: "Ensure http server is not running (Scored)"
+ title: "Ensure http server is not running"
 description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
@@ -304,14 +304,12 @@ checks:
 - cis: "4.4"
 condition: none
 rules:
- - 'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'
 - 'p:httpd'
 - 'p:/usr/sbin/httpd'
- - 'p:/usr/sbin/httpd -D FOREGROUND'
 # 4.5 Ensure nfs server is not running (Scored)
 - id: 14022
- title: "Ensure nfs server is not running (Scored)"
+ title: "Ensure nfs server is not running"
 description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
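Review bot: With the `'c:defaults read /System/Library/LaunchDaemons/org.apache.httpd -> r:Disabled && !r:1'` rule removed, check 14021 now verifies only that no httpd process is running, while its remediation text (in the previous hunk) still requires the launch daemon to be set `Disabled -bool true` so it does not start at boot; a host where Apache is stopped but enabled for the next boot now passes. Either keep a rule covering the boot setting or narrow the check's description and remediation to the running-process condition so that what the check reports matches what it promises. Check 14021 starts before this hunk.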
@@ -320,11 +318,12 @@ checks:
 condition: none
 rules:
 - 'p:nfsd'
+ - 'p:/sbin/nfsd'
 - 'f:/etc/exports'
 # 5.11 Do not enable the "root" account (Scored)
 - id: 14023
- title: "Do not enable the \"root\" account (Scored)"
+ title: "Do not enable the \"root\" account"
 description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
 remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
@@ -332,11 +331,11 @@ checks:
 - cis: "5.11"
 condition: all
 rules:
- - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:No such key: AuthenticationAuthority'
+ - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
 # 5.12 Disable automatic login (Scored)
 - id: 14024
- title: "Disable automatic login (Scored)"
+ title: "Disable automatic login"
 description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
 remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
@@ -348,7 +347,7 @@ checks:
 # 5.23 System Integrity Protection status (Scored)
 - id: 14025
- title: "System Integrity Protection status (Scored)"
+ title: "System Integrity Protection status"
 description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
 remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
@@ -356,11 +355,11 @@ checks:
 - cis: "5.23"
 condition: all
 rules:
- - 'c:/usr/bin/csrutil status -> r:System Integrity Protection status: enabled'
+ - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
 # 6.1.3 Disable guest account login (Scored)
 - id: 14026
- title: "Disable guest account login (Scored)"
+ title: "Disable guest account login"
 description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
 remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
@@ -368,11 +367,11 @@ checks:
 - cis: "6.1.3"
 condition: all
 rules:
- - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> r:^0$'
+ - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
 # 6.1.5 Remove Guest home folder (Scored)
 - id: 14027
- title: "Remove Guest home folder (Scored)"
+ title: "Remove Guest home folder"
 description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
 remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
@@ -384,7 +383,7 @@ checks:
 # 6.2 Turn on filename extensions (Scored)
 - id: 14028
- title: "Turn on filename extensions (Scored)"
+ title: "Turn on filename extensions"
 description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
 remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
@@ -392,17 +391,16 @@ checks:
 - cis: "6.2"
 condition: all
 rules:
- - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> r:^1$'
+ - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
 # 6.3 Disable the automatic run of safe files in Safari (Scored)
 - id: 14029
- title: "Disable the automatic run of safe files in Safari (Scored)"
+ title: "Disable the automatic run of safe files in Safari"
 description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
 - cis: "6.3"
- condition: any
+ condition: all
 rules:
- - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> r:does not exist'
- - 'c:defaults read com.apple.Safari -> r:AutoOpenSafeDownloads && r:0$'
+ - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
From d2f88cf60fd6efdc9e97af87f1404309f77eb9d8 Mon Sep 17 00:00:00 2001
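Review bot: `'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'` and `'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'` read per-user preference domains, so they reflect the account the SCA scan runs as (normally root) rather than the interactive user whose Safari and Finder are at risk; the `-app Terminal SecureKeyboardEntry` rule of check 14015 has the same property. The switch of check 14029 to `condition: all` is the right direction, since an absent key leaves Safari's default of opening "safe" files in effect, but the description should say that the check is evaluated against the scanning user's preference domain, and — depending on the macOS version — Safari's sandboxed container preferences may not be visible through `defaults read com.apple.Safari` at all, which is worth confirming on a 10.13 host. Check 14028 starts before this hunk.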
From: Chema Martinez
Date: Wed, 12 Jun 2019 10:35:28 -0700
Subject: [PATCH 088/247] Fix typo in RHEL7 policy
---
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index c601fc96f..ccd65c215 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -607,7 +607,7 @@ checks:
 rules:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
 - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
- - 'f:/etc/ntp.conf -> r:^server\.+$'
+ - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$'
 - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp'
 - 'f:/usr/lib/systemd/system/ntpd.service -> r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp'
@@ -728,7 +728,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'
+ - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4_forward\s*=\s*0$'
 - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
 # 3.1.2 Disable Send Packet Redirects (Scored)
@@ -878,7 +878,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.tcp_syncookies -> r:=^net.tcp_syncookies\s*=\s*1$'
+ - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
 - 'c:grep "net\.ipv4\.tcp_syncookies" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
 ###############################################
From d490f951b2abe6f3a49fe266b43040079d90ccf2 Mon Sep 17 00:00:00 2001
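Review bot: Removing the stray `=` does not make the rule in the hunk at `@@ -728` match: `sysctl net.ipv4.ip_forward` prints `net.ipv4.ip_forward = 0`, and `r:^net.ipv4_forward\s*=\s*0$` requires the literal text `ipv4_forward`, which never appears in that output, so the check still fails on a compliant host; the same applies to `r:^net.tcp_syncookies\s*=\s*1$` in the hunk at `@@ -878`, where the output is `net.ipv4.tcp_syncookies = 1`. The patterns should name the full key: `- 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'` and `- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'`. The neighbouring `grep ... -R` context rules use the same truncated key and are anchored with `^` although grep with several file arguments prefixes each match with the file name, so they are likely to need the same correction. Both checks start before their hunks.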
From: Cristina Maria Garrido Lopez
Date: Thu, 13 Jun 2019 10:55:17 +0200
Subject: [PATCH 089/247] Review SUSE policies
---
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 3 +-
 sca/sles/11/cis_sles11_linux_rcl.yml | 131 ++++++++++++-----------
 sca/sles/12/cis_sles12_linux_rcl.yml | 4 +-
 3 files changed, 69 insertions(+), 69 deletions(-)
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index e82b521e5..204f8face 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -237,8 +237,7 @@ checks:
 rules:
 - 'c:ulimit -H -c -> 0'
 - 'c:sysctl fs.suid_dumpable -> r:=\s*0$'
- - 'c:grep -e "hard\s*\t*core" /etc/security/limits.conf -> !r:^# && r:\s*\t*hard\s*\t*core\s*\t*0'
- - 'c:grep -R -e"^*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -R -e"^\*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
 - id: 10517
 title: "Enable Randomized Virtual Memory Region Placement"
diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml
index e555ce6cc..fd8d39f49 100644
--- a/sca/sles/11/cis_sles11_linux_rcl.yml
+++ b/sca/sles/11/cis_sles11_linux_rcl.yml
@@ -213,7 +213,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/boot/grub2/grub.cfg -> !r:^# && r:password'
+ - 'f:/boot/grub/menu.lst -> !r:^# && r:password --med5'
 ###############################################
 # 1.5 Additional Process Hardening
@@ -231,6 +231,7 @@ checks:
 rules:
 - 'c:ulimit -H -c -> 0'
 - 'c:sysctl fs.suid_dumpable -> r:= 0$'
+ - 'c:grep -R -e"^\*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
 - id: 7017
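Review bot: The new GRUB legacy rule in the hunk at `@@ -213`, `'f:/boot/grub/menu.lst -> !r:^# && r:password --med5'`, contains a typo: the menu.lst directive is `password --md5 <hash>`, so `--med5` never matches and the check fails even when a boot-loader password is configured. Change the line to `- 'f:/boot/grub/menu.lst -> !r:^# && r:password --md5'`. The limits.conf rule added in the hunk at `@@ -231` mirrors the Debian correction in the same commit and looks consistent with it. Both checks start before their hunks.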
@@ -244,7 +245,7 @@ checks:
 condition: all
 rules:
 - 'c:grep -R "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$'
- - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
+ - 'c:/sbin/sysctl kernel.randomize_va_space -> r:=\s*2$'
 ###############################################
 # 2 OS Services
@@ -384,9 +385,9 @@ checks:
 compliance:
 - cis: "2.1.10, 2.2.17"
 - pci_dss: "2.2.2"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list -> \s*\t*rsyncd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list -> r:rsync: && r:on'
 ###############################################
 # 2 Special Purpose Services
@@ -419,7 +420,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'c:rpm -qa xorg-x11* -> r:^xorg-x11'
+ - 'c:rpm -qa xorg-x11* -> r:\.'
 # 2.2.3 Disable Avahi Server (Scored)
 - id: 7030
@@ -433,7 +434,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'p:avahi-daemon'
+ - 'c:systemctl is-enabled avahi-daemon -> r:enabled'
 - id: 7031
 title: "Ensure DHCP Server is not enabled"
@@ -443,9 +444,9 @@ checks:
 compliance:
 - cis: "2.2.5"
 - cis_csc: "9.1"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list dhcpd -> \s*\t*dhcpd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list dhcpd -> r:dhcpd && r:on'
 # 2.2.7 Disable NFS and RPC (Not Scored)
 - id: 7032
@@ -457,10 +458,10 @@ checks:
 - cis: "2.2.7"
 - cis_csc: "9.1"
 - pci_dss: "2.2.2"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list nfs -> \s*\t*nfs\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
- - 'c:chkconfig --list rpcbind -> \s*\t*rpcbind\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list nfs -> r:nfs && r:on'
+ - 'c:chkconfig --list rpcbind -> r:rpcbind && r:on'
 - id: 7033
 title: "Ensure DNS Server is not enabled"
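Review bot: The avahi rule in the hunk at `@@ -433` now runs `c:systemctl is-enabled avahi-daemon -> r:enabled`, but this policy targets SLES 11, which uses SysV init and `chkconfig` — every other service check in the file, including the dhcpd, nfs and rpcbind rules rewritten in the neighbouring hunks, queries `chkconfig --list`. On a host without `systemctl` the command produces no matching output, the `none` condition is satisfied, and check 7030 passes regardless of whether avahi is enabled. A rule in the file's own style would be `- 'c:chkconfig --list avahi-daemon -> r:avahi-daemon && r:on'`. Check 7030 starts before this hunk.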
@@ -471,9 +472,9 @@ checks:
 - cis: "2.2.8"
 - cis_csc: "9.1"
 - pci_dss: "2.2.2"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list named -> \s*\t*named\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list named -> r:named && r:on'
 - id: 7034
 title: "Ensure FTP Server is not enabled"
@@ -484,9 +485,9 @@ checks:
 - cis: "2.2.9"
 - cis_csc: "9.1"
 - pci_dss: "2.2.2"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list vsftpd -> \s*\t*vsftpd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list vsftpd -> r:vsftpd && r:on'
 # 2.2.10 Remove HTTP Server (Not Scored)
 - id: 7035
@@ -497,9 +498,9 @@ checks:
 compliance:
 - cis: "2.2.10"
 - cis_csc: "9.1"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list apache2 -> \s*\t*apache2\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list apache2 -> r:apache2 && r:on'
 - id: 7036
 title: "Ensure IMAP and POP3 server is not enabled"
@@ -512,7 +513,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'c:chkconfig --list cyrus -> \s*\t*cyrus\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list cyrus -> r:cyrus && r:on'
 # 2.2.12 Remove Samba (Not Scored)
 - id: 7037
@@ -524,9 +525,9 @@ checks:
 - cis: "2.2.12"
 - cis_csc: "9.1"
 - pci_dss: "2.2.2"
- condition: all
+ condition: none
 rules:
- - 'c:chkconfig --list smb -> \s*\t*smb\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off'
+ - 'c:chkconfig --list smb -> r:smb && r:on'
 - id: 7038
 title: "Ensure HTTP Proxy Server is not enabled"
@@ -537,9 +538,9 @@ checks: - cis: "2.2.13" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: all + condition: none rules: - - 'c:chkconfig --list squid -> \s*\t*squid\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' + - 'c:chkconfig --list squid -> r:squid && r:on' - id: 7039 title: "Ensure SNMP Server is not enabled" @@ -550,9 +551,9 @@ checks: - cis: "2.2.14" - cis_csc: "9.1" - pci_dss: "2.2.2" - condition: all + condition: node rules: - - 'c:chkconfig --list snmpd -> \s*\t*snmpd\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' + - 'c:chkconfig --list snmpd -> r:snmpd && r:on' - id: 7040 title: "Ensure NIS Server is not enabled" @@ -566,7 +567,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list ypserv -> \s*\t*ypserv\s*\t*0:off\s*\t*1:off\s*\t*2:off\s*\t*3:off\s*\t*4:off\s*\t*5:off\s*\t*6:off' + - 'c:chkconfig --list ypserv -> r:ypserv && r:on' # Section 2.3 - Service Clients - id: 7041 @@ -581,7 +582,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:rpm -q ybind -> r:^ypbind-\S*' + - 'c:rpm -qa ypbind -> r:\.' ############################################### # 3 Network Configuration and Firewalls @@ -601,8 +602,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:= 0$' + - 'c:grep -R "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 7044 
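Review bot: `condition: node` in the snmpd check (id 7039) is a typo for `none`; every sibling check rewritten in this commit pairs the `r:<service> && r:on` pattern with `condition: none`, and a value outside the all/any/none set will not evaluate as intended. Change it to `condition: none`.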
@@ -616,10 +617,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) @@ -636,10 +637,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 7046 
@@ -653,10 +654,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 7047 @@ -670,10 +671,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:= 0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:= 0$' + - 'c:grep -R "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*0$' + - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*0$' - id: 7048 title: "Ensure suspicious packets are logged" 
@@ -686,10 +687,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:grep -R "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:= 1$' + - 'c:grep -R "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 7049 @@ -703,8 +704,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:= 1$' + - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7050 @@ -718,8 +719,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:= 1$' + - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 7051 
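Review bot: The rewritten sysctl rule for id 7049 still reads `net.ipv4.icpm_echo_ignore_broadcasts` (`icpm` for `icmp`), so sysctl reports an unknown key and the rule can never match; with `condition: all` the check fails even on compliant hosts. The grep rule directly above it spells the key correctly. Change it to `- 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*1$'`.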
@@ -733,10 +734,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:grep -R "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:= 1$' + - 'c:grep -R "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 7052 @@ -750,8 +751,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 1$' - - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:= 1$' + - 'c:grep -R "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*1$' ############################################### # 5 System Access, Authentication and Authorization @@ -773,7 +774,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2' + - 'f:$sshd_file -> !r:^# && r:^\s*\t*Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - id: 7054 @@ -817,9 +818,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 7057 
@@ -833,9 +834,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' # 5.2.8 Disable SSH Root Login (Scored) - id: 7058 @@ -865,9 +866,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no' ############################################### # 6 System Maintenance diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index 95b1146dc..dec284cdd 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml @@ -601,9 +601,9 @@ checks: - cis_csc: "2" - pci_dss: "2.2.3" - nist_800_53: "CM.1" - condition: all + condition: none rules: - - 'c:rpm -q ypbind -> r:not installed$' + - 'c:rpm -qa ypbind -> r:\.' ############################################### # 3 Network Configuration and Firewalls From 2dbc1ef6e74d5d4838158a104c6c32ef4c8cd450 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Thu, 13 Jun 2019 12:27:12 +0200 Subject: [PATCH 090/247] Update mysql enterprise SCA rules --- .../cis_mysql5-6_enterprise_rcl.yml | 83 +++++++++---------- 1 file changed, 39 insertions(+), 44 deletions(-) diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index dc83403f5..c4375a752 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml 
@@ -25,11 +25,6 @@ requirements: rules: - 'd:/etc/mysql' -variables: - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ - $enviroment_files: /*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile - $mysql-cnfs: /etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf - checks: #1 Operating System Level Configuration - id: 4500 @@ -44,7 +39,7 @@ checks: - https://bugs.mysql.com/bug.php?id=72158 condition: none rules: - - 'd:$home_dirs -> ^.mysql_history$' + - 'd:/home -> ^.mysql_history$' - id: 4501 title: "Disable Interactive Login" @@ -53,9 +48,9 @@ checks: remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'" compliance: - cis: "1.5" - condition: all + condition: none rules: - - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$' + - 'c:getent passwd mysql -> r:^\s$' - id: 4502 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" @@ -68,7 +63,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html condition: none rules: - - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*' + - 'c:find /home -maxdepth 2 -type f -regex "/home/.*/\(\.bashrc\|\.profile\|.bash_profile\)" -exec grep MYSQL_PWD {} + -> r:MYSQL_PWD' #4 General - id: 4503 
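Review bot: Replacing `$home_dirs` with `d:/home` narrows id 4500 to the `/home` directory itself; the other roots the removed variable covered (`/usr2/home`, `/*/home`, and `/` for root's home) are no longer inspected, and whether `d:` descends into `/home/<user>` is not something the hunk shows, which matters because `.mysql_history` lives in the user's home directory rather than in `/home`. If `d:` is not recursive, a `find`-based rule like the one id 4502 adopts in this same commit would be the consistent way to cover the per-user files.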
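Review bot: The new rule for id 4501, `c:getent passwd mysql -> r:^\s$`, never inspects the login shell: `^\s$` only matches a line consisting of a single whitespace character, which getent does not print, so with `condition: none` the check passes whether or not the mysql account can log in interactively. Keep the shell test from the removed rule, applied to the getent output, e.g. `condition: all` with `- 'c:getent passwd mysql -> r:^mysql: && r:/bin/false$|/sbin/nologin$'`.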
@@ -83,10 +78,10 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs condition: none rules: - - 'f:$mysql-cnfs -> r:allow-suspicious-udfs' + - 'c:my_print_defaults mysqld -> r:allow-suspicious-udfs' - id: 4504 - title: "Ensure 'local_infile is Disabled" + title: "Ensure 'local_infile' is Disabled" description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'." rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability." remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service." @@ -95,9 +90,9 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file - https://dev.mysql.com/doc/refman/5.6/en/load-data.html - condition: all + condition: any rules: - - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$' + - 'c:grep -R "local_inside" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local_inside=0' - id: 4505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" @@ -110,7 +105,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables condition: all rules: - - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false' + - 'c:grep -R "skip-grant-tables" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false' - id: 4506 title: "Ensure '--skip-symbolic-links' Is Enabled" 
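Review bot: Both the grep pattern and the regex in the new id 4504 rule look for `local_inside`, but the MySQL option is `local_infile` (`local-infile` in option files, as the remediation text itself says), so the rule never matches and with `condition: any` the check always fails. Suggested: `- 'c:grep -R "local.infile" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0|local_infile\s*=\s*0'`. The same typo is carried into PATCH 091 (hunk `@@ -92,7 +92,7 @@` of the same file).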
@@ -124,7 +119,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links condition: all rules: - - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes' + - 'c:grep -R "skip_symbolic_links" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes' - id: 4507 title: "Ensure 'secure_file_priv' is not empty" @@ -137,7 +132,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv condition: all rules: - - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*' + - 'c:grep -R "secure_file_priv" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv=\s*\S+\s*' - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" @@ -148,7 +143,7 @@ checks: - cis: "4.9" condition: all rules: - - 'f:$mysql-cnfs -> r:strict_all_tables' + - 'c:grep -R "strict_all_tables" /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables' #6 Auditing and Logging - id: 4509 @@ -162,7 +157,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/error-log.html condition: all rules: - - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*' + - 'c:grep -R "log_error" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*' - id: 4510 title: "Ensure Log Files are not Stored on a non-system partition" 
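Review bot: `r:secure_file_priv=\s*\S+\s*` in the new id 4507 rule allows whitespace after `=` but not before it, so `secure_file_priv = /var/lib/mysql-files` (the spacing the other rewritten rules accept via `\s*=\s*`) is reported as empty and the `condition: all` check fails. Use `r:secure_file_priv\s*=\s*\S+` for consistency with the rest of the file. Note also that, unlike the rules carrying `!r:^\s*\t*#`, nothing here stops a commented-out `#secure_file_priv=...` line from satisfying the check.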
@@ -174,9 +169,9 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html - condition: all + condition: none rules: - - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' + - 'c:grep -R "log_bin" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' - id: 4511 title: "Ensure 'log_warning' is set to 2" @@ -189,7 +184,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2' + - 'c:grep -R "log_warnings" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2' - id: 4512 title: "Ensure 'log_raw' is set to 'OFF'" @@ -203,7 +198,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$' + - 'c:grep -R "log-raw" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$' #7 Authentication - id: 4513 @@ -220,8 +215,8 @@ checks: - https://www.cvedetails.com/cve/CVE-2003-1480/ condition: none rules: - - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1' - - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on' + - 'c:grep -R "old_passwords" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1' + - 'c:grep -R "old_passwords" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on' - id: 4514 title: "Ensure 'secure_auth' is set to 'ON'" 
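Review bot: The rewritten id 4510 regex `log_bin\s*\t*/+...` leaves no room for the `=` that separates the option from its value in an option file (`log_bin = /var/log/mysql/mysql-bin.log`), so it cannot match a real setting and with `condition: none` the check always passes. The same omission is in id 4512 (`log-raw\s*OFF$`) and id 4523 (`audit_log_statement_policy\s*all$`), where the result is that a compliant `log-raw=OFF` or `audit_log_statement_policy=ALL` line is not recognised. Inserting the separator, e.g. `log_bin\s*=\s*/+\s*$|log_bin\s*=\s*/+var/*\s*$|log_bin\s*=\s*/+usr/*\s*$`, restores the intended match; the corresponding `log-raw\s*=\s*OFF$` and `audit_log_statement_policy\s*=\s*ALL$` forms apply to the other two.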
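Review bot: The `!r:^\s*\t*#` guard in the rewritten id 4511 rule cannot take effect once the source is `c:grep -R ...` over several paths: grep prefixes each match with the file name, so no output line starts with `#` and commented-out settings are no longer excluded. The same guard is ineffective in ids 4512, 4513, 4515, 4516 and 4519–4522, and the `^`-anchored positive patterns fare worse: `r:^\s*password` in id 4515 can never match, so that `condition: none` check always passes, and `r:^audit_log\s*=` in id 4525 can never match, so that `condition: all` check always fails. Either drop the prefix with `c:grep -Rh ...` so the anchors work again, or anchor after the prefix, e.g. `!r::\s*#` and `r::\s*password`.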
@@ -234,7 +229,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth condition: all rules: - - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on' + - 'c:grep -R "secure_auth" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on' - id: 4515 title: "Ensure Passwords Are Not Stored in the Global Configuration" @@ -247,7 +242,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html condition: none rules: - - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*' + - 'c:grep -R "password" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*' - id: 4516 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'" @@ -258,7 +253,7 @@ checks: - cis: "7.4" condition: all rules: - - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$' + - 'c:grep -R "no_auto_create_user" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$' - id: 4517 title: "Ensure Password Policy is in Place" 
@@ -269,15 +264,15 @@ checks: - cis: "7.6" references: - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html - condition: none + condition: all rules: - - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$' - - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$' - - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$' - - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$' - - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$' - - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1' - - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*' + - 'c:grep -R "plugin-load" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$' + - 'c:grep -R "validate-password" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$' + - 'c:grep -R "validate_password_length" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14' + - 'c:grep -R "validate_password_mixed_case_count" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1' + - 'c:grep -R "validate_password_number_count" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1' + - 'c:grep -R "validate_password_special_char_count" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1' + - 'c:grep -R "validate_password_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> 
r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*' #9 Replication - id: 4518 @@ -291,7 +286,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository condition: all rules: - - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table' + - 'c:grep -R "master_info_repository" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table' #10 Enterprise rules - id: 4519 @@ -303,7 +298,7 @@ checks: - cis: "6.5" condition: none rules: - - 'f:$mysql-cnfs -> !r:^# && r::audit_log_connection_policy\s*=\s*none' + - 'c:grep -R "audit_log_connection_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s*none|audit_log_connection_policy\s*=\s*NONE' - id: 4520 title: "Ensure audit_log_exclude_account is set to NULL" @@ -314,7 +309,7 @@ checks: - cis: "6.6" condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$' + - 'c:grep -R "audit_log_exclude_accounts" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$' - id: 4521 title: "Ensure audit_log_include_accounts is set to NULL" @@ -325,7 +320,7 @@ checks: - cis: "6.7" condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:audit_log_include_accounts\s*=\s* && r:null\s*$' + - 'c:grep -R "audit_log_include_accounts" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$' - id: 4522 title: "Ensure audit_log_policy is set to log logins and connections" 
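Review bot: `n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14` in the rewritten id 4517 rule requires exactly one whitespace character between the number and the end of the line, so the ordinary `validate_password_length=14` with no trailing blank does not match and the whole `condition: all` check fails; the sibling count rules in the same hunk use `\s*$`. Change it to `(\d+)\s*$ compare >= 14`. The same `\s$` is carried into PATCH 091's rewrite of this rule.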
@@ -334,9 +329,9 @@ checks: remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';" compliance: - cis: "6.9" - condition: any + condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:audit_log_policy=ALL' + - 'c:grep -R "audit_log_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy=ALL|audit_log_policy=LOGINS|audit_log_policy=all|audit_log_policy=logins' - id: 4523 title: "Ensure audit_log_statement_policy is set to ALL" @@ -347,7 +342,7 @@ checks: - cis: "6.10" condition: all rules: - - 'f:$mysql-cnfs -> r:audit_log_statement_policy\s*all$' + - 'c:grep -R "audit_log_statement_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*all$|audit_log_statement_policy\s*ALL$' - id: 4524 title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS" @@ -358,7 +353,7 @@ checks: - cis: "6.11" condition: all rules: - - 'f:$mysql-cnfs -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous' + - 'c:grep -R "audit_log_strategy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS' - id: 4525 title: "Make sure the audit plugin can't be unloaded" @@ -369,4 +364,4 @@ checks: - cis: "6.12" condition: all rules: - - 'f:$mysql-cnfs -> !r:^audit_log\s*=\s*force_plus_permanent' + - 'c:grep -R "force_plus_permanent" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT' From a26b601925cc22d14f03147625f5b432d527570a Mon Sep 17 00:00:00 2001 
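Review bot: In the rewritten id 4524 rule, `r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS` is a substring match, so the default `audit_log_strategy=ASYNCHRONOUS` — the value this check exists to reject — satisfies the `SYNCHRONOUS` alternative and the `condition: all` check passes. Tie each alternative to the separator and the end of the line, e.g. `r:audit_log_strategy\s*=\s*SEMISYNCHRONOUS\s*$|audit_log_strategy\s*=\s*SYNCHRONOUS\s*$|audit_log_strategy\s*=\s*semisynchronous\s*$|audit_log_strategy\s*=\s*synchronous\s*$`.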
From: Skeptor Date: Thu, 13 Jun 2019 15:18:44 +0200 Subject: [PATCH 091/247] Remove quotes from mySQL policy --- .../cis_mysql5-6_enterprise_rcl.yml | 58 +++++++++---------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index c4375a752..42711aeed 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -92,7 +92,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/load-data.html condition: any rules: - - 'c:grep -R "local_inside" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local_inside=0' + - 'c:grep -R local_inside /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local_inside=0' - id: 4505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" @@ -105,7 +105,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables condition: all rules: - - 'c:grep -R "skip-grant-tables" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false' + - 'c:grep -R skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false' - id: 4506 title: "Ensure '--skip-symbolic-links' Is Enabled" 
@@ -119,7 +119,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links condition: all rules: - - 'c:grep -R "skip_symbolic_links" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes' + - 'c:grep -R skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes' - id: 4507 title: "Ensure 'secure_file_priv' is not empty" @@ -132,7 +132,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv condition: all rules: - - 'c:grep -R "secure_file_priv" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv=\s*\S+\s*' + - 'c:grep -R secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv=\s*\S+\s*' - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" @@ -143,7 +143,7 @@ checks: - cis: "4.9" condition: all rules: - - 'c:grep -R "strict_all_tables" /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables' + - 'c:grep -R strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables' #6 Auditing and Logging - id: 4509 @@ -157,7 +157,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/error-log.html condition: all rules: - - 'c:grep -R "log_error" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*' + - 'c:grep -R log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*' - id: 4510 title: "Ensure Log Files are not Stored on a non-system partition" 
@@ -171,7 +171,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html condition: none rules: - - 'c:grep -R "log_bin" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' + - 'c:grep -R log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' - id: 4511 title: "Ensure 'log_warning' is set to 2" @@ -184,7 +184,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings condition: all rules: - - 'c:grep -R "log_warnings" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2' + - 'c:grep -R log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2' - id: 4512 title: "Ensure 'log_raw' is set to 'OFF'" @@ -198,7 +198,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw condition: all rules: - - 'c:grep -R "log-raw" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$' + - 'c:grep -R log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$' #7 Authentication - id: 4513 
@@ -215,8 +215,8 @@ checks: - https://www.cvedetails.com/cve/CVE-2003-1480/ condition: none rules: - - 'c:grep -R "old_passwords" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1' - - 'c:grep -R "old_passwords" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on' + - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1' + - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on' - id: 4514 title: "Ensure 'secure_auth' is set to 'ON'" @@ -229,7 +229,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth condition: all rules: - - 'c:grep -R "secure_auth" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on' + - 'c:grep -R secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on' - id: 4515 title: "Ensure Passwords Are Not Stored in the Global Configuration" @@ -242,7 +242,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html condition: none rules: - - 'c:grep -R "password" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*' + - 'c:grep -R password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*' - id: 4516 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'" 
@@ -253,7 +253,7 @@ checks: - cis: "7.4" condition: all rules: - - 'c:grep -R "no_auto_create_user" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$' + - 'c:grep -R no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$' - id: 4517 title: "Ensure Password Policy is in Place" 
@@ -266,13 +266,13 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html condition: all rules: - - 'c:grep -R "plugin-load" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$' - - 'c:grep -R "validate-password" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$' - - 'c:grep -R "validate_password_length" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14' - - 'c:grep -R "validate_password_mixed_case_count" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1' - - 'c:grep -R "validate_password_number_count" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1' - - 'c:grep -R "validate_password_special_char_count" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1' - - 'c:grep -R "validate_password_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*' + - 'c:grep -R plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$' + - 'c:grep -R validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$' + - 'c:grep -R validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d 
/etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14' + - 'c:grep -R validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1' + - 'c:grep -R validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1' + - 'c:grep -R validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1' + - 'c:grep -R validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*' #9 Replication - id: 4518 @@ -286,7 +286,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository condition: all rules: - - 'c:grep -R "master_info_repository" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table' + - 'c:grep -R master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table' #10 Enterprise rules - id: 4519 
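Review bot: In the 4517 hunk (which starts on L3762), `n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14` demands exactly one whitespace character between the number and the end of the line, so the usual `validate_password_length = 14` with no trailing blank never yields a capture and the whole `condition: all` check fails on a compliant host. The sibling rules in the same hunk use `\s*$`; `n:validate_password_length\s*=\s*(\d+)\s*$ compare >= 14` brings this one in line with them. The same `\s$` is introduced for the community policy in the hunk at L3771–L3772. The check's `id` and `title` lines lie outside the hunk.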
@@ -298,7 +298,7 @@ checks: - cis: "6.5" condition: none rules: - - 'c:grep -R "audit_log_connection_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s*none|audit_log_connection_policy\s*=\s*NONE' + - 'c:grep -R audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE' - id: 4520 title: "Ensure audit_log_exclude_account is set to NULL" @@ -309,7 +309,7 @@ checks: - cis: "6.6" condition: all rules: - - 'c:grep -R "audit_log_exclude_accounts" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$' + - 'c:grep -R audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$' - id: 4521 title: "Ensure audit_log_include_accounts is set to NULL" @@ -320,7 +320,7 @@ checks: - cis: "6.7" condition: all rules: - - 'c:grep -R "audit_log_include_accounts" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$' + - 'c:grep -R audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$' - id: 4522 title: "Ensure audit_log_policy is set to log logins and connections" 
@@ -331,7 +331,7 @@ checks: - cis: "6.9" condition: all rules: - - 'c:grep -R "audit_log_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy=ALL|audit_log_policy=LOGINS|audit_log_policy=all|audit_log_policy=logins' + - 'c:grep -R audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins' - id: 4523 title: "Ensure audit_log_statement_policy is set to ALL" @@ -342,7 +342,7 @@ checks: - cis: "6.10" condition: all rules: - - 'c:grep -R "audit_log_statement_policy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*all$|audit_log_statement_policy\s*ALL$' + - 'c:grep -R audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$' - id: 4524 title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS" @@ -353,7 +353,7 @@ checks: - cis: "6.11" condition: all rules: - - 'c:grep -R "audit_log_strategy" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS' + - 'c:grep -R audit_log_strategy /etc/mysql/my.cnf -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS' - id: 4525 title: "Make sure the audit plugin can't be unloaded" 
@@ -364,4 +364,4 @@ checks: - cis: "6.12" condition: all rules: - - 'c:grep -R "force_plus_permanent" /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT' + - 'c:grep -R force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT' From 3ffe186f4bd75287381fe2464f1093c32cb2658c Mon Sep 17 00:00:00 2001 From: Skeptor Date: Thu, 13 Jun 2019 15:45:19 +0200 Subject: [PATCH 092/247] Adapt mysql Community policy --- .../cis_mysql5-6_community_rcl.yml | 65 +++++++++---------- .../cis_mysql5-6_enterprise_rcl.yml | 8 +-- 2 files changed, 34 insertions(+), 39 deletions(-) diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml index 89a0f1fe4..59a5c14c5 100644 --- a/sca/applications/cis_mysql5-6_community_rcl.yml +++ b/sca/applications/cis_mysql5-6_community_rcl.yml @@ -25,11 +25,6 @@ requirements: rules: - 'd:/etc/mysql' -variables: - $home_dirs: /usr2/home/*,/home/*,/home,/*/home/*,/*/home,/ - $enviroment_files: /*/home/*/\.bashrc,/*/home/*/\.profile,/*/home/*/\.bash_profile,/home/*/\.bashrc,/home/*/\.profile,/home/*/\.bash_profile - $mysql-cnfs: /etc/mysql/my.cnf,/etc/mysql/mariadb.cnf,/etc/mysql/conf.d/*.cnf,/etc/mysql/mariadb.conf.d/*.cnf,~/.my.cnf - checks: #1 Operating System Level Configuration - id: 4500 @@ -44,7 +39,7 @@ checks: - https://bugs.mysql.com/bug.php?id=72158 condition: none rules: - - 'd:$home_dirs -> ^.mysql_history$' + - 'd:/home -> ^.mysql_history$' - id: 4501 title: "Disable Interactive Login" 
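Review bot: In the 4500 hunk of the community policy, `d:/home -> ^.mysql_history$` looks one level too high: `.mysql_history` is written into each user's home directory, so unless the `d:` check descends into subdirectories (I cannot confirm that from here) it finds nothing and the `condition: none` check passes unconditionally, and `/root` is no longer examined at all. The preceding hunk also deletes `$mysql-cnfs`, so `~/.my.cnf` drops out of the searched set and, as far as this diff shows, nothing inspects per-user option files any more, which is where the stored-password condition of check 4515 is most likely to occur. A command rule in the style of the 4502 hunk on L3767, `c:find /root /home -maxdepth 2 -type f -name .mysql_history -> r:mysql_history`, would cover both the user homes and root. The check's `id` and `title` lines lie outside the hunk.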
@@ -53,9 +48,9 @@ checks: remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'" compliance: - cis: "1.5" - condition: all + condition: none rules: - - 'f:/etc/passwd -> r:^mysql && r:\.*/bin/false$|/sbin/nologin$' + - 'c:getent passwd mysql -> r:^\s$' - id: 4502 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" @@ -68,7 +63,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html condition: none rules: - - 'f:$enviroment_files -> r:\.*MYSQL_PWD\.*' + - 'c:find /home -maxdepth 2 -type f -regex "/home/.*/\(\.bashrc\|\.profile\|.bash_profile\)" -exec grep MYSQL_PWD {} + -> r:MYSQL_PWD' #4 General - id: 4503 @@ -83,10 +78,10 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs condition: none rules: - - 'f:$mysql-cnfs -> r:allow-suspicious-udfs' + - 'c:my_print_defaults mysqld -> r:allow-suspicious-udfs' - id: 4504 - title: "Ensure 'local_infile is Disabled" + title: "Ensure 'local_infile' is Disabled" description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'." rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability." remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service." @@ -97,7 +92,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/load-data.html condition: all rules: - - 'f:$mysql-cnfs -> r:local-infile\s*=\*0$' + - 'c:grep -R local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0' - id: 4505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" 
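Review bot: The rewritten 4501 rule `c:getent passwd mysql -> r:^\s$` together with `condition: none` no longer verifies the shell: the regex only matches an output line consisting of a single whitespace character, which `getent` never prints, so the check passes whatever login shell the mysql account has, and also when the account does not exist. Keeping `condition: all` and matching the shell field of the passwd entry, `- 'c:getent passwd mysql -> r:^mysql: && r:/bin/false$|/sbin/nologin$'`, retains the intent of the removed `/etc/passwd` rule, assuming the engine applies both `&&` patterns to the same output line as the other rules in this file rely on. The check's `id`, `title` and `description` lines lie outside the hunk.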
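Review bot: The 4502 rule wraps its `-regex` argument in double quotes, while the rest of this series strips quotes from `c:` commands because they appear to be handed to the program literally (inferred from the "Remove quotes from grep" commits further down); if that is how these commands are run, the quotes become part of the regex, no path matches, and this `condition: none` check passes unconditionally. The pattern also leaves the dot in `.bash_profile` unescaped and, like the removed `$enviroment_files`, never looks under `/root`; an unquoted `-regex .*/\(\.bashrc\|\.profile\|\.bash_profile\)` with `/root` added to the start paths would address both, provided the runner's tokenizer passes `\(` and `\|` through intact. The check's `id` and `title` lines lie outside the hunk.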
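Review bot: The new 4504 rule `r:local-infile\s+=\s+0` requires at least one whitespace character on each side of `=`, but the remediation text in the preceding hunk tells the operator to add `local-infile=0`, which this regex rejects, so a host fixed exactly as instructed fails the check. `r:local-infile\s*=\s*0` accepts both spellings; the identical regex is introduced for the enterprise policy in the hunk at L3772 and needs the same change. The check's `id` and `title` lines lie outside the hunk.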
@@ -110,7 +105,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables condition: all rules: - - 'f:$mysql-cnfs -> r:skip-grant-tables\s*=\s*false' + - 'c:grep -R skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false' - id: 4506 title: "Ensure '--skip-symbolic-links' Is Enabled" @@ -124,7 +119,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links condition: all rules: - - 'f:$mysql-cnfs -> r:skip_symbolic_links\s*=\s*yes' + - 'c:grep -R skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes' - id: 4507 title: "Ensure 'secure_file_priv' is not empty" @@ -137,7 +132,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv condition: all rules: - - 'f:$mysql-cnfs -> !r:secure_file_priv=\s*\S+\s*' + - 'c:grep -R secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.' - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" @@ -148,7 +143,7 @@ checks: - cis: "4.9" condition: all rules: - - 'f:$mysql-cnfs -> r:strict_all_tables' + - 'c:grep -R strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables' #6 Auditing and Logging - id: 4509 @@ -162,7 +157,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/error-log.html condition: all rules: - - 'f:$mysql-cnfs -> !r:log_error\s*=\s*\S+\s*' + - 'c:grep -R log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*' - id: 4510 title: "Ensure Log Files are not Stored on a non-system partition" 
@@ -174,9 +169,9 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html - condition: all + condition: none rules: - - 'f:$mysql-cnfs -> r:log_bin\s*\t*.+\s*\t*$ && !r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' + - 'c:grep -R log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$' - id: 4511 title: "Ensure 'log_warning' is set to 2" @@ -189,7 +184,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:log_warnings\s*=\s*2' + - 'c:grep -R log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2' - id: 4512 title: "Ensure 'log_raw' is set to 'OFF'" @@ -203,7 +198,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw condition: all rules: - - 'f:$mysql-cnfs -> !r:^# && r:log-raw\s*off$' + - 'c:grep -R log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$' #7 Authentication - id: 4513 @@ -220,8 +215,8 @@ checks: - https://www.cvedetails.com/cve/CVE-2003-1480/ condition: none rules: - - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*1' - - 'f:$mysql-cnfs -> !r:^# && r:old_passwords\s*=\s*on' + - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1' + - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on' - id: 4514 title: "Ensure 'secure_auth' is set to 'ON'" 
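Review bot: The 4510 rule flips to `condition: none` but keeps path patterns such as `log_bin\s*\t*/+var/*\s*\t*$`, in which the trailing `*` binds only to the `/` before it, so only a bare `/var` or `/var/` is flagged and a real value like `log_bin = /var/log/mysql/mysql-bin.log` on the system partition passes unnoticed; there is also no `=` between `log_bin` and the path. In the 4512 hunk `r:log-raw\s*OFF$|log-raw\s*off$` likewise has no `=`, so `log-raw = OFF` never matches and that `condition: all` check fails on a compliant host; `r:log-raw\s*=\s* && r:OFF$|off$`, the form this series uses for 4523 in the enterprise policy at L3765, fixes it. I am reading `*` as the engine's single-character repeat; if it is treated as a full glob the 4510 point does not apply. The checks' `id` and `title` lines lie outside the hunks.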
@@ -234,7 +229,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth condition: all rules: - - 'f:$mysql-cnfs -> r:secure_auth\s*=\s*on' + - 'c:grep -R secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on' - id: 4515 title: "Ensure Passwords Are Not Stored in the Global Configuration" @@ -247,7 +242,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html condition: none rules: - - 'f:$mysql-cnfs -> !r:^# && r:^\s*password\.*' + - 'c:grep -R password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*' - id: 4516 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'" @@ -258,7 +253,7 @@ checks: - cis: "7.4" condition: all rules: - - 'f:$mysql-cnfs -> r:^# && r:\s*no_auto_create_user\s*$' + - 'c:grep -R no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$' - id: 4517 title: "Ensure Password Policy is in Place" 
@@ -269,15 +264,15 @@ checks: - cis: "7.6" references: - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html - condition: none + condition: all rules: - - 'f:$mysql-cnfs -> r:plugin-load\s*=\s*validate_password.so\s*$' - - 'f:$mysql-cnfs -> r:validate-password\s*=\s*force_plus_permanent\s*$' - - 'f:$mysql-cnfs -> r:validate_password_length\s*=\s*14\s$' - - 'f:$mysql-cnfs -> r:validate_password_mixed_case_count\s*=\s*1\s*$' - - 'f:$mysql-cnfs -> r:validate_password_number_count\s*=\s*1\s*$' - - 'f:$mysql-cnfs -> r:validate_password_special_char_count\s*=\s*1' - - 'f:$mysql-cnfs -> r:validate_password_policy\s*=\s*medium\s*' + - 'c:grep -R plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$' + - 'c:grep -R validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$' + - 'c:grep -R validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14' + - 'c:grep -R validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1' + - 'c:grep -R validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1' + - 'c:grep -R validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1' + - 'c:grep -R validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> 
r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*' #9 Replication - id: 4518 @@ -291,4 +286,4 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository condition: all rules: - - 'f:$mysql-cnfs -> r:master_info_repository\s*=\s*table' + - 'c:grep -R master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table' diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index 42711aeed..6e721dfde 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -90,9 +90,9 @@ checks: references: - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file - https://dev.mysql.com/doc/refman/5.6/en/load-data.html - condition: any + condition: all rules: - - 'c:grep -R local_inside /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local_inside=0' + - 'c:grep -R local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0' - id: 4505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" @@ -132,7 +132,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv condition: all rules: - - 'c:grep -R secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv=\s*\S+\s*' + - 'c:grep -R secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.' - id: 4508 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'" 
@@ -353,7 +353,7 @@ checks: - cis: "6.11" condition: all rules: - - 'c:grep -R audit_log_strategy /etc/mysql/my.cnf -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS' + - 'c:grep -R audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS' - id: 4525 title: "Make sure the audit plugin can't be unloaded" From 9f9aff7e1f39bd11f87a7c7ed8ec5ef88933d297 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Fri, 14 Jun 2019 11:15:09 +0200 Subject: [PATCH 093/247] Remove quotes from grep --- sca/sles/11/cis_sles11_linux_rcl.yml | 36 +++++++++++++------------- sca/sles/12/cis_sles12_linux_rcl.yml | 38 ++++++++++++++-------------- 2 files changed, 37 insertions(+), 37 deletions(-) diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index fd8d39f49..dc3d62098 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml @@ -231,7 +231,7 @@ checks: rules: - 'c:ulimit -H -c -> 0' - 'c:sysctl fs.suid_dumpable -> r:= 0$' - - 'c:grep -R -e"^\*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + - 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7017 @@ -244,7 +244,7 @@ checks: - cis_csc: "8.4" condition: all rules: - - 'c:grep -R "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$' + - 'c:grep -R kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$' - 'c:/sbin/sysctl kernel.randomize_va_space -> r:=\s*2$' ############################################### 
@@ -602,7 +602,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.ip_forward" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) @@ -617,8 +617,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*0$' @@ -637,8 +637,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*0$' 
@@ -654,8 +654,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*0$' @@ -671,8 +671,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*0$' @@ -687,8 +687,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - - 'c:grep -R "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*1$' 
@@ -704,7 +704,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) @@ -719,7 +719,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) @@ -734,8 +734,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - - 'c:grep -R "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*1$' @@ -751,7 +751,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -R "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' + - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*1$' ############################################### diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index dec284cdd..0f5592cb8 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml 
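Review bot: The unchanged context line beneath the new grep in the 3.2.5 hunk runs `c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts` (`icpm` for `icmp`), so sysctl reports an unknown key, the `=\s*1$` match never succeeds, and with `condition: all` the check cannot pass on any host. The commit does not touch that line, but since it rewrites the grep beside it, correcting it here to `c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*1$` would be cheap. The check's `id` and `title` lines lie outside the hunk.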
@@ -247,7 +247,7 @@ checks: rules: - 'c:sysctl fs.suid_dumpable -> r:\s0$' - 'c:ulimit -Hc -> 0' - - 'c:grep -R -e"^\*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + - 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7517 @@ -261,7 +261,7 @@ checks: condition: all rules: - 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$' - - 'c:grep -R -e"^\s*kernel\.randomize_va_space\s\+" /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$' + - 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$' ############################################### # 2 OS Services @@ -624,7 +624,7 @@ checks: condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:\s0$' - - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' + - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 7545 @@ -640,8 +640,8 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) 
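Review bot: The new grep rule in the 3.1.1 hunk (`@@ -624`), `r:^net.ipv4_forward\s*=\s*0$`, can never match: `grep -R` over two paths prefixes each output line with `path:`, which defeats the `^` anchor, and the key written in sysctl files is `net.ipv4.ip_forward`, not `net.ipv4_forward`, so with `condition: all` the check always fails. `c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$` fixes both. The `path:` prefix affects every `^net.ipv4...` grep rule rewritten in the hunks at L3777–L3781 and the Debian hunk at L3781, and the rp_filter hunk at L3780 additionally carries a stray `\s$*1$` that should read `\s*1$`. The checks' `id` and `title` lines lie outside the hunks.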
@@ -660,8 +660,8 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 7547 @@ -677,8 +677,8 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 7548 
@@ -694,8 +694,8 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' - - 'c:grep -R "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' - id: 7549 title: "Ensure suspicious packets are logged" @@ -710,8 +710,8 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' - - 'c:grep -R "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' - - 'c:grep -R "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 7550 
@@ -726,7 +726,7 @@ checks: condition: all rules: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' - - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' + - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7551 @@ -741,7 +741,7 @@ checks: condition: all rules: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' - - 'c:grep -R "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' + - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 7552 @@ -757,8 +757,8 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - - 'c:grep -R "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$' - - 'c:grep -R "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$' + - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 7553 
@@ -773,8 +773,8 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
-      - 'c:grep -R "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
-
+      - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+
 ###############################################
 # 5 System Access, Authentication and Authorization
 ###############################################

From d998860af6f950c7d92650e6f02dc5f9b9e201f1 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Fri, 14 Jun 2019 11:41:15 +0200
Subject: [PATCH 094/247] Remove quotes from grep and move -R parameter

---
 sca/debian/cis_debian_linux_rcl.yml | 14 ++++----
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 46 ++++++++++++------------
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 38 ++++++++++----------
 3 files changed, 49 insertions(+), 49 deletions(-)

diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml
index f8b1ea359..094af1fa9 100644
--- a/sca/debian/cis_debian_linux_rcl.yml
+++ b/sca/debian/cis_debian_linux_rcl.yml
@@ -383,7 +383,7 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
 
   - id: 5026
     title: "Ensure IPv6 forwarding is disabled"
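Review bot: The grep rule rewritten in `@@ -773,8 +773,8 @@` still anchors its result on `r:^net.tcp_syncookies\s*=\s*1$`, while the key it searches for — and the key `sysctl` prints on the context line above — is `net.ipv4.tcp_syncookies`; a correctly configured host therefore never satisfies this `condition: all` check. Both regexes should read `r:^net.ipv4.tcp_syncookies\s*=\s*1$`. The RHEL 7 hunk `@@ -879,7 +879,7 @@` in the following commit carries the identical mismatch.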
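Review bot: The added grep rule in `@@ -383,7 +383,7 @@` searches for `net\.ipv4\.ip_forward` but requires the matched line to look like `^net.ipv4_forward\s*=\s*0$`; no such key exists, so the rule never matches and the check fails on compliant hosts. The `c:sysctl` context line has the same key plus a misplaced `=` in `r:=^net.ipv4_forward`. Both should be `r:^net.ipv4.ip_forward\s*=\s*0$`. The RHEL 7 hunk `@@ -729,7 +729,7 @@` of this commit repeats the grep-side mismatch.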
@@ -396,7 +396,7 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
-      - 'c:grep "net\.ipv6\.ip_forward\.conf\.all\.forwarding" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
+      - 'c:grep -R net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
 
 # Section 3.2 - Network Parameters (Host and Router)
   - id: 5027
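Review bot: The new grep pattern `net\.ipv6\.ip_forward\.conf\.all\.forwarding` is not a sysctl key — the `c:sysctl` line directly above uses `net.ipv6.conf.all.forwarding` — and the result regex `^net.ipv6_forward.conf.all.forwarding` would not match that key either, so this rule can never pass and the `condition: all` check always fails. Suggested: `- 'c:grep -R net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'`, and the sysctl rule's regex should be `r:^net.ipv6.conf.all.forwarding\s*=\s*0$` (its `=` before `^` looks like a typo as well).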
@@ -411,12 +411,12 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
       - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
       - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
       - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
-      - 'c:grep "net\.ipv6\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
-      - 'c:grep "net\.ipv6\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -R net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -R net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
 
   - id: 5028
     title: "Ensure broadcast ICMP requests are ignored"
@@ -429,7 +429,7 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
-      - 'c:grep -R "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1'
+      - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1'
 
 # Section 5.2 - SSH Server Configuration
   - id: 5029
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index 204f8face..764a5fafb 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -101,7 +101,7 @@ checks:
     condition: all
     rules:
       - 'c:findmnt -> r:/var/tmp && r:[/tmp]'
-      - 'c:grep -e "^/tmp" /etc/fstab -> r:^/tmp && r:\s*/var/tmp\s*'
+      - 'c:grep ^/tmp /etc/fstab -> r:^/tmp && r:\s*/var/tmp\s*'
 
   - id: 10506
     title: "Ensure separate partition exists for /var/log"
@@ -237,7 +237,7 @@ checks:
     rules:
       - 'c:ulimit -H -c -> 0'
       - 'c:sysctl fs.suid_dumpable -> r:=\s*0$'
-      - 'c:grep -R -e"^\*\s\+hard\s\+core\s\+" /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+      - 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
 
   - id: 10517
     title: "Enable Randomized Virtual Memory Region Placement"
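Review bot: The rewritten grep rule in `@@ -429,7 +429,7 @@` ends its regex with `\s*=\s*1` and no `$`, unlike the `c:sysctl` line above it and every other sysctl rule in this file, so a value such as `10` or `12` would also satisfy it. Append the anchor: `r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$`.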
@@ -808,21 +808,21 @@ checks:
       - rsyslog.conf(5) man page
     condition: all
     rules:
-      - 'c:grep -R -e "^*.emerg\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^mail.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^mail.info\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^mail.warning\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^mail.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^news.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^news.err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^news.notice\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^*.=warning;*.=err\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^*.crit\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^*.*;mail.none;news.none\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^local0,local1.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^local2,local3.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^local4,local5.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
-      - 'c:grep -R -e "^local6,local7.*\s*\t*\s*\S" /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^*.emerg\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^mail.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^mail.info\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^mail.warning\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^mail.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^news.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^news.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^news.notice\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^*.=warning;*.=err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^*.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^*.*;mail.none;news.none\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^local0,local1.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^local2,local3.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^local4,local5.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+      - 'c:grep -R ^local6,local7.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
 
   - id: 10566
     title: "Configure rsyslog to Send Logs to a Remote Log Host"
@@ -848,8 +848,8 @@ checks:
       - rsyslog.conf(8) man page
     condition: all
     rules:
-      - 'c:grep -R -e "^\$ModLoad imtcp.so" /etc/rsyslog.conf,/etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so'
-      - 'c:grep -R -e "^\$InputTCPServerRun 514" /etc/rsyslog.conf,/etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514'
+      - 'c:grep -R ^\$ModLoad imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so'
+      - 'c:grep -R ^\$InputTCPServerRun 514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514'
 
   - id: 10568
     title: "Configure logrotate"
@@ -1131,7 +1131,7 @@ checks:
       - cis: "10.4"
     condition: all
     rules:
-      - 'c:grep -R -e "^umask 077" /etc/profile.d/'
+      - 'c:grep -R ^umask 077 /etc/profile.d/'
       - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077'
 
   - id: 10592
@@ -1171,9 +1171,9 @@ checks:
       - cis: "11.2"
     condition: none
     rules:
-      - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/issue'
-      - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/motd'
-      - 'c:grep -e "(\\v|\\r|\\m|\\s)" /etc/issue.net'
+      - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue'
+      - 'c:grep (\\v|\\r|\\m|\\s) /etc/motd'
+      - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue.net'
 
 # 13 Review User and Group Settings
   - id: 10595
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index ccd65c215..d98e2f370 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
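Review bot: With the quotes gone, the rules `^*.=warning;*.=err\s*\t*\s*\S` and `^*.*;mail.none;news.none\s*\t*\s*\S` in `@@ -808,21 +808,21 @@` now reach the command line bare; if the SCA executor hands `c:` commands to a shell, the `;` ends the grep invocation early and the `*` characters in these and several neighbouring patterns become filename globs, so the rules would stop testing what they tested before. I cannot tell from this page how commands are executed, so please confirm against the executor before merging; if a shell is involved, these patterns need their quoting back (a YAML single-quoted scalar can carry `"..."` unchanged).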
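Review bot: The patterns `^\$ModLoad imtcp.so` and `^\$InputTCPServerRun 514` in `@@ -848,8 +848,8 @@` contain a space, and with the quotes removed whatever follows the space becomes a separate argument, so grep receives `^\$ModLoad` as the pattern and `imtcp.so` (or `514`) as a file to search; the trailing `-> r:` filter still narrows the output, but grep now also errors on a nonexistent file. The `^umask 077` rule in `@@ -1131,7 +1131,7 @@` has the same split and no `->` filter, so it matches any `umask` line under `/etc/profile.d/` (for example `umask 022`) and the check passes on non-compliant hosts. Either keep quotes around these three patterns or express the space as a regex token so each pattern is a single word, e.g. `- 'c:grep -R ^umask\s077 /etc/profile.d/'`, matching the `\s` usage already present in this file.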
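Review bot: `(\\v|\\r|\\m|\\s)` in `@@ -1171,9 +1171,9 @@` is given to plain `grep`, whose basic regular expressions treat `(`, `|` and `)` as literal characters, so the rule searches for the literal text `(\v|\r|\m|\s)` and never flags a banner containing `\m` or `\s`; under `condition: none` the check therefore always passes. Use extended syntax, `- 'c:grep -E (\\v|\\r|\\m|\\s) /etc/issue'`, or the basic alternation `\\v\|\\r\|\\m\|\\s`, on all three lines. The removed lines had the same regex problem, and if the executor goes through a shell the bare parentheses are additionally a syntax error, so the quoting may need to stay.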
@@ -309,9 +309,9 @@ checks:
       - cis_csc: "13"
     condition: all
     rules:
-      - 'c:grep -e "*\s\+hard\s\+core\s\+" -R /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+      - 'c:grep -R *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
       - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
-      - 'c:grep "fs\.suid_dumpable" -R /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -R fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
   - id: 6519
@@ -324,7 +324,7 @@ checks:
       - cis_csc: "8.4"
     condition: all
     rules:
-      - 'c:grep -e "^\s*kernel\.randomize_va_space\s\+" -R /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$
+      - 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$
       - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 
 ###############################################
@@ -729,7 +729,7 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4_forward\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.ip_forward" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
 
 # 3.1.2 Disable Send Packet Redirects (Scored)
   - id: 6546
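Review bot: The rewritten limits.conf rule in `@@ -309,9 +309,9 @@` starts its pattern with a bare `*` (`grep -R *\s\+hard\s\+core\s\+ ...`), whereas the Debian file changed in this same commit anchors it as `^\*`; unanchored, it also matches commented-out or indented lines, and without quotes a leading `*` is exposed to filename globbing if the command is run through a shell. Aligning with the Debian form, `- 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'`, addresses both. The RHEL 6 check 6024 added in the next commit (`@@ -383,20 +380,23 @@`) copies the unanchored pattern.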
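Review bot: The added rule in `@@ -324,7 +324,7 @@`, `- 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$`, has no closing single quote, so the YAML scalar runs into the following line and the policy file fails to load; the removed line had the same omission, which this rewrite was the opportunity to fix. Terminate it: `... -> r:\s2$|\t2$'`. The same unterminated scalar is introduced into the RHEL 6 policy at `@@ -383,20 +380,23 @@` of the next commit.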
@@ -745,8 +745,8 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
       - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.all\.send_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.default\.send_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
 
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
@@ -765,8 +765,8 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
       - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.all\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.default\.accept_source_route" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
 
 # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
   - id: 6548
@@ -782,8 +782,8 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
       - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.all\.accept_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.default\.accept_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
 
 # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
   - id: 6549
@@ -799,8 +799,8 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
       - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.all\.secure_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
-      - 'c:grep "net\.ipv4\.conf\.default\.secure_redirects" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
 
 # 3.2.4 Log Suspicious Packets (Scored)
   - id: 6550
@@ -816,8 +816,8 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
       - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
-      - 'c:grep "net\.ipv4\.conf\.all\.log_martians" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
-      - 'c:grep "net\.ipv4\.conf\.default\.log_martians" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
 
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
   - id: 6551
@@ -832,7 +832,7 @@ checks:
     condition: all
     rules:$
       - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
-      - 'c:grep "net\.ipv4\.icmp_echo_ignore_broadcasts" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+      - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
 
 # 3.2.6 Enable Bad Error Message Protection (Scored)
   - id: 6552
@@ -847,7 +847,7 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
-      - 'c:grep "net\.ipv4\.icmp_ignore_bogus_error_responses" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+      - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 
 # 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
   - id: 6553
@@ -863,8 +863,8 @@ checks:
     rules:
       - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
       - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
-      - 'c:grep "net\.ipv4\.conf\.all\.rp_filter" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
-      - 'c:grep "net\.ipv4\.conf\.default\.rp_filter" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+      - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+      - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 
 # 3.2.8 Enable TCP SYN Cookies (Scored)
   - id: 6554
@@ -879,7 +879,7 @@ checks:
     condition: all
     rules:
       - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
-      - 'c:grep "net\.ipv4\.tcp_syncookies" -R /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+      - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
 
 ###############################################
 # 5 System Access, Authentication and Authorization

From 6a3729f96dab4bcaabfbbbabe0e051134d73f8e6 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Fri, 14 Jun 2019 16:03:06 +0200
Subject: [PATCH 095/247] Change RHEL6 policy to use commands

---
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 294 +++++++++++------------------
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 15 +-
 2 files changed, 111 insertions(+), 198 deletions(-)

diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 4cc6f03bf..8381c66f4 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -46,8 +46,7 @@ checks:
       - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
     condition: all
     rules:
-      - 'd:/tmp'
-      - 'f:/etc/fstab -> !r:^# && r:/tmp'
+      - 'c:mount -> r:\s/tmp\s'
 
 # 1.1.3 /tmp: nodev
   - id: 6001
@@ -60,8 +59,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'd:/tmp'
-      - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
+      - 'c:mount -> r:\s/tmp\s && r:nodev'
 
 # 1.1.4 /tmp: nosuid
   - id: 6002
@@ -74,7 +72,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid'
+      - 'c:mount -> r:\s/tmp\s && r:nosuid'
 
 # 1.1.5 /tmp: noexec
   - id: 6003
@@ -88,7 +86,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec'
+      - 'c:mount -> r:\s/tmp\s && r:noexec'
 
 # 1.1.6 Build considerations - Partition scheme.
   - id: 6004
@@ -102,10 +100,9 @@ checks:
       - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
     condition: all
     rules:
-      - 'd:/var'
-      - 'f:/etc/fstab -> !r:^# && r:/var'
+      - 'c:mount -> r:\s/var\s'
+
-# 1.1.7 bind mount /var/tmp to /tmp
   - id: 6005
     title: "Ensure separate partition exists for /var/tmp"
     description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
@@ -115,7 +112,7 @@ checks:
       - cis: "1.1.7"
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'
+      - 'c:mount -> r:\s/var/tmp\s'
 
 # 1.1.11 /var/log: partition
   - id: 6006
@@ -130,7 +127,7 @@ checks:
       - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/var/log'
+      - 'c:mount -> r:\s/var/log\s'
 
 # 1.1.12 /var/log/audit: partition
   - id: 6007
@@ -145,7 +142,7 @@ checks:
       - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/var/log/audit'
+      - 'c:mount -> r:\s/var/log/audit\s'
 
 # 1.1.13 /home: partition
   - id: 6008
@@ -225,7 +222,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
+      - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 
 # 1.1.16 /dev/shm: nosuid
   - id: 6014
@@ -238,7 +235,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
+      - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 
 # 1.1.17 /dev/shm: noexec
   - id: 6015
@@ -252,7 +249,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
+      - 'c:mount -> r:\s/dev/shm\s && r:noexec'
 
 ###############################################
 # 1.4 Configure SELinux
@@ -269,7 +266,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: none
     rules:
-      - 'f:/etc/grub.conf -> r:selinux=0'
+      - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
 
 # 1.6.1.2 Set selinux state
   - id: 6017
@@ -283,9 +280,9 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/selinux/config -> r:SELINUX=enforcing'
+      - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
 
-# 1.6.1.3 Set seliux policy
+# 1.6.1.3 Set selinux policy
   - id: 6018
     title: "Ensure SELinux policy is configured"
     description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
@@ -296,7 +293,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted'
+      - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
 
 # 1.6.1.4 Remove SETroubleshoot
   - id: 6019
@@ -307,9 +304,9 @@ checks:
     compliance:
       - cis: "1.6.1.4"
       - pci_dss: "2.2.4"
-    condition: none
+    condition: all
     rules:
-      - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$'
+      - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$'
 
 # 1.6.1.5 Disable MCS Translation service mcstrans
   - id: 6020
@@ -320,9 +317,9 @@ checks:
     compliance:
       - cis: "1.6.1.5"
       - pci_dss: "2.2.4"
-    condition: none
+    condition: all
     rules:
-      - 'd:$rc_dirs -> ^S\d\dmctrans$'
+      - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$'
 
 ###############################################
 # 1.4 Secure Boot Settings
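Review bot: The new `condition: all` rule in `@@ -307,9 +304,9 @@` matches rpm's literal message `^package setroubleshoot is not installed$`; rpm marks that text for translation, so an agent running under a non-English locale would print a localized message and the check would fail even though the package is absent. Check 6028 in `@@ -449,11 +448,11 @@` of this commit uses a locale-independent form — `condition: none` with `c:rpm -qa ypbind -> r:\.` — and the same shape, `- 'c:rpm -qa setroubleshoot -> r:\.'` under `condition: none`, would serve here and for the mcstrans rule in `@@ -320,9 +317,9 @@`.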
@@ -339,7 +336,7 @@ checks:
       - pci_dss: "2.2.4"
     condition: all
     rules:
-      - 'f:/boot/grub/menu.lst -> !r:^# && r:password'
+      - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
 
 # 1.4.3 Require Authentication for Single-User Mode (Scored)
   - id: 6022
@@ -351,13 +348,13 @@ checks:
       - cis: "1.4.3"
       - cis_csc: "5.1"
       - pci_dss: "2.2.4"
-    condition: none
+    condition: all
     rules:
-      - 'f:/etc/inittab -> !r:^# && r:S:wait'
+      - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin'
 
 # 1.4.4 Disable Interactive Boot (Scored)
   - id: 6023
-    title: "Ensure interactive boot is disabled"
+    title: "Ensure interactive boot is not enabled"
     description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
     rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
     remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
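Review bot: The rewritten rule in `@@ -339,7 +336,7 @@` reads `/boot/grub/grub.cfg`, which is the GRUB 2 file name; RHEL 6 ships GRUB Legacy, whose configuration is `/boot/grub/grub.conf` (the `menu.lst` the removed line read is a symlink to it), so under `condition: all` this check would fail on every RHEL 6 host whether or not a boot password is set — please verify against a RHEL 6 image before merging. `password --md5` is also only one accepted form; `password --encrypted` is the other. Suggested: `- 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5|password --encrypted'`.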
@@ -383,20 +380,23 @@ checks:
       - cis_csc: "13"
     condition: all
     rules:
-      - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0'
+      - 'c:grep -R *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+      - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+      - 'c:grep -R fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
   - id: 6025
     title: "Ensure address space layout randomization (ASLR) is enabled"
     description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
     rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
-    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+    remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
     compliance:
       - cis: "1.5.3"
       - cis_csc: "8.4"
     condition: all
     rules:
-      - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
+      - 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$
+      - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 
 ###############################################
 # 2 OS Services
@@ -406,7 +406,7 @@ checks:
 ###############################################
 # 2.1.8 Remove telnet-server (Scored)
   - id: 6026
-    title: "Ensure telnet server is disabled"
+    title: "Ensure telnet server is not enabled"
     description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
     rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
     remediation: "Run the following command to disable telnet: # chkconfig telnet off"
@@ -417,11 +417,11 @@ checks:
       - nist_800_53: "CM.1"
     condition: none
     rules:
-      - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no'
+      - 'c:chkconfig --list -> r:telnet-server && r::on'
 
 # 2.1.6 Remove rsh-server (Scored)
   - id: 6027
-    title: "Ensure rsh server is disabled"
+    title: "Ensure rsh server is not enabled"
     description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
     rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
     remediation: "Disable rsh, rlogin, and rexec."
@@ -432,9 +432,8 @@ checks:
       - nist_800_53: "CM.1"
     condition: none
     rules:
-      - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no'
-      - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no'
-      - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no'
+      - 'c:chkconfig --list -> r:rsh|rlogin|rsh && r::on'
+
 # 2.3.1 Remove NIS Client (Scored)
   - id: 6028
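Review bot: The rule added in `@@ -417,11 +417,11 @@` looks for `telnet-server` in `chkconfig --list` output, but that is the package name; the xinetd-managed service is listed as `telnet` (the remediation text two hunks up runs `chkconfig telnet off`). In addition, `chkconfig --list` prints xinetd services as `telnet:` followed by whitespace and then `on`/`off`, so `r::on` — which fits the SysV `3:on` columns — is unlikely to match them; a pattern tolerant of that whitespace, e.g. `r:telnet:\s*\t*on`, would, if the xinetd output format is as I recall. The same `r::on` assumption is made for the xinetd services in `@@ -432,9 +432,8 @@`, `@@ -479,7 +478,7 @@` and `@@ -494,23 +493,11 @@`.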
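Review bot: The alternation in the rule added in `@@ -432,9 +432,8 @@`, `r:rsh|rlogin|rsh`, repeats `rsh` and omits `rexec`, the third service named by the check's own remediation text ("Disable rsh, rlogin, and rexec."), so `rexec` goes untested. Suggested: `- 'c:chkconfig --list -> r:rsh|rlogin|rexec && r::on'`.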
@@ -449,11 +448,11 @@ checks:
       - nist_800_53: "CM.1"
     condition: none
     rules:
-      - 'd:$rc_dirs -> ^S\d\dypbind$'
+      - 'c:rpm -qa ypbind -> r:\.'
 
 # 2.2.16 Remove NIS Server (Scored)
   - id: 6029
-    title: "Ensure NIS Server is disabled"
+    title: "Ensure NIS Server is not enabled"
     description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
     rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
     remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
@@ -464,11 +463,11 @@ checks:
       - nist_800_53: "CM.1"
     condition: none
     rules:
-      - 'd:$rc_dirs -> ^S\d\dypserv$'
+      - 'c:chkconfig --list -> r:ypserv && r::on'
 
 # 2.1.9 Remove tftp-server (Scored)
   - id: 6030
-    title: "Ensure tftp server is disabled"
+    title: "Ensure tftp server is not enabled"
     description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
     rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
     remediation: "Run the following command to disable tftp: # chkconfig tftp off"
@@ -479,7 +478,7 @@ checks:
       - nist_800_53: "CM.1"
     condition: none
     rules:
-      - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no'
+      - 'c:chkconfig --list-> r:tftp && r::on'
 
 # 2.1.7 Remove talk-server (Scored)
   - id: 6031
@@ -494,23 +493,11 @@ checks:
       - nist_800_53: "CM.1"
     condition: none
     rules:
-      - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no'
+      - 'c:chkconfig --list -> r:talk && r::on'
 
 ###############################################
 # 2 Special Purpose Services
 ###############################################
-# 3.1 Set Daemon umask (Scored)
-  - id: 6032
-    title: "Set Daemon umask"
-    description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
-    rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
-    remediation: "Add the following line to the /etc/sysconfig/init file.umask 027"
-    compliance:
-      - cis: "3.1"
-      - pci_dss: "2.2.2"
-    condition: all
-    rules:
-      - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027'
 
 # 2.2.2 Remove X Windows (Scored)
   - id: 6033
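Review bot: The rule added in `@@ -479,7 +478,7 @@`, `'c:chkconfig --list-> r:tftp && r::on'`, lacks the space before `->` that every other rule in this file uses; if the rule parser keys on the ` -> ` separator, the whole string is treated as the command and the `tftp` / `:on` conditions are never applied. Write it as `- 'c:chkconfig --list -> r:tftp && r::on'`.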
@@ -524,11 +511,11 @@ checks:
       - pci_dss: "2.2.2"
     condition: none
     rules:
-      - 'f:/etc/inittab -> !r:^# && r:id:5'
+      - 'c:rpm -qa xorg-x11* -> r:\.'
 
 # 2.2.3 Disable Avahi Server (Scored)
   - id: 6034
-    title: "Ensure Avahi Server is disabled"
+    title: "Ensure Avahi Server is not enabled"
     description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
     rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
     remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
@@ -538,11 +525,11 @@ checks:
       - pci_dss: "2.2.2"
     condition: none
     rules:
-      - 'p:avahi-daemon'
+      - 'c:chkconfig --list -> r:avahi-daemon && r::on'
 
 # 2.2.7 Disable NFS and RPC (Not Scored)
   - id: 6035
-    title: "Ensure NFS and RPC are disabled"
+    title: "Ensure NFS and RPC are not enabled"
     description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
     rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
     remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off"
@@ -552,12 +539,11 @@ checks:
       - pci_dss: "2.2.2"
     condition: none
     rules:
-      - 'd:$rc_dirs -> ^S\d\dnfs$'
-      - 'd:$rc_dirs -> ^S\d\dnfslock$'
+      - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
 
 # 2.2.9 Remove FTP Server (Not Scored)
   - id: 6036
-    title: "Ensure FTP Server is disabled"
+    title: "Ensure FTP Server is not enabled"
     description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
     rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
     remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
@@ -567,11 +553,11 @@ checks:
       - pci_dss: "2.2.2"
     condition: none
     rules:
-      - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
+      - 'c:chkconfig --list -> r:vsftpd && r::on'
 
-# 2.2.10 Remove HTTP Server (Not Scored)
+# 2.2.10 Remove HTTP Server (Scored)
   - id: 6037
-    title: "Ensure HTTP server is disabled"
+    title: "Ensure HTTP server is not enabled"
     description: "HTTP or web servers provide the ability to host web site content."
     rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
     remediation: "Run the following command to disable httpd: # chkconfig httpd off"
@@ -580,24 +566,11 @@ checks:
       - cis_csc: "9.1"
     condition: none
     rules:
-      - 'd:$rc_dirs -> ^S\d\dhttpd$'
+      - 'c:chkconfig --list -> r:httpd && r::on'
 
-# 2.2.11 Remove Dovecot (IMAP and POP3 services) (Not Scored)
+# 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored)
   - id: 6038
-    title: "Ensure IMAP and POP3 server is disabled"
-    description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
-    rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
-    remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
-    compliance:
-      - cis: "2.2.11"
-      - cis_csc: "9.1"
-      - pci_dss: "2.2.2"
-    condition: none
-    rules:
-      - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
-
-  - id: 6039
-    title: "Ensure IMAP and POP3 server is disabled"
+    title: "Ensure IMAP and POP3 server is not enabled"
     description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
     rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
     remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
@@ -607,11 +580,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no' + - 'c:chkconfig --list -> r:dovecot && r::on' -# 2.2.12 Remove Samba (Not Scored) +# 2.2.12 Remove Samba (Scored) - id: 6040 - title: "Ensure Samba is disabled" + title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb: # chkconfig smb off" @@ -621,13 +594,12 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsamba$' - - 'd:$rc_dirs -> ^S\d\dsmb$' + - 'c:chkconfig --list -> r:smb && r::on' -# 2.2.13 Remove HTTP Proxy Server (Not Scored) +# 2.2.13 Remove HTTP Proxy Server (Scored) - id: 6041 - title: "Ensure HTTP Proxy Server is disabled" - description: "Squid is a standard proxy server used in many environments." + title: "Ensure HTTP Proxy Server is not enabled" + description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid : # chkconfig squid off" compliance: 
@@ -636,11 +608,11 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsquid$' + - 'c:chkconfig --list -> r:squid && r::on' -# 2.2.14 Remove SNMP Server (Not Scored) +# 2.2.14 Remove SNMP Server (Scored) - id: 6042 - title: "Ensure SNMP Server is disabled" + title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." remediation: "Run the following command to disable snmpd: # chkconfig snmpd off" @@ -650,7 +622,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'd:$rc_dirs -> ^S\d\dsnmpd$' + - 'c:chkconfig --list -> r:snmpd && r::on' ############################################### # 3 Network Configuration and Firewalls @@ -660,7 +632,7 @@ checks: ############################################### # 3.1.1 Disable IP Forwarding (Scored) - id: 6043 - title: "Ensure IPv4 forwarding is disabled" + title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" 
@@ -670,20 +642,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/ip_forward -> 0' - - - id: 6044 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag is used to tell the system whether it can forward packets or not." - rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.forwarding = 0 and run # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv6.route.flush=1" - compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:/proc/sys/net/ipv6/ip_forward -> 0' + - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4_forward\s*=\s*0$' + - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 6045 @@ -697,8 +657,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) 
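Review bot: Both new rules for check 6043 use the pattern `^net.ipv4_forward\s*=\s*0$`, which cannot match the key `sysctl net.ipv4.ip_forward` actually prints (`net.ipv4.ip_forward = 0`), so under `condition: all` this check fails on every host; the intended pattern on both lines is `r:^net.ipv4.ip_forward\s*=\s*0$`. Separately, `grep -R` over two paths prefixes every hit with its file name (`/etc/sysctl.conf:net.ipv4.ip_forward = 0`), so a `^`-anchored pattern never matches that output either; `c:grep -Rh ...` (or dropping the `^`) is needed, and this applies to every grep rule added in this hunk and in the hunks on the next three lines (send_redirects, accept_source_route, accept_redirects, secure_redirects, log_martians, icmp_echo_ignore_broadcasts, icmp_ignore_bogus_error_responses, rp_filter, tcp_syncookies). The IPv6 forwarding check 6044 is dropped rather than repaired (its old path /proc/sys/net/ipv6/ip_forward was not a valid sysctl node; the removed remediation text names the correct key, net.ipv6.conf.all.forwarding), so CIS 3.1.1 is now only verified for IPv4 even though the preceding hunk renamed 6043 to the generic "Ensure IP forwarding is disabled".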
@@ -715,7 +677,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - id: 6047 @@ -729,8 +694,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - id: 6048 
@@ -744,8 +711,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0' - - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0' + - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' # 3.2.4 Log Suspicious Packets (Scored) - id: 6049 @@ -759,8 +728,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/log_martians -> 1' + - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - id: 6050 @@ -774,7 +745,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1' + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' + - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 6051 
@@ -787,7 +759,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1' + - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' + - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - id: 6052 @@ -800,8 +773,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1' - - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1' + - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' + - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' + - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$' + - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - id: 6053 @@ -815,7 +790,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1' + - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$' + - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$' ############################################### # 5 System Access, Authentication and Authorization @@ -837,7 +813,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1' + - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - id: 6055 @@ -853,7 +829,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO' + - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - id: 6056 
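Review bot: The rp_filter grep rule in the second hunk on this line carries a stray `$` inside the pattern (`\s*=\s$*1$`), which breaks the match so check 6052 cannot pass; it should read `r:^net.ipv4.conf.all.rp_filter\s*=\s*1$` like its sibling. In the tcp_syncookies hunk both rules match `^net.tcp_syncookies`, a key that does not exist (`sysctl net.ipv4.tcp_syncookies` prints `net.ipv4.tcp_syncookies = 1`), so check 6053 can never pass either; the fix is `r:^net.ipv4.tcp_syncookies\s*=\s*1$` on both lines. Given three independent typos in anchored patterns across these hunks, a quick run of the policy against a host with the hardened values applied would have caught all of them.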
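Review bot: The new rule for check 6054, `!r:^# && r:Protocol\s*\t*2`, also accepts `Protocol 2,1`, which keeps protocol 1 enabled and is exactly the state the check exists to flag, whereas the removed numeric compare rejected it. Anchoring the value, `- 'f:$sshd_file -> !r:^# && r:^\s*Protocol\s+2\s*$'`, restricts the match to protocol 2 alone. `\s*\t*` is redundant because `\s` already covers tabs; the same applies to the LogLevel rule in the last hunk on this line.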
@@ -867,7 +843,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - id: 6057 @@ -881,9 +857,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no' + - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - id: 6058 @@ -897,9 +873,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes' + - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no' # 5.2.8 Disable SSH Root Login (Scored) - id: 6059 @@ -915,7 +891,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no' + - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - id: 6060 @@ -929,9 +905,9 @@ checks: - pci_dss: "4.1" - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - nist_800_53: "SC.8" - condition: none + condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no' ############################################### # 6 System Maintenance 
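Review bot: Only the MaxAuthTries rule anchors the directive with `^`; the IgnoreRhosts, HostbasedAuthentication, PermitRootLogin and PermitEmptyPasswords rules in the following hunks match the keyword anywhere on a line, and `!r:^#` only excludes comments that start in column 0, so an indented commented-out line such as `  #PermitRootLogin no` satisfies both halves of the rule and, with the new `condition: all`, passes the check while the effective setting stays permissive. Anchoring each one the way 6056 does, e.g. `- 'f:$sshd_file -> !r:^# && r:^\s*PermitRootLogin\s+no'`, closes that gap and also removes the redundant `\t*` (already covered by `\s`). Because these four checks now require the directive to be present (a missing line fails `all`), it is worth stating that in each description so the failure is understood as "not explicitly configured" rather than "set to the wrong value".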
@@ -954,59 +930,3 @@ checks: condition: none rules: - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' - -# Other/Legacy Tests - - id: 6062 - title: "Account with empty password present" - compliance: - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" - condition: none - rules: - - 'f:/etc/shadow -> r:^\w+::' - - - id: 6063 - title: "User-mounted removable partition allowed on the console" - condition: none - rules: - - 'f:/etc/security/console.perms -> r:^ \d+ ' - - 'f:/etc/security/console.perms -> r:^ \d+ ' - - - id: 6064 - title: "Disable standard boot services - Kudzu hardware detection Enabled" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dkudzu$' - - - id: 6065 - title: "Disable standard boot services - PostgreSQL server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dpostgresql$' - - - id: 6066 - title: "Disable standard boot services - MySQL server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dmysqld$' - - - id: 6067 - title: "Disable standard boot services - DNS server Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnamed$' - - - id: 6068 - title: "Disable standard boot services - NetFS Enabled" - compliance: - - pci_dss: "2.2.2" - condition: none - rules: - - 'd:$rc_dirs -> ^S\d\dnetfs$' diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index d98e2f370..b389e0b1e 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -57,9 +57,8 @@ checks: compliance: - cis: "1.1.3" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' # 1.1.4 /tmp: nosuid @@ -73,7 +72,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nosuid' # 1.1.5 /tmp: noexec 
@@ -88,7 +86,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:noexec' # 1.1.6 Build considerations - Partition scheme. @@ -170,9 +167,8 @@ checks: compliance: - cis: "1.1.14" - pci_dss: "2.2.4" - condition: any + condition: all rules: - - 'not c:mount -> r:\s/home\s' - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.15 /dev/shm: nodev @@ -186,7 +182,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/dev/shm\s' - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid @@ -200,7 +195,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/dev/shm\s' - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec @@ -215,7 +209,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/dev/shm\s' - 'c:mount -> r:\s/dev/shm\s && r:noexec' ############################################### @@ -830,7 +823,7 @@ checks: - cis_csc: "3, 11" - pci_dss: "2.2.4" condition: all - rules:$ + rules: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' @@ -1017,4 +1010,4 @@ checks: - nist_800_53: "IA.10, AC.7" condition: none rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' \ No newline at end of file + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' From 79ff3542ebd67b867c1528c37d07927c22a044f5 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Fri, 14 Jun 2019 16:22:59 +0200 Subject: [PATCH 096/247] Review Windows 2012 R2 policies --- sca/windows/cis_win2012r2_domainL1_rcl.yml | 101 +++++++++++++++++++-- 1 file changed, 95 insertions(+), 6 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index e20cbde84..399da9595 100644 
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml @@ -39,6 +39,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60' @@ -54,6 +55,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3' @@ -67,6 +69,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' @@ -78,7 +81,9 @@ checks: compliance: - cis: "2.3.2.1" - cis_csc: "6.2" + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' @@ -92,6 +97,7 @@ checks: - cis_csc: "6" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' 
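Review bot: Every hunk in this file adds a bare key-existence rule (`r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters`) in front of the existing `-> ValueName` and `-> ValueName -> value` rules under `condition: all`. If a `-> ValueName` rule already evaluates false when the key is absent, the new line adds no coverage and only lengthens the rule set; if the intent is to have a missing policy key reported as a distinct failed rule, a comment on the first check saying so, such as `# key-existence rule listed first so an absent policy key is reported explicitly`, would make that purpose clear to the next editor. The `condition: all` added to the 2.3.2.1 check in the fourth hunk is the one substantive fix on this line (that check previously had no condition at all) and is easy to miss among the mechanical additions.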
@@ -105,6 +111,7 @@ checks: - cis_csc: "5.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' @@ -118,6 +125,7 @@ checks: - cis_csc: "5.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' @@ -131,8 +139,9 @@ checks: - cis_csc: "5.1" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl -> 0' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0' - id: 8008 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" @@ -146,6 +155,7 @@ checks: - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2' 
@@ -159,6 +169,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0' @@ -172,6 +183,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' @@ -185,6 +197,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' @@ -198,6 +211,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' @@ -211,6 +225,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' 
@@ -224,6 +239,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' @@ -237,6 +253,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' @@ -250,6 +267,7 @@ checks: - cis_csc: "8" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' @@ -263,6 +281,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs' - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' @@ -277,6 +296,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' 
@@ -290,6 +310,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' @@ -303,6 +324,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' @@ -316,6 +338,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' @@ -329,8 +352,9 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 1' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - id: 8023 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" 
@@ -342,6 +366,7 @@ checks: - cis_csc: "3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' @@ -356,6 +381,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' @@ -369,6 +395,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' @@ -382,6 +409,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' @@ -395,6 +423,7 @@ checks: - cis_csc: "14, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' 
@@ -408,6 +437,7 @@ checks: - cis_csc: "14.1, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc|netlogon|samr' @@ -419,8 +449,9 @@ checks: compliance: - cis: "2.3.10.7" - cis_csc: "14, 16" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' 
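Review bot: Switching the AllowedExactPaths check to `condition: all` makes the retained regex rule the deciding one, and that rule is an alternation (`r:System\\CurrentControlSet\\Control\\ProductOptions|...|Software\\Microsoft\\Windows NT\\CurrentVersion`) that is satisfied when any single one of the three paths is present in the REG_MULTI_SZ value; the benchmark text quoted in the title expects the listed paths, so a value containing only one of them would still pass. If the engine evaluates each multi-string entry as a separate line, one rule per path, e.g. `- 'r:...\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions'` and likewise for the other two, expresses the requirement under `all`. The same pattern applies to the AllowedPaths check in the next hunk.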
@@ -434,6 +465,7 @@ checks: - cis_csc: "14, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' @@ -447,6 +479,7 @@ checks: - cis_csc: "14, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' @@ -460,6 +493,7 @@ checks: - cis_csc: "14, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$' - id: 8033 
@@ -472,6 +506,7 @@ checks: - cis_csc: "14, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' @@ -485,6 +520,7 @@ checks: - cis_csc: "14, 16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' @@ -498,6 +534,7 @@ checks: - cis_csc: "14" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' @@ -511,6 +548,7 @@ checks: - cis_csc: "16.9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' @@ -524,6 +562,7 @@ checks: - cis_csc: "16.14" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' @@ -537,6 +576,7 @@ checks: - cis_csc: "16.14" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' 
@@ -550,6 +590,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
@@ -563,6 +604,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
@@ -576,6 +618,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
 - id: 8042
@@ -588,6 +631,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
@@ -603,6 +647,7 @@ checks:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
@@ -616,6 +661,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
@@ -628,6 +674,7 @@ checks:
 - cis: "2.3.15.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
@@ -641,6 +688,7 @@ checks:
 - cis_csc: "14.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
@@ -654,6 +702,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
@@ -667,6 +716,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
@@ -680,6 +730,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
@@ -693,6 +744,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
@@ -706,6 +758,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
@@ -719,6 +772,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
@@ -732,6 +786,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0'
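Review bot: The key-existence rule added in the EnableInstallerDetection hunk (@@ -706,6 +758,7) copies the `\MACHINE\` segment from the two lines below it, so all three rules now query `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, a path none of the sibling UAC checks on this line (ConsentPromptBehaviorAdmin, EnableSecureUIAPaths, EnableLUA) use; `MACHINE\` looks like a security-template prefix that leaked into a registry path. With `condition: all`, a key that never resolves fails the check on every host regardless of the real setting, which is the worst kind of compliance false negative because it looks like a hardening gap rather than a broken rule. Drop the segment on all three lines so they read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`, `- '... -> EnableInstallerDetection'`, `- '... -> EnableInstallerDetection -> 1'`. The check's id and title are outside this hunk.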
@@ -745,6 +800,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
@@ -757,6 +813,7 @@ checks:
 - cis: "2.3.17.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
@@ -771,6 +828,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
@@ -784,6 +842,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
@@ -797,6 +856,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
@@ -807,8 +867,9 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: "9.1.4"
- condition: any
+ condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
@@ -822,6 +883,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
@@ -835,6 +897,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -848,6 +911,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
@@ -861,6 +925,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -875,6 +940,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
@@ -888,6 +954,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
@@ -901,6 +968,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
@@ -913,6 +981,7 @@ checks:
 - cis: "9.2.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
@@ -926,6 +995,8 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
 - id: 8069
@@ -938,6 +1009,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -951,6 +1023,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
@@ -964,6 +1037,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -978,6 +1052,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
@@ -991,6 +1066,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
@@ -1004,6 +1080,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
@@ -1016,6 +1093,7 @@ checks:
 - cis: "9.3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0'
@@ -1030,6 +1108,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
@@ -1043,6 +1122,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
@@ -1056,6 +1136,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
@@ -1069,6 +1150,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -1082,6 +1164,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
@@ -1095,6 +1178,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -1108,6 +1192,7 @@ checks:
 - cis: "18.1.1.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
@@ -1120,6 +1205,7 @@ checks:
 - cis: "18.1.1.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
@@ -1138,6 +1224,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
@@ -1155,6 +1242,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
@@ -1170,6 +1258,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
@@ -1637,7 +1726,7 @@ checks:
 compliance:
 - cis: "18.9.26.4.2"
 - cis_csc: "6.3"
- condition: any
+ condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
From cd33d95f221f9e32dad6d2cc973e92a7b0c27217 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Mon, 17 Jun 2019 12:04:26 +0200
Subject: [PATCH 097/247] Review Win2012R2 Domain L1 policies
---
 sca/windows/cis_win2012r2_domainL1_rcl.yml | 155 ++++++++++++++-------
 1 file changed, 104 insertions(+), 51 deletions(-)
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index 399da9595..2ffa517d5 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -35,7 +35,7 @@ checks:
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
 compliance:
- - cis: "1.1.2"
+ - cis: "1.1.2"0
 - cis_csc: "16.5"
 condition: all
 rules:
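Review bot: The replacement line `- cis: "1.1.2"0` leaves a stray `0` after the closing double quote, which is not valid YAML (a quoted scalar cannot be followed by further content on the same line), so the loader will reject the whole policy file and every check in it, not just this maximum-password-age check; the removed line was already correct. Restore `- cis: "1.1.2"`. A `yamllint` or `yaml.safe_load` pass over `sca/**/*.yml` in CI would have caught this before merge and is cheap insurance for a corpus of hand-edited policies this size.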
@@ -620,7 +620,8 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'
+
 - id: 8042
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
@@ -788,7 +789,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
 - id: 8054
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
@@ -885,7 +886,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
 - id: 8061
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
@@ -997,7 +998,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
 - id: 8069
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
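Review bot: The new LogFilePath patterns in both hunks on this line (`r:%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log` and its privatefw.log twin) put single backslashes inside an `r:` value match, whereas every other `r:` value match in this file doubles them (`Software\\Microsoft\\Windows NT\\...` in the AllowedPaths check) and the lines being removed themselves wrote `\\system32`; the same file also relies on the matcher's own escapes (`\d`, `\p`, `\s`), of which `\S` is one, so `\System32` will most likely be read as the `\S` escape followed by `ystem32` rather than as a literal backslash, and the check then never passes. The old pattern additionally escaped `%` and `.` as `\p`, so whether those match literally in this engine should be confirmed rather than assumed. Suggested: `r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log` (and the same for privatefw.log), validated against an agent that actually has the policy applied, or keep the `\p`-escaped form and only change the casing if that was the motivation.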
@@ -1138,7 +1139,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
 - id: 8079
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
@@ -1274,6 +1275,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
@@ -1289,6 +1291,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
@@ -1304,6 +1307,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
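Review bot: The PublicProfile LogFilePath hunk (@@ -1138,7 +1139,7) rewrites the value match as `r:%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log` with single backslashes, while every other `r:` value match in this file doubles them (`Software\\Microsoft\\Windows NT\\...`) and the removed line used `\\system32`; given that `\S`, `\d` and `\p` are matcher escapes used elsewhere in the file, `\System32` is likely parsed as `\S` + `ystem32` and the check silently never passes. Suggested line: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'`, after confirming on a real agent that `%` and `.` match literally (the old pattern escaped both as `\p`).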
@@ -1319,6 +1323,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
@@ -1334,6 +1339,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
@@ -1349,6 +1355,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
@@ -1363,8 +1370,9 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
 - id: 8094
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
@@ -1376,6 +1384,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
@@ -1389,6 +1398,7 @@ checks:
 - cis_csc: "12"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
@@ -1403,6 +1413,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
@@ -1416,6 +1427,7 @@ checks:
 - cis_csc: "8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
@@ -1429,6 +1441,7 @@ checks:
 - cis_csc: "3.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
@@ -1442,6 +1455,7 @@ checks:
 - cis_csc: "3.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
@@ -1455,6 +1469,7 @@ checks:
 - cis_csc: "3.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
@@ -1468,6 +1483,7 @@ checks:
 - cis_csc: "5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
@@ -1481,6 +1497,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
@@ -1494,6 +1511,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
@@ -1507,6 +1525,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
@@ -1520,6 +1539,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 - id: 8106
@@ -1532,6 +1552,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
@@ -1545,6 +1566,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
@@ -1559,6 +1581,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
@@ -1572,6 +1595,7 @@ checks:
 - cis_csc: "8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
@@ -1585,6 +1609,7 @@ checks:
 - cis_csc: "8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
@@ -1598,6 +1623,7 @@ checks:
 - cis_csc: "8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255'
@@ -1611,6 +1637,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
@@ -1624,6 +1651,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
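Review bot: In the `@@ -1598,6 +1623,7 @@` hunk on this line, the two value rules that follow the newly added key rule are written `...Policies\Explorer-> NoDriveTypeAutoRun` with no space before `->`, unlike every other rule in these hunks; if the rule parser splits on ` -> ` as the other rules suggest, the name is never separated from the key and the `NoDriveTypeAutoRun -> 255` test is never evaluated, so the check can only fail. Since the commit already touches this rules list, the two lines should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'`. The other hunks on this line use the same added-key pattern and are consistent.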
@@ -1637,6 +1665,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
@@ -1650,6 +1679,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
@@ -1663,6 +1693,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
@@ -1676,6 +1707,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
@@ -1689,6 +1721,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
@@ -1702,6 +1735,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
@@ -1715,6 +1749,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
@@ -1728,6 +1763,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
@@ -1741,6 +1777,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
@@ -1754,6 +1791,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
@@ -1767,36 +1805,25 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 - id: 8125
- title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
- description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
- rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
+ title: "Ensure 'Prevent the usage of SkyDrive for file storage' is set to 'Enabled'"
+ description: "This policy setting lets you prevent apps and features from working with files on SkyDrive. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to SkyDrive cloud service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
 compliance:
 - cis: "18.9.52.1"
 - cis_csc: "13"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSync'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSync -> 1'
- - id: 8126
- title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
- description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
- rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default.
It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version." - compliance: - - cis: "18.9.52.2" - - cis_csc: "13" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1' - - - id: 8127 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." 
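Review bot: The rewritten check 8125 in the `@@ -1767,36 +1805,25 @@` hunk (which starts two lines above) now tests `OneDrive -> DisableFileSync` while keeping `cis: "18.9.52.1"` and a remediation that still names the OneDrive GP path and explains the OneDrive rename, so the SkyDrive title and description, the compliance tag, the remediation and the rule no longer describe a single control. The removed lines tie 18.9.52.1 to `OneDrive -> DisableFileSyncNGSC` and 18.9.52.2 to `Skydrive -> DisableFileSync`; if that mapping is right, a host hardened per 18.9.52.1 now fails this check, and the legacy-client control that 8126 covered is no longer checked at all. Either keep both checks with their original registry values, or, if one check is intended, make the title, remediation, `cis` tag and rule agree and say in the description which client and registry key it covers.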
@@ -1806,10 +1833,11 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- - id: 8128
+ - id: 8127
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
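Review bot: Renumbering `- id: 8128` to `- id: 8127` here, and every later id down by one in the hunks that follow (`@@ -1819` through `@@ -2091`), changes what a check id means: stored SCA results and any alert rules keyed on an id recorded before this commit (8128 was drive redirection) will afterwards point at a different control (8128 becomes the password prompt). Deleting 8126 does not require a contiguous sequence; leaving 8126 unused, with a short `#` comment noting it was retired, keeps old and new results comparable. The last of those hunks (`@@ -2091,10 +2140,11 @@`) continues past the end of this chunk.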
@@ -1819,9 +1847,10 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
- - id: 8129
+ - id: 8128
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -1831,10 +1860,11 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- - id: 8130
+ - id: 8129
 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
 description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
@@ -1844,10 +1874,11 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
- - id: 8131
+ - id: 8130
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -1857,10 +1888,11 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- - id: 8132
+ - id: 8131
 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
 description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
@@ -1870,10 +1902,11 @@ checks:
 - cis_csc: "14.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
- - id: 8133
+ - id: 8132
 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
 description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
@@ -1883,10 +1916,11 @@ checks:
 - cis_csc: "14.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
- - id: 8134
+ - id: 8133
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
@@ -1896,10 +1930,11 @@ checks:
 - cis_csc: "7.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
- - id: 8135
+ - id: 8134
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
@@ -1909,10 +1944,11 @@ checks:
 - cis_csc: "13.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
- - id: 8136
+ - id: 8135
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
@@ -1922,10 +1958,11 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
- - id: 8137
+ - id: 8136
 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
 description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
@@ -1935,10 +1972,11 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
- - id: 8138
+ - id: 8137
 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
 description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
@@ -1948,10 +1986,11 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
- - id: 8139
+ - id: 8138
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
@@ -1961,10 +2000,11 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
- - id: 8140
+ - id: 8139
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
@@ -1974,10 +2014,11 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- - id: 8141
+ - id: 8140
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
@@ -1987,10 +2028,11 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
- - id: 8142
+ - id: 8141
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
@@ -2000,10 +2042,11 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
- - id: 8143
+ - id: 8142
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
@@ -2013,10 +2056,11 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
- - id: 8144
+ - id: 8143
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2026,10 +2070,11 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
- - id: 8145
+ - id: 8144
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2039,10 +2084,11 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
- - id: 8146
+ - id: 8145
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2052,10 +2098,11 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
- - id: 8147
+ - id: 8146
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2065,10 +2112,11 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
- - id: 8148
+ - id: 8147
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2078,10 +2126,11 @@ checks: - cis_csc: "16.13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' - - id: 8149 + - id: 8148 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." 
@@ -2091,10 +2140,11 @@ checks: - cis_csc: "16.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' - - id: 8150 + - id: 8149 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. 
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." @@ -2104,10 +2154,11 @@ checks: - cis_csc: "4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - - id: 8151 + - id: 8150 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
@@ -2117,10 +2168,11 @@ checks: - cis_csc: "4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' - - id: 8152 + - id: 8151 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." @@ -2130,5 +2182,6 @@ checks: - cis_csc: "4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0' From 21c7dae38529526e88a136e5cc85e7f54b7c2756 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Mon, 17 Jun 2019 12:38:53 +0200 Subject: [PATCH 098/247] Review Win2012R2 Domain L2 policies --- sca/windows/cis_win2012r2_domainL2_rcl.yml | 50 ++++++++++++++++++++-- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml index 0b6336ef1..3bfb7b81e 100644 --- a/sca/windows/cis_win2012r2_domainL2_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml @@ -39,6 +39,7 @@ checks: - cis_csc: "16.14" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' @@ -55,8 +56,9 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000' - id: 8502 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" @@ -70,6 +72,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' 
@@ -85,6 +88,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' @@ -100,6 +104,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' @@ -114,6 +119,7 @@ checks: - cis_csc: "9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet' @@ -133,6 +139,7 @@ checks: - cis_csc: "9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet' @@ -152,6 +159,7 @@ checks: - cis_csc: "9.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' 
@@ -165,8 +173,9 @@ checks: - cis_csc: "9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255' - id: 8509 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" @@ -178,6 +187,7 @@ checks: - cis_csc: "15.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar' @@ -199,6 +209,7 @@ checks: - cis_csc: "15.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' @@ -213,6 +224,7 @@ checks: - cis_csc: "2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' 
@@ -226,6 +238,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' @@ -239,6 +252,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' @@ -252,6 +266,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' @@ -265,6 +280,7 @@ checks: - cis_csc: "7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' @@ -278,6 +294,7 @@ checks: - cis_csc: "13.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' 
@@ -290,6 +307,7 @@ checks: - cis: "18.8.22.1.7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' @@ -303,6 +321,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' @@ -316,6 +335,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' @@ -329,6 +349,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' @@ -342,6 +363,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' 
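Review bot: The key-existence rule added in the `@@ -290,6 +307,7 @@` hunk copies a registry path that is missing the `SOFTWARE\` component — `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control` — while every other policy rule on this page sits under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`, and the CIS 18.8.22.1.7 setting is stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control`. With `condition: all`, all three rules of this check look up a key that does not exist, so the check fails regardless of how the host is configured. I would correct the path in the new line and in the two context lines it was copied from: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'`, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'`. The check's id and title lines are outside the hunk.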
@@ -355,6 +377,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' @@ -368,6 +391,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' @@ -381,6 +405,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' @@ -394,6 +419,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' @@ -407,6 +433,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' 
@@ -420,6 +447,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' @@ -433,6 +461,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' @@ -446,6 +475,7 @@ checks: - cis_csc: "13" condition: any rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' @@ -459,6 +489,7 @@ checks: - cis_csc: "6.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' @@ -473,6 +504,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' 
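Review bot: In the `@@ -446,6 +475,7 @@` hunk the new key-existence rule is added to a check that uses `condition: any`, so the check now passes whenever `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo` exists, even with `DisabledByGroupPolicy` set to 0; the pre-existing `-> DisabledByGroupPolicy` rule already had this effect for any value. The sibling checks in these hunks use `condition: all`, which is what the three-rule key/value/expected-value pattern needs, so the line should read `condition: all`. The `NoConnectedUser` hunk (`@@ -55,6 +56,7 @@`) in cis_win2012r2_memberL1_rcl.yml further down the page has the same `condition: any` with the same three-rule shape and needs the same change. The check's id and title are outside the hunk.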
@@ -485,6 +517,7 @@ checks: - cis: "18.9.58.3.2.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1' @@ -498,6 +531,7 @@ checks: - cis_csc: "9.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' @@ -511,6 +545,7 @@ checks: - cis_csc: "9.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' @@ -524,6 +559,7 @@ checks: - cis_csc: "9.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' 
@@ -539,8 +575,9 @@ checks: - https://workbench.cisecurity.org/benchmarks/766 condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - id: 8537 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" @@ -552,6 +589,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' @@ -565,6 +603,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3' @@ -577,6 +616,7 @@ checks: - cis: "18.9.65.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' 
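Review bot: The rewritten comparison `n:^(\d+) compare <= 900000` in the `@@ -539,8 +575,9 @@` hunk accepts a `MaxIdleTime` of 0, which for this setting means the idle limit is switched off ("Never"); as I recall, the CIS recommendation is 15 minutes or less but not Never, so a host with no idle limit at all passes this check. The `MaximumPasswordAge` check later on the page pairs its `compare <= 60` with a `not ... -> 0` rule, and the same guard fits here: `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'`. The check's id and title are outside the hunk.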
@@ -589,6 +629,7 @@ checks: - cis: "18.9.76.3.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' @@ -603,6 +644,7 @@ checks: - cis_csc: "7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' @@ -616,6 +658,7 @@ checks: - cis_csc: "3.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' @@ -629,6 +672,7 @@ checks: - cis_csc: "3.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' From 112351750cb6dccad5ebf56f3e0dfd8d4d1e4610 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 17 Jun 2019 13:49:22 +0200 Subject: [PATCH 099/247] Fix typo --- sca/windows/cis_win2012r2_domainL1_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index 2ffa517d5..d66f0bd19 100644 --- a/sca/windows/cis_win2012r2_domainL1_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml 
@@ -35,7 +35,7 @@ checks: rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." compliance: - - cis: "1.1.2"0 + - cis: "1.1.2" - cis_csc: "16.5" condition: all rules: From 10bd04707ccb540c28539e9d6cce9f986fb84f59 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 17 Jun 2019 16:27:36 +0200 Subject: [PATCH 100/247] Fix Debian rule with ' --- sca/debian/cis_debian_linux_rcl.yml | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index 094af1fa9..b6bbd17c0 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml @@ -166,7 +166,7 @@ checks: rules: - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\'\'' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.*' # Section 2 - Filesystem Configuration - Debian 7 - id: 5010 
@@ -239,20 +239,7 @@ checks: - 'c:systemctl is-enabled vsftpd -> r:disabled' - id: 5015 - title: "Ensure IMAP and POP3 server is not enabled (IMAP)" - description: "exim is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." - remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" - compliance: - - cis_csc: "9.2" - - cis: "2.2.11" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:dpkg -s exim4 -> install ok installed' - - - id: 5016 - title: "Ensure IMAP and POP3 server is not enabled (POP3)" + title: "Ensure IMAP and POP3 server is not enabled" description: "exim is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" From f01f59490a672c29b583af809e6cae30a0539b55 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 17 Jun 2019 16:31:36 +0200 Subject: [PATCH 101/247] Fix typo --- sca/debian/cis_debian_linux_rcl.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml index b6bbd17c0..94990c377 100644 --- a/sca/debian/cis_debian_linux_rcl.yml +++ b/sca/debian/cis_debian_linux_rcl.yml @@ -166,7 +166,7 @@ checks: rules: - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.*' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' # Section 2 - Filesystem Configuration - Debian 7 - id: 5010 
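Review bot: The consolidated title in the `@@ -239,20 +239,7 @@` hunk says IMAP/POP3, but the retained description and remediation still name exim4, which is a mail transfer agent rather than an IMAP/POP3 server; if the surviving check's rules (outside the hunk) still test `dpkg -s exim4` as the deleted 5016 copy did, the check flags hosts that run exim4 for local delivery and never looks at an actual IMAP/POP3 daemon. As far as I recall, the Debian benchmark's 2.2.11 audits dovecot and covers the MTA under a separate local-only-mode recommendation, so the description, remediation and rule should be re-pointed at the IMAP/POP3 package rather than exim4 — worth confirming against the benchmark text before changing.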
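Review bot: `r:^banner-message-text=\.+` in the `@@ -166,7 +166,7 @@` hunk still matches a banner that is configured but empty: in this rule dialect `\.` appears to be the any-character wildcard (the `\.*` → `\.+` change only makes sense that way), and the two quote characters of `banner-message-text=''` already satisfy `\.+`, so an empty banner line passes. Requiring at least one character between the quotes closes that gap; because the rule is a single-quoted YAML scalar, the embedded quotes are written as `''` rather than the `\'` form that broke the earlier version: `- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=''\.+'''`. The check's id, title and condition are outside the hunk.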
From 4fd48cf1f3e47db0d6356d8aa862e088d2d98cf2 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 17 Jun 2019 16:55:17 +0200 Subject: [PATCH 102/247] First review for Win2012 R2 Member L1 policies --- sca/windows/cis_win2012r2_domainL1_rcl.yml | 2 +- sca/windows/cis_win2012r2_memberL1_rcl.yml | 132 +++++++++++++++++++-- 2 files changed, 122 insertions(+), 12 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index d66f0bd19..a5aa23cb9 100644 --- a/sca/windows/cis_win2012r2_domainL1_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml @@ -23,7 +23,7 @@ policy: requirements: title: "Check that the Windows platform is Windows Server 2012 R2" description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows Server 2012 R2" - condition: "any required" + condition: "any" rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml index 3bb4ecfff..6a4263375 100644 --- a/sca/windows/cis_win2012r2_memberL1_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml @@ -23,7 +23,7 @@ policy: requirements: title: "Check that the Windows platform is Windows Server 2012 R2" description: "Requirements for running the CIS benchmark Member Server L1 under Windows Server 2012 R2" - condition: "any required" + condition: "any" rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' 
@@ -40,6 +40,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60' @@ -55,6 +56,7 @@ checks: - cis_csc: "16" condition: any rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3' @@ -68,6 +70,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' @@ -81,6 +84,7 @@ checks: - cis_csc: "6.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' @@ -95,6 +99,7 @@ checks: - cis_csc: "6" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' 
@@ -121,6 +126,7 @@ checks: - cis_csc: "5.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' @@ -134,6 +140,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' @@ -147,6 +154,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' @@ -160,6 +168,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' @@ -173,6 +182,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' 
@@ -186,6 +196,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
@@ -199,6 +210,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
@@ -212,6 +224,7 @@ checks:
 - cis_csc: "8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
@@ -253,6 +266,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
@@ -266,8 +280,9 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> !0'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^(1|2|3)$'
 - id: 9018
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
@@ -279,6 +294,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
@@ -292,6 +308,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
@@ -305,6 +322,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
@@ -318,6 +336,7 @@ checks:
 - cis_csc: "3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
@@ -332,6 +351,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
@@ -345,6 +365,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
@@ -358,6 +379,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
@@ -373,8 +395,9 @@ checks:
 - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> !0'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:(\d+) compare >= 1'
 - id: 9026
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
@@ -386,6 +409,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
@@ -399,6 +423,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
@@ -412,6 +437,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
@@ -425,6 +451,7 @@ checks:
 - cis_csc: "14.1, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*'
@@ -438,6 +465,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
@@ -451,6 +479,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
@@ -464,6 +493,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
@@ -477,8 +507,9 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:None'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$'
 - id: 9034
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
@@ -490,6 +521,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
@@ -503,6 +535,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
@@ -516,6 +549,7 @@ checks:
 - cis_csc: "14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
@@ -529,6 +563,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
@@ -542,6 +577,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
@@ -555,6 +591,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
@@ -568,6 +605,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
@@ -581,6 +619,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
 - id: 9042
@@ -593,8 +632,9 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(/d+) compare >= 1'
 - id: 9043
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
@@ -606,6 +646,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
@@ -621,6 +662,7 @@ checks:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
@@ -634,6 +676,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
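Review bot: The rewritten value rule in the `@@ -593,8 +632,9 @@` hunk, `LDAPClientIntegrity -> n:(/d+) compare >= 1`, has `/d+` where `\d+` is clearly intended; as written the capture only matches a literal slash followed by one or more `d` characters, which a DWORD value never yields, so the numeric comparison never runs and the check fails on a compliant host (LDAPClientIntegrity = 1 or 2). Change the line to `'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'`, using the anchored `n:^(\d+)` form the MaximumPasswordAge and AutoDisconnect rules in this policy already use. The check's id and title sit above the hunk, outside the visible lines.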
@@ -646,6 +689,7 @@ checks:
 - cis: "2.3.15.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
@@ -659,6 +703,7 @@ checks:
 - cis_csc: "14.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
@@ -672,6 +717,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
@@ -685,6 +731,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
@@ -698,8 +745,9 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$|^5$'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$'
 - id: 9051
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
@@ -711,8 +759,9 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
 - id: 9052
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
@@ -724,6 +773,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
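Review bot: The key-existence rule added in the `@@ -724,6 +773,7 @@` hunk copies the path `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, and the extra `MACHINE\` segment (which looks like a leftover from the secedit-style `MACHINE\Software\...` notation) means no such subkey exists under HKLM; under `condition: all` every rule for EnableInstallerDetection then fails no matter how the policy is set, so check 9052 can never pass. Drop the segment in all three rules so they read `'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'` (and the same prefix for the key and value-exists rules), which is the path the two ConsentPromptBehavior hunks above already use. The check's closing lines continue past the end of the hunk.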
@@ -737,6 +787,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
@@ -750,6 +801,7 @@ checks:
 - cis_csc: "5.1"
 condition: any
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
@@ -763,6 +815,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
@@ -775,6 +828,7 @@ checks:
 - cis: "2.3.17.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
@@ -789,6 +843,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
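Review bot: In the `@@ -750,6 +801,7 @@` hunk the added rule `r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System` is evaluated under `condition: any`, so the EnableLUA check passes whenever that always-present key exists and the `EnableLUA -> 1` rule is never required; a host with UAC switched off (EnableLUA = 0) is reported compliant, which defeats the purpose of this and the several UAC checks that depend on it. The pre-existing `-> EnableLUA` value-exists rule already weakened the check under `any`; the new line makes it unconditional. Change this block to `condition: all`, as the four neighbouring UAC hunks on this line are written. The check's id and title are above the hunk, outside the visible lines.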
@@ -802,6 +857,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
@@ -815,6 +871,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
@@ -827,8 +884,9 @@ checks:
 - cis: "9.1.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
 - id: 9061
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
@@ -840,6 +898,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog'
@@ -853,6 +912,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -866,6 +926,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
@@ -879,6 +940,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -893,6 +955,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
@@ -906,6 +969,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
@@ -919,6 +983,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
@@ -931,6 +996,7 @@ checks:
 - cis: "9.2.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
@@ -944,6 +1010,8 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog'
@@ -957,6 +1025,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -970,6 +1039,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
@@ -983,6 +1053,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -997,6 +1068,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
@@ -1010,6 +1082,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
@@ -1023,6 +1096,7 @@ checks:
 - cis_csc: "9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
@@ -1035,6 +1109,7 @@ checks:
 - cis: "9.3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
@@ -1048,6 +1123,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1'
@@ -1061,6 +1137,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
@@ -1074,6 +1151,8 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog'
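Review bot: The key-existence rule added in the `@@ -1048,6 +1123,7 @@` hunk leaves the value rule `AllowLocalPolicyMerge -> 1` unchanged, and for the Public profile that is the opposite of the CIS recommendation this policy tracks elsewhere (9.3.5 "Apply local firewall rules" = No, i.e. AllowLocalPolicyMerge = 0); the same applies to `AllowLocalIPsecPolicyMerge -> 1` in the following hunk (9.3.6). The check titles are above the hunks and not visible here, so if they say 'No' these need the same value flip this commit applies to DisableNotifications and ConsentPromptBehaviorUser: `... -> AllowLocalPolicyMerge -> 0` and `... -> AllowLocalIPsecPolicyMerge -> 0`. As written a Public-profile host that lets locally created rules merge in is reported compliant.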
@@ -1087,6 +1166,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -1100,6 +1180,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
@@ -1113,6 +1194,7 @@ checks:
 - cis_csc: "6.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -1126,6 +1208,7 @@ checks:
 - cis: "18.1.1.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
@@ -1138,6 +1221,7 @@ checks:
 - cis: "18.1.1.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
@@ -1152,6 +1236,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
 - id: 9086
@@ -1164,6 +1249,7 @@ checks:
 - cis_csc: "16.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
@@ -1177,6 +1263,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
@@ -1190,6 +1277,7 @@ checks:
 - cis_csc: "5.7"
 condition: any
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
@@ -1203,6 +1291,7 @@ checks:
 - cis_csc: "5.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
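Review bot: In the `@@ -1190,6 +1277,7 @@` hunk the added rule `r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd` runs under `condition: any`, so the LAPS password-complexity check passes as soon as the AdmPwd policy key exists, and the `PasswordComplexity -> 4` rule is never required; a deployment that leaves complexity at a weaker level is reported compliant. The other four AdmPwd hunks on this line use `condition: all`, and that is what this block needs too so that key, value and value-equals-4 are all required. The check's id and title are above the hunk, outside the visible lines.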
@@ -1216,6 +1305,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
@@ -1234,8 +1324,9 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
 condition: aLL
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
 - id: 9092
 title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
@@ -1251,6 +1342,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/
 condition: any
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
@@ -1268,6 +1360,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: any
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
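Review bot: The key-existence rule added in the `@@ -1234,8 +1324,9 @@` hunk is evaluated under `condition: aLL`, a mixed-case value that appears nowhere else in this diff; whether the SCA parser lower-cases condition values before comparing is not visible here, and if it does not, the whole LocalAccountTokenFilterPolicy check is rejected or mis-evaluated. Since this commit already edits the rules of that block, normalising the context line to `condition: all` here would be cheap. The new `-> 0` value is consistent with the "Apply UAC restrictions to local accounts on network logons" baseline the referenced blog post describes, assuming that is the title above the hunk.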
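Review bot: In the `@@ -1251,6 +1342,7 @@` hunk (check 9092, WDigest) the added rule `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` is evaluated under `condition: any`; that key is present on every Windows install, so the check now passes unconditionally and `UseLogonCredential -> 0` is never required. This is the setting that keeps cleartext credentials out of LSASS memory, so a host with UseLogonCredential = 1 being reported compliant is a meaningful false negative. Change the block to `condition: all`; note also that on a Windows 8.1+ or KB2871997-patched host the value may be absent entirely (which is the secure default), so a `not ... -> UseLogonCredential -> 1` rule would be a more faithful test than requiring the value to exist and be 0.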
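Review bot: In the `@@ -1268,6 +1360,7 @@` hunk the added rule `r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` sits under `condition: any`, and the Winlogon key always exists, so the AutoAdminLogon check passes regardless of whether `AutoAdminLogon -> 0` holds; a machine configured for automatic logon (AutoAdminLogon = 1, typically with DefaultPassword stored alongside it) is reported compliant. Change the block to `condition: all`, as the Tcpip/NetBT MSS hunks that follow on the next line are written. The check's id and title are above the hunk, outside the visible lines.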
@@ -1283,6 +1376,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' @@ -1298,6 +1392,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2' @@ -1313,6 +1408,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0' @@ -1328,6 +1424,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1' 
@@ -1343,6 +1440,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1' @@ -1358,6 +1456,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5' @@ -1373,6 +1472,7 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90' @@ -1387,8 +1487,9 @@ checks: - cis_csc: "5.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0' - id: 9102 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" 
@@ -1400,6 +1501,7 @@ checks: - cis_csc: "5.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1' @@ -1413,6 +1515,7 @@ checks: - cis_csc: "12" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1' @@ -1427,6 +1530,7 @@ checks: - cis_csc: "16.14" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0' @@ -1440,6 +1544,7 @@ checks: - cis_csc: "8" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3' @@ -1453,6 +1558,7 @@ checks: - cis_csc: "3.7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' 
@@ -1466,6 +1572,7 @@ checks: - cis_csc: "3.7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0' @@ -1477,8 +1584,9 @@ checks: compliance: - cis: "18.8.21.4" - cis_csc: "3.7" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' @@ -1492,6 +1600,7 @@ checks: - cis_csc: "5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' @@ -1505,6 +1614,7 @@ checks: - cis_csc: "16.9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' From db1758b986705b89703801922c0feb9ac1464ddb Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 18 Jun 2019 09:30:35 +0200 Subject: [PATCH 103/247] Adapt Apache policy --- sca/applications/cis_apache2224_rcl.yml | 117 ++++++++++-------------- 1 file changed, 48 insertions(+), 69 deletions(-) diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224_rcl.yml index b7ba5c83e..b8d4c57a2 100644 
--- a/sca/applications/cis_apache2224_rcl.yml +++ b/sca/applications/cis_apache2224_rcl.yml @@ -22,17 +22,26 @@ policy: requirements: title: "Check that Apache is installed on the system" description: "Requirements for running the SCA scan against the Apache policy." - condition: all + condition: any rules: - 'f:/etc/apache2/apache2.conf' + - 'f:/etc/httpd/conf/httpd.conf' + +# In case your installation is located in: /etc/apache2 use this block of variables +# variables: +# $main-conf: /etc/apache2/apache2.conf +# $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled +# $ssl-confs: /etc/apache2/mods-enabled/ssl.conf +# $request-confs: /etc/apache2/mods-enabled/reqtimeout.conf +# $traceen: /etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf + variables: - $main-conf: /etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf - $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled,/etc/httpd/conf.d,/etc/httpd/modsecurity.d - $ssl-confs: /etc/apache2/mods-enabled/ssl.conf,/etc/httpd/conf.d/ssl.conf - $mods-en: /etc/apache2/mods-enabled - $request-confs: /etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf - $traceen: /etc/apache2/apache2.conf,/etc/httpd/conf/httpd.conf,/etc/apache2/conf-enabled/security.conf + $main-conf: /etc/httpd/conf/httpd.conf + $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d + $ssl-confs: /etc/httpd/conf.d/ssl.conf + $request-confs: /etc/httpd/conf/httpd.conf + $traceen: /etc/httpd/conf/httpd.conf #2.3 Disable WebDAV Modules checks: @@ -49,10 +58,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_dav.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sdav' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sdav' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sdav' - - 'd:$mods-en -> dav.load' + - 'c:httpd -M -> r:dav_\s*_module' #2.4 Disable Status Module - id: 3501 
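Review bot: The requirements block now accepts `/etc/apache2/apache2.conf` under `condition: any`, but every active variable below points only at `/etc/httpd/...`, so on a Debian/Ubuntu host the policy is declared applicable and each `f:`/`d:` rule then scans files that do not exist, producing misleading results. Either drop the apache2.conf requirement line to match the RHEL-only variables, or keep the commented Debian block and say explicitly that it must be swapped in. A comment above `requirements:` would make the scope clear: `# This policy targets RHEL/CentOS httpd paths; for Debian/Ubuntu use the commented variables block below.`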
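Review bot: In the WebDAV hunk (@@ -49,10 +58,7 @@) the pattern `r:dav_\s*_module` requires two underscores with only optional whitespace between them, so it does not match `httpd -M` output such as `dav_module` or `dav_fs_module`; with `condition: none` the check therefore always passes. Use `- 'c:httpd -M -> r:dav_module|dav_fs_module|dav_lock_module'`, or simply `r:dav_` as the proxy check in this commit does. Note also that `httpd -M` exists only on RHEL-family hosts, which is consistent with the RHEL-only variables but should be stated in the check description.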
@@ -68,10 +74,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_status.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sstatus' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sstatus' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sstatus' - - 'd:$mods-en -> status.load' + - 'c:httpd -M -> r:status_module' #2.5 Disable Autoindex Module - id: 3502 @@ -87,10 +90,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sautoindex' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sautoindex' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sautoindex' - - 'd:$mods-en -> autoindex.load' + - 'c:httpd -M -> r:autoindex_module' #2.6 Disable Proxy Modules - id: 3503 @@ -106,10 +106,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sproxy' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sproxy' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\sproxy' - - 'd:$mods-en -> proxy.load' + - 'c:httpd -M -> r:proxy_' #2.7 Disable User Directories Modules - id: 3504 @@ -125,10 +122,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\suserdir' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\suserdir' - - 'f:/etc/httpd/conf.d -> !r:^# && r:loadmodule\suserdir' - - 'd:$mods-en -> userdir.load' + - 'c:httpd -M -> userdir_' #2.8 Disable Info Module - id: 3505 @@ -144,10 +138,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_info.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' - - 'd:$conf-dirs -> load -> !r:^# && r:loadmodule\sinfo' - - 'd:$conf-dirs -> conf -> !r:^# && r:loadmodule\sinfo' - - 'd:$mods-en -> info.load' + - 'c:httpd -M -> r:info_module' #3.2 Give the Apache User Account an Invalid Shell - id: 3506 
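Review bot: The userdir hunk (@@ -125,10 +122,7 @@) drops the `r:` prefix — `- 'c:httpd -M -> userdir_'` — unlike the sibling module checks, so the pattern is treated as a literal whole-line match that never equals a ` userdir_module (shared)` line; under `condition: none` the check then always passes even when mod_userdir is loaded. Change it to `- 'c:httpd -M -> r:userdir_module'`.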
@@ -158,9 +149,9 @@ checks: compliance: - cis: "3.2" - cis_csc: "16" - condition: all + condition: none rules: - - 'f:/etc/passwd -> r:/var/www && r:\.*/bin/false$|/sbin/nologin$' + - 'f:/etc/passwd -> r:apache' #3.3 Lock the Apache User Account - id: 3507 @@ -173,7 +164,7 @@ checks: - cis_csc: "16" condition: all rules: - - 'f:/etc/shadow -> r:^daemon|^wwwrun|^www-data|^apache && r:\p!\.*$' + - 'c:passwd -S apache -> r:Password locked' #4.4 Restrict Override for All Directories - id: 3508 @@ -192,7 +183,7 @@ checks: rules: - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' - - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && r:none$' + - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' #5.3 Minimize Options for Other Directories @@ -239,8 +230,7 @@ checks: - cis_csc: "18.9" condition: none rules: - - 'd:/etc/httpd/conf.d -> manual.conf' - - 'd:/etc/apache2/conf-enabled -> apache2-doc.conf' + - 'd:$confdirs -> r:manual.conf|apache2-doc.conf' #5.4.5 Verify that no Handler is enabled - id: 3512 @@ -299,7 +289,8 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept condition: all rules: - - 'f:$main-conf -> r:limitexcept && r:get && r:head && r:post && r:options' + - 'f:$main-conf -> r:^Order\s+allow,deny$' + - 'not f:$main-conf -> r:LimitExcept && r:DELETE|HEAD|PUT|CONNECT|TRACE' #5.8 Disable HTTP Trace Method - id: 3516 @@ -316,7 +307,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable condition: none rules: - - 'f:$traceen -> !r:^# && r:traceenable\s+on\s*$' + - 'f:$traceen -> !r:^# && r:TraceEnable\s+on\s*$' #5.13 Restrict Listen Directive - id: 3519 
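Review bot: The 3.2 hunk (@@ -158,9 +149,9 @@) inverts the check: `condition: none` over `f:/etc/passwd -> r:apache` passes only when no `apache` account exists and fails on every RHEL host that actually has the service user, while saying nothing about its shell. Restore the shell test the old rule performed: `condition: all` with `- 'f:/etc/passwd -> r:^apache: && r:/sbin/nologin$|/bin/false$'`. The check title, 'Give the Apache User Account an Invalid Shell', is the context line just above this hunk.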
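Review bot: The 5.4.x hunk (@@ -239,8 +230,7 @@) references `$confdirs`, but the variable declared at the top of this file is `$conf-dirs`, so the new rule points at an undefined variable and can never find manual.conf. Change it to `- 'd:$conf-dirs -> r:manual.conf|apache2-doc.conf'`.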
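Review bot: In the 5.7 hunk (@@ -299,7 +289,8 @@) the two new rules do not establish that request methods are restricted: `r:^Order\s+allow,deny$` only detects mod_access_compat syntax, and `not ... r:LimitExcept && r:DELETE|HEAD|PUT|CONNECT|TRACE` is vacuously true for a config with no `LimitExcept` block at all, so an unrestricted httpd.conf passes. Require the block to exist and to exclude write methods, e.g. `- 'f:$main-conf -> r:^\s*<LimitExcept && r:GET && r:POST && r:OPTIONS'` and `- 'not f:$main-conf -> r:^\s*<LimitExcept && r:DELETE|PUT|CONNECT|TRACE'`. HEAD should not be in the deny set, since it is implicitly allowed whenever GET is and a `LimitExcept GET HEAD POST OPTIONS` block is a valid hardened config.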
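Review bot: The 5.8 hunk (@@ -316,7 +307,7 @@) only changes the directive's case; `condition: none` over `TraceEnable\s+on\s*$` still passes when the directive is absent (httpd defaults to `TraceEnable on`) or set to `extended`. Make the check positive: `condition: all` with `- 'f:$traceen -> !r:^\s*# && r:^\s*TraceEnable\s+off\s*$'`. Since `$traceen` now covers only httpd.conf, a `TraceEnable` placed in a conf.d file would also be missed; consider adding `$conf-dirs` to the variable.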
@@ -338,12 +329,6 @@ checks: - 'f:$main-conf -> !r:^# && r:listen\s(\d+)$' - 'f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' - 'f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' - - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s(\d+)$' - - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' - - 'f:/etc/apache2/sites-enabled/000-default.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' - - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s(\d+)$' - - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)' - - 'f:/etc/apache2/ports.conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)' #5.14 Restrict Browser Frame Options - id: 3520 @@ -361,7 +346,7 @@ checks: - https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx condition: all rules: - - 'f:$main-conf -> r:header\salways\sappend\sx-frame-options && r:sameorigin|deny' + - 'f:$main-conf -> r:Header\salways\sappend\sX-Frame-Options && r:SAMEORIGIN' #6.1 Configure the Error Log to notice at least - id: 3521 @@ -402,7 +387,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog condition: all rules: - - 'f:$main-conf -> r:errorlog\s+\p*syslog\p\.*\p*' + - 'f:$main-conf -> r:ErrorLog\s+\p*syslog\p\.*\p*' #7.6 Disable SSL Insecure Renegotiation - id: 3523 @@ -436,9 +421,9 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression - https://en.wikipedia.org/wiki/CRIME_(security_exploit) - condition: none + condition: all rules: - - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+on' + - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+off' #8.1 Set ServerToken to Prod or ProductOnly - id: 3528 
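Review bot: The 5.14 hunk (@@ -361,7 +346,7 @@) narrows the accepted value from `sameorigin|deny` to `SAMEORIGIN`, so a host using the stricter `X-Frame-Options DENY` now fails the check. Keep both values, and accept `set` as well as `append` since both are common: `- 'f:$main-conf -> r:Header\salways\sappend\sX-Frame-Options|Header\salways\sset\sX-Frame-Options && r:SAMEORIGIN|DENY'`. Top-level `|` rather than a parenthesised group is used deliberately, as the later ScRemoveOption fix in this series shows grouped alternation is not supported by the regex engine.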
@@ -451,14 +436,10 @@ checks: - cis_csc: "18.9" references: - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens - condition: none + condition: any rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+major' - - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minor' - - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+min' - - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+minimal' - - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+os' - - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+full' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+Prod' + - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+ProductOnly' #8.2: Set ServerSignature to Off - id: 3529 @@ -521,7 +502,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive condition: none rules: - - 'f:$main-conf -> !r:^# && r:keepalive\s+off' + - 'f:$main-conf -> !r:^# && r:keepalive\s+Off' #9.3:Set MaxKeepAliveRequests to 100 or greater - id: 3533 @@ -535,9 +516,9 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests - condition: all + condition: none rules: - - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare >= 100' + - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare <= 100' #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service - id: 3534 @@ -551,9 +532,9 @@ checks: references: - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout - condition: all + condition: none rules: - - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15' + - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare > 15' #9.5 Set Timeout Limits for Request Headers - id: 3535 
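Review bot: The 8.1 hunk (@@ -451,14 +436,10 @@) looks for `ServerTokens Prod|ProductOnly` only under `d:$conf-dirs` (conf.d, modsecurity.d), never in `$main-conf`, so a `ServerTokens Prod` placed in httpd.conf — the usual location — fails the check. Add `- 'f:$main-conf -> !r:^# && r:servertokens\s+Prod'` to the any-list. Note that `servertokens\s+Prod` already matches `ProductOnly`, so the second rule per location is redundant.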
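Review bot: The 9.3 hunk (@@ -535,9 +516,9 @@) flips the check to `condition: none` with `compare <= 100`, which now flags the recommended value itself — `MaxKeepAliveRequests 100` fails although the title asks for '100 or greater'. Use `compare < 100`. The `none` form is otherwise an improvement, because an absent directive (httpd default 100) now passes instead of failing.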
@@ -571,8 +552,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html condition: all rules: - - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout' - - 'd:$mods-en -> f:reqtimeout.load' + - 'f:$main-conf -> r:^loadmodule\s+reqtimeout' - 'f:$request-confs -> n:^\t*\s*requestreadtimeout\.+header\p(\d+) compare <= 40' #9.6 Set Timeout Limits for Request Body @@ -589,8 +569,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html condition: all rules: - - 'f:/etc/httpd/conf/httpd.conf -> r:^loadmodule\s+reqtimeout' - - 'd:$mods-en -> f:reqtimeout.load' + - 'f:$main-conf -> r:^loadmodule\s+reqtimeout' - 'f:$request-confs -> n:\t*\s*requestreadtimeout\.+body\p(\d+) compare <= 20' #10.1 Set the LimitRequestLine directive to 512 or less @@ -607,7 +586,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline condition: all rules: - - 'f:$main-conf -> n:^limitrequestline\s+(\d+) compare <= 512' + - 'f:$main-conf -> n:^LimitRequestLine\s+(\d+) compare <= 512' #10.2 Set the LimitRequestFields directive to 100 or less - id: 3538 @@ -623,7 +602,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields condition: all rules: - - 'f:$main-conf -> n:^limitrequestfields\s(\d+) compare <= 100' + - 'f:$main-conf -> n:^LimitRequestFields\s(\d+) compare <= 100' #10.3 Set the LimitRequestFieldsize directive to 1024 or less - id: 3539 @@ -639,7 +618,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize condition: all rules: - - 'f:$main-conf -> n:^limitrequestfieldsize\s+(\d+) compare <= 1024' + - 'f:$main-conf -> n:^LimitRequestFieldSize\s+(\d+) compare <= 1024' #10.4 Set the LimitRequestBody directive to 102400 or less - id: 3540 
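Review bot: The 9.5 hunk (@@ -571,8 +552,7 @@) requires `^loadmodule\s+reqtimeout` in `$main-conf`, but on RHEL/CentOS 7 and later httpd.conf carries no LoadModule lines — they live in /etc/httpd/conf.modules.d/ — so on the very platform the variables now target this rule never matches and the check always fails; the 9.6 hunk below repeats the same rule. Test the loaded module the way section 2 does: `- 'c:httpd -M -> r:reqtimeout_module'`.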
@@ -655,5 +634,5 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody condition: all rules: - - 'f:$main-conf -> n:^limitrequestbody\s+(\d+) compare <= 102400' + - 'f:$main-conf -> n:^LimitRequestBody\s+(\d+) compare <= 102400' From bc75ae24d5bfd6014d8c315543f2a28798a4c6cb Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Tue, 18 Jun 2019 10:58:04 +0200 Subject: [PATCH 104/247] Review every Windows 2012 R2 policy --- sca/windows/cis_win2012r2_domainL1_rcl.yml | 10 +-- sca/windows/cis_win2012r2_domainL2_rcl.yml | 2 +- sca/windows/cis_win2012r2_memberL1_rcl.yml | 75 ++++++++++++++++++---- sca/windows/cis_win2012r2_memberL2_rcl.yml | 18 ++---- 4 files changed, 76 insertions(+), 29 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index a5aa23cb9..a29c8a9ac 100644 --- a/sca/windows/cis_win2012r2_domainL1_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml 
@@ -1810,9 +1810,9 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' - id: 8125 - title: "Ensure 'Prevent the usage of SkyDrive for file storage' is set to 'Enabled'" - description: "This policy setting lets you prevent apps and features from working with files on SkyDrive. The recommended state for this setting is: Enabled." - rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to SkyDrive cloud service." + title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." + rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates" compliance: - cis: "18.9.52.1" @@ -1820,8 +1820,8 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSync' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSync -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - id: 8126 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml index 3bfb7b81e..8f11c0f79 100644 --- a/sca/windows/cis_win2012r2_domainL2_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml @@ -473,7 +473,7 @@ checks: compliance: - cis: "18.8.46.1" - cis_csc: "13" - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml index 6a4263375..387f3be23 100644 --- a/sca/windows/cis_win2012r2_memberL1_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml @@ -54,7 +54,7 @@ checks: compliance: - cis: "2.3.1.2" - cis_csc: "16" - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' 
@@ -282,7 +282,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^(1|2|3)$' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - id: 9018 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" @@ -397,7 +397,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:(\d+) compare >= 1' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1' - id: 9026 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" @@ -799,7 +799,7 @@ checks: compliance: - cis: "2.3.17.7" - cis_csc: "5.1" - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA' @@ -1275,7 +1275,7 @@ checks: compliance: - cis: "18.2.4" - cis_csc: "5.7" - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity' 
@@ -1340,7 +1340,7 @@ checks: - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential' @@ -1358,7 +1358,7 @@ checks: references: - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' @@ -1626,8 +1626,9 @@ checks: compliance: - cis: "18.8.27.3" - cis_csc: "16.9" - condition: any + condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' @@ -1641,6 +1642,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' 
@@ -1654,6 +1656,7 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' @@ -1667,6 +1670,7 @@ checks: - cis_csc: "9.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' @@ -1680,6 +1684,7 @@ checks: - cis_csc: "5.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' @@ -1695,6 +1700,7 @@ checks: - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' @@ -1709,6 +1715,7 @@ checks: - cis_csc: "16.9" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' 
@@ -1722,6 +1729,7 @@ checks: - cis_csc: "8.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' @@ -1735,6 +1743,7 @@ checks: - cis_csc: "8.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' @@ -1748,8 +1757,9 @@ checks: - cis_csc: "8.3" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255' - id: 9121 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" @@ -1761,6 +1771,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' 
@@ -1774,6 +1785,7 @@ checks: - cis_csc: "16" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' @@ -1787,6 +1799,7 @@ checks: - cis_csc: "6.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' @@ -1800,6 +1813,7 @@ checks: - cis_csc: "6.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' @@ -1813,6 +1827,7 @@ checks: - cis_csc: "6.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' @@ -1826,6 +1841,7 @@ checks: - cis_csc: "6.3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' 
@@ -1839,6 +1855,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
 
@@ -1852,6 +1869,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
 
@@ -1865,6 +1883,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
 
@@ -1878,6 +1897,7 @@ checks:
 - cis_csc: "6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
 
@@ -1889,8 +1909,9 @@ checks:
 compliance:
 - cis: "18.9.30.2"
 - cis_csc: "8.4"
- condition: any
+ condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 
@@ -1904,6 +1925,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
 
@@ -1917,6 +1939,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 
@@ -1930,6 +1953,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
 
@@ -1943,6 +1967,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
 
@@ -1956,6 +1981,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
 
@@ -1969,6 +1995,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
 
@@ -1982,6 +2009,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
 
@@ -1995,6 +2023,7 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
 
@@ -2008,6 +2037,7 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
 
@@ -2021,6 +2051,7 @@ checks:
 - cis_csc: "14.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
 
@@ -2034,6 +2065,7 @@ checks:
 - cis_csc: "14.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
 
@@ -2047,6 +2079,7 @@ checks:
 - cis_csc: "7.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
 
@@ -2060,6 +2093,7 @@ checks:
 - cis_csc: "13.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
 
@@ -2073,6 +2107,7 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
 
@@ -2086,6 +2121,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
 
@@ -2099,6 +2135,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
 
@@ -2112,6 +2149,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
 
@@ -2125,6 +2163,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
 
@@ -2138,6 +2177,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
 
@@ -2151,6 +2191,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
 
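Review bot: The ScriptBlockLogging hunk leaves the check passing only when `EnableScriptBlockLogging` is `0`, and the Transcription hunk on the next line does the same for `EnableTranscripting`; both check titles sit outside these hunks, so I cannot confirm which benchmark wording they follow. Earlier CIS releases did recommend 'Disabled' for both settings, but later releases and current detection guidance treat script block logging and transcription as controls to turn on, so a host that is deliberately instrumented for PowerShell visibility will be reported as failing here. A comment above each rule would stop a later reader from "fixing" the value in either direction without checking, e.g. `# benchmark text tracked by this policy expects Disabled (0); later CIS releases recommend Enabled - confirm before changing`.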
@@ -2164,6 +2205,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
 
@@ -2177,6 +2219,7 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
 
@@ -2190,6 +2233,7 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
 
@@ -2203,6 +2247,7 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
 
@@ -2216,6 +2261,7 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
 
@@ -2229,6 +2275,7 @@ checks:
 - cis_csc: "16.13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
 
@@ -2242,6 +2289,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
 
@@ -2255,8 +2303,9 @@ checks:
 - cis_csc: "4.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
 
 - id: 9160
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
@@ -2268,6 +2317,7 @@ checks:
 - cis_csc: "4.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
 
@@ -2281,5 +2331,6 @@ checks:
 - cis_csc: "4.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index 513aac072..aa4deda91 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -27,7 +27,7 @@ requirements:
 checks:
 # Section 2.3.7 - Interactive logon
 - id: 9500
- title: "Ensure 'Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
+ title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
 description: "This policy setting determines whether a user can log on to a Windows domain using cached account information."
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
@@ -149,7 +149,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
 
 # Section 18.5.19.2 - Parameters
 - id: 9509
@@ -162,7 +162,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
 
 # Section 18.5.20 - Windows Connect Now
 - id: 9510
@@ -260,7 +260,6 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com"
 compliance:
 - cis: "18.8.22.1.7"
- - cis_csc: ""
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
@@ -316,7 +315,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
 
 - id: 9521
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
@@ -342,9 +341,9 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
 
 # Section 18.8.26 - Locale Services
 - id: 9523
@@ -451,7 +450,6 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider"
 compliance:
 - cis: "18.9.39.1.1"
- - cis_csc: ""
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider'
@@ -478,7 +476,6 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session"
 compliance:
 - cis: "18.9.58.3.2.1"
- - cis_csc: ""
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
@@ -573,7 +570,6 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation"
 compliance:
 - cis: "18.9.65.1"
- - cis_csc: ""
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
@@ -587,7 +583,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS"
 compliance:
 - cis: "18.9.76.3.2"
- - cis_csc: ""
+ - cis_csc: "8"
 condition: any
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
From ca40ca6e9441eb8121907b3f6fdb175c3ab2bc2c Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Tue, 18 Jun 2019 13:00:57 +0200
Subject: [PATCH 105/247] Review Windows 2012 R2 policies

---
 sca/windows/cis_win2012r2_domainL1_rcl.yml | 2 +-
 sca/windows/cis_win2012r2_memberL1_rcl.yml | 2 +-
 sca/windows/cis_win2012r2_memberL2_rcl.yml | 63 ++++++++++++++++++++--
 3 files changed, 62 insertions(+), 5 deletions(-)

diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index a29c8a9ac..d26c26883 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -495,7 +495,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
 - id: 8033
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
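Review bot: The replacement rule `not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.` is correct only because `\.` in the SCA regex dialect matches any character (a literal dot is written as a bare `.`), so the negated rule passes exactly when the value is empty; to anyone reading it as PCRE it says "must not contain a dot", which is a different check. A comment above the rule would remove that trap, e.g. `# SCA regex: '\.' matches any character, so the negated rule passes only when NullSessionShares is empty`. The same construct is used in the cis_win2012r2_memberL1_rcl.yml hunk on the next line, and it relies on the two preceding existence rules under `condition: all` to keep an absent value from satisfying the negation. The dropped `r:^$` form was presumably not matching an empty REG_MULTI_SZ; if so, that is worth stating in the comment as well so nobody reintroduces it.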
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index 387f3be23..8d8397d91 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -509,7 +509,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:^$'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
 
 - id: 9034
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index aa4deda91..1c448538c 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -36,6 +36,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$'
 
@@ -50,6 +51,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
 
@@ -64,6 +66,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
 
@@ -77,6 +80,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
 
@@ -90,6 +94,7 @@ checks:
 - cis_csc: "5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
 
@@ -103,6 +108,7 @@ checks:
 - cis_csc: "5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
 
@@ -117,9 +123,14 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
 
 - id: 9507
@@ -132,9 +143,14 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
 
 # Section 18.5.10 - Microsoft Peer-to-Peer Networking Services
@@ -148,6 +164,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
 
@@ -161,6 +178,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
 
@@ -175,6 +193,7 @@ checks:
 - cis_csc: "15.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
@@ -196,6 +215,7 @@ checks:
 - cis_csc: "15.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 
@@ -210,6 +230,7 @@ checks:
 - cis_csc: "12"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
 
@@ -224,6 +245,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
 
@@ -237,6 +259,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
 
@@ -250,6 +273,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
 
@@ -262,6 +286,7 @@ checks:
 - cis: "18.8.22.1.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
 
@@ -275,6 +300,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
 
@@ -288,6 +314,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
 
@@ -301,6 +328,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
 
@@ -314,6 +342,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
 
@@ -327,6 +356,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
 
@@ -340,8 +370,10 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
 
@@ -356,6 +388,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
 
@@ -370,6 +403,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
 
@@ -384,6 +418,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
 
@@ -398,6 +433,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
 
@@ -412,6 +448,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
 
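Review bot: The ScriptedDiagnosticsProvider hunk adds a key-existence rule but keeps the context rules checking a value named `DisableQueryRemoteServer`, while the Group Policy setting I know for this key ("Troubleshooting: Allow users to access online troubleshooting content ...") writes `EnableQueryRemoteServer`, which is `0` when the policy is Disabled; the check title is outside the hunk, so please verify the value name against the benchmark. If the name is wrong, the check can never pass under `condition: all`, which reads as a permanent failure on every host rather than a real misconfiguration. If confirmed, the change is the two context lines, `... -> EnableQueryRemoteServer` and `... -> EnableQueryRemoteServer -> 0`.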
@@ -426,6 +463,7 @@ checks:
 - cis_csc: "6.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
@@ -439,6 +477,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
@@ -452,6 +491,7 @@ checks:
 - cis: "18.9.39.1.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> 1'
@@ -465,6 +505,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
@@ -478,6 +519,7 @@ checks:
 - cis: "18.9.58.3.2.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
@@ -492,6 +534,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
@@ -505,6 +548,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
@@ -518,6 +562,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
@@ -532,6 +577,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
@@ -545,6 +591,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
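Review bot: The MaxIdleTime value rule in the `@@ -532,6 +577,7 @@` hunk still passes on `0`, because `n:^(\d+) compare <= 900000` accepts zero, and a MaxIdleTime of 0 is the "Never" setting, i.e. no idle limit at all; the key-existence rule this commit adds does not close that gap. If the benchmark item here is worded "15 minutes or less, but not Never (0)", add `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'` under the same `condition: all`, which is the same construct used elsewhere in these policies. The check's id and title are outside the hunk.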
@@ -559,6 +606,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
@@ -572,6 +620,7 @@ checks:
 - cis: "18.9.65.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
@@ -584,8 +633,10 @@ checks:
 compliance:
 - cis: "18.9.76.3.2"
 - cis_csc: "8"
- condition: any
+ condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
 # Section - 18.9.76.9 - Reporting
@@ -599,6 +650,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
@@ -611,8 +663,10 @@ checks:
 compliance:
 - cis: "18.9.85.3"
 - cis_csc: "7"
- condition: any
+ condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
 # Section 18.9.97.2 - WinRM Service
@@ -624,8 +678,10 @@ checks:
 compliance:
 - cis: "18.9.97.2.2"
 - cis_csc: "3.4"
- condition: any
+ condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
 # Section 18.9.98 - Windows Remote Shell
@@ -639,5 +695,6 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
From eef31c8dd5dfa9f6bd9668ab4ed3be978ce98874 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Tue, 18 Jun 2019 15:46:25 +0200
Subject: [PATCH 106/247] Review win_audit_rcl policy
---
 sca/windows/win_audit_rcl.yml | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml
index ce686b330..3bd9f460f 100644
--- a/sca/windows/win_audit_rcl.yml
+++ b/sca/windows/win_audit_rcl.yml
@@ -17,7 +17,7 @@ policy:
 requirements:
 title: "Check for Windows platform"
 description: "Requirements for running the audit policy under a Windows platform"
- condition: "any required"
+ condition: "any"
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'
@@ -30,8 +30,10 @@ checks:
 - nist_800_53: "AU.6"
 condition: all
 rules:
+ - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'
+
 - id: 2501
 title: "Ensure DCOM is enabled"
 description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
@@ -43,18 +45,22 @@ checks:
 - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
+
 - id: 2502
- title: "LM authentication allowed (disable weak passwords)"
+ title: "LM authentication not allowed (disable weak passwords)"
 compliance:
 - pci_dss: "10.6.1, 11.4"
 - hipaa: "164.312.b"
 - nist_800_53: "AU.6, IA.10"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel'
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^0$|^1$'
+
 # Disabled by some Malwares (sometimes by McAfee and Symantec
 # security center too).
 - id: 2503
@@ -65,6 +71,7 @@ checks:
 - nist_800_53: "AU.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify'
@@ -73,19 +80,22 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
+
 # Checking for the microsoft firewall.
 - id: 2504
- title: "Ensure Microsoft Firewall is disabled"
+ title: "Ensure Microsoft Firewall is enabled"
 compliance:
 - pci_dss: "10.6.1, 1.4"
 - hipaa: "164.312.b, 164.312.a.1"
 - nist_800_53: "AU.6, SC.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile'
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall'
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 0'
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 1'
+
 - id: 2505
 title: "Ensure Null sessions are disallowed"
 compliance:
@@ -93,8 +103,10 @@ checks:
 - nist_800_53: "IA.10"
 condition: all
 rules:
+ - 'r:HKLM\System\CurrentControlSet\Control\Lsa'
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
 - id: 2506
 title: "Ensure Error reporting is enabled"
 compliance:
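Review bot: Check 2504 in the `@@ -73,19 +80,22 @@` hunk adds a key-existence rule only for `windowsfirewall\domainprofile`, although the rules right below it also read `enablefirewall` under `windowsfirewall\standardprofile`; for consistency with the pattern this commit applies to every other check, add `- 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile'` next to the domainprofile line. Without it a missing standardprofile key fails the check on the `-> enablefirewall` rule, which reads as "value missing" rather than "key missing" in the SCA result. These paths are presumably the policy (GPO-managed) hive, so a host whose firewall is enabled only through local defaults will also fail this check; if that is intended, it is worth saying so in the title or a comment.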
@@ -105,6 +117,7 @@ checks:
 - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps'
@@ -117,6 +130,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 1'
+
 - id: 2507
 title: "Ensure Automatic Logon is disabled"
 compliance:
@@ -125,9 +139,11 @@ checks:
 - nist_800_53: "AU.6"
 condition: any
 rules:
+ - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
 - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
 - id: 2508
 title: "Ensure Winpcap packet filter driver is not present"
 compliance:
From bfb1c8b337cd9a7d60b33acb89fd25a1b1981a57 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Wed, 19 Jun 2019 11:39:19 +0200
Subject: [PATCH 107/247] Updated Win 10 Enterprise L1 from 1.4 to 1.5
---
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 92 ++++----------------
 1 file changed, 17 insertions(+), 75 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 0886e3336..04b054dc8 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
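Review bot: In check 2507 (hunk `@@ -125,9 +139,11 @@`) the rules are combined with `condition: any`, so the existence-only rule `r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon` satisfies the whole check whenever that value is present, whatever it contains; the added `not r:...\Winlogon` line does not change that. If, as the rest of this file assumes, a rule ending in `-> ValueName` matches on mere existence, the check cannot fail on a host with AutoAdminLogon set to 1, so that rule should be dropped and only `AutoAdminLogon -> 0`, the `not ... -> DefaultPassword` rule and the new key-absence rule kept. Under `any` the `not ... -> DefaultPassword` rule also passes on its own, so a host with AutoAdminLogon enabled but its password stored elsewhere would still be reported as compliant; consider whether that rule belongs in an `all`-style check of its own.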
@@ -8,7 +8,7 @@
 # Foundation
 #
 # Based on:
-# Center for Internet Security Benchmark v1.4.0 for Microsoft Windows 10 Release 1709 v1.4.0 - 08-21-2018
+# Center for Internet Security Benchmark v1.5.0 for Microsoft Windows 10 Release 1803 v1.5.0 - 03-06-2019
 policy:
 id: "cis_win10_enterprise_L1"
@@ -157,19 +157,6 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
- - id: 12010
- title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
- description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
- rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
- compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
-
 - id: 12011
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
@@ -263,7 +250,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
 - id: 12018
- title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
+ title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
@@ -273,7 +260,6 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
 - id: 12019
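Review bot: Check 12018 is left internally inconsistent by these two hunks: the title drops "but not 0" and the `@@ -273,7 +260,6 @@` hunk removes the `not ... AutoDisconnect -> 0` rule, but the `description` and `remediation` lines still in the first hunk say "but not 0", and the description itself states that a value of 0 lets sessions persist indefinitely, which `n:^(\d+) compare <= 15` now accepts. Either restore `- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'` under the existing `condition: all`, or update the description and remediation to the relaxed wording so the rules and their documentation agree. Whichever the benchmark revision intends, the text and the rules should say the same thing.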
@@ -404,7 +390,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion'
 - id: 12029
 title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
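Review bot: The rewritten AllowedExactPaths rule replaces the regex alternation with spaces, turning three alternatives into one literal sequence; presumably the multi-string value is flattened with spaces before matching, in which case the rule now fails when all three paths are present but stored in a different order, while the old `|` form passed if any one of them was present. Neither form checks that the value contains exactly the benchmark's three paths and nothing else. If order-independence is wanted, one `-> Machine -> r:<path>` rule per path under the existing `condition: all` expresses it without relying on the flattening format; the same applies to the AllowedPaths rule in the next hunk.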
@@ -417,7 +403,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog'
 - id: 12030
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
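Review bot: The rewritten AllowedPaths rule still has one `|` left in it, between `Software\\Microsoft\\OLAP Server` and `Software\\Microsoft\\Windows NT\\CurrentVersion\\Print`, so the expression is two alternatives: the first three paths in sequence, or the remaining eight in sequence. A value holding only the first three paths therefore passes, and a value holding all eleven in another order fails. Replace that `|` with a space like the rest of the line, or, for an order-independent check, split the line into one `-> Machine -> r:<path>` rule per path under the existing `condition: all`.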
@@ -755,32 +741,6 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> 4'
- - id: 12056
- title: "Ensure 'HomeGroup Listener (HomeGroupListener)' is set to 'Disabled'"
- description: "Makes local computer changes associated with configuration and maintenance of the HomeGroup-joined computer. The recommended state for this setting is: Disabled."
- rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\HomeGroup Listener"
- compliance:
- - cis: "5.6"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener -> Start -> 4'
- - id: 12057
- title: "Ensure 'HomeGroup Provider (HomeGroupProvider)' is set to 'Disabled'"
- description: "Performs networking tasks associated with configuration and maintenance of HomeGroups. The recommended state for this setting is: Disabled."
- rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\HomeGroup Provider"
- compliance:
- - cis: "5.7"
- - cis_csc: "9.1, 9.2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider -> Start -> 4'
-
 - id: 12058
 title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
 description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
@@ -1101,7 +1061,7 @@ checks:
 compliance:
 - cis: "9.1.6"
 - cis_csc: "6.3, 6.4"
- condition: any
+ condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -1898,19 +1858,6 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
- - id: 12144
- title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
- description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards."
- rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards"
- compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
-
 - id: 12145
 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
 description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet."
@@ -2237,7 +2184,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
 - id: 12170
- title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security (Enterprise Only)' or 'Enabled: 1 - Basic'"
+ title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'"
 description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry"
@@ -2249,19 +2196,6 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
- - id: 12171
- title: "Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
- description: "This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations."
- rationale: "It can be dangerous in an enterprise managed environment if experimental features are allowed because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Disable pre-release features or settings"
- compliance:
- - cis: "18.9.16.3"
- - cis_csc: "3"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> EnableConfigFlighting -> 0'
-
 - id: 12172
 title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
 description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft."
@@ -2299,7 +2233,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^1$|^2$'
+ - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
 - id: 12175
 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
@@ -2771,9 +2705,9 @@ checks:
 - id: 12211
 title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
- description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail)"
+ description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes)"
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
- remediation: "To establish the recommended configuration via GP, set the following UI path so that 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 3b576869-a4ec-4529-8536-b80a7769e899, d4f940ab-401b-4efc-aadc-ad5f3c50688a, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, d3e037e1-3eb8-44c8-a917-57927947596d, and be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
+ remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
 compliance:
 - cis: "18.9.76.13.1.2"
 - cis_csc: "8.4"
@@ -2793,6 +2727,14 @@ checks:
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
- id: 12212
title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
From 086808e8c7ef21217c7a57657a954aa7d5cb65f2 Mon Sep 17 00:00:00 2001
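Review bot: Two of the added value names carry mixed-case GUIDs where every other entry in this list is uppercase: `26190899-1602-49E8-8B27-eB1D0A1CE869` (lowercase `e`) and `9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2` (lowercase `b`), each used twice. Windows treats registry value names case-insensitively, but if the SCA engine compares the name literally these four rules will never match and the check will fail on a correctly configured host, so normalising them to `26190899-1602-49E8-8B27-EB1D0A1CE869` and `9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2` removes the doubt either way. The description of this check lists the same GUIDs in lowercase, so one case convention across description, remediation and rules would also make the check easier to audit. The enclosing check (its `condition:` and the remaining ASR rule lines) starts outside the hunk, so whether all of the rules must hold together cannot be confirmed from here.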
From: Skeptor
Date: Wed, 19 Jun 2019 11:53:01 +0200
Subject: [PATCH 108/247] Udpate Win10 L1 id number
---
sca/windows/cis_win10_enterprise_L1_rcl.yml | 446 ++++++++++----------
1 file changed, 223 insertions(+), 223 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 04b054dc8..0539e0425 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -157,7 +157,7 @@ checks:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
- - id: 12011
+ - id: 12010
title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
@@ -170,7 +170,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - - id: 12012 + - id: 12011 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit" rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." @@ -184,7 +184,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' - - id: 12013 + - id: 12012 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
@@ -197,7 +197,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14' - - id: 12014 + - id: 12013 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
@@ -210,7 +210,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$' - - id: 12015 + - id: 12014 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \"Microsoft network client and server: Digitally sign communications (four related settings)\" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -223,7 +223,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - - id: 12016 + - id: 12015 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -236,7 +236,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - id: 12017 + - id: 12016 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
@@ -249,7 +249,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - id: 12018 + - id: 12017 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
@@ -262,7 +262,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - id: 12019 + - id: 12018 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -275,7 +275,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - id: 12020 + - id: 12019 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -288,7 +288,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - id: 12021 + - id: 12020 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
@@ -301,7 +301,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - - id: 12022 + - id: 12021 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark." rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources." 
@@ -314,7 +314,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1' - - id: 12023 + - id: 12022 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" 
@@ -327,7 +327,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1' - - id: 12024 + - id: 12023 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers" rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" 
@@ -340,7 +340,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' - - id: 12025 + - id: 12024 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." @@ -353,7 +353,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' - - id: 12026 + - id: 12025 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." 
@@ -366,7 +366,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' - - id: 12027 + - id: 12026 title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)." rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." @@ -379,7 +379,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None' - - id: 12028 + - id: 12027 title: "Ensure 'Network access: Remotely accessible registry paths'" description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)." rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." 
@@ -392,7 +392,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion' - - id: 12029 + - id: 12028 title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'" description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. 
The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog" rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." 
@@ -405,7 +405,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog' - - id: 12030 + - id: 12029 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled" rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." 
@@ -418,7 +418,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - - id: 12031 + - id: 12030 title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy." rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" @@ -431,7 +431,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)' - - id: 12032 + - id: 12031 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data" 
@@ -444,7 +444,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None' - - id: 12033 + - id: 12032 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." 
@@ -457,7 +457,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - - id: 12034 + - id: 12033 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." @@ -470,7 +470,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' - - id: 12035 + - id: 12034 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled" rationale: "NULL sessions are less secure because by definition they are unauthenticated." 
@@ -483,7 +483,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' - - id: 12036 + - id: 12035 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled." rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
@@ -496,7 +496,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' - - id: 12037 + - id: 12036 title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting" rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." 
@@ -509,7 +509,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' - - id: 12038 + - id: 12037 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled" rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
@@ -522,7 +522,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' - - id: 12039 + - id: 12038 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours." 
@@ -534,7 +534,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - - id: 12040 + - id: 12039 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM" rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). 
The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." 
@@ -547,7 +547,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' - - id: 12041 + - id: 12040 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
@@ -560,7 +560,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1' - - id: 12042 + - id: 12041 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
@@ -573,7 +573,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' - - id: 12043 + - id: 12042 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
@@ -586,7 +586,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' - - id: 12044 + - id: 12043 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available" 
@@ -598,7 +598,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' - - id: 12045 + - id: 12044 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled." rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions." 
@@ -611,7 +611,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1' - - id: 12046 + - id: 12045 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled." rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled." 
@@ -624,7 +624,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1' - - id: 12047 + - id: 12046 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled." rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session." 
@@ -637,7 +637,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0' - - id: 12048 + - id: 12047 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop." rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so." 
@@ -650,7 +650,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2' - - id: 12049 + - id: 12048 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests." rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run." 
@@ -663,7 +663,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0' - - id: 12050 + - id: 12049 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled." rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage" 
@@ -676,7 +676,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection' - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1' - - id: 12051 + - id: 12050 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue." 
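Review bot: The unchanged rule lines of this hunk query `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection`, whereas the sibling UAC checks in the @@ -624, @@ -689, @@ -702 and @@ -715 hunks use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`; the extra `\MACHINE` component does not correspond to any key I know of under HKLM, so this check presumably never finds the value and reports the same result regardless of the actual "Detect application installations" setting. The commit only renumbers the id and leaves this in place; the two rule lines should drop `\MACHINE\`: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'` and `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'`. The check's `condition` line lies outside the visible hunk, so whether a miss yields a fail or a not-applicable result cannot be confirmed from here.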
@@ -689,7 +689,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1' - - id: 12052 + - id: 12051 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced." rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system." 
@@ -702,7 +702,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1' - - id: 12053 + - id: 12052 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled." rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick." @@ -715,7 +715,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1' - - id: 12054 + - id: 12053 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled." rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations." 
@@ -728,7 +728,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' # 5 System Services - - id: 12055 + - id: 12054 title: "Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'" description: "Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. The recommended state for this setting is: Disabled or Not Installed. Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS File Sharing Support optional feature. As a result, removing that feature (highly recommended unless backward compatibility is needed to XP/2003 and older Windows OSes - see Stop using SMB1 | Storage at Microsoft) will also remediate this recommendation. The feature is not installed by default starting with Windows 10 R1709." rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it." 
@@ -741,7 +741,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> 4' - - id: 12058 + - id: 12055 title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise." rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS." 
@@ -754,7 +754,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4' - - id: 12059 + - id: 12056 title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'" description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled" rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared." @@ -767,7 +767,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4' - - id: 12060 + - id: 12057 title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'" description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled." rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system." 
@@ -780,7 +780,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4' - - id: 12061 + - id: 12058 title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)." rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows." 
@@ -793,7 +793,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4' - - id: 12062 + - id: 12059 title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'" description: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager" rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS." @@ -806,7 +806,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4' - - id: 12063 + - id: 12060 title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'" description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled." rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it." 
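Review bot: The `description` of the check renumbered to 12059 in the hunk at `@@ -793` names the wrong policy path: it ends in `System Services\\LxssManager`, which belongs to the previous check, while the title and the rules refer to the Microsoft FTP Service (`FTPSVC`). The remediation text is what an operator follows, so the path should end in the service named in the title, e.g. `...\\Security Settings\\System Services\\Microsoft FTP Service`. The rest of this check's fields sit outside the hunk and may carry the same copy-paste remnant.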
@@ -819,7 +819,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4' - - id: 12064 + - id: 12061 title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled." rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment." @@ -832,7 +832,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4' - - id: 12065 + - id: 12062 title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'" description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))." rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack." 
@@ -845,7 +845,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4' - - id: 12066 + - id: 12063 title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled." rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment." @@ -858,7 +858,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4' - - id: 12067 + - id: 12064 title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled." rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment." 
@@ -871,7 +871,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4' - - id: 12068 + - id: 12065 title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'" description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)." rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly." @@ -884,7 +884,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4' - - id: 12069 + - id: 12066 title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'" description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed" rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment." 
@@ -897,7 +897,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4' - - id: 12070 + - id: 12067 title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'" description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled." rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers." 
@@ -910,7 +910,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4' - - id: 12071 + - id: 12068 title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'" description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise." rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS." @@ -923,7 +923,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4' - - id: 12072 + - id: 12069 title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled." rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." 
@@ -936,7 +936,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4' - - id: 12073 + - id: 12070 title: "Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'" description: "This service supports Xbox Game Monitoring. The recommended state for this setting is: Disabled." rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." @@ -949,7 +949,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4' - - id: 12074 + - id: 12071 title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'" description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled." rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." @@ -962,7 +962,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4' - - id: 12075 + - id: 12072 title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'" description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled." rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." 
@@ -975,7 +975,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4' - - id: 12076 + - id: 12073 title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled" rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." @@ -989,7 +989,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4' # 9 Windows Firewall with Advanced Security - - id: 12077 + - id: 12074 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
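Review bot: The rule retained as context in the hunk at `@@ -989` queries `Services\XboxNetApiSvce -> Start -> 4`, while the check's title names the service `XboxNetApiSvc`; the trailing `e` looks like a typo, which would make the rule read a key that does not exist and leave the check's verdict independent of the real Start value. The line should read `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc -> Start -> 4'`. The check's `condition` and its first rule are above the hunk, so how a missing key is scored is not visible here.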
@@ -1002,7 +1002,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - - id: 12078 + - id: 12075 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." @@ -1015,7 +1015,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - - id: 12079 + - id: 12076 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)." rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
@@ -1028,7 +1028,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - - id: 12080 + - id: 12077 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert." @@ -1040,7 +1040,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0' - - id: 12081 + - id: 12078 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log" rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
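Review bot: In the hunk at `@@ -1040`, the Domain-profile 'Display a notification' check compares `DisableNotifications -> 0`, whereas the Private and Public checks with the same wording (hunks at `@@ -1143` and `@@ -1246`) compare against `1`; all three titles ask for the setting to be 'No', which corresponds to the notification being disabled, so the Domain rule appears inverted. Unless the Domain check's `condition` (above the hunk) is deliberately different from the other two, the line should be `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'`. As written, a domain-joined host with notifications correctly disabled would be reported as non-compliant and a misconfigured one as compliant.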
@@ -1053,7 +1053,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' - - id: 12082 + - id: 12079 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1066,7 +1066,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' - - id: 12083 + - id: 12080 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
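Review bot: The log-path regex kept as context in the hunk at `@@ -1053`, `r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog`, uses `\\` as a literal backslash earlier in the same pattern, so the `\\w+` before `\plog` may be parsed as a literal backslash followed by a run of the letter `w` rather than a backslash followed by a word-character class; if so the check can never match the recommended value and will report every host the same way. Worth confirming against a real registry value and, if it fails, writing the separator and the filename class as separate escapes (e.g. `...\firewall\\\w+\plog`). The Private and Public variants at `@@ -1156` and `@@ -1285` carry the same pattern.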
@@ -1079,7 +1079,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - - id: 12084 + - id: 12081 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1092,7 +1092,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' - - id: 12085 + - id: 12082 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
@@ -1105,7 +1105,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - - id: 12086 + - id: 12083 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." 
@@ -1118,7 +1118,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - - id: 12087 + - id: 12084 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
@@ -1131,7 +1131,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0' - - id: 12088 + - id: 12085 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert." @@ -1143,7 +1143,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1' - - id: 12089 + - id: 12086 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1156,7 +1156,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' - - id: 12090 + - id: 12087 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1169,7 +1169,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' - - id: 12091 + - id: 12088 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1182,7 +1182,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1' - - id: 12092 + - id: 12089 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1195,7 +1195,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' - - id: 12093 + - id: 12090 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service" 
@@ -1208,7 +1208,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' - - id: 12094 + - id: 12091 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." 
@@ -1221,7 +1221,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' - - id: 12095 + - id: 12092 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
@@ -1234,7 +1234,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' - - id: 12096 + - id: 12093 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No" rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall." @@ -1246,7 +1246,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1' - - id: 12097 + - id: 12094 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy." 
@@ -1259,7 +1259,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0' - - id: 12098 + - id: 12095 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No." rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack" @@ -1272,7 +1272,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' - - id: 12099 + - id: 12096 title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1285,7 +1285,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
- - id: 12100
+ - id: 12097
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1298,7 +1298,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 12101
+ - id: 12098
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1311,7 +1311,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
- - id: 12102
+ - id: 12099
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1325,7 +1325,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # 18 Administrative templates (Computer)
- - id: 12103
+ - id: 12100
 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
 description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
@@ -1337,7 +1337,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
- - id: 12104
+ - id: 12101
 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
 description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled"
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
@@ -1349,7 +1349,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
- - id: 12105
+ - id: 12102
 title: "Ensure 'Allow input personalization' is set to 'Disabled'"
 description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
 rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
@@ -1362,7 +1362,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
- - id: 12106
+ - id: 12103
 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1375,7 +1375,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll'
- - id: 12107
+ - id: 12104
 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1388,7 +1388,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
- - id: 12108
+ - id: 12105
 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1401,7 +1401,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
- - id: 12109
+ - id: 12106
 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1414,7 +1414,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
- - id: 12110
+ - id: 12107
 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1427,7 +1427,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
- - id: 12111
+ - id: 12108
 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
@@ -1440,7 +1440,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
- - id: 12112
+ - id: 12109
 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
 description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1."
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
@@ -1453,7 +1453,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
- - id: 12113
+ - id: 12110
 title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
 description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems"
 rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
@@ -1466,7 +1466,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
- - id: 12114
+ - id: 12111
 title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
 description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
 rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
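Review bot: The context rule at the top of the 1453 hunk, `LocalAccountTokenFilterPolicy -> 1`, expects the value that the check's own description in the preceding hunk (1440) identifies as the Disabled state ("Enabled ... configures the LocalAccountTokenFilterPolicy registry value to 0 ... Disabled ... value to 1"), so unless the check's `condition:` (outside both hunks) inverts the rules, the check titled "Apply UAC restrictions to local accounts on network logons is set to Enabled" passes precisely when the restriction is off and remote logons with local admin accounts keep a full token. The commit only renumbers this check, but since it is touching every id here it is the moment to fix the rule to `-> LocalAccountTokenFilterPolicy -> 0` and add a comment such as `# 0 = UAC token filtering applied to local accounts on network logons (Enabled)` so the next renumbering pass does not carry the inversion forward.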
@@ -1479,7 +1479,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
- - id: 12115
+ - id: 12112
 title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
 description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
 rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
@@ -1492,7 +1492,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
- - id: 12116
+ - id: 12113
 title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'"
 description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware."
 rationale: "This opt-in feature is free and could prevent malicious software from being installed."
@@ -1505,7 +1505,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1'
- - id: 12117
+ - id: 12114
 title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
 description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server."
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
@@ -1518,7 +1518,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
- - id: 12118
+ - id: 12115
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
 description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
@@ -1531,7 +1531,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- - id: 12119
+ - id: 12116
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes"
@@ -1544,7 +1544,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
- - id: 12120
+ - id: 12117
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
@@ -1557,7 +1557,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
- - id: 12121
+ - id: 12118
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
@@ -1570,7 +1570,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
- - id: 12122
+ - id: 12119
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
@@ -1583,7 +1583,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
- - id: 12123
+ - id: 12120
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
@@ -1596,7 +1596,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
- - id: 12124
+ - id: 12121
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds"
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
@@ -1609,7 +1609,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
- - id: 12125
+ - id: 12122
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
@@ -1622,7 +1622,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
- - id: 12126
+ - id: 12123
 title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
 description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
 rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
@@ -1635,7 +1635,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
- - id: 12127
+ - id: 12124
 title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
 description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
 rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system."
@@ -1648,7 +1648,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
- - id: 12128
+ - id: 12125
 title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
 description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
 rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
@@ -1661,7 +1661,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
- - id: 12129
+ - id: 12126
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
 description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
@@ -1674,7 +1674,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
- - id: 12130
+ - id: 12127
 title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
 description: "Although this legacy setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
 rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
@@ -1687,7 +1687,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
- - id: 12131
+ - id: 12128
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
 description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
@@ -1700,7 +1700,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
- - id: 12132
+ - id: 12129
 title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'"
 description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing"
 rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
@@ -1715,7 +1715,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
- - id: 12133
+ - id: 12130
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
 description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled."
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
@@ -1728,7 +1728,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
- - id: 12134
+ - id: 12131
 title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
 rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
@@ -1741,7 +1741,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
- - id: 12135
+ - id: 12132
 title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'"
 description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services.  Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.  Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.  Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled."
 rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent."
@@ -1754,7 +1754,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
- - id: 12136
+ - id: 12133
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
 description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
@@ -1767,7 +1767,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
- - id: 12137
+ - id: 12134
 title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
 description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled."
 rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
@@ -1780,7 +1780,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
- - id: 12138
+ - id: 12135
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
 description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
@@ -1793,7 +1793,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
- - id: 12139
+ - id: 12136
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The \"Do not apply during periodic background processing\" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart."
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1806,7 +1806,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
- - id: 12140
+ - id: 12137
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed."
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
@@ -1819,7 +1819,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
- - id: 12141
+ - id: 12138
 title: "Ensure 'Continue experiences on this device' is set to 'Disabled'"
 description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences)."
 rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
@@ -1832,7 +1832,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
- - id: 12142
+ - id: 12139
 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
 description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers."
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1845,7 +1845,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
- - id: 12143
+ - id: 12140
 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
 description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application."
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
@@ -1858,7 +1858,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
- - id: 12145
+ - id: 12141
 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
 description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet."
 rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
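Review bot: The description and rationale that follow the new `- id: 12140` describe a Store-service file-association control, not the HTTP print-driver download that the title and the `DisableWebPnPDownload` rule (context of the second hunk on this line) check, so the prose appears to have been copied from a different check and the renumbering leaves it in place. A report reader would be told why the Store is risky while the failing setting is driver download over HTTP. I would replace the description with a one-sentence statement of the actual control, e.g. `description: "This policy setting controls whether the computer can download print driver packages over HTTP. The recommended state for this setting is: Enabled."`, and rewrite the rationale around unprotected HTTP transport, as the neighbouring 'Turn off printing over HTTP' check (new id 12141, second hunk on this line) already does.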
@@ -1871,7 +1871,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
- - id: 12146
+ - id: 12142
 title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
 description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
@@ -1884,7 +1884,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
- - id: 12147
+ - id: 12143
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen."
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
@@ -1897,7 +1897,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
- - id: 12148
+ - id: 12144
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 description: "This policy setting prevents connected users from being enumerated on domain-joined computers."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -1910,7 +1910,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
- - id: 12149
+ - id: 12145
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 description: "This policy setting allows local users to be enumerated on domain-joined computers."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -1923,7 +1923,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
- - id: 12150
+ - id: 12146
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 description: "This policy setting allows you to prevent app notifications from appearing on the lock screen."
 rationale: "App notifications might display sensitive business or personal data"
@@ -1936,7 +1936,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
- - id: 12151
+ - id: 12147
 title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled."
 rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
@@ -1949,7 +1949,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
- - id: 12152
+ - id: 12148
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work."
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
@@ -1962,7 +1962,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
- - id: 12153
+ - id: 12149
 title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
 description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
 rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
@@ -1975,7 +1975,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
- - id: 12154
+ - id: 12150
 title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
 description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
 rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
@@ -1988,7 +1988,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
- - id: 12155
+ - id: 12151
 title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
 description: "Dictates whether or not Windows is allowed to use standby states when sleeping the computer."
 rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)."
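Review bot: The description and rationale following the new `- id: 12151` ('Require a password when a computer wakes (on battery)') discuss whether Windows may use the S1-S3 standby states, which is a different control from prompting for a password on wake; the sibling plugged-in check that becomes 12152 in the next hunk carries the matching text, `description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep."`. The rule itself, the `0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1` context line of the following hunk, appears to check the password-on-wake setting, so only the prose looks misattributed. I would copy the description and rationale from the plugged-in check and adjust the 'plugged in' wording to 'on battery', rather than leave text that justifies a different hardening item; the renumbering commit does not touch these lines.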
@@ -2001,7 +2001,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
- - id: 12156
+ - id: 12152
 title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
 description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep."
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
@@ -2014,7 +2014,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
- - id: 12157
+ - id: 12153
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests."
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
@@ -2027,7 +2027,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
- - id: 12158
+ - id: 12154
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer."
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
@@ -2040,7 +2040,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
- - id: 12159
+ - id: 12155
 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
 description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers."
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
@@ -2053,7 +2053,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
- - id: 12160
+ - id: 12156
 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
 description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'"
 rationale: "Unauthenticated RPC communication can create a security vulnerability."
@@ -2066,7 +2066,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
- - id: 12161
+ - id: 12157
 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
 description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it"
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
@@ -2079,7 +2079,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
- - id: 12162
+ - id: 12158
 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
 description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones"
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -2092,7 +2092,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
- - id: 12163
+ - id: 12159
 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
 description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog"
@@ -2105,7 +2105,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
- - id: 12164
+ - id: 12160
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
 description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -2118,7 +2118,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff'
- - id: 12165
+ - id: 12161
 title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
 description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it."
 rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
@@ -2131,7 +2131,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
- - id: 12166
+ - id: 12162
 title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
 description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account."
 rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
@@ -2144,7 +2144,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
- - id: 12167
+ - id: 12163
 title: "Ensure 'Require pin for pairing' is set to 'Enabled'"
 description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device."
 rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
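Review bot: In the first hunk on this line (check 12161, NoDriveTypeAutoRun) both context rules write the separator as `Explorer-> NoDriveTypeAutoRun` with no space before `->`, unlike every other rule in the file, which uses ` -> `. If the rule parser splits on the spaced ` -> ` token, the registry path would be read as `...\Policies\Explorer-> NoDriveTypeAutoRun` and the check would never find the key; the renumbering does not touch these lines. Consider normalising both to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `... -> NoDriveTypeAutoRun -> ff'`. The check's condition line lies outside the hunk, so whether a non-match fails or silently passes the check cannot be told from here.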
@@ -2157,7 +2157,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
- - id: 12168
+ - id: 12164
 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
 description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences."
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
@@ -2170,7 +2170,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
- - id: 12169
+ - id: 12165
 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
 description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application."
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
@@ -2183,7 +2183,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
- - id: 12170
+ - id: 12166
 title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'"
 description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
@@ -2196,7 +2196,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
- - id: 12172
+ - id: 12167
 title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
 description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft."
 rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
@@ -2209,7 +2209,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
- - id: 12173
+ - id: 12168
 title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
 description: "This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under \"Get Insider builds,\" and enable users to make their devices available for downloading and installing Windows preview software."
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
@@ -2222,7 +2222,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
- - id: 12174
+ - id: 12169
 title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
 description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead."
 rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
@@ -2235,7 +2235,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
 - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
- - id: 12175
+ - id: 12170
 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2248,7 +2248,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
- - id: 12176
+ - id: 12171
 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2261,7 +2261,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 12177
+ - id: 12172
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2274,7 +2274,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
- - id: 12178
+ - id: 12173
 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2287,7 +2287,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
- - id: 12179
+ - id: 12174
 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2300,7 +2300,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
- - id: 12180
+ - id: 12175
 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -2313,7 +2313,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 12181
+ - id: 12176
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2326,7 +2326,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
- - id: 12182
+ - id: 12177
 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -2339,7 +2339,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 12183
+ - id: 12178
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
 description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer."
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
@@ -2352,7 +2352,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
- - id: 12184
+ - id: 12179
 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
 description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this."
 rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
@@ -2365,7 +2365,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
- - id: 12185
+ - id: 12180
 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
@@ -2378,7 +2378,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
- - id: 12186
+ - id: 12181
 title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
 description: "By default, users can add their computer to a HomeGroup on a home network."
 rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
@@ -2391,7 +2391,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
- - id: 12187
+ - id: 12182
 title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
 description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs."
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
@@ -2404,7 +2404,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
- - id: 12188
+ - id: 12183
 title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
 description: "This setting lets you configure how your company deals with cookies. The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark."
 rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking"
@@ -2417,7 +2417,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$'
- - id: 12189
+ - id: 12184
 title: "Ensure 'Configure Password Manager' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager."
 rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
@@ -2430,7 +2430,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no'
- - id: 12190
+ - id: 12185
 title: "Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'"
 description: "This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content."
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run."
@@ -2443,7 +2443,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1'
- - id: 12191
+ - id: 12186
 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
 description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client."
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
@@ -2456,7 +2456,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
- - id: 12192
+ - id: 12187
 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
 description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer."
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts"
@@ -2469,7 +2469,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- - id: 12193
+ - id: 12188
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
@@ -2482,7 +2482,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1'
- - id: 12194
+ - id: 12189
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
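Review bot: The value rule that closes the 'Do not allow drive redirection' check (the two context lines at the top of this hunk) reads `fDisableCdma -> 1` while the presence rule on the line above and the policy it implements use `fDisableCdm`, so the value comparison names a registry value that the presence rule does not, and the hunk renumbers the following check without correcting it. The check's `condition` line is outside the hunk; if it is `all` the check can never pass on a hardened host, and if it is `any` it passes as soon as the key exists, whatever the value, which is a false negative for the control. Change the second rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'`. The enclosing check (whose id line precedes the hunk) starts outside the hunk.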
@@ -2495,7 +2495,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- - id: 12195
+ - id: 12190
 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
 description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests."
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
@@ -2508,7 +2508,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
- - id: 12196
+ - id: 12191
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -2521,7 +2521,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- - id: 12197
+ - id: 12192
 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
 description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff."
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
@@ -2534,7 +2534,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
- - id: 12198
+ - id: 12193
 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
 description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session."
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
@@ -2547,7 +2547,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
- - id: 12199
+ - id: 12194
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer."
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
@@ -2560,7 +2560,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
- - id: 12200
+ - id: 12195
 title: "Ensure 'Allow Cortana' is set to 'Disabled'"
 description: "This policy setting specifies whether Cortana is allowed on the device"
 rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
@@ -2573,7 +2573,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
- - id: 12201
+ - id: 12196
 title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
 description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked."
 rationale: "Access to any computer resource should not be allowed when the device is locked."
@@ -2586,7 +2586,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
- - id: 12202
+ - id: 12197
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files."
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
@@ -2599,7 +2599,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
- - id: 12203
+ - id: 12198
 title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
 description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results."
 rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out"
@@ -2612,7 +2612,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
- - id: 12204
+ - id: 12199
 title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
 description: "This setting enables or disables the automatic download and installation of Windows Store app updates."
 rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
@@ -2625,7 +2625,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
- - id: 12205
+ - id: 12200
 title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
 description: "Enables or disables the Windows Store offer to update to the latest version of Windows."
 rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
@@ -2638,7 +2638,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
- - id: 12206
+ - id: 12201
 title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This setting can only be set by Group Policy."
 rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
@@ -2651,7 +2651,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
- - id: 12207
+ - id: 12202
 title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
 description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus."
 rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
@@ -2664,7 +2664,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
- - id: 12208
+ - id: 12203
 title: "Ensure 'Scan removable drives' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan."
 rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
@@ -2677,7 +2677,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
- - id: 12209
+ - id: 12204
 title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
 description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac)."
 rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
@@ -2690,7 +2690,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
- - id: 12210
+ - id: 12205
 title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
 description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules."
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
@@ -2703,7 +2703,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
- - id: 12211
+ - id: 12206
 title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
 description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes)"
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
@@ -2736,7 +2736,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
- - id: 12212
+ - id: 12207
 title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
 description: "This policy setting controls Windows Defender Exploit Guard network protection."
 rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
@@ -2749,7 +2749,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
- - id: 12213
+ - id: 12208
 title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
 description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software."
 rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
@@ -2762,7 +2762,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
- - id: 12214
+ - id: 12209
 title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
 description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center."
 rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
@@ -2775,7 +2775,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
- - id: 12215
+ - id: 12210
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
@@ -2790,7 +2790,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
- - id: 12216
+ - id: 12211
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
 description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software."
 rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
@@ -2803,7 +2803,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
- - id: 12217
+ - id: 12212
 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'"
 description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files."
 rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
@@ -2816,7 +2816,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1'
- - id: 12218
+ - id: 12213
 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'"
 description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites."
 rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
@@ -2829,7 +2829,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
- - id: 12219
+ - id: 12214
 title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
 description: "This setting enables or disables the Windows Game Recording and Broadcasting features."
 rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern."
@@ -2842,7 +2842,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
- - id: 12220
+ - id: 12215
 title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
 description: "This policy setting determines whether Windows Ink items are allowed above the lock screen."
 rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
@@ -2855,7 +2855,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
- - id: 12221
+ - id: 12216
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user."
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
@@ -2868,7 +2868,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1'
- - id: 12222
+ - id: 12217
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
@@ -2881,7 +2881,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- - id: 12223
+ - id: 12218
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system."
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
@@ -2894,7 +2894,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
- - id: 12224
+ - id: 12219
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log."
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
@@ -2907,7 +2907,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
- - id: 12225
+ - id: 12220
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts."
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
@@ -2920,7 +2920,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01'
- - id: 12226
+ - id: 12221
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2933,7 +2933,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
- - id: 12227
+ - id: 12222
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2946,7 +2946,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
- - id: 12228
+ - id: 12223
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication."
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2959,7 +2959,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
- - id: 12229
+ - id: 12224
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2972,7 +2972,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
- - id: 12230
+ - id: 12225
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
@@ -2985,7 +2985,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
- - id: 12231
+ - id: 12226
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2998,7 +2998,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
- - id: 12232
+ - id: 12227
 title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
 description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software."
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
@@ -3013,7 +3013,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
- - id: 12233
+ - id: 12228
 title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
 description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.  Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.  Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment."
 rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. 
In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
@@ -3030,7 +3030,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32'
- - id: 12234
+ - id: 12229
 title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
 description: "This settings controls when Quality Updates are received."
 rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
@@ -3045,7 +3045,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
- - id: 12235
+ - id: 12230
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))"
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -3058,7 +3058,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1'
- - id: 12236
+ - id: 12231
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
 description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -3071,7 +3071,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
- - id: 12237
+ - id: 12232
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
From aca8896b8e345a381d3af3d096e13881b09951d2 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 19 Jun 2019 12:03:37 +0200
Subject: [PATCH 109/247] Change some checks to the other file, depending if they are L1 or L2
---
 sca/windows/cis_win10_enterprise_L2_rcl.yml | 89 +++++++-
 sca/windows/cis_win2012r2_domainL1_rcl.yml | 241 +++++++++++++------
 sca/windows/cis_win2012r2_domainL2_rcl.yml | 145 +++---------
 3 files changed, 272 insertions(+), 203 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index 1a247496a..cbbd56c6c 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -37,6 +37,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
@@ -50,6 +51,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
@@ -63,8 +65,9 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> r:^(\d+) compare >= 1'
 # 5 System Services
 - id: 12503
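Review bot: The rewritten ForceKeyProtection rule at the end of the @@ -63,8 +65,9 hunk writes the numeric comparison with an `r:` prefix, `-> ForceKeyProtection -> r:^(\d+) compare >= 1`, while every other numeric comparison in this file uses `n:` (`CachedLogonsCount -> n:^(\d+) compare <= 4` in the hunk just above, `MaxIdleTime -> n:^(\d+) compare <= 900000` further down). Under `r:` the text `compare >= 1` is presumably part of the regular expression rather than an operator, so the rule would only match that literal string and the check would fail on compliant hosts. Suggested line: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> n:^(\d+) compare >= 1'`.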
@@ -77,6 +80,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4'
@@ -90,6 +94,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
@@ -381,7 +386,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4'
 # 18.1 Control Panel
- - id: 12527
+ - id: 12527 ##################
 title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
 description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -391,6 +396,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
@@ -407,6 +413,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
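Review bot: The only change to the id line in the @@ -381,7 +386,7 hunk is a trailing run of hash characters, `- id: 12527 ##################`, which reads as a work-in-progress marker rather than a comment and tells the next maintainer nothing. The same markers are appended to ids 12561, 12563, 12571 and 12578 in later hunks of this file. Either drop them (`- id: 12527`) or turn each into a comment that states why the check was marked, e.g. `- id: 12527  # TODO(review): <reason this check was flagged>`.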
@@ -422,6 +429,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
@@ -437,6 +445,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
@@ -452,6 +461,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
@@ -467,6 +477,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
@@ -481,6 +492,7 @@ checks:
 - cis_csc: "3, 13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
@@ -494,6 +506,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
@@ -513,6 +526,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
@@ -532,6 +546,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
@@ -545,6 +560,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
@@ -558,6 +574,7 @@ checks:
 - cis_csc: "15.4, 15.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
@@ -579,6 +596,7 @@ checks:
 - cis_csc: "15.4, 15.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
@@ -593,6 +611,7 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
@@ -606,6 +625,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
@@ -619,6 +639,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
@@ -632,6 +653,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
@@ -644,6 +666,7 @@ checks:
 - cis: "18.8.22.1.8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
@@ -657,6 +680,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
@@ -670,6 +694,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
@@ -683,6 +708,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
@@ -696,6 +722,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
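Review bot: The key-existence rule added in the @@ -644,6 +666,7 hunk, `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, copies a path that omits the `SOFTWARE` component; every other policy path in this file sits under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`, and the two NoRegistration context rules below it carry the same truncated path. With `condition: all`, a key that never exists makes the check fail on every host regardless of its configuration, so the new rule entrenches the problem instead of surfacing it. Suggested path for all three rules: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control`. The check's id and title start above the hunk.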
@@ -709,6 +736,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
@@ -722,10 +750,12 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
 - id: 12551
 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
@@ -737,6 +767,7 @@ checks:
 - cis_csc: "1.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
@@ -752,6 +783,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
@@ -765,6 +797,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
@@ -778,6 +811,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
@@ -791,6 +825,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
@@ -804,6 +839,7 @@ checks:
 - cis_csc: "6.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
@@ -817,6 +853,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
@@ -831,6 +868,7 @@ checks:
 - cis_csc: "14.4, 14.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
@@ -844,6 +882,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
@@ -857,10 +896,11 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
- - id: 12561
+ - id: 12561 ##########
 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
 description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
@@ -870,6 +910,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
@@ -883,10 +924,11 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
- - id: 12563
+ - id: 12563 #######
 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
 description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -896,6 +938,7 @@ checks:
 - cis_csc: "9.1, 9.2, 13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
@@ -909,6 +952,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
@@ -922,6 +966,7 @@ checks:
 - cis_csc: "7.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
@@ -935,6 +980,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
@@ -948,6 +994,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
@@ -961,6 +1008,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0'
@@ -974,6 +1022,7 @@ checks:
 - cis_csc: "3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1'
@@ -987,10 +1036,11 @@ checks:
 - cis_csc: "7.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1'
- - id: 12571
+ - id: 12571 #########
 title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'"
 description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
@@ -1000,6 +1050,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
@@ -1012,8 +1063,9 @@ checks:
 - cis: "18.9.58.3.2.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 0'
 - id: 12573
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
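Review bot: The expected value for fDenyTSConnections is flipped from 1 to 0 in the @@ -1012,8 +1063,9 hunk with no visible change to the check's title or description, which start above the hunk. The value name is a deny flag (1 refuses Remote Desktop connections, 0 permits them), so if this is the CIS 18.9.58.3.2.1 recommendation that remote connections be 'Disabled', the new line passes exactly the non-compliant state and fails hosts that follow the benchmark. Please confirm the intended state against the title and remediation; if the check enforces 'Disabled', the rule should remain `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'`.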
@@ -1025,6 +1077,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
@@ -1038,6 +1091,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
@@ -1051,6 +1105,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
@@ -1066,8 +1121,9 @@ checks:
 - https://workbench.cisecurity.org/benchmarks/766
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
 - id: 12577
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
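Review bot: The rewritten MaxIdleTime rule in the @@ -1066,8 +1121,9 hunk, `n:^(\d+) compare <= 900000`, also accepts 0, and for this setting 0 is the 'Never' option (no idle time limit), so the least restrictive configuration satisfies a check meant to enforce a 15-minute-or-less limit. Because the check uses `condition: all`, a second rule on the same value closes the gap: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare > 0'`. Separately, 900000 is written in decimal while another DWORD expectation in this file is written in hex (`KeepAliveTime -> 493e0` in the @@ -422,6 +429,7 hunk); only one of the two forms can match however the agent renders the value, so the radix should be confirmed and made consistent across the file. The check's id and title start above the hunk.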
@@ -1079,10 +1135,11 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
- - id: 12578
+ - id: 12578 ############
 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
 description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -1092,6 +1149,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
@@ -1104,6 +1162,7 @@ checks:
 - cis: "18.9.65.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
@@ -1117,8 +1176,9 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 0'
 - id: 12581
 title: "Ensure 'Turn off the Store application' is set to 'Enabled'"
@@ -1133,6 +1193,7 @@ checks:
 - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
@@ -1145,6 +1206,7 @@ checks:
 - cis: "18.9.76.3.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
@@ -1158,6 +1220,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
@@ -1171,6 +1234,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
@@ -1184,6 +1248,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
@@ -1197,6 +1262,7 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
@@ -1210,6 +1276,7 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index d26c26883..f95d04041 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -116,20 +116,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - id: 8006 - title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." - rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" - compliance: - - cis: "2.3.4.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - - - id: 8007 title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. 
If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group." 
@@ -143,7 +129,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0' - - id: 8008 + - id: 8007 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. 
To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." @@ -159,7 +145,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2' - - id: 8009 + - id: 8008 title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack." 
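Review bot: Renumbering `- id: 8008` to `- id: 8007` (and every following check down by one) reassigns IDs that have already been emitted in SCA results: 8007 previously identified 'Domain controller: Allow server operators to schedule tasks' and now identifies 'Domain controller: LDAP server signing requirements', so alert correlation, dashboards, suppressions or tickets keyed on check IDs silently change meaning after the policy update. Check IDs in these policies are the stable handle downstream tooling uses; the removal of 8006 above should leave a gap rather than shift the numbering, and new checks should take unused IDs. If the renumbering is deliberate, it should be called out in the commit message and in the policy header so consumers can remap historical results.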
@@ -173,7 +159,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0' - - id: 8010 + - id: 8009 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
@@ -187,7 +173,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' - - id: 8011 + - id: 8010 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
@@ -201,7 +187,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - - id: 8012 + - id: 8011 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
@@ -215,7 +201,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' - - id: 8013 + - id: 8012 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." 
@@ -229,7 +215,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - - id: 8014 + - id: 8013 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)" 
@@ -243,7 +229,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' - - id: 8015 + - id: 8014 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." 
@@ -257,7 +243,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' - - id: 8016 + - id: 8015 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." @@ -271,7 +257,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - - id: 8017 + - id: 8016 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." 
@@ -286,7 +272,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' - - id: 8018 + - id: 8017 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
@@ -300,7 +286,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' - - id: 8019 + - id: 8018 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
@@ -314,7 +300,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - - id: 8020 + - id: 8019 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -328,7 +314,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - - id: 8021 + - id: 8020 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -342,7 +328,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - id: 8022 + - id: 8021 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
@@ -356,7 +342,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - id: 8023 + - id: 8022 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
@@ -371,7 +357,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - id: 8024 + - id: 8023 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -385,7 +371,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - id: 8025 + - id: 8024 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -399,7 +385,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - id: 8026 + - id: 8025 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
@@ -413,6 +399,21 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' +# Section 2.3 - Security Options + - id: 8026 + title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." + rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication" + compliance: + - cis: "2.3.10.4" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' + - id: 8027 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." 
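Review bot: The new check takes `- id: 8026`, which until this commit identified 'Microsoft network server: Disconnect clients when logon hours expire' (renumbered to 8025 in the hunk just above), so historical SCA results for 8026 now point at a different control; allocate a fresh, unused ID for the added check instead of reusing a number freed by the shift. The `# Section 2.3 - Security Options` comment is inserted immediately before the 2.3.10.4 item rather than at the first Security Options check (the 'Domain controller' and 'Domain member' items earlier in the file presumably belong to the same section), so it misleads about where the section starts — move it above the first 2.3 check or drop it. The rule set itself (`Control\Lsa -> DisableDomainCreds -> 1`) appears consistent with the 'Enabled' state the description calls for.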
@@ -496,6 +497,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' + - id: 8033 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." 
@@ -1473,7 +1475,50 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
+# Section 18.8 - System
 - id: 8101
+ title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+ rationale: "Users might download drivers that include malicious code."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.1"
+ - cis_csc: "2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+ - id: 8102
+ title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+ description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+ rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.5"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
+
+ - id: 8103
+ title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+ description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
+ rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance:
+ - cis: "18.8.22.1.6"
+ - cis_csc: "13.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
+
+ - id: 8104
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
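Review bot: The `remediation` strings of the three new checks (8101, 8102, 8103) run the Group Policy UI path straight into the trailing "Note:" sentence with no separator, so the path's last element reads as `...Turn off downloading of print drivers over HTTP Note: This Group Policy path...` and an operator copying the path from an alert gets the word "Note" attached to it; end the path with a period before the note, e.g. `...Turn off downloading of print drivers over HTTP. Note: This Group Policy path is provided...`, and likewise for 8102 and 8103. The same fusion appears in the remediation strings of the new 8109 and 8110 checks in the later `@@ -1542,7 +1587,36 @@` hunk. Separately, the `# Section 18.8 - System` header is placed after the `DisableBkGndGroupPolicy` check rather than before it; if that check is also an 18.8.x item (its compliance ids are above the hunk), the header should move up so the section comment covers it. Check 8104, whose `- id:` line is added here, continues past the end of the hunk.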
@@ -1487,7 +1532,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' - - id: 8102 + - id: 8105 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." @@ -1501,7 +1546,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' - - id: 8103 + - id: 8106 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." 
@@ -1515,7 +1560,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' - - id: 8104 + - id: 8107 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." rationale: "App notifications might display sensitive business or personal data." @@ -1529,7 +1574,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' - - id: 8105 + - id: 8108 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." 
@@ -1542,7 +1587,36 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
- - id: 8106
+
+ - id: 8109
+ title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+ description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.33.6.1"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
+
+ - id: 8110
+ title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+ description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.33.6.2"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
+
+ - id: 8111
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
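Review bot: The `rationale` of the new check 8110 carries a trailing space inside the quoted string (`...before they can access the system. "`), while the otherwise identical rationale of 8109 two blocks above ends cleanly at `system."`; trim it so the two strings match and the text emitted in scan results has no dangling whitespace. Both checks key on the same `PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51` subkey and differ only in `DCSettingIndex` versus `ACSettingIndex`, so a reviewer comparing them will otherwise see a spurious difference. Check 8111, whose `- id:` line is added at the end of the hunk, continues past it.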
@@ -1556,7 +1630,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - - id: 8107 + - id: 8112 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." @@ -1571,7 +1645,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' # Section 18.9 - Windows Components - - id: 8108 + - id: 8113 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled." rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." 
@@ -1585,7 +1659,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' - - id: 8109 + - id: 8114 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." @@ -1599,7 +1673,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - - id: 8110 + - id: 8115 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog." 
@@ -1613,7 +1687,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' - - id: 8111 + - id: 8116 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." @@ -1627,7 +1701,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' - - id: 8112 + - id: 8117 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen." 
@@ -1641,7 +1715,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' - - id: 8113 + - id: 8118 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts." @@ -1655,7 +1729,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' - - id: 8114 + - id: 8119 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1669,7 +1743,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' - - id: 8115 + - id: 8120 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1683,7 +1757,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8116 + - id: 8121 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1697,7 +1771,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' - - id: 8117 + - id: 8122 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1711,7 +1785,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' - - id: 8118 + - id: 8123 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1725,7 +1799,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' - - id: 8119 + - id: 8124 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" @@ -1739,7 +1813,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8120 + - id: 8125 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1753,7 +1827,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0' - - id: 8121 + - id: 8126 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" @@ -1767,7 +1841,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8122 + - id: 8127 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware." 
@@ -1781,7 +1855,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' - - id: 8123 + - id: 8128 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." 
@@ -1795,7 +1869,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' - - id: 8124 + - id: 8129 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." @@ -1809,7 +1883,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' - - id: 8125 + - id: 8130 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." 
@@ -1823,7 +1897,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - - id: 8126 + - id: 8131 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." 
@@ -1837,7 +1911,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - - id: 8127 + - id: 8132 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." 
@@ -1850,7 +1924,8 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' - - id: 8128 + + - id: 8133 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." 
@@ -1864,7 +1939,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - - id: 8129 + - id: 8134 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." @@ -1878,7 +1953,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' - - id: 8130 + - id: 8135 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." 
@@ -1892,7 +1967,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' - - id: 8131 + - id: 8136 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system." @@ -1906,7 +1981,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' - - id: 8132 + - id: 8137 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session." 
@@ -1920,7 +1995,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' - - id: 8133 + - id: 8138 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent." @@ -1934,7 +2009,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' - - id: 8134 + - id: 8139 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files." 
@@ -1948,7 +2023,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' - - id: 8135 + - id: 8140 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it." @@ -1962,7 +2037,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2' - - id: 8136 + - id: 8141 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically." 
@@ -1976,7 +2051,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1' - - id: 8137 + - id: 8142 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone." 
@@ -1990,7 +2065,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0' - - id: 8138 + - id: 8143 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise." 
@@ -2004,7 +2079,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' - - id: 8139 + - id: 8144 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." 
@@ -2018,7 +2093,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - - id: 8140 + - id: 8145 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." 
@@ -2032,7 +2107,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' - - id: 8141 + - id: 8146 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled." 
@@ -2046,7 +2121,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' - - id: 8142 + - id: 8147 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." @@ -2060,7 +2135,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' - - id: 8143 + - id: 8148 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2074,7 +2149,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' - - id: 8144 + - id: 8149 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." @@ -2088,7 +2163,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' - - id: 8145 + - id: 8150 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2102,7 +2177,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' - - id: 8146 + - id: 8151 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." @@ -2116,7 +2191,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' - - id: 8147 + - id: 8152 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." 
@@ -2130,7 +2205,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' - - id: 8148 + - id: 8153 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." 
@@ -2144,7 +2219,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' - - id: 8149 + - id: 8154 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." @@ -2158,7 +2233,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - - id: 8150 + - id: 8155 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
@@ -2172,7 +2247,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
 
- - id: 8151
+ - id: 8156
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml
index 8f11c0f79..efe34aa3b 100644
--- a/sca/windows/cis_win2012r2_domainL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml
@@ -28,20 +28,19 @@ requirements:
 - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
 
 checks:
-# Section 2.3 - Security Options
 - id: 8500
- title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
- rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
+ description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+ rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. 
However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: "2.3.4.2"
+ - cis_csc: "5.1"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
 
 # Section 18.4 - MSS (Legacy)
 - id: 8501
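Review bot: Check id 8500 is kept while its content is swapped from 'Network access: Do not allow storage of passwords and credentials for network authentication' (DisableDomainCreds, cis 2.3.10.4) to 'Devices: Prevent users from installing printer drivers' (AddPrinterDrivers, cis 2.3.4.2), so any stored SCA result or dashboard that correlates by policy and check id now silently refers to a different control; the same id reuse happens where the former 8512 body lands under `- id: 8511` and the former 8517 body under `- id: 8514` in the later hunks of this file. If the DisableDomainCreds check is not carried by another policy, this L2 profile loses its coverage of cis 2.3.10.4; I cannot tell from this diff whether it was moved rather than dropped. The `# Section 2.3 - Security Options` heading is removed although the replacement check is still a 2.3.x control, while `# Section 18.4 - MSS (Legacy)` stays above 8501; restoring `# Section 2.3 - Security Options` above `- id: 8500` keeps the section comments consistent.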
@@ -213,22 +212,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 
-# Section 18.8 - System
 - id: 8511
- title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
- description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
- rationale: "Users might download drivers that include malicious code."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
-
- - id: 8512
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. 
The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." @@ -242,7 +226,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' - - id: 8513 + - id: 8512 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." 
@@ -256,7 +240,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' - - id: 8514 + - id: 8513 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled." rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." 
@@ -270,35 +254,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
 
- - id: 8515
- title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
- description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
- rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
-
- - id: 8516
- title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
- description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
- rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "13.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
-
- - id: 8517
+ - id: 8514
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
@@ -311,7 +267,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
- - id: 8518
+ - id: 8515
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
@@ -325,7 +281,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- - id: 8519
+ - id: 8516
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
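Review bot: The two context rules of the first hunk read `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, which lacks the `SOFTWARE\` component every other policy path in this file carries; HKLM has no top-level Policies key, so these rules cannot match and the check will report failed on every host whatever NoRegistration is set to. The commit only renumbers the following check, but it is worth fixing the path while touching the area: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'` plus the matching `-> NoRegistration -> 1` line. Confirm the key against the benchmark's audit procedure for 18.8.22.1.8 before changing it, and apply the same fix to the identical rules in cis_win10_enterprise_L2_rcl.yml further down this patch.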
@@ -339,7 +295,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' - - id: 8520 + - id: 8517 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." @@ -353,7 +309,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' - - id: 8521 + - id: 8518 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." 
@@ -367,7 +323,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' - - id: 8522 + - id: 8519 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." @@ -381,7 +337,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' - - id: 8523 + - id: 8520 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." 
@@ -395,7 +351,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' - - id: 8524 + - id: 8521 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled." rationale: "This is a way to increase the security of the system account." 
@@ -409,35 +365,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' - - id: 8525 - title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." - rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.33.6.1" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' - - - id: 8526 - title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." 
- rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. " - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.33.6.2" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' - - - id: 8527 + - id: 8522 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." 
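Review bot: Checks 8525 and 8526 (`Require a password when a computer wakes`, CIS 18.8.33.6.1 and 18.8.33.6.2) are deleted and `- id: 8522` is reused for the MSDT check, yet nothing in this patch adds those two controls anywhere else, so coverage of a control that protects unattended machines from walk-up access is lost unless the companion policy file already carries them; please confirm. If the removal is part of the L1/L2 split, naming the destination file in the commit message would make the move auditable. The reused ids from 8522 onward now denote different controls than before the commit, which breaks anything keyed on the old ids; leaving gaps instead of renumbering avoids that.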
@@ -451,7 +379,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' - - id: 8528 + - id: 8523 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled." rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended." @@ -465,7 +393,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' - - id: 8529 + - id: 8524 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'" description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled." rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising." 
@@ -479,7 +407,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' - - id: 8530 + - id: 8525 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'" description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled." rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events." @@ -494,7 +422,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' # Section 18.9 - System - - id: 8531 + - id: 8526 title: "Ensure 'Turn off location' is set to 'Enabled'" description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled." rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." 
@@ -508,7 +436,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' - - id: 8532 + - id: 8527 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user." @@ -521,7 +449,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1' - - id: 8533 + - id: 8528 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." 
@@ -535,7 +463,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' - - id: 8534 + - id: 8529 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." @@ -549,7 +477,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' - - id: 8535 + - id: 8530 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." 
@@ -563,7 +491,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' - - id: 8536 + - id: 8531 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service." 
@@ -579,7 +507,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
- - id: 8537
+ - id: 8532
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
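Review bot: `MaxIdleTime -> n:^(\d+) compare <= 900000` assumes the agent reports REG_DWORD values in decimal, while other DWORD checks in this same patch compare against hex strings (`KeepAliveTime -> 493e0` and `DisabledComponents -> ff` in the Windows 10 L2 file), and only one of the two conventions can match what the agent actually emits. If DWORDs come back as hex, `^(\d+)` does not even match a typical compliant value such as `dbba0` (900000 ms) and the check fails on hardened hosts; if they come back as decimal, the hex-based checks never pass. The same question applies to `MaxDisconnectionTime -> 60000` in the next hunk. Confirm the format against the agent's registry reader and normalise every DWORD comparison in these policies to the convention it actually uses.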
@@ -593,7 +521,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
- - id: 8538
+ - id: 8533
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
 description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
@@ -607,7 +535,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
- - id: 8539
+ - id: 8534
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
@@ -620,7 +548,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' - - id: 8540 + - id: 8535 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. 
However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." @@ -633,8 +561,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' - - - id: 8541 + - id: 8536 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." @@ -648,7 +575,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' - - id: 8542 + - id: 8537 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." 
@@ -662,7 +589,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' - - id: 8543 + - id: 8538 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." From 0e458feb0b7ff904937c2ea52e8fea936262a5c2 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 19 Jun 2019 12:05:52 +0200 Subject: [PATCH 110/247] Revert "Change some checks to the other file, depending if they are L1 or L2" This reverts commit aca8896b8e345a381d3af3d096e13881b09951d2. --- sca/windows/cis_win10_enterprise_L2_rcl.yml | 89 +------- sca/windows/cis_win2012r2_domainL1_rcl.yml | 241 +++++++------------- sca/windows/cis_win2012r2_domainL2_rcl.yml | 145 +++++++++--- 3 files changed, 203 insertions(+), 272 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml index cbbd56c6c..1a247496a 100644 --- a/sca/windows/cis_win10_enterprise_L2_rcl.yml +++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml 
@@ -37,7 +36,6 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
@@ -51,7 +50,6 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
@@ -65,9 +63,8 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> r:^(\d+) compare >= 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0'
 # 5 System Services
 - id: 12503
@@ -80,7 +77,6 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4'
@@ -94,7 +90,6 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
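Review bot: The restored rule `ForceKeyProtection -> 0` (third hunk) passes only when the value is 0, which is the weakest setting of 'System cryptography: Force strong key protection for user keys' (0 = no user input when keys are stored or used, 1 = prompt on first use, 2 = password on every use); the benchmark's recommended state for this control is a password on every use, i.e. 2, so as written the check marks the insecure state compliant and a hardened host failed. The line being reverted was also malformed (`r:^(\d+) compare >= 1` pairs the regex prefix with a numeric compare, whereas the CachedLogonsCount rule in the previous hunk uses `n:`), so neither side of the revert tests the right thing. Suggest `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 2'` (or `-> n:^(\d+) compare >= 2` if a minimum is meant), and confirm against the check's title and CIS reference, both of which are outside this hunk.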
@@ -386,7 +381,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4' # 18.1 Control Panel - - id: 12527 ################## + - id: 12527 title: "Ensure 'Allow Online Tips' is set to 'Disabled'" description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." @@ -396,7 +391,6 @@ checks: - cis_csc: "9.1" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0' @@ -413,7 +407,6 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1' @@ -429,7 +422,6 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0' 
@@ -445,7 +437,6 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' @@ -461,7 +452,6 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' @@ -477,7 +467,6 @@ checks: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' @@ -492,7 +481,6 @@ checks: - cis_csc: "3, 13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0' @@ -506,7 +494,6 @@ checks: - cis_csc: "9" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet' 
@@ -526,7 +513,6 @@ checks: - cis_csc: "9" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet' @@ -546,7 +532,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' @@ -560,7 +545,6 @@ checks: - cis_csc: "9" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff' @@ -574,7 +558,6 @@ checks: - cis_csc: "15.4, 15.5" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar' @@ -596,7 +579,6 @@ checks: - cis_csc: "15.4, 15.5" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' 
@@ -611,7 +593,6 @@ checks: - cis_csc: "2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1' @@ -625,7 +606,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' @@ -639,7 +619,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' @@ -653,7 +632,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' @@ -666,7 +644,6 @@ checks: - cis: "18.8.22.1.8" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' 
@@ -680,7 +657,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' @@ -694,7 +670,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' @@ -708,7 +683,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' @@ -722,7 +696,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' @@ -736,7 +709,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' 
@@ -750,12 +722,10 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1' - id: 12551 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" @@ -767,7 +737,6 @@ checks: - cis_csc: "1.6" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled' @@ -783,7 +752,6 @@ checks: - cis_csc: "16.5" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' 
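Review bot: The new expected values `Windows Error Reporting -> Disabled -> 0` and `PCHealth\ErrorReporting -> DoReport -> 1` describe error reporting being switched on, whereas the rest of this patch encodes the compliant state as the expected value (for example `fDenyTSConnections -> 1` in the Terminal Services hunk further down). The check's title sits outside the hunk, but if it is the CIS "Turn off Windows Error Reporting" = Enabled item, the compliant registry state is `Disabled = 1` and `DoReport = 0`, i.e. exactly the two lines this hunk removes. Confirm against the benchmark before merging, since a pass here would otherwise mean telemetry is being sent.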
@@ -797,7 +765,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' @@ -811,7 +778,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' @@ -825,7 +791,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' @@ -839,7 +804,6 @@ checks: - cis_csc: "6.1" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' @@ -853,7 +817,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0' 
@@ -868,7 +831,6 @@ checks: - cis_csc: "14.4, 14.6" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0' @@ -882,7 +844,6 @@ checks: - cis_csc: "7" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1' @@ -896,11 +857,10 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0' - - id: 12561 ########## + - id: 12561 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage." rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis." 
@@ -910,7 +870,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1' @@ -924,11 +883,10 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' - - id: 12563 ####### + - id: 12563 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled." rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information." @@ -938,7 +896,6 @@ checks: - cis_csc: "9.1, 9.2, 13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0' @@ -952,7 +909,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0' 
@@ -966,7 +922,6 @@ checks: - cis_csc: "7.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0' @@ -980,7 +935,6 @@ checks: - cis_csc: "7" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0' @@ -994,7 +948,6 @@ checks: - cis_csc: "7" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes' @@ -1008,7 +961,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0' @@ -1022,7 +974,6 @@ checks: - cis_csc: "3" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1' 
@@ -1036,11 +987,10 @@ checks: - cis_csc: "7.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1' - - id: 12571 ######### + - id: 12571 title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'" description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled." rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." @@ -1050,7 +1000,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1' @@ -1063,9 +1012,8 @@ checks: - cis: "18.9.58.3.2.1" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1' - id: 12573 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" 
@@ -1077,7 +1025,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' @@ -1091,7 +1038,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' @@ -1105,7 +1051,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' @@ -1121,9 +1066,8 @@ checks: - https://workbench.cisecurity.org/benchmarks/766 condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15' - id: 12577 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" 
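Review bot: `MaxIdleTime -> n:^(\d+) compare <= 15` compares the raw registry value, which is stored in milliseconds: the sibling check 12577 immediately below still expects `MaxDisconnectionTime -> 60000` for its "1 minute" limit, and the removed line used `900000` for 15 minutes. With `<= 15` a host configured to the recommended 15 minutes (900000) fails, and only a value of 15 ms or less passes. Keep `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'` and, if the unit is easy to misread, add `# value is in milliseconds (15 minutes)` above it.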
@@ -1135,11 +1079,10 @@ checks: - cis_csc: "16.5" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' - - id: 12578 ############ + - id: 12578 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." @@ -1149,7 +1092,6 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0' @@ -1162,7 +1104,6 @@ checks: - cis: "18.9.65.1" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' 
@@ -1176,9 +1117,8 @@ checks: - cis_csc: "2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1' - id: 12581 title: "Ensure 'Turn off the Store application' is set to 'Enabled'" @@ -1193,7 +1133,6 @@ checks: - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1' @@ -1206,7 +1145,6 @@ checks: - cis: "18.9.76.3.2" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' @@ -1220,7 +1158,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' 
@@ -1234,7 +1171,6 @@ checks: - cis_csc: "13" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0' @@ -1248,7 +1184,6 @@ checks: - cis_csc: "7" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' @@ -1262,7 +1197,6 @@ checks: - cis_csc: "3.4" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' @@ -1276,7 +1210,6 @@ checks: - cis_csc: "3.4" condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index f95d04041..d26c26883 100644 --- a/sca/windows/cis_win2012r2_domainL1_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml 
@@ -116,6 +116,20 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - id: 8006 + title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." + rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" + compliance: + - cis: "2.3.4.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' + + - id: 8007 title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. 
If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group." 
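Review bot: The new check 8006 keeps a bare key-existence rule (`'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'`) ahead of the value rules, while every other hunk in this patch removes exactly that kind of line and relies on the `-> AddPrinterDrivers -> 1` rule to imply the key exists. Unless this file is intentionally left on the old rule style, drop the first rule and keep only the two `-> AddPrinterDrivers` lines so both policies read the same way. The title, description, rationale and remediation of the new check are complete; nothing further to document.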
@@ -129,7 +143,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0' - - id: 8007 + - id: 8008 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. 
To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." @@ -145,7 +159,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2' - - id: 8008 + - id: 8009 title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack." 
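Review bot: Inserting 8006 and shifting every following check (8007→8008 here, then 8008→8009 through 8013→8014 in the hunks below, and presumably the rest of the file beyond the view) changes the identifier of checks that are already deployed, so anything keyed on the old ids — stored scan results, dashboards, suppressions — will silently point at a different rule after the upgrade. If check ids are meant to be stable, give the new printer-driver check an unused id at the end of the range and leave the existing numbering alone. If the renumbering is deliberate, the commit description should say so, since nothing in the diff explains it.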
@@ -159,7 +173,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0' - - id: 8009 + - id: 8010 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
@@ -173,7 +187,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' - - id: 8010 + - id: 8011 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
@@ -187,7 +201,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - - id: 8011 + - id: 8012 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
@@ -201,7 +215,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' - - id: 8012 + - id: 8013 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." 
@@ -215,7 +229,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - - id: 8013 + - id: 8014 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)" 
@@ -229,7 +243,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' - - id: 8014 + - id: 8015 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." 
@@ -243,7 +257,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' - - id: 8015 + - id: 8016 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." @@ -257,7 +271,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - - id: 8016 + - id: 8017 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." 
@@ -272,7 +286,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' - - id: 8017 + - id: 8018 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
@@ -286,7 +300,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' - - id: 8018 + - id: 8019 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
@@ -300,7 +314,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - - id: 8019 + - id: 8020 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -314,7 +328,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - - id: 8020 + - id: 8021 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -328,7 +342,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - id: 8021 + - id: 8022 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
@@ -342,7 +356,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - id: 8022 + - id: 8023 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
@@ -357,7 +371,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - id: 8023 + - id: 8024 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -371,7 +385,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - id: 8024 + - id: 8025 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -385,7 +399,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - id: 8025 + - id: 8026 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
@@ -399,21 +413,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' -# Section 2.3 - Security Options - - id: 8026 - title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" - description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." - rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication" - compliance: - - cis: "2.3.10.4" - - cis_csc: "16.14" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' - - id: 8027 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." 
@@ -497,7 +496,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' - - id: 8033 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." 
@@ -1475,50 +1473,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' -# Section 18.8 - System - id: 8101 - title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" - description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." - rationale: "Users might download drivers that include malicious code." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.8.22.1.1" - - cis_csc: "2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' - - - id: 8102 - title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" - description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." 
- rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.8.22.1.5" - - cis_csc: "7" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' - - - id: 8103 - title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" - description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." - rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." - compliance: - - cis: "18.8.22.1.6" - - cis_csc: "13.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' - - - id: 8104 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled." rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." 
@@ -1532,7 +1487,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' - - id: 8105 + - id: 8102 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." @@ -1546,7 +1501,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' - - id: 8106 + - id: 8103 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." 
@@ -1560,7 +1515,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' - - id: 8107 + - id: 8104 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." rationale: "App notifications might display sensitive business or personal data." @@ -1574,7 +1529,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' - - id: 8108 + - id: 8105 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." 
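Review bot: The renumbering to `- id: 8104` for 'Turn off app notifications on the lock screen' in the first hunk appears to collide with the 'Do not display network selection UI' check, which the preceding deletion hunk leaves as unchanged context still carrying `- id: 8104`, so the new policy would hold two checks under one id unless that check is renumbered elsewhere in the patch. SCA check ids are the key under which results are reported, so a duplicate would make the two results indistinguishable (one presumably shadows the other) and it also breaks the otherwise contiguous 8102, 8103, 8104, 8105 sequence this patch is building. The intent seems to be for the network-selection-UI check to take the slot freed by the removed 8101–8103 checks: change its line to `  - id: 8101` in that earlier hunk and leave this hunk's `- id: 8104` as is. A `grep -c 'id: 8104'` on the patched file should then return 1.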
@@ -1587,36 +1542,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' - - - id: 8109 - title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." - rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.33.6.1" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' - - - id: 8110 - title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." 
- rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. " - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." - compliance: - - cis: "18.8.33.6.2" - - cis_csc: "16.5" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' - - - id: 8111 + - id: 8106 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." 
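Review bot: The blank line that separated the last `AllowDomainPINLogon -> 0` rule from the next check is deleted together with the two Power-management checks, so the renumbered `- id: 8106` block now abuts the previous check's rules; this is inferred from the hunk counts (36 old lines to 7 new) and the lone removed-blank markers in front of the deleted `- id: 8109` and `- id: 8111`, so please confirm. Every other check in this file is separated by exactly one blank line, and the -497 hunk performs the same squeeze at the `NullSessionShares` / `- id: 8033` boundary, so the separators should be restored (an empty line before `  - id: 8106` and before `  - id: 8033`) to keep the file consistent and cleanly diffable. Separately, dropping the two 'Require a password when a computer wakes' checks (CIS 18.8.33.6.1/2) with no replacement is a coverage reduction that the commit does not explain; a one-line justification in the commit message would help whoever audits this policy later.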
@@ -1630,7 +1556,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - - id: 8112 + - id: 8107 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." @@ -1645,7 +1571,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' # Section 18.9 - Windows Components - - id: 8113 + - id: 8108 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled." rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." 
@@ -1659,7 +1585,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' - - id: 8114 + - id: 8109 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." @@ -1673,7 +1599,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - - id: 8115 + - id: 8110 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog." 
@@ -1687,7 +1613,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
 
- - id: 8116
+ - id: 8111
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
 description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -1701,7 +1627,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255'
 
- - id: 8117
+ - id: 8112
 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
 description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
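Review bot: The two `NoDriveTypeAutoRun` rules in the second hunk are written `Explorer-> NoDriveTypeAutoRun` with no space before the arrow, unlike every other registry rule in this file, which uses ` -> `. If the SCA engine splits key, value and content on the spaced ` -> ` token (which the rest of the file's syntax suggests, though the parser is not visible here), the whole string is taken as the key path, the key is never found, and the "Turn off Autoplay" check (renumbered 8111 in the first hunk) can never pass on a correctly configured host. Since the commit already touches this check, the fix is cheap: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'`. The check these rules belong to begins before this hunk.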
@@ -1715,7 +1641,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' - - id: 8118 + - id: 8113 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts." @@ -1729,7 +1655,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' - - id: 8119 + - id: 8114 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1743,7 +1669,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' - - id: 8120 + - id: 8115 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1757,7 +1683,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8121 + - id: 8116 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1771,7 +1697,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' - - id: 8122 + - id: 8117 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1785,7 +1711,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' - - id: 8123 + - id: 8118 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1799,7 +1725,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' - - id: 8124 + - id: 8119 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" @@ -1813,7 +1739,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8125 + - id: 8120 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1827,7 +1753,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0' - - id: 8126 + - id: 8121 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" @@ -1841,7 +1767,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8127 + - id: 8122 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware." 
@@ -1855,7 +1781,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 
- - id: 8128
+ - id: 8123
 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
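Review bot: The description and rationale under the renumbered check 8123 ("Turn off heap termination on corruption") are the shell-protocol-protected-mode text that appears verbatim again under 8124 in the following hunk, so the documentation describes a different control than the one the `NoHeapTerminationOnCorruption` rules test. Since the commit already edits this check, the copy-paste should be fixed at the same time: the description should state that the setting controls whether File Explorer is terminated when heap corruption is detected instead of continuing to run (kept only for legacy plug-ins), with the recommended state Disabled, and the rationale should say that continuing execution on a corrupted heap is a memory-safety risk that the termination behaviour is meant to stop. I am paraphrasing the control from its title and registry value rather than from a benchmark text visible here, so the exact wording should be confirmed against the CIS entry. The check's remediation and rules lie outside the hunk.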
@@ -1869,7 +1795,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' - - id: 8129 + - id: 8124 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." @@ -1883,7 +1809,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' - - id: 8130 + - id: 8125 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." 
@@ -1897,7 +1823,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - - id: 8131 + - id: 8126 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." 
@@ -1911,7 +1837,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - - id: 8132 + - id: 8127 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." 
@@ -1924,8 +1850,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
-
- - id: 8133
+ - id: 8128
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -1939,7 +1864,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - - id: 8134 + - id: 8129 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." @@ -1953,7 +1878,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' - - id: 8135 + - id: 8130 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." 
@@ -1967,7 +1892,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' - - id: 8136 + - id: 8131 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system." @@ -1981,7 +1906,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' - - id: 8137 + - id: 8132 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session." 
@@ -1995,7 +1920,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' - - id: 8138 + - id: 8133 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent." @@ -2009,7 +1934,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' - - id: 8139 + - id: 8134 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files." 
@@ -2023,7 +1948,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' - - id: 8140 + - id: 8135 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it." @@ -2037,7 +1962,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2' - - id: 8141 + - id: 8136 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically." 
@@ -2051,7 +1976,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1' - - id: 8142 + - id: 8137 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone." 
@@ -2065,7 +1990,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0' - - id: 8143 + - id: 8138 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise." 
@@ -2079,7 +2004,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' - - id: 8144 + - id: 8139 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." 
@@ -2093,7 +2018,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - - id: 8145 + - id: 8140 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." 
@@ -2107,7 +2032,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' - - id: 8146 + - id: 8141 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled." 
@@ -2121,7 +2046,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' - - id: 8147 + - id: 8142 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." @@ -2135,7 +2060,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' - - id: 8148 + - id: 8143 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2149,7 +2074,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' - - id: 8149 + - id: 8144 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." @@ -2163,7 +2088,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' - - id: 8150 + - id: 8145 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2177,7 +2102,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' - - id: 8151 + - id: 8146 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." @@ -2191,7 +2116,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' - - id: 8152 + - id: 8147 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." 
@@ -2205,7 +2130,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' - - id: 8153 + - id: 8148 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." 
@@ -2219,7 +2144,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' - - id: 8154 + - id: 8149 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." @@ -2233,7 +2158,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - - id: 8155 + - id: 8150 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
@@ -2247,7 +2172,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' - - id: 8156 + - id: 8151 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml index efe34aa3b..8f11c0f79 100644 --- a/sca/windows/cis_win2012r2_domainL2_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml 
@@ -28,19 +28,20 @@ requirements:
 - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
 checks:
+# Section 2.3 - Security Options
 - id: 8500
- title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
- description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
- rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+ title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
+ description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+ rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: "2.3.10.4"
+ - cis_csc: "16.14"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
 # Section 18.4 - MSS (Legacy)
 - id: 8501
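Review bot: Check id 8500 is repurposed in place — the 2.3.4.2 printer-driver control is deleted and its id reused for 2.3.10.4 (`DisableDomainCreds`), so any alert, exception list or report that stored id 8500 will now point at a different control under the same number. If 2.3.4.2 was dropped because it belongs to the Level 1 profile, it is worth confirming that the L1 policy file still carries it; otherwise that hardening coverage is lost silently. Giving the new control a fresh id and removing the old block outright would keep the id-to-control mapping stable and make the diff read as the replacement it is rather than as an edit. The three new rules follow the file's existing key / value / `-> 1` pattern with `condition: all`, which is consistent with the surrounding checks.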
@@ -212,7 +213,22 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' +# Section 18.8 - System - id: 8511 + title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." + rationale: "Users might download drivers that include malicious code." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.1" + - cis_csc: "2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' + + - id: 8512 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. 
The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." @@ -226,7 +242,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' - - id: 8512 + - id: 8513 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." 
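Review bot: Inserting the new print-driver check as id 8511 shifts every later check in this file by one (8512→8513 through 8528→8533 in the following hunks), and the first file's hunks renumber in the opposite direction (8145→8140 through 8156→8151), so a consumer keyed on a check id — a dashboard, an alert rule, an accepted-risk list — will now refer to a different control without any signal that the mapping changed. Appending new checks with ids above the current highest in the file and leaving existing ids untouched avoids that; if the renumbering is deliberate, the policy metadata (out of view here) should be bumped so the change is detectable. The new check's rules themselves match the `Windows NT\Printers -> DisableWebPnPDownload -> 1` pattern used elsewhere in the file, and the added `# Section 18.8 - System` comment is a useful orientation aid.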
@@ -240,7 +256,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' - - id: 8513 + - id: 8514 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled." rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." 
@@ -254,7 +270,35 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' - - id: 8514 + - id: 8515 + title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." + rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.5" + - cis_csc: "7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' + + - id: 8516 + title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." 
+ rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.6" + - cis_csc: "13.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' + + - id: 8517 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled." rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process." 
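Review bot: In the remediation strings of the new checks 8515 and 8516 (and likewise 8511 and 8525/8526 in the neighbouring hunks) the Group Policy UI path runs straight into `Note: This Group Policy path ...` with no separator, so the rendered text reads `...online ordering wizards Note: This Group Policy path...` and an operator cannot tell where the path ends. Closing the path with a period before the note, e.g. `...Turn off Internet download for Web publishing and online ordering wizards. Note: This Group Policy path is provided by ...`, keeps the path unambiguous and copy-pasteable. Both checks otherwise follow the established three-rule key / value / `-> 1` pattern with `condition: all`.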
@@ -267,7 +311,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' - - id: 8515 + - id: 8518 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." @@ -281,7 +325,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' - - id: 8516 + - id: 8519 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'" description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled." rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." 
@@ -295,7 +339,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' - - id: 8517 + - id: 8520 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." @@ -309,7 +353,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' - - id: 8518 + - id: 8521 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." 
@@ -323,7 +367,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' - - id: 8519 + - id: 8522 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." @@ -337,7 +381,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' - - id: 8520 + - id: 8523 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." 
@@ -351,7 +395,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' - - id: 8521 + - id: 8524 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled." rationale: "This is a way to increase the security of the system account." 
@@ -365,7 +409,35 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' - - id: 8522 + - id: 8525 + title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." + rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.33.6.1" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' + + - id: 8526 + title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." 
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. " + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.33.6.2" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' + + - id: 8527 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." 
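Review bot: The rationale of check 8526 ends with a trailing space inside the quotes (`...before they can access the system. "`) that the otherwise identical 8525 string does not have; it should read `"...before they can access the system."` so the two values stay byte-identical and the stray whitespace does not end up in reports. The description is also copied verbatim between the two checks, so only the title says which power state is meant — repeating "(on battery)" / "(plugged in)" in the description would help a reader who sees the description alone. The only functional difference between the two is `DCSettingIndex` versus `ACSettingIndex` under the same power-settings GUID, which matches the battery / plugged-in split the titles describe.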
@@ -379,7 +451,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' - - id: 8523 + - id: 8528 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled." rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended." @@ -393,7 +465,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' - - id: 8524 + - id: 8529 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'" description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled." rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising." 
@@ -407,7 +479,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' - - id: 8525 + - id: 8530 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'" description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled." rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events." @@ -422,7 +494,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' # Section 18.9 - System - - id: 8526 + - id: 8531 title: "Ensure 'Turn off location' is set to 'Enabled'" description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled." rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." 
@@ -436,7 +508,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' - - id: 8527 + - id: 8532 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user." @@ -449,7 +521,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1' - - id: 8528 + - id: 8533 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." 
@@ -463,7 +535,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' - - id: 8529 + - id: 8534 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." @@ -477,7 +549,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' - - id: 8530 + - id: 8535 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." 
@@ -491,7 +563,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' - - id: 8531 + - id: 8536 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service." 
@@ -507,7 +579,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - - id: 8532 + - id: 8537 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated." 
@@ -521,7 +593,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' - - id: 8533 + - id: 8538 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'" description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info." rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security." @@ -535,7 +607,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3' - - id: 8534 + - id: 8539 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled." rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments." 
@@ -548,7 +620,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' - - id: 8535 + - id: 8540 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. 
However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." @@ -561,7 +633,8 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' - - id: 8536 + + - id: 8541 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." @@ -575,7 +648,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' - - id: 8537 + - id: 8542 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." 
@@ -589,7 +662,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
- - id: 8538
+ - id: 8543
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
From 2400f64f1babadb0da0df8889d15f139ba4824fe Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 19 Jun 2019 12:14:20 +0200
Subject: [PATCH 111/247] Fix typo
---
 sca/windows/cis_win10_enterprise_L2_rcl.yml | 89 ++++++++++++++++++---
 1 file changed, 78 insertions(+), 11 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index 1a247496a..1a97611df 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -37,6 +37,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
@@ -50,6 +51,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
@@ -63,8 +65,9 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> n:^(\d+) compare >= 1'
 # 5 System Services
 - id: 12503
@@ -77,6 +80,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4'
@@ -90,6 +94,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
@@ -381,7 +386,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4'
 # 18.1 Control Panel
- - id: 12527
+ - id: 12527 ##################
 title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
 description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -391,6 +396,7 @@ checks:
 - cis_csc: "9.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
@@ -407,6 +413,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
@@ -422,6 +429,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
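Review bot: The id line in hunk `@@ -381,7 +386,7 @@` gains a trailing run of hash marks, `- id: 12527 ##################`, and the same pattern is added to ids 12561, 12563 and 12571 in the later hunks of this patch. YAML parses the run as a comment, so the policy still loads, but it carries no information and reads as a leftover work-in-progress marker that would otherwise ship in the released ruleset. The four lines should be restored to their bare form, e.g. `- id: 12527`, before merge.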
@@ -437,6 +445,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
@@ -452,6 +461,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
@@ -467,6 +477,7 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
@@ -481,6 +492,7 @@ checks:
 - cis_csc: "3, 13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
@@ -494,6 +506,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
@@ -513,6 +526,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
@@ -532,6 +546,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
@@ -545,6 +560,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
@@ -558,6 +574,7 @@ checks:
 - cis_csc: "15.4, 15.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
@@ -579,6 +596,7 @@ checks:
 - cis_csc: "15.4, 15.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
@@ -593,6 +611,7 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
@@ -606,6 +625,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
@@ -619,6 +639,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
@@ -632,6 +653,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
@@ -644,6 +666,7 @@ checks:
 - cis: "18.8.22.1.8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
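Review bot: The key-existence rule added in hunk `@@ -644,6 +666,7 @@` copies a registry path that is missing its `SOFTWARE\` component: `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`. Every other policy path in this file lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\...`, and the CIS 18.8.22.1.8 control this check is tagged with is published against `HKLM\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control:NoRegistration`, so with the shorter path none of the three rules should match on a host hardened through Group Policy and the check would report a failure regardless of the real state. The two pre-existing rules carry the same path, so the fix is to prefix all three with `SOFTWARE\`, starting with `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'` and the matching `-> NoRegistration` and `-> NoRegistration -> 1` lines. The check's title and description start before the hunk and are not visible here.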
@@ -657,6 +680,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
@@ -670,6 +694,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
@@ -683,6 +708,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
@@ -696,6 +722,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
@@ -709,6 +736,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
@@ -722,10 +750,12 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
 - id: 12551
 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
@@ -737,6 +767,7 @@ checks:
 - cis_csc: "1.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
@@ -752,6 +783,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
@@ -765,6 +797,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
@@ -778,6 +811,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
@@ -791,6 +825,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
@@ -804,6 +839,7 @@ checks:
 - cis_csc: "6.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
@@ -817,6 +853,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
@@ -831,6 +868,7 @@ checks:
 - cis_csc: "14.4, 14.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
@@ -844,6 +882,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
@@ -857,10 +896,11 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
- - id: 12561
+ - id: 12561 ##########
 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
 description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
@@ -870,6 +910,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
@@ -883,10 +924,11 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
- - id: 12563
+ - id: 12563 #######
 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
 description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -896,6 +938,7 @@ checks:
 - cis_csc: "9.1, 9.2, 13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
@@ -909,6 +952,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
@@ -922,6 +966,7 @@ checks: - cis_csc: "7.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0' @@ -935,6 +980,7 @@ checks: - cis_csc: "7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0' @@ -948,6 +994,7 @@ checks: - cis_csc: "7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes' @@ -961,6 +1008,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0' @@ -974,6 +1022,7 @@ checks: - cis_csc: "3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1' 
@@ -987,10 +1036,11 @@ checks: - cis_csc: "7.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1' - - id: 12571 + - id: 12571 ######### title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'" description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled." rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." @@ -1000,6 +1050,7 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1' @@ -1012,8 +1063,9 @@ checks: - cis: "18.9.58.3.2.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 0' - id: 12573 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" 
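Review bot: The expected value of `fDenyTSConnections` is changed from 1 to 0 in the last rule of the `@@ -1012` hunk, which inverts what the check accepts: under `condition: all` it now passes only when the value is 0, i.e. when Remote Desktop connections are not denied. The check's title lies outside the hunk, but its `cis: "18.9.58.3.2.1"` tag is, as far as I recall, the benchmark item that wants 'Allow users to connect remotely by using Remote Desktop Services' set to Disabled, for which the registry value is 1. Unless the title was also changed to expect the setting Enabled, the rule should stay `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 1'`.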
@@ -1025,6 +1077,7 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' @@ -1038,6 +1091,7 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' @@ -1051,6 +1105,7 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' @@ -1066,8 +1121,9 @@ checks: - https://workbench.cisecurity.org/benchmarks/766 condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 15' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - id: 12577 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" 
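Review bot: `n:^(\d+) compare <= 900000` in the last rule of the `@@ -1066` hunk also accepts a `MaxIdleTime` of 0, and 0 in this registry value means the idle limit is disabled, so a host with no idle timeout passes the check. The same "but not 0" case is handled elsewhere in these policies with an explicit exclusion rule of the form `'not r:<key> -> <value> -> 0'`, and that pattern fits here: add `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'` before the compare rule. Moving the bound from 15 to 900000 itself looks right, since the value is stored in milliseconds, but the check's title is outside the hunk so I cannot confirm the intended limit.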
@@ -1079,10 +1135,11 @@ checks: - cis_csc: "16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' - - id: 12578 + - id: 12578 ############ title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." @@ -1092,6 +1149,7 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0' @@ -1104,6 +1162,7 @@ checks: - cis: "18.9.65.1" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' 
@@ -1117,8 +1176,9 @@ checks: - cis_csc: "2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 0' - id: 12581 title: "Ensure 'Turn off the Store application' is set to 'Enabled'" @@ -1133,6 +1193,7 @@ checks: - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1' @@ -1145,6 +1206,7 @@ checks: - cis: "18.9.76.3.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' @@ -1158,6 +1220,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' 
@@ -1171,6 +1234,7 @@ checks: - cis_csc: "13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0' @@ -1184,6 +1248,7 @@ checks: - cis_csc: "7" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' @@ -1197,6 +1262,7 @@ checks: - cis_csc: "3.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' @@ -1210,6 +1276,7 @@ checks: - cis_csc: "3.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' From eeb72d5b2236c0f2f3179869edfa6df9461902b9 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 19 Jun 2019 12:20:00 +0200 Subject: [PATCH 112/247] Add changes for Domain L1 and L2 policies --- sca/windows/cis_win2012r2_domainL1_rcl.yml | 241 ++++++++++++++------- sca/windows/cis_win2012r2_domainL2_rcl.yml | 145 +++---------- 2 files changed, 194 insertions(+), 192 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index d26c26883..f95d04041 100644 
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -116,20 +116,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - id: 8006 - title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." - rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" - compliance: - - cis: "2.3.4.2" - - cis_csc: "5.1" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - - - id: 8007 title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. 
If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group." 
@@ -143,7 +129,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0' - - id: 8008 + - id: 8007 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. 
To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." @@ -159,7 +145,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2' - - id: 8009 + - id: 8008 title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack." 
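Review bot: Renumbering `- id: 8008` to `- id: 8007` in the `@@ -143` hunk collides with the check that kept id 8007: the AT-schedule check (the `SubmitControl` rules above this hunk) gets no `+ - id:` line anywhere in the first hunk of this file, so after this commit the file either has two checks with id 8007 or that check has lost its id line — the collapsed hunk does not let me tell which, but both break the policy. More generally, shifting every later id down by one (this hunk through the `8023` → `8022` change at the end of the visible diff) changes which control each id denotes, so anything keyed on these ids (stored scan results, alert filters) silently points at a different check. If ids are meant to be stable, keep the gap left by the removed 8006 and leave the remaining ids as they were.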
@@ -173,7 +159,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
- - id: 8010
+ - id: 8009
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -187,7 +173,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
- - id: 8011
+ - id: 8010
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -201,7 +187,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
- - id: 8012
+ - id: 8011
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -215,7 +201,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
- - id: 8013
+ - id: 8012
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
@@ -229,7 +215,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
- - id: 8014
+ - id: 8013
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
@@ -243,7 +229,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
- - id: 8015
+ - id: 8014
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
@@ -257,7 +243,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
- - id: 8016
+ - id: 8015
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
@@ -271,7 +257,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
- - id: 8017
+ - id: 8016
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
 description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
@@ -286,7 +272,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
- - id: 8018
+ - id: 8017
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
@@ -300,7 +286,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
- - id: 8019
+ - id: 8018
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
@@ -314,7 +300,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
- - id: 8020
+ - id: 8019
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -328,7 +314,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
- - id: 8021
+ - id: 8020
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -342,7 +328,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - id: 8022 + - id: 8021 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
@@ -356,7 +342,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - id: 8023 + - id: 8022 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
@@ -371,7 +357,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - id: 8024 + - id: 8023 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -385,7 +371,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - id: 8025 + - id: 8024 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -399,7 +385,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - id: 8026 + - id: 8025 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
@@ -413,6 +399,21 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' +# Section 2.3 - Security Options + - id: 8026 + title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." + rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication" + compliance: + - cis: "2.3.10.4" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' + - id: 8027 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." 
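Review bot: The new `# Section 2.3 - Security Options` comment is placed right before id 8026, but the checks directly above it (8019–8025, the "Microsoft network client/server" SMB signing settings) appear to belong to the same CIS section 2.3, so the header lands in the middle of the section and reads as if the SMB checks were elsewhere. A narrower label such as `# Section 2.3.10 - Network access` would match the `cis: "2.3.10.4"` tag this check carries, or the comment should move up to the first 2.3 check; if an earlier 2.3 header already exists above the SMB checks, this one duplicates it. The check itself follows the file's existing three-rule pattern (key present, value present, value equals 1) under `condition: all`, consistent with its neighbours.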
@@ -496,6 +497,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' + - id: 8033 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." 
@@ -1473,7 +1475,50 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0' +# Section 18.8 - System - id: 8101 + title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" + description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." + rationale: "Users might download drivers that include malicious code." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.1" + - cis_csc: "2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' + + - id: 8102 + title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." 
+ rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.5" + - cis_csc: "7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' + + - id: 8103 + title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." + rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.6" + - cis_csc: "13.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' + + - id: 8104 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled." rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." 
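Review bot: Inserting 8101–8103 ahead of the existing "Do not display network selection UI" check shifts every later id (that check becomes 8104 here, and the following hunks renumber 8102→8105 through 8122→8127, with a further shift once 8109/8110 are added). SCA results are stored per check id, so any previously recorded result, alert filter or dashboard keyed on those ids would now point at a different check after this policy is deployed; appending new checks with fresh ids after the last existing one would avoid that churn. If the renumbering is deliberate, stating it in the commit description would help anyone reconciling old and new results. The three new checks themselves use the file's usual key/value/value-equals rule triplet, and the `cis_csc` tags (`"2"`, `"7"`, `"13.1"`) are quoted strings like the rest of the file.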
@@ -1487,7 +1532,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1' - - id: 8102 + - id: 8105 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." @@ -1501,7 +1546,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1' - - id: 8103 + - id: 8106 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." 
@@ -1515,7 +1560,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0' - - id: 8104 + - id: 8107 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." rationale: "App notifications might display sensitive business or personal data." @@ -1529,7 +1574,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1' - - id: 8105 + - id: 8108 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." 
@@ -1542,7 +1587,36 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0' - - id: 8106 + + - id: 8109 + title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" + description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." + rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.33.6.1" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1' + + - id: 8110 + title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" + description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." 
+ rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. " + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.33.6.2" + - cis_csc: "16.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1' + + - id: 8111 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." 
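Review bot: The rationale for id 8110 ends with a trailing space inside the quoted string (`...before they can access the system. "`), which the otherwise identical rationale of 8109 does not have; it should read `rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."` so both checks render the same text. The `DCSettingIndex` and `ACSettingIndex` value names under the same power-setting GUID line up with the battery/plugged-in split in the two titles, and the blank line added before `- id: 8111` keeps the separator convention used between checks elsewhere in the file.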
@@ -1556,7 +1630,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - - id: 8107 + - id: 8112 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." @@ -1571,7 +1645,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' # Section 18.9 - Windows Components - - id: 8108 + - id: 8113 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled." rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." 
@@ -1585,7 +1659,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' - - id: 8109 + - id: 8114 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." @@ -1599,7 +1673,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - - id: 8110 + - id: 8115 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog." 
@@ -1613,7 +1687,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' - - id: 8111 + - id: 8116 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." @@ -1627,7 +1701,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' - - id: 8112 + - id: 8117 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen." 
@@ -1641,7 +1715,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' - - id: 8113 + - id: 8118 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts." @@ -1655,7 +1729,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' - - id: 8114 + - id: 8119 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1669,7 +1743,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' - - id: 8115 + - id: 8120 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1683,7 +1757,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' - - id: 8116 + - id: 8121 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1697,7 +1771,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' - - id: 8117 + - id: 8122 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -1711,7 +1785,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' - - id: 8118 + - id: 8123 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -1725,7 +1799,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
- - id: 8119
+ - id: 8124
 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -1739,7 +1813,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 8120
+ - id: 8125
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1753,7 +1827,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
- - id: 8121
+ - id: 8126
 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -1767,7 +1841,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 8122
+ - id: 8127
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
 description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
@@ -1781,7 +1855,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
- - id: 8123
+ - id: 8128
 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
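Review bot: The description and rationale of check 8128, 'Turn off heap termination on corruption', describe the shell protocol protected mode setting ("configure the amount of functionality that the shell protocol can have", "Limiting the opening of files and folders to a limited set") and are word-for-word the text of the following check 8129, so they do not match this check's title or the NoHeapTerminationOnCorruption value its rules read in the next hunk. This is pre-existing context rather than something the commit changed, but since the commit already touches this check it is the natural place to fix it. The description should instead describe the heap-termination-on-corruption policy itself (from the title, a Disabled state appears to keep Explorer's behaviour of terminating when heap corruption is detected; confirm against the benchmark text) and the rationale should state why that behaviour is the safer one, rather than the attack-surface sentence about folder access.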
@@ -1795,7 +1869,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
- - id: 8124
+ - id: 8129
 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
@@ -1809,7 +1883,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
- - id: 8125
+ - id: 8130
 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
 description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
@@ -1823,7 +1897,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
- - id: 8126
+ - id: 8131
 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
 description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
@@ -1837,7 +1911,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- - id: 8127
+ - id: 8132
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
@@ -1850,7 +1924,8 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
- - id: 8128
+
+ - id: 8133
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -1864,7 +1939,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- - id: 8129
+ - id: 8134
 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
 description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
@@ -1878,7 +1953,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
- - id: 8130
+ - id: 8135
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -1892,7 +1967,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- - id: 8131
+ - id: 8136
 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
 description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
@@ -1906,7 +1981,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
- - id: 8132
+ - id: 8137
 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
 description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
@@ -1920,7 +1995,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
- - id: 8133
+ - id: 8138
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
@@ -1934,7 +2009,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
- - id: 8134
+ - id: 8139
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
@@ -1948,7 +2023,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
- - id: 8135
+ - id: 8140
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
@@ -1962,7 +2037,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
- - id: 8136
+ - id: 8141
 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
 description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
@@ -1976,7 +2051,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
- - id: 8137
+ - id: 8142
 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
 description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
@@ -1990,7 +2065,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
- - id: 8138
+ - id: 8143
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
@@ -2004,7 +2079,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
- - id: 8139
+ - id: 8144
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
@@ -2018,7 +2093,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- - id: 8140
+ - id: 8145
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
@@ -2032,7 +2107,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
- - id: 8141
+ - id: 8146
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
@@ -2046,7 +2121,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
- - id: 8142
+ - id: 8147
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
@@ -2060,7 +2135,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
- - id: 8143
+ - id: 8148
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2074,7 +2149,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
- - id: 8144
+ - id: 8149
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2088,7 +2163,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
- - id: 8145
+ - id: 8150
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2102,7 +2177,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
- - id: 8146
+ - id: 8151
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2116,7 +2191,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
- - id: 8147
+ - id: 8152
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2130,7 +2205,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
- - id: 8148
+ - id: 8153
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
@@ -2144,7 +2219,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
- - id: 8149
+ - id: 8154
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -2158,7 +2233,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
- - id: 8150
+ - id: 8155
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
 description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -2172,7 +2247,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
- - id: 8151
+ - id: 8156
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml
index 8f11c0f79..efe34aa3b 100644
--- a/sca/windows/cis_win2012r2_domainL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml
@@ -28,20 +28,19 @@ requirements:
 - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'

 checks:
-# Section 2.3 - Security Options
 - id: 8500
- title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
- rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
+ description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+ rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. 
However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: "2.3.4.2"
+ - cis_csc: "5.1"
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'

 # Section 18.4 - MSS (Legacy)
 - id: 8501
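Review bot: The `# Section 2.3 - Security Options` header is deleted even though the check that now occupies id 8500 is still a Section 2.3 control (`cis: "2.3.4.2"`), so the header should be kept as `# Section 2.3 - Security Options`; the next hunk does the same with `# Section 18.8 - System` while the handwriting checks that follow it stay in place. Separately, id 8500 now names a different control than before (printer-driver installation instead of credential storage), and the remaining hunks in this file shift ids 8513–8542 down by one to five, so that 8512, for example, moves from handwriting data sharing to handwriting error reporting. If anything downstream keys on these ids (stored scan results, dashboards, alert rules), historical findings for an id will silently refer to a different control after this change; leaving gaps in the numbering instead of renumbering would avoid that. I cannot tell from this diff whether the removed credential-storage check is re-added elsewhere.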
@@ -213,22 +212,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'

-# Section 18.8 - System
 - id: 8511
- title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
- description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
- rationale: "Users might download drivers that include malicious code."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
-
- - id: 8512
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. 
The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -242,7 +226,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'

- - id: 8513
+ - id: 8512
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -256,7 +240,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'

- - id: 8514
+ - id: 8513
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -270,35 +254,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'

- - id: 8515
- title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
- description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
- rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
-
- - id: 8516
- title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
- description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." 
- rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
- compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "13.1"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
-
- - id: 8517
+ - id: 8514
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
@@ -311,7 +267,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'

- - id: 8518
+ - id: 8515
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
@@ -325,7 +281,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'

- - id: 8519
+ - id: 8516
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -339,7 +295,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'

- - id: 8520
+ - id: 8517
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
@@ -353,7 +309,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'

- - id: 8521
+ - id: 8518
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -367,7 +323,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'

- - id: 8522
+ - id: 8519
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -381,7 +337,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'

- - id: 8523
+ - id: 8520
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
@@ -395,7 +351,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'

- - id: 8524
+ - id: 8521
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
@@ -409,35 +365,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'

- - id: 8525
- title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
- description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
- rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.33.6.1"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
-
- - id: 8526
- title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
- description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled." 
- rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
- compliance:
- - cis: "18.8.33.6.2"
- - cis_csc: "16.5"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
-
- - id: 8527
+ - id: 8522
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -451,7 +379,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'

- - id: 8528
+ - id: 8523
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
@@ -465,7 +393,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'

- - id: 8529
+ - id: 8524
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
@@ -479,7 +407,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'

- - id: 8530
+ - id: 8525
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
@@ -494,7 +422,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'

 # Section 18.9 - System
- - id: 8531
+ - id: 8526
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
@@ -508,7 +436,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'

- - id: 8532
+ - id: 8527
 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
 description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
@@ -521,7 +449,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'

- - id: 8533
+ - id: 8528
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -535,7 +463,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'

- - id: 8534
+ - id: 8529
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -549,7 +477,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'

- - id: 8535
+ - id: 8530
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -563,7 +491,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'

- - id: 8536
+ - id: 8531
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
@@ -579,7 +507,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'

- - id: 8537
+ - id: 8532
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
@@ -593,7 +521,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'

- - id: 8538
+ - id: 8533
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
 description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
@@ -607,7 +535,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'

- - id: 8539
+ - id: 8534
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
@@ -620,7 +548,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' - - id: 8540 + - id: 8535 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. 
However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
@@ -633,8 +561,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
 
-
- - id: 8541
+ - id: 8536
 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
 description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
@@ -648,7 +575,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
 
- - id: 8542
+ - id: 8537
 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
@@ -662,7 +589,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
 
- - id: 8543
+ - id: 8538
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
From 918bd82729ce5a9f8111c279dba384bad7342f3e Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 19 Jun 2019 12:21:02 +0200
Subject: [PATCH 113/247] Updated RHEL5
---
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 277 ++++++++++-------------------
 1 file changed, 90 insertions(+), 187 deletions(-)
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index f5d06510e..59afc175b 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -20,7 +20,7 @@ policy:
 requirements:
 title: "Check RHEL5 version"
- description: "Requirements for running the SCA scan against RHEL 5."
+ description: "Requirements for running the SCA scan against RHEL 5 family."
 condition: any
 rules:
 - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 5'
@@ -47,8 +47,7 @@ checks:
 - CCE-14161-4
 condition: all
 rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp'
+ - 'c:mount -> r:\s/tmp\s'
 
 # 1.1.2 /tmp: nodev
 - id: 5501
@@ -63,8 +62,7 @@ checks:
 - CCE-14412-1
 condition: all
 rules:
- - 'd:/tmp'
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nodev'
+ - 'c:mount -> r:\s/tmp\s && r:nodev'
 
 # 1.1.3 /tmp: nosuid
 - id: 5502
@@ -79,7 +77,7 @@ checks:
 - CCE-14940-1
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:nosuid'
+ - 'c:mount -> r:\s/tmp\s && r:nosuid'
 
 # 1.1.4 /tmp: noexec
 - id: 5503
@@ -94,7 +92,7 @@ checks:
 - CCE-14412-1
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/tmp && r:noexec'
+ - 'c:mount -> r:\s/tmp\s && r:noexec'
 
 # 1.1.5 Build considerations - Partition scheme.
 - id: 5504
@@ -109,8 +107,7 @@ checks:
 - CCE-14777-7
 condition: all
 rules:
- - 'd:/var'
- - 'f:/etc/fstab -> !r^# && r:/var'
+ - 'c:mount -> r:\s/var\s'
 
 # 1.1.6 bind mount /var/tmp to /tmp
 - id: 5505
@@ -124,7 +121,7 @@ checks:
 - CCE-14584-7
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'
+ - 'c:mount -> r:\s/var/tmp\s'
 
 # 1.1.7 /var/log: partition
 - id: 5506
@@ -139,7 +136,7 @@ checks:
 - CCE-14011-1
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/log'
+ - 'c:mount -> r:\s/var/log\s'
 
 # 1.1.8 /var/log/audit: partition
 - id: 5507
@@ -154,7 +151,7 @@ checks:
 - CCE-14171-3
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/var/log/audit'
+ - 'c:mount -> r:\s/var/log/audit\s'
 
 # 1.1.9 /home: partition
 - id: 5508
@@ -169,7 +166,7 @@ checks:
 - CCE-14559-9
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/home'
+ - 'c:mount -> r:\s/home\s'
 
 # 1.1.10 /home: nodev
 - id: 5509
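Review bot: The new `c:mount -> r:\s/tmp\s` rules in this line (and the same form for /var, /var/log, /var/log/audit and /home here, plus the two RHEL 6 mount hunks in the second patch) test only the live mount table, whereas the `f:/etc/fstab` rules they replace tested persistent configuration; a filesystem mounted by hand now passes although it is gone after a reboot, and a freshly corrected fstab fails until then. Keeping both rules under the existing `condition: all` covers both states. The 1.1.6 hunk also drops the `bind` requirement entirely: `c:mount -> r:\s/var/tmp\s` accepts any filesystem on /var/tmp, not the bind mount of /tmp the check title describes — keep `&& r:bind` on the mount rule (mtab normally records that option) or retain `- 'f:/etc/fstab -> !r:^# && r:/var/tmp && r:bind'` beside it.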
@@ -184,50 +181,7 @@ checks:
 - CCE-4249-9
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev'
-
-# 1.1.11 nodev on removable media partitions (not scored)
- - id: 5510
- title: "Add nodev Option to Removable Media Partitions"
- description: "Set nodev on removable media to prevent character and block special devices that are present on the removable be treated as these device files."
- rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
- remediation: "Edit the / etc/fstab file and add 'nodev' to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
- compliance:
- - cis: "1.1.11"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
-
-# 1.1.13 nosuid on removable media partitions (not scored)
- - id: 5511
- title: "Add nosuid Option to Removable Media Partitions"
- description: "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.13"
- - pci_dss: "2.2.4"
- references:
- - CCE-4042-8
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
-
-# 1.1.12 noexec on removable media partitions (not scored)
- - id: 5512
- title: "Add noexec Option to Removable Media Partitions"
- description: "Set noexec on removable media to prevent programs from executing from the removable media."
- rationale: "Setting this option on a file system prevents users from executing programs from the removable. This deters users from being to introduce potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.12"
- - pci_dss: "2.2.4"
- references:
- - CCE-4275-4
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec'
+ - 'c:mount -> r:\s/home\s && r:nodev'
 
 # 1.1.14 /dev/shm: nodev
 - id: 5513
@@ -242,7 +196,7 @@ checks:
 - CCE-15007-8
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nodev'
+ - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 
 # 1.1.15 /dev/shm: nosuid
 - id: 5514
@@ -257,7 +211,7 @@ checks:
 - CCE-14306-5
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:nosuid'
+ - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 
 # 1.1.16 /dev/shm: noexec
 - id: 5515
@@ -272,7 +226,7 @@ checks:
 - CCE-14927-8
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/dev/shm && r:noexec'
+ - 'c:mount -> r:\s/dev/shm\s && r:noexec'
 
 ##########################################
 # 1.2 Software Updates
@@ -291,7 +245,7 @@ checks:
 - CCE-4218-4
 condition: none
 rules:
- - 'p:yum-updatesd'
+ - 'c:/sbin/chkconfig --list -> r:yum-updatesd && r::on'
 
 ###############################################
 # 1.4 Configure SELinux
@@ -309,7 +263,7 @@ checks:
 - CCE-3977-6
 condition: none
 rules:
- - 'f:/etc/grub.conf -> r:selinux=0'
+ - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
 
 # 1.4.2 Set selinux state
 - id: 5518
@@ -324,7 +278,7 @@ checks:
 - CCE-3999-0
 condition: all
 rules:
- - 'f:/etc/selinux/config -> r:SELINUX=enforcing'
+ - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
 
 # 1.4.3 Set seliux policy
 - id: 5519
@@ -339,7 +293,7 @@ checks:
 - CCE-3624-4
 condition: all
 rules:
- - 'f:/etc/selinux/config -> r:SELINUXTYPE=targeted'
+ - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
 
 # 1.4.4 Remove SETroubleshoot
 - id: 5520
@@ -352,7 +306,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dsetroubleshoot$'
+ - 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on'
 
 # 1.4.5 Disable MCS Translation service mcstrans
 - id: 5521
@@ -367,7 +321,7 @@ checks:
 - CCE-3668-1
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dmctrans$'
+ - 'c:/sbin/chkconfig --list -> r:mctrans && r::on'
 
 ###############################################
 # 1.5 Secure Boot Settings
@@ -385,7 +339,7 @@ checks:
 - CCE-3818-2
 condition: all
 rules:
- - 'f:/boot/grub/menu.lst -> !r:^# && r:password'
+ - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
 
 # 1.5.4 Require Authentication for Single-User Mode (Scored)
 - id: 5523
@@ -400,7 +354,7 @@ checks:
 - CCE-4241-6
 condition: none
 rules:
- - 'f:/etc/inittab -> !r:^# && r:S:wait'
+ - 'f:/etc/inittab -> r:^~:S:wait:/sbin/sulogin'
 
 # 1.5.5 Disable Interactive Boot (Scored)
 - id: 5524
@@ -415,7 +369,7 @@ checks:
 - CCE-4245-7
 condition: all
 rules:
- - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no'
+ - 'f:/etc/sysconfig/init -> r:^PROMPT=no$'
 
 ###############################################
 # 1.6 Additional Process Hardening
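Review bot: The 1.4.5 rule tests `r:mctrans`, but the service named in the section comment is `mcstrans`; the substring never occurs in chkconfig's output, and under `condition: none` a rule that never matches makes the check pass unconditionally. The misspelling is inherited from the removed `^S\d\dmctrans$` line, so the rewrite is the moment to correct it: `- 'c:/sbin/chkconfig --list -> r:mcstrans && r::on'`.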
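Review bot: The 1.5.3 rule now reads `/boot/grub/grub.cfg`, which is the GRUB 2 file; RHEL 5 ships GRUB Legacy, whose configuration lives in `/boot/grub/grub.conf` (`menu.lst` is a link to it), and the SELinux hunk at the top of this line already reads `/etc/grub.conf` for the same file. On a RHEL 5 host the file will be absent and this `condition: all` check fails whether or not a bootloader password is set. Suggest `- 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'`, or the variable the policy uses for the grub file if it declares one (not visible here).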
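Review bot: The 1.5.4 check is inverted after this change: the new rule `r:^~:S:wait:/sbin/sulogin` matches the line the benchmark requires, but the check keeps `condition: none`, which passes only when no rule matches — a host that requires sulogin for single-user mode now fails and a host without the line passes. The `condition:` line is context in this hunk; it should read `condition: all` alongside the new rule (or the rule should match the absence of the requirement if `none` is kept).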
@@ -431,7 +385,9 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/etc/security/limits.conf -> !r:^# && r:hard\.+core\.+0'
+ - 'c:grep -Rh *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:/sbin/sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
+ - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 
 # 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
 - id: 5526
@@ -446,7 +402,8 @@ checks:
 - CCE-4146-7
 condition: all
 rules:
- - 'f:/proc/sys/kernel/randomize_va_space -> r:^2$'
+ - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
+ - 'c:/sbin/sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 
 # 1.6.2 Configure ExecShield (Scored)
 - id: 5527
@@ -461,7 +418,7 @@ checks:
 - CCE-4168-1
 condition: all
 rules:
- - 'f:/proc/sys/kernel/exec-shield -> 1'
+ - 'c:/sbin/sysctl kernel.exec-shield -> r:\s1$'
 
 # 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored)
 # TODO
@@ -498,9 +455,9 @@ checks:
 - CCE-4330-7
 condition: none
 rules:
- - 'f:/etc/xinetd.d/telnet -> !r:^# && r:disable && r:no'
+ - 'c:rpm -qa telnet-server -> r:\.'
 
-# 2.1.2 Remove telnet Clients (Scored)
+# Remove rsh-server (Scored)
 - id: 5530
 title: "Remove rsh-server"
 description: "The Berkeley rsh-server ( rsh , rlogin , rcp ) package contains legacy services that exchange credentials in clear-text."
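Review bot: The randomize_va_space grep in the 1.6.3 hunk requires whitespace after the key (`\s\+` in the grep pattern, `\s2$|\t2$` in the check), so a valid `kernel.randomize_va_space=2` line in sysctl.conf is not found and the `condition: all` check fails even though the live `sysctl` rule beside it passes; the `fs.suid_dumpable` rule in the hunk above tolerates both spellings with `\s*=\s*`. Suggest the same shape: `- 'c:grep -Rh kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2\s*$'`. The RHEL 6 hunk in the second patch that only adds `-h` to this grep carries the same pattern.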
@@ -514,11 +471,8 @@ checks:
 - CCE-4308-3
 condition: none
 rules:
- - 'f:/etc/xinetd.d/rlogin -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/rsh -> !r:^# && r:disable && r:no'
- - 'f:/etc/xinetd.d/shell -> !r:^# && r:disable && r:no'
+ - 'c:rpm -qa rsh-server -> r:\.'
 
-# 2.1.4 Remove rsh (Scored)
 - id: 5531
 title: "Remove NIS Client"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files"
@@ -533,7 +487,7 @@ checks:
 - CCE-4348-9 (uninstall)
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dypbind$'
+ - 'c:rpm -qa ypbind -> r:\.'
 
 # 2.1.6 Remove NIS Server (Scored)
 - id: 5532
@@ -550,7 +504,7 @@ checks:
 - CCE-4348-9 (uninstall)
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dypserv$'
+ - 'c:rpm -qa ypserv -> r:\.'
 
 # 2.1.7 Remove tftp (Scored)
 - id: 5533
@@ -567,7 +521,7 @@ checks:
 - CCE-3916-4 (uninstall)
 condition: none
 rules:
- - 'f:/etc/xinetd.d/tftpd -> !r:^# && r:disable && r:no'
+ - 'c:rpm -qa tftpd -> r:\.'
 
 # 2.1.9 Remove talk (Scored)
 - id: 5534
@@ -581,7 +535,7 @@ checks:
 - nist_800_53: "CM.1"
 condition: none
 rules:
- - 'f:/etc/xinetd.d/talk -> !r:^# && r:disable && r:no'
+ - 'c:rpm -qa talk-server -> r:\.'
 
 ###############################################
 # 3 Special Purpose Services
@@ -596,7 +550,7 @@ checks:
 - cis: "3.2"
 condition: all
 rules:
- - 'f:/etc/init.d/functions -> !r:^# && r:file.umask 027'
+ - 'f:/etc/sysconfig/init -> umask 027'
 
 # 3.3 Remove X Windows (Scored)
 - id: 5536
@@ -607,9 +561,10 @@ checks:
 compliance:
 - cis: "3.3"
 - pci_dss: "2.2.2"
- condition: none
+ condition: all
 rules:
- - 'f:/etc/inittab -> !r:^# && r:id:5'
+ - 'f:/etc/inittab -> r:^\s*id:3:initdefault'
+ - 'not c:yum grouplist X?Window?System -> r:Installed Groups'
 
 # 3.1.1 Disable Avahi Server (Scored)
 - id: 5537
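Review bot: `c:rpm -qa tftpd` in the 2.1.7 hunk queries a package name that, as far as I know, does not exist on RHEL 5 — the server package is `tftp-server` (the removed `/etc/xinetd.d/tftpd` path had the same problem, the xinetd file is `tftp`). `rpm -qa` with an unknown name prints nothing, and under `condition: none` empty output is a pass, so this check never reports an installed TFTP server. Suggest `- 'c:rpm -qa tftp-server -> r:\.'`; the other `rpm -qa` names in this line look correct.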
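Review bot: The 3.2 rule `f:/etc/sysconfig/init -> umask 027` is the only rule in this patch whose pattern carries no `r:` prefix; as I read the SCA rule syntax a bare pattern is a literal line comparison, so leading whitespace, a double space or a trailing comment on the umask line all miss, while every neighbouring rule uses an anchored regex. For consistency with the `^PROMPT=no$` rule earlier in this patch, `- 'f:/etc/sysconfig/init -> r:^\s*umask\s+027\s*$'`.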
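Review bot: The negated `not c:yum grouplist X?Window?System -> r:Installed Groups` rule in the 3.3 hunk passes whenever yum produces no usable output — repositories unreachable, yum erroring out, or the unquoted `?` wildcards being glob-expanded by the shell against files in the working directory — because an empty result satisfies the negation, so the check can report X removed on a host where it is installed. A package-level rule that does not depend on repository state, e.g. `- 'not c:rpm -qa xorg-x11-server-Xorg -> r:\.'`, matches the other `rpm -qa` rules in this patch and would make the `condition: all` check robust offline.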
@@ -622,7 +577,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'p:avahi-daemon'
+ - 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on'
 
 # 3.8 Disable NFS and RPC (Not Scored)
 - id: 5538
@@ -635,8 +590,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dnfs$'
- - 'd:$rc_dirs -> ^S\d\dnfslock$'
+ - 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on'
 
 # 3.10 Remove FTP Server (Not Scored)
 - id: 5539
@@ -650,7 +604,7 @@ checks:
 - nist_800_53: "CM.1"
 condition: none
 rules:
- - 'f:/etc/xinetd.d/vsftpd -> !r:^# && r:disable && r:no'
+ - 'c:rpm -qa vsftpd -> r:\.'
 
 # 3.11 Remove HTTP Server (Not Scored)
 - id: 5540
@@ -663,7 +617,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dhttpd$'
+ - 'c:rpm -qa httpd -> r:\.'
 
 # 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
 - id: 5541
@@ -676,19 +630,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'f:/etc/xinetd.d/cyrus-imapd -> !r:^# && r:disable && r:no'
-
- - id: 5542
- title: "Remove Dovecot"
- description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
- rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
- remediation: "# yum erase dovecot"
- compliance:
- - cis: "3.12"
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'f:/etc/xinetd.d/dovecot -> !r:^# && r:disable && r:no'
+ - 'c:rpm -qa dovecot -> r:\.'
 
 # 3.13 Remove Samba (Not Scored)
 - id: 5543
@@ -701,8 +643,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dsamba$'
- - 'd:$rc_dirs -> ^S\d\dsmb$'
+ - 'c:rpm -qa samba -> r:\.'
 
 # 3.14 Remove HTTP Proxy Server (Not Scored)
 - id: 5544
@@ -715,7 +656,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dsquid$'
+ - 'c:rpm -qa squid -> r:\.'
 
 # 3.15 Remove SNMP Server (Not Scored)
 - id: 5545
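Review bot: The 3.12 hunk removes the Dovecot check (id 5542) and gives its `rpm -qa dovecot` rule to id 5541, whose old rule looked at `/etc/xinetd.d/cyrus-imapd`; that check's title, description and remediation are outside the hunk, so it is worth confirming they now describe Dovecot rather than cyrus-imapd, and that the retired id 5542 is not reused later for an unrelated check. If the intent was to keep covering both IMAP servers, a second rule `- 'c:rpm -qa cyrus-imapd -> r:\.'` under the same `condition: none` preserves what the removed rule tested.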
@@ -728,7 +669,7 @@ checks:
 - pci_dss: "2.2.2"
 condition: none
 rules:
- - 'd:$rc_dirs -> ^S\d\dsnmpd$'
+ - 'c:rpm -qa net-snmp -> r:\.'
 
 ###############################################
 # 4 Network Configuration and Firewalls
@@ -749,7 +690,8 @@ checks:
 - CCE-3561-8
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/ip_forward -> 0'
+ - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
 
 # 4.1.2 Disable Send Packet Redirects (Scored)
 - id: 5547
@@ -765,8 +707,10 @@ checks:
 - CCE-4155-8
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/send_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/send_redirects -> 0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
 
 ###############################################
 # 4.2 Modify Network Parameters (Host and Router)
@@ -785,7 +729,10 @@ checks:
 - CCE-4091-5
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_source_route -> 0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
 
 # 4.2.2 Disable ICMP Redirect Acceptance (Scored)
 - id: 5549
@@ -801,8 +748,10 @@ checks:
 - CCE-4186-3
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/accept_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/accept_redirects -> 0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
 
 # 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
 - id: 5550
@@ -818,8 +767,10 @@ checks:
 - CCE-3339-9
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/secure_redirects -> 0'
- - 'f:/proc/sys/net/ipv4/conf/default/secure_redirects -> 0'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
 
 # 4.2.4 Log Suspicious Packets (Scored)
 - id: 5551
@@ -834,7 +785,10 @@ checks:
 - CCE-4320-8
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/log_martians -> 1'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
 
 # 4.2.5 Enable Ignore Broadcast Requests (Scored)
 - id: 5552
@@ -849,7 +803,8 @@ checks:
 - CCE-3644-2
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -> 1'
+ - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
 
 # 4.2.6 Enable Bad Error Message Protection (Scored)
 - id: 5553
@@ -864,7 +819,8 @@ checks:
 - CCE-4133-5
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses -> 1'
+ - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 
 # 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
 - id: 5554
@@ -880,8 +836,10 @@ checks:
 - CCE-3840-6
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/conf/all/rp_filter -> 1'
- - 'f:/proc/sys/net/ipv4/conf/default/rp_filter -> 1'
+ - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 
 # 4.2.8 Enable TCP SYN Cookies (Scored)
 - id: 5555
@@ -896,7 +854,8 @@ checks:
 - CCE-4265-5
 condition: all
 rules:
- - 'f:/proc/sys/net/ipv4/tcp_syncookies -> 1'
+ - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
 
 ###############################################
 # 6 System Access, Authentication and Authorization
@@ -920,7 +879,7 @@ checks:
 - https://www.ssh.com/ssh/
 condition: all
 rules:
- - 'f:$sshd_file -> n:^\s*\t*Protocol\s*\t*(\d+) compare > 1'
+ - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
 
 # 6.2.2 Set LogLevel to INFO (Scored)
 - id: 5557
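Review bot: Two of the new regexes in this line can never match: the `all.rp_filter` grep rule in the 4.2.7 hunk has `\s$*1$` (a stray `$` before the `*`) where its three siblings have `\s*1$`, and both rules in the 4.2.8 hunk expect `^net.tcp_syncookies` although `sysctl` prints, and the grep pattern selects, `net.ipv4.tcp_syncookies`. Under `condition: all` both checks therefore fail on a correctly configured host. The fixes are `r:^net.ipv4.conf.all.rp_filter\s*=\s*1$` in 4.2.7 and `r:^net.ipv4.tcp_syncookies\s*=\s*1$` in both 4.2.8 rules.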
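Review bot: The new Protocol rule `r:^\s*\t*Protocol\s*\t*2` in the 6.2.1 hunk is satisfied by `Protocol 2,1`, which still enables SSH protocol 1; the numeric `compare > 1` it replaces had the same gap, but this rewrite is the moment to close it. An end anchor, `r:^\s*\t*Protocol\s*\t*2\s*$`, accepts only `Protocol 2`.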
@@ -936,7 +895,7 @@ checks:
 - nist_800_53: "SC.8"
 condition: all
 rules:
- - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
+ - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
 
 # 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
 - id: 5558
@@ -950,7 +909,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
+ - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 
 # 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
 - id: 5559
@@ -965,9 +924,9 @@ checks:
 - nist_800_53: "SC.8"
 references:
 - CCE-4250-7
- condition: none
+ condition: all
 rules:
- - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no'
+ - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
 
 # 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
 - id: 5560
@@ -982,9 +941,9 @@ checks:
 - nist_800_53: "SC.8"
 references:
 - CCE-4251-5
- condition: none
+ condition: all
 rules:
- - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
+ - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
 
 # 6.2.8 Disable SSH Root Login (Scored)
 - id: 5561
@@ -1001,7 +960,7 @@ checks:
 - CCE-4252-3
 condition: all
 rules:
- - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
+ - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
 
 # 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
 - id: 5562
@@ -1016,9 +975,9 @@ checks:
 - nist_800_53: "SC.8"
 references:
 - CCE-4256-4
- condition: none
+ condition: all
 rules:
- - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+yes'
+ - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
 
 ###############################################
 # 9 System Maintenance
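Review bot: The rewritten sshd rules in the 6.2.7, 6.2.8 and 6.2.9 hunks filter comments with `!r:^#` but drop the `^\s*\t*` anchor the removed lines had, so the directive may match anywhere in the line — including an indented `PermitRootLogin no` inside a `Match` block, which restricts only that block while the global setting stays permissive, and a comment that is indented before its `#`. `!r:^\s*# && r:^\s*\t*PermitRootLogin\s*\t*no` keeps the comment filter and restores the anchor; the same applies to the HostbasedAuthentication and PermitEmptyPasswords rules here. Single-line rules cannot fully model `Match` blocks, which is worth stating in a comment on these checks.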
@@ -1042,59 +1001,3 @@ checks:
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
-
-# Other/Legacy Tests
- - id: 5564
- title: "Account with empty password present"
- compliance:
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 5565
- title: "User-mounted removable partition allowed on the console"
- condition: none
- rules:
- - 'f:/etc/security/console.perms -> r:^ \d+ '
- - 'f:/etc/security/console.perms -> r:^ \d+ '
-
- - id: 5566
- title: "Disable standard boot services - Kudzu hardware detection Enabled"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dkudzu$'
-
- - id: 5567
- title: "Disable standard boot services - PostgreSQL server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dpostgresql$'
-
- - id: 5568
- title: "Disable standard boot services - MySQL server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dmysqld$'
-
- - id: 5569
- title: "Disable standard boot services - DNS server Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnamed$'
-
- - id: 5570
- title: "Disable standard boot services - NetFS Enabled"
- compliance:
- - pci_dss: "2.2.2"
- condition: none
- rules:
- - 'd:$rc_dirs -> ^S\d\dnetfs$'
From a9bc2380362ba04d6c3eefbd40dcf2913c67d554 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 19 Jun 2019 12:21:38 +0200
Subject: [PATCH 114/247] RHEL: grep -R -> grep -Rh
---
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 84 ++++++++----------------------
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 40 +++++++-------
 2 files changed, 42 insertions(+), 82 deletions(-)
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 8381c66f4..b6a68fb5b 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -156,7 +156,7 @@ checks:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/home'
+ - 'c:mount -> r:\s/home\s'
 
 # 1.1.14 /home: nodev
 - id: 6009
@@ -169,47 +169,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/etc/fstab -> !r:^# && r:/home && r:nodev'
-
-# 1.1.18 nodev on removable media partitions (not scored)
- - id: 6010
- title: "Ensure nodev option set on removable media partitions"
- description: "The nodev mount option specifies that the filesystem cannot contain special devices."
- rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.18"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nodev'
-
-# 1.1.19 nosuid on removable media partitions (not scored)
- - id: 6011
- title: "Ensure nosuid option set on removable media partitions"
- description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
- remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.19"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:nosuid'
-
-# 1.1.20 noexec on removable media partitions (not scored)
- - id: 6012
- title: "Ensure noexec option set on removable media partitions"
- description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
- rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
- remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom."
- compliance:
- - cis: "1.1.20"
- - cis_csc: "8"
- - pci_dss: "2.2.4"
- condition: all
- rules:
- - 'f:/etc/fstab -> !r:^# && r:/media && r:noexec'
+ - 'c:mount -> r:\s/home\s && r:nodev'
 
 # 1.1.15 /dev/shm: nodev
 - id: 6013
@@ -380,9 +340,9 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
- - 'c:grep -R *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
 - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
- - 'c:grep -R fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+ - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
 - id: 6025
@@ -395,7 +355,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
- - 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$
+ - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
 - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 
 ###############################################
@@ -642,8 +602,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4_forward\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+ - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
 
 # 3.1.2 Disable Send Packet Redirects (Scored)
 - id: 6045
@@ -659,8 +619,8 @@ checks:
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
 - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
 
 ###############################################
 # 3.2 Modify Network Parameters (Host and Router)
@@ -679,8 +639,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
# 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- id: 6047
@@ -696,8 +656,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- id: 6048
@@ -713,8 +673,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
# 3.2.4 Log Suspicious Packets (Scored)
- id: 6049
@@ -730,8 +690,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
- 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
# 3.2.5 Enable Ignore Broadcast Requests (Scored)
- id: 6050
@@ -746,7 +706,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
# 3.2.6 Enable Bad Error Message Protection (Scored)
- id: 6051
@@ -760,7 +720,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
- id: 6052
@@ -775,8 +735,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
- 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
# 3.2.8 Enable TCP SYN Cookies (Scored)
- id: 6053
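Review bot: The new `conf.all.rp_filter` grep rule in the last hunk still ends in `\s$*1$`, which looks like a typo for `\s*1$`: depending on how the SCA regex engine treats a `$` in the middle of a pattern, the rule either never matches or only matches when exactly one whitespace follows `=`, so a file entry such as `net.ipv4.conf.all.rp_filter=1` is reported as non-compliant even though reverse-path filtering is on, and `condition: all` then fails the whole check. Suggest `r:^net.ipv4.conf.all.rp_filter\s*=\s*1$`, identical in shape to the `conf.default` rule on the next line. The check's `id` and `title` lines sit above the hunk.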
@@ -791,7 +751,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
###############################################
# 5 System Access, Authentication and Authorization
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index b389e0b1e..34cf3e3e4 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -302,9 +302,9 @@ checks:
- cis_csc: "13"
condition: all
rules:
- - 'c:grep -R *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
- 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
- - 'c:grep -R fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
+ - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
# 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- id: 6519
@@ -317,7 +317,7 @@ checks:
- cis_csc: "8.4"
condition: all
rules:
- - 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$
+ - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
- 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
###############################################
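Review bot: Both rules of the TCP SYN cookies check anchor on `^net.tcp_syncookies`, but `sysctl net.ipv4.tcp_syncookies` prints `net.ipv4.tcp_syncookies = 1` and the sysctl.d entry carries the same `ipv4.` component, so neither the `c:sysctl` context line nor the new `grep -Rh` line can ever match and the check fails on every host. This is the same class of defect the `net.ipv4_forward` hunk earlier in this patch corrects; suggest `r:^net.ipv4.tcp_syncookies\s*=\s*1$` on both lines. The check's `id` and `title` lines sit above the hunk.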
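Review bot: The RHEL 7 core-dump rule at `@@ -302,9` keeps the unanchored, unescaped pattern `*\s\+hard\s\+core\s\+`, so a commented-out line like `#* hard core 0` in limits.conf still matches `r:\s0$|\t0$` and the check passes without the limit being set. The SLES policies in this series use `^\*\s\+hard\s\+core\s\+`; suggest `- 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'` here as well. The check's `id` and `title` lines sit above the hunk.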
@@ -721,8 +721,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4_forward\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+ - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
# 3.1.2 Disable Send Packet Redirects (Scored)
- id: 6546
@@ -738,8 +738,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
###############################################
# 3.2 Modify Network Parameters (Host and Router)
@@ -758,8 +758,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
# 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- id: 6548
@@ -775,8 +775,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- id: 6549
@@ -792,8 +792,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
# 3.2.4 Log Suspicious Packets (Scored)
- id: 6550
@@ -809,8 +809,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
- 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
# 3.2.5 Enable Ignore Broadcast Requests (Scored)
- id: 6551
@@ -825,7 +825,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
# 3.2.6 Enable Bad Error Message Protection (Scored)
- id: 6552
@@ -840,7 +840,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
# 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
- id: 6553
@@ -856,8 +856,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
- 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
# 3.2.8 Enable TCP SYN Cookies (Scored)
- id: 6554
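Review bot: The RHEL 7 `conf.all.rp_filter` grep rule in the `@@ -856,8` hunk carries the same `\s$*1$` typo as the other policies: as written it either never matches or only matches when exactly one whitespace follows `=`, so a correct `net.ipv4.conf.all.rp_filter=1` entry is flagged and, with `condition: all`, check 6553 fails on a hardened host. Suggest `r:^net.ipv4.conf.all.rp_filter\s*=\s*1$`, the same form the `conf.default` rule already uses. The check's `id` and `title` lines sit above the hunk.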
@@ -872,7 +872,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
###############################################
# 5 System Access, Authentication and Authorization
From 07005f9c87661e4cc16b9e3719c3c19556e9469e Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 19 Jun 2019 12:24:55 +0200
Subject: [PATCH 115/247] SLES: grep -R -> grep -Rh
---
sca/sles/11/cis_sles11_linux_rcl.yml | 36 ++++++++++++++--------------
sca/sles/12/cis_sles12_linux_rcl.yml | 36 ++++++++++++++--------------
2 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml
index dc3d62098..e27d1ae60 100644
--- a/sca/sles/11/cis_sles11_linux_rcl.yml
+++ b/sca/sles/11/cis_sles11_linux_rcl.yml
@@ -231,7 +231,7 @@ checks:
rules:
- 'c:ulimit -H -c -> 0'
- 'c:sysctl fs.suid_dumpable -> r:= 0$'
- - 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
# 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- id: 7017
@@ -244,7 +244,7 @@ checks:
- cis_csc: "8.4"
condition: all
rules:
- - 'c:grep -R kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$'
+ - 'c:grep -Rh kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$'
- 'c:/sbin/sysctl kernel.randomize_va_space -> r:=\s*2$'
###############################################
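Review bot: The RHEL 7 SYN cookies check in the `@@ -872,7` hunk matches `^net.tcp_syncookies` on both the `c:sysctl` context line and the new `grep -Rh` line, yet the key is `net.ipv4.tcp_syncookies`, so the anchored regex can never match and the check reports non-compliant on every host. Suggest `r:^net.ipv4.tcp_syncookies\s*=\s*1$` on both lines, mirroring the `net.ipv4.ip_forward` correction made earlier in this file. The check's `id` and `title` lines sit above the hunk.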
@@ -602,7 +602,7 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$'
# 3.1.2 Disable Send Packet Redirects (Scored)
@@ -617,8 +617,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*0$'
@@ -637,8 +637,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*0$'
@@ -654,8 +654,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*0$'
@@ -671,8 +671,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*0$'
- 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*0$'
@@ -687,8 +687,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*1$'
@@ -704,7 +704,7 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:=\s*1$'
# 3.2.6 Enable Bad Error Message Protection (Scored)
@@ -719,7 +719,7 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*1$'
# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
@@ -734,8 +734,8 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*1$'
@@ -751,7 +751,7 @@ checks:
- pci_dss: "2.2.4"
condition: all
rules:
- - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
- 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*1$'
###############################################
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
index 0f5592cb8..113e2ed08 100644
--- a/sca/sles/12/cis_sles12_linux_rcl.yml
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml
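Review bot: The context line `- 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:=\s*1$'` in the first hunk spells the key `icpm` rather than `icmp`; sysctl will not know that key, the rule produces no match, and under `condition: all` the broadcast-ICMP check fails no matter how the host is configured. Since the grep rule directly above it is being edited anyway, this is the moment to fix the sysctl rule as well: `- 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*1$'`. The check's `id` and `title` lines sit above the hunk.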
@@ -247,7 +247,7 @@ checks:
rules:
- 'c:sysctl fs.suid_dumpable -> r:\s0$'
- 'c:ulimit -Hc -> 0'
- - 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
# 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- id: 7517
@@ -261,7 +261,7 @@ checks:
condition: all
rules:
- 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$'
- - 'c:grep -R ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
+ - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
###############################################
# 2 OS Services
@@ -624,7 +624,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.ip_forward -> r:\s0$'
- - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
# 3.1.2 Disable Send Packet Redirects (Scored)
- id: 7545
@@ -640,8 +640,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.send_redirects -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
###############################################
# 3.2 Modify Network Parameters (Host and Router)
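Review bot: The new `grep -Rh` rule for IP forwarding in the `@@ -624,7` hunk still matches `r:^net.ipv4_forward\s*=\s*0$`, while the sysctl.d entry it greps for is `net.ipv4.ip_forward = 0`; the same typo was corrected to `^net.ipv4.ip_forward` in the other CIS policies visible in this series, but SLES 12 kept it, so with `condition: all` check 7544-ish (the one whose `id` line sits above this hunk) fails on a correctly configured host. Suggest `- 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'`. The check's `id` and `title` lines sit above the hunk.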
@@ -660,8 +660,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
# 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- id: 7547
@@ -677,8 +677,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
# 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- id: 7548
@@ -694,8 +694,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
- 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- id: 7549
title: "Ensure suspicious packets are logged"
@@ -710,8 +710,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
- 'c:sysctl net.ipv4.conf.default.log_martians -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
# 3.2.5 Enable Ignore Broadcast Requests (Scored)
- id: 7550
@@ -726,7 +726,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
# 3.2.6 Enable Bad Error Message Protection (Scored)
- id: 7551
@@ -741,7 +741,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
# 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
- id: 7552
@@ -757,8 +757,8 @@ checks:
rules:
- 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
- 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
- - 'c:grep -R net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
# 3.2.8 Enable TCP SYN Cookies (Scored)
- id: 7553
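Review bot: The first hunk appears to belong to check 7550, "Enable Ignore Broadcast Requests" (its `id: 7550` line closes the preceding hunk), yet both of its rules — the `c:sysctl` context line and the new `grep -Rh` line — test `net.ipv4.icmp_ignore_bogus_error_responses`, which is exactly what the following check 7551 tests; `net.ipv4.icmp_echo_ignore_broadcasts` is therefore never evaluated in the SLES 12 policy and a host answering broadcast pings (Smurf amplification) passes. Suggest replacing both rules with `c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$` and `c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$`, as the RHEL 7 policy does. The check's `id` and `title` lines sit above the hunk.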
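Review bot: In the `@@ -757,8` hunk the new `conf.all.rp_filter` grep rule keeps the `\s$*1$` typo for `\s*1$`; it either never matches or only matches with exactly one whitespace after `=`, so a correct `net.ipv4.conf.all.rp_filter=1` entry is flagged and check 7552 fails under `condition: all`. Suggest `r:^net.ipv4.conf.all.rp_filter\s*=\s*1$`, the same form as the `conf.default` rule on the next line. The check's `id` and `title` lines sit above the hunk.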
@@ -773,7 +773,7 @@ checks:
condition: all
rules:
- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
###############################################
# 5 System Access, Authentication and Authorization
From 100204247c15781b3e0044d6a5b48c4ff4e3440b Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 19 Jun 2019 12:26:52 +0200
Subject: [PATCH 116/247] Applications: grep -R -> grep -Rh
---
.../cis_mysql5-6_community_rcl.yml | 44 +++++++-------
.../cis_mysql5-6_enterprise_rcl.yml | 58 +++++++++----------
2 files changed, 51 insertions(+), 51 deletions(-)
diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml
index 59a5c14c5..483bfcb98 100644
--- a/sca/applications/cis_mysql5-6_community_rcl.yml
+++ b/sca/applications/cis_mysql5-6_community_rcl.yml
@@ -92,7 +92,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/load-data.html
condition: all
rules:
- - 'c:grep -R local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0'
+ - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0'
- id: 4505
title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
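Review bot: The SLES 12 SYN cookies check in the `@@ -773,7` hunk matches `^net.tcp_syncookies` on both the `c:sysctl` context line and the new `grep -Rh` line, but the key is `net.ipv4.tcp_syncookies`, so the anchored regex cannot match and the check fails on every host. Suggest `r:^net.ipv4.tcp_syncookies\s*=\s*1$` on both lines; the SLES 11 policy in the previous patch avoids the problem by matching only `r:=\s*1$`. The check's `id` and `title` lines sit above the hunk.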
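Review bot: The new `grep -Rh local-infile` rule in the `@@ -92,7` hunk demands whitespace on both sides of `=` (`\s+=\s+`), so the common option-file spelling `local-infile=0` is not recognised and check 4504 fails even though LOAD DATA LOCAL is disabled; the neighbouring rules in this file use `\s*=\s*`. Suggest `r:local-infile\s*=\s*0`, and since grep is case-sensitive and MySQL documents `-` and `_` as interchangeable in option names, consider `grep -Rh local[-_]infile` with a matching `local[-_]infile\s*=\s*0`. The check's `id` and `title` lines sit above the hunk.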
@@ -105,7 +105,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
condition: all
rules:
- - 'c:grep -R skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
+ - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
- id: 4506
title: "Ensure '--skip-symbolic-links' Is Enabled"
@@ -119,7 +119,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
condition: all
rules:
- - 'c:grep -R skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
+ - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
- id: 4507
title: "Ensure 'secure_file_priv' is not empty"
@@ -132,7 +132,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
condition: all
rules:
- - 'c:grep -R secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
+ - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
- id: 4508
title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
@@ -143,7 +143,7 @@ checks:
- cis: "4.9"
condition: all
rules:
- - 'c:grep -R strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
+ - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
#6 Auditing and Logging
- id: 4509
@@ -157,7 +157,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/error-log.html
condition: all
rules:
- - 'c:grep -R log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
+ - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
- id: 4510
title: "Ensure Log Files are not Stored on a non-system partition"
@@ -171,7 +171,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
condition: none
rules:
- - 'c:grep -R log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
+ - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
- id: 4511
title: "Ensure 'log_warning' is set to 2"
@@ -184,7 +184,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
condition: all
rules:
- - 'c:grep -R log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
+ - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
- id: 4512
title: "Ensure 'log_raw' is set to 'OFF'"
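Review bot: `grep -Rh strict_all_tables` in the first hunk is case-sensitive, while the CIS remediation and the MySQL documentation write the mode as `sql_mode=STRICT_ALL_TABLES`, so the usual upper-case spelling yields no grep output and check 4508 fails on a compliant server. Suggest `c:grep -Rhi strict_all_tables ... -> r:strict_all_tables` (if the SCA regex engine is case-sensitive, match both spellings in the `r:` part too), and note that, unlike the `log_warnings` rule later in this file, this rule does not exclude commented lines with `!r:^\s*\t*#`. The check's `id` and `title` lines sit above the hunk.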
@@ -198,7 +198,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
 condition: all
 rules:
- - 'c:grep -R log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
+ - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
 #7 Authentication
 - id: 4513
@@ -215,8 +215,8 @@ checks:
 - https://www.cvedetails.com/cve/CVE-2003-1480/
 condition: none
 rules:
- - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
- - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
+ - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
+ - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
 - id: 4514
 title: "Ensure 'secure_auth' is set to 'ON'"
@@ -229,7 +229,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
 condition: all
 rules:
- - 'c:grep -R secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
+ - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
 - id: 4515
 title: "Ensure Passwords Are Not Stored in the Global Configuration"
@@ -242,7 +242,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
 condition: none
 rules:
- - 'c:grep -R password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
+ - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
 - id: 4516
 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
@@ -253,7 +253,7 @@ checks:
 - cis: "7.4"
 condition: all
 rules:
- - 'c:grep -R no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
+ - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
 - id: 4517
 title: "Ensure Password Policy is in Place"
@@ -266,13 +266,13 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
 condition: all
 rules:
- - 'c:grep -R plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
- - 'c:grep -R validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
- - 'c:grep -R validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
- - 'c:grep -R validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
- - 'c:grep -R validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
- - 'c:grep -R validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
- - 'c:grep -R validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
+ - 'c:grep -Rh plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
+ - 'c:grep -Rh validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
+ - 'c:grep -Rh validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
+ - 'c:grep -Rh validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
+ - 'c:grep -Rh validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
+ - 'c:grep -Rh validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
+ - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
 #9 Replication
 - id: 4518
@@ -286,4 +286,4 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
 condition: all
 rules:
- - 'c:grep -R master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
+ - 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml
index 6e721dfde..d045e1d8b 100644
--- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml
+++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml
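Review bot: The `validate_password_length` rule ends its number capture with `\s$` while the sibling `mixed_case_count` and `number_count` rules use `\s*$`, so a plain `validate_password_length = 14` line with no trailing blank does not match and check 4517 fails regardless of the configured length; the `special_char_count` rule has no end anchor at all. Make the three consistent: `n:validate_password_length\s*=\s*(\d+)\s*$ compare >= 14` and `n:validate_password_special_char_count\s*=\s*(\d+)\s*$ compare >= 1`. The `-Rh` change itself is sound: without `-h`, multi-file grep output carries a `filename:` prefix that defeats the `^`-anchored rules elsewhere in this file. The enterprise copy of this hunk (the later `@@ -266` block) needs the same fix.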
@@ -92,7 +92,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
 condition: all
 rules:
- - 'c:grep -R local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0'
+ - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0'
 - id: 4505
 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
@@ -105,7 +105,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
 condition: all
 rules:
- - 'c:grep -R skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
+ - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
 - id: 4506
 title: "Ensure '--skip-symbolic-links' Is Enabled"
@@ -119,7 +119,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
 condition: all
 rules:
- - 'c:grep -R skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
+ - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
 - id: 4507
 title: "Ensure 'secure_file_priv' is not empty"
@@ -132,7 +132,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
 condition: all
 rules:
- - 'c:grep -R secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
+ - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
 - id: 4508
 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
@@ -143,7 +143,7 @@ checks:
 - cis: "4.9"
 condition: all
 rules:
- - 'c:grep -R strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
+ - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
 #6 Auditing and Logging
 - id: 4509
@@ -157,7 +157,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
 condition: all
 rules:
- - 'c:grep -R log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
+ - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
 - id: 4510
 title: "Ensure Log Files are not Stored on a non-system partition"
@@ -171,7 +171,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
 condition: none
 rules:
- - 'c:grep -R log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
+ - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
 - id: 4511
 title: "Ensure 'log_warning' is set to 2"
@@ -184,7 +184,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
 condition: all
 rules:
- - 'c:grep -R log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
+ - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
 - id: 4512
 title: "Ensure 'log_raw' is set to 'OFF'"
@@ -198,7 +198,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
 condition: all
 rules:
- - 'c:grep -R log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
+ - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
 #7 Authentication
 - id: 4513
@@ -215,8 +215,8 @@ checks:
 - https://www.cvedetails.com/cve/CVE-2003-1480/
 condition: none
 rules:
- - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
- - 'c:grep -R old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
+ - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
+ - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
 - id: 4514
 title: "Ensure 'secure_auth' is set to 'ON'"
@@ -229,7 +229,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
 condition: all
 rules:
- - 'c:grep -R secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
+ - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
 - id: 4515
 title: "Ensure Passwords Are Not Stored in the Global Configuration"
@@ -242,7 +242,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
 condition: none
 rules:
- - 'c:grep -R password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
+ - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
 - id: 4516
 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
@@ -253,7 +253,7 @@ checks:
 - cis: "7.4"
 condition: all
 rules:
- - 'c:grep -R no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
+ - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
 - id: 4517
 title: "Ensure Password Policy is in Place"
@@ -266,13 +266,13 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
 condition: all
 rules:
- - 'c:grep -R plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
- - 'c:grep -R validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
- - 'c:grep -R validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
- - 'c:grep -R validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
- - 'c:grep -R validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
- - 'c:grep -R validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
- - 'c:grep -R validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
+ - 'c:grep -Rh plugin-load /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:plugin-load\s*=\s*validate_password.so\s*$'
+ - 'c:grep -Rh validate-password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate-password\s*=\s*force_plus_permanent\s*$'
+ - 'c:grep -Rh validate_password_length /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_length\s*=\s*(\d+)\s$ compare >= 14'
+ - 'c:grep -Rh validate_password_mixed_case_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_mixed_case_count\s*=\s*(\d+)\s*$ compare >= 1'
+ - 'c:grep -Rh validate_password_number_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_number_count\s*=\s*(\d+)\s*$ compare >= 1'
+ - 'c:grep -Rh validate_password_special_char_count /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> n:validate_password_special_char_count\s*=\s*(\d+) compare >= 1'
+ - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
 #9 Replication
 - id: 4518
@@ -286,7 +286,7 @@ checks:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
 condition: all
 rules:
- - 'c:grep -R master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
+ - 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
 #10 Enterprise rules
 - id: 4519
@@ -298,7 +298,7 @@ checks:
 - cis: "6.5"
 condition: none
 rules:
- - 'c:grep -R audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE'
+ - 'c:grep -Rh audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE'
 - id: 4520
 title: "Ensure audit_log_exclude_account is set to NULL"
@@ -309,7 +309,7 @@ checks:
 - cis: "6.6"
 condition: all
 rules:
- - 'c:grep -R audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$'
+ - 'c:grep -Rh audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$'
 - id: 4521
 title: "Ensure audit_log_include_accounts is set to NULL"
@@ -320,7 +320,7 @@ checks:
 - cis: "6.7"
 condition: all
 rules:
- - 'c:grep -R audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
+ - 'c:grep -Rh audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
 - id: 4522
 title: "Ensure audit_log_policy is set to log logins and connections"
@@ -331,7 +331,7 @@ checks:
 - cis: "6.9"
 condition: all
 rules:
- - 'c:grep -R audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
+ - 'c:grep -Rh audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
 - id: 4523
 title: "Ensure audit_log_statement_policy is set to ALL"
@@ -342,7 +342,7 @@ checks:
 - cis: "6.10"
 condition: all
 rules:
- - 'c:grep -R audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
+ - 'c:grep -Rh audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
 - id: 4524
 title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS"
@@ -353,7 +353,7 @@ checks:
 - cis: "6.11"
 condition: all
 rules:
- - 'c:grep -R audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
+ - 'c:grep -Rh audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
 - id: 4525
 title: "Make sure the audit plugin can't be unloaded"
@@ -364,4 +364,4 @@ checks:
 - cis: "6.12"
 condition: all
 rules:
- - 'c:grep -R force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT'
+ - 'c:grep -Rh force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT'
From 13fd1d59de873f2a9d070883e7bd08cb2a95ff53 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 19 Jun 2019 12:55:28 +0200
Subject: [PATCH 117/247] Fix tcp_sync rules
---
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 4 ++--
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 4 ++--
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index 59afc175b..f667a6e78 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -854,8 +854,8 @@ checks:
 - CCE-4265-5
 condition: all
 rules:
- - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
- - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
 ###############################################
 # 6 System Access, Authentication and Authorization
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index b6a68fb5b..716db5553 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
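Review bot: The corrected regexes anchor on `^net.ipv4.tcp_syncookies`, which suits `sysctl` output but, on the grep rule, rejects a persisted entry written with leading whitespace; the `fs.suid_dumpable` rule elsewhere in this same file tolerates that with `^\s*fs.suid_dumpable\s*=\s*0\s*$`. For consistency use `r:^\s*net.ipv4.tcp_syncookies\s*=\s*1\s*$` on the grep rule here and in the matching RHEL 6 and RHEL 7 hunks that follow. Note the grep rule is satisfied by any one file setting the value to 1 even if a later file in `/etc/sysctl.d` overrides it, which is acceptable only because the `sysctl` rule under `condition: all` checks the effective value. The enclosing check (its id and title) starts above this hunk.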
@@ -750,8 +750,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
- - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
 ###############################################
 # 5 System Access, Authentication and Authorization
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index 34cf3e3e4..7c0b5eab3 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -871,8 +871,8 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
- - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$'
+ - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
 ###############################################
 # 5 System Access, Authentication and Authorization
From 6e8909ef8630ccd91257c4b7f15c4341f3c8179b Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 19 Jun 2019 13:01:01 +0200
Subject: [PATCH 118/247] Fix numbering
---
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 100 ++++++++++++++--------------
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 92 +++++++++++++------------
 2 files changed, 96 insertions(+), 96 deletions(-)
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index f667a6e78..4a19a4e8e 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -184,7 +184,7 @@ checks:
 - 'c:mount -> r:\s/home\s && r:nodev'
 # 1.1.14 /dev/shm: nodev
- - id: 5513
+ - id: 5510
 title: "Add nodev Option to /dev/shm Partition"
 description: "The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -199,7 +199,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 # 1.1.15 /dev/shm: nosuid
- - id: 5514
+ - id: 5511
 title: "Add nosuid Option to /dev/shm Partition"
 description: "The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -214,7 +214,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 # 1.1.16 /dev/shm: noexec
- - id: 5515
+ - id: 5512
 title: "Add noexec Option to /dev/shm Partition"
 description: "Set noexec on the shared memory partition to prevent programs from executing from there."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -232,7 +232,7 @@ checks:
 # 1.2 Software Updates
 ##########################################
 # 1.2.5 Disable yum-updatesd (Scored)
- - id: 5516
+ - id: 5513
 title: "Disable yum-updatesd"
 description: "The yum-updatesd utility provides notification of updates that are available for your system."
 rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly."
@@ -251,7 +251,7 @@ checks:
 # 1.4 Configure SELinux
 ###############################################
 # 1.4.1 enable selinux in /etc/grub.conf
- - id: 5517
+ - id: 5514
 title: "Enable SELinux in /etc/grub.conf"
 description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters"
 rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten."
@@ -266,7 +266,7 @@ checks:
 - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
 # 1.4.2 Set selinux state
- - id: 5518
+ - id: 5515
 title: "Set the SELinux State"
 description: "Set SELinux to enable when the system is booted."
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
@@ -281,7 +281,7 @@ checks:
 - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
 # 1.4.3 Set seliux policy
- - id: 5519
+ - id: 5516
 title: "Set the SELinux Policy"
 description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
@@ -296,7 +296,7 @@ checks:
 - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
 # 1.4.4 Remove SETroubleshoot
- - id: 5520
+ - id: 5517
 title: "Remove SETroubleshoot"
 description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
@@ -309,7 +309,7 @@ checks:
 - 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on'
 # 1.4.5 Disable MCS Translation service mcstrans
- - id: 5521
+ - id: 5518
 title: "Disable MCS Translation Service (mcstrans)"
 description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
 rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system."
@@ -327,7 +327,7 @@ checks:
 # 1.5 Secure Boot Settings
 ###############################################
 # 1.5.3 Set Boot Loader Password (Scored)
- - id: 5522
+ - id: 5519
 title: "Set Boot Loader Password"
 description: "Setting the boot loader password will require that the person who is rebooting system the must enter a password before being able to set command line boot parameters"
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -342,7 +342,7 @@ checks:
 - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
 # 1.5.4 Require Authentication for Single-User Mode (Scored)
- - id: 5523
+ - id: 5520
 title: "Require Authentication for Single-User Mode"
 description: "Since /etc/init determines what run state the system is in, setting the entry in /etc/inittab will force single user authentication."
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -357,7 +357,7 @@ checks:
 - 'f:/etc/inittab -> r:^~:S:wait:/sbin/sulogin'
 # 1.5.5 Disable Interactive Boot (Scored)
- - id: 5524
+ - id: 5521
 title: "Disable Interactive Boot"
 description: "The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
 rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
@@ -375,7 +375,7 @@ checks:
 # 1.6 Additional Process Hardening
 ###############################################
 # 1.6.1 Restrict Core Dumps (Scored)
- - id: 5525
+ - id: 5522
 title: "Restrict Core Dumps"
 description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -390,7 +390,7 @@ checks:
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 # 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 5526
+ - id: 5523
 title: "Enable Randomized Virtual Memory Region Placement"
 description: "Set the system flag to force randomized virtual memory region placement."
 rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting."
@@ -406,7 +406,7 @@ checks:
 - 'c:/sbin/sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 # 1.6.2 Configure ExecShield (Scored)
- - id: 5527
+ - id: 5524
 title: "Configure ExecShield"
 description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers."
 rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
@@ -423,7 +423,7 @@ checks:
 # 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored)
 # TODO
 # 1.6.5 Disable Prelink (Scored)
- - id: 5528
+ - id: 5525
 title: "Disable Prelink"
 description: "Prelinking is a performance enhancing feature that decreases process start up time. It loads shared libraries into addresses for which the linking of required symbols has already been performed. After a binary has been prelinked, the addresses at which shared libraries is not changed, even if kernel.randomize_va_space is set to 1."
 rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)."
@@ -441,7 +441,7 @@ checks:
# 2.1 Remove Legacy Services
###############################################
# 2.1.1 Remove telnet-server (Scored)
- - id: 5529
+ - id: 5526
title: "Remove telnet-server"
description: "The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol."
rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions."
@@ -458,7 +458,7 @@ checks:
- 'c:rpm -qa telnet-server -> r:\.'
# Remove rsh-server (Scored)
- - id: 5530
+ - id: 5527
title: "Remove rsh-server"
description: "The Berkeley rsh-server ( rsh , rlogin , rcp ) package contains legacy services that exchange credentials in clear-text."
rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -473,7 +473,7 @@ checks:
rules:
- 'c:rpm -qa rsh-server -> r:\.'
- - id: 5531
+ - id: 5528
title: "Remove NIS Client"
description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files"
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -490,7 +490,7 @@ checks:
- 'c:rpm -qa ypbind -> r:\.'
# 2.1.6 Remove NIS Server (Scored)
- - id: 5532
+ - id: 5529
title: "Remove NIS Server"
description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
@@ -507,7 +507,7 @@ checks:
- 'c:rpm -qa ypserv -> r:\.'
# 2.1.7 Remove tftp (Scored)
- - id: 5533
+ - id: 5530
title: "Remove tftp-server"
description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is the server package used to define and support a TFTP server."
rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -524,7 +524,7 @@ checks:
- 'c:rpm -qa tftpd -> r:\.'
# 2.1.9 Remove talk (Scored)
- - id: 5534
+ - id: 5531
title: "Remove talk-server"
description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default."
rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -541,7 +541,7 @@ checks:
# 3 Special Purpose Services
###############################################
# 3.2 Set Daemon umask (Scored)
- - id: 5535
+ - id: 5532
title: "Set Daemon umask"
description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
@@ -553,7 +553,7 @@ checks:
- 'f:/etc/sysconfig/init -> umask 027'
# 3.3 Remove X Windows (Scored)
- - id: 5536
+ - id: 5533
title: "Remove X Windows"
description: "The X Windows system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on."
rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
@@ -567,7 +567,7 @@ checks:
- 'not c:yum grouplist X?Window?System -> r:Installed Groups'
# 3.1.1 Disable Avahi Server (Scored)
- - id: 5537
+ - id: 5534
title: "Disable Avahi Server"
description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it."
@@ -580,7 +580,7 @@ checks:
- 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on'
# 3.8 Disable NFS and RPC (Not Scored)
- - id: 5538
+ - id: 5535
title: "Disable NFS and RPC"
description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -593,7 +593,7 @@ checks:
- 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on'
# 3.10 Remove FTP Server (Not Scored)
- - id: 5539
+ - id: 5536
title: "Remove FTP Server"
description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -607,7 +607,7 @@ checks:
- 'c:rpm -qa vsftpd -> r:\.'
# 3.11 Remove HTTP Server (Not Scored)
- - id: 5540
+ - id: 5537
title: "Remove HTTP Server"
description: "HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with Red Hat Linux is Apache."
rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -620,7 +620,7 @@ checks:
- 'c:rpm -qa httpd -> r:\.'
# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
- - id: 5541
+ - id: 5538
title: "Remove Dovecot"
description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
@@ -633,7 +633,7 @@ checks:
- 'c:rpm -qa dovecot -> r:\.'
# 3.13 Remove Samba (Not Scored)
- - id: 5543
+ - id: 5539
title: "Remove Samba"
description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol."
rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -646,7 +646,7 @@ checks:
- 'c:rpm -qa samba -> r:\.'
# 3.14 Remove HTTP Proxy Server (Not Scored)
- - id: 5544
+ - id: 5540
title: "Remove HTTP Proxy Server"
description: "The default HTTP proxy package shipped with Red Hat Linux is squid."
rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
@@ -659,7 +659,7 @@ checks:
- 'c:rpm -qa squid -> r:\.'
# 3.15 Remove SNMP Server (Not Scored)
- - id: 5545
+ - id: 5541
title: "Remove SNMP Server"
description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
@@ -678,7 +678,7 @@ checks:
# 4.1 Modify Network Parameters (Host Only)
###############################################
# 4.1.1 Disable IP Forwarding (Scored)
- - id: 5546
+ - id: 5542
title: "Disable IP Forwarding"
description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -694,7 +694,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
# 4.1.2 Disable Send Packet Redirects (Scored)
- - id: 5547
+ - id: 5543
title: "Disable Send Packet Redirects"
description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -716,7 +716,7 @@ checks:
# 4.2 Modify Network Parameters (Host and Router)
###############################################
# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 5548
+ - id: 5544
title: "Disable Source Routed Packet Acceptance"
description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
@@ -735,7 +735,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 5549
+ - id: 5545
title: "Disable ICMP Redirect Acceptance"
description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -754,7 +754,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 5550
+ - id: 5546
title: "Disable Secure ICMP Redirect Acceptance"
description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -773,7 +773,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
# 4.2.4 Log Suspicious Packets (Scored)
- - id: 5551
+ - id: 5547
title: "Log Suspicious Packets"
description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -791,7 +791,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
# 4.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 5552
+ - id: 5548
title: "Enable Ignore Broadcast Requests"
description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
@@ -807,7 +807,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
# 4.2.6 Enable Bad Error Message Protection (Scored)
- - id: 5553
+ - id: 5549
title: "Enable Bad Error Message Protection"
description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -823,7 +823,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
- - id: 5554
+ - id: 5550
title: "Enable RFC-recommended Source Route Validation"
description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
@@ -842,7 +842,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
# 4.2.8 Enable TCP SYN Cookies (Scored)
- - id: 5555
+ - id: 5551
title: "Enable TCP SYN Cookies"
description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all."
rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding."
@@ -864,7 +864,7 @@ checks:
# 6.1 Configure SSH
###############################################
# 6.2.1 Set SSH Protocol to 2 (Scored)
- - id: 5556
+ - id: 5552
title: "Set SSH Protocol to 2"
description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -882,7 +882,7 @@ checks:
- 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
# 6.2.2 Set LogLevel to INFO (Scored)
- - id: 5557
+ - id: 5553
title: "Ensure SSH LogLevel is set to INFO"
description: "The INFO parameter specifies that login and logout activity will be logged."
rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
@@ -898,7 +898,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 5558
+ - id: 5554
title: "Ensure SSH MaxAuthTries is set to 4 or less"
description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -912,7 +912,7 @@ checks:
- 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 5559
+ - id: 5555
title: "Set SSH IgnoreRhosts to Yes"
description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ."
@@ -929,7 +929,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 5560
+ - id: 5556
title: "Set SSH HostbasedAuthentication to No"
description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -946,7 +946,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
# 6.2.8 Disable SSH Root Login (Scored)
- - id: 5561
+ - id: 5557
title: "Disable SSH Root Login"
description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1) . The default is no."
rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
@@ -963,7 +963,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 5562
+ - id: 5558
title: "Set SSH PermitEmptyPasswords to No"
description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -986,7 +986,7 @@ checks:
# 9.2 Review User and Group Settings
###############################################
# 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 5563
+ - id: 5559
title: "Verify No UID 0 Accounts Exist Other Than root"
description: "Any account with UID 0 has superuser privileges on the system."
rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console."
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 716db5553..fe56d144b 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -172,7 +172,7 @@ checks:
- 'c:mount -> r:\s/home\s && r:nodev'
# 1.1.15 /dev/shm: nodev
- - id: 6013
+ - id: 6010
title: "Ensure nodev option set on /dev/shm partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -185,7 +185,7 @@ checks:
- 'c:mount -> r:\s/dev/shm\s && r:nodev'
# 1.1.16 /dev/shm: nosuid
- - id: 6014
+ - id: 6011
title: "Ensure nosuid option set on /dev/shm partition"
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -198,7 +198,7 @@ checks:
- 'c:mount -> r:\s/dev/shm\s && r:nosuid'
# 1.1.17 /dev/shm: noexec
- - id: 6015
+ - id: 6012
title: "Ensure noexec option set on /dev/shm partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -215,7 +215,7 @@ checks:
# 1.4 Configure SELinux
###############################################
# 1.6.1.1 enable selinux in /etc/grub.conf
- - id: 6016
+ - id: 6013
title: "Ensure SELinux is not disabled in bootloader configuration"
description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
@@ -229,7 +229,7 @@ checks:
- 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
# 1.6.1.2 Set selinux state
- - id: 6017
+ - id: 6014
title: "Ensure the SELinux state is enforcing"
description: "Set SELinux to enable when the system is booted."
rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
@@ -243,7 +243,7 @@ checks:
- 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
# 1.6.1.3 Set selinux policy
- - id: 6018
+ - id: 6015
title: "Ensure SELinux policy is configured"
description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
@@ -256,7 +256,7 @@ checks:
- 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
# 1.6.1.4 Remove SETroubleshoot
- - id: 6019
+ - id: 6016
title: "Ensure SETroubleshoot is not installed"
description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user- friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
@@ -269,7 +269,7 @@ checks:
- 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$'
# 1.6.1.5 Disable MCS Translation service mcstrans
- - id: 6020
+ - id: 6017
title: "Ensure the MCS Translation Service (mcstrans) is not installed"
description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
@@ -285,7 +285,7 @@ checks:
# 1.4 Secure Boot Settings
###############################################
# 1.4.2 Set Boot Loader Password (Scored)
- - id: 6021
+ - id: 6018
title: "Ensure bootloader password is set"
description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security."
@@ -299,7 +299,7 @@ checks:
- 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
# 1.4.3 Require Authentication for Single-User Mode (Scored)
- - id: 6022
+ - id: 6019
title: "Ensure authentication required for single user mode"
description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -313,7 +313,7 @@ checks:
- 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin'
# 1.4.4 Disable Interactive Boot (Scored)
- - id: 6023
+ - id: 6020
title: "Ensure interactive boot is not enabled"
description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
@@ -330,7 +330,7 @@ checks:
# 1.5 Additional Process Hardening
###############################################
# 1.5.1 Restrict Core Dumps (Scored)
- - id: 6024
+ - id: 6021
title: "Ensure core dumps are restricted"
description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
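Review bot: The bootloader-password rule carried as context at the top of `@@ -299`, `f:/boot/grub/grub.cfg -> !r:^# && r:password --md5`, reads a different bootloader file from the SELinux bootloader rule at `@@ -229` in the same file, `f:/etc/grub.conf -> r:selinux=0|enforcing=0`; on a single host only one of those paths is likely to exist, so one of the two checks presumably never gets to evaluate its pattern and reports on a missing file instead of on the real configuration. I'd pick one path for both rules, e.g. `- 'f:/etc/grub.conf -> !r:^# && r:password --md5'`, or add a comment above the rule explaining why the two checks target different files. The check that owns this rule starts before the hunk.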
@@ -345,7 +345,7 @@ checks:
- 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
# 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 6025
+ - id: 6022
title: "Ensure address space layout randomization (ASLR) is enabled"
description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -365,7 +365,7 @@ checks:
# 2.1 Remove Legacy Services
###############################################
# 2.1.8 Remove telnet-server (Scored)
- - id: 6026
+ - id: 6023
title: "Ensure telnet server is not enabled"
description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
@@ -380,7 +380,7 @@ checks:
- 'c:chkconfig --list -> r:telnet-server && r::on'
# 2.1.6 Remove rsh-server (Scored)
- - id: 6027
+ - id: 6024
title: "Ensure rsh server is not enabled"
description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -396,7 +396,7 @@ checks:
# 2.3.1 Remove NIS Client (Scored)
- - id: 6028
+ - id: 6025
title: "Ensure NIS Client is not installed"
description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
@@ -411,7 +411,7 @@ checks:
- 'c:rpm -qa ypbind -> r:\.'
# 2.2.16 Remove NIS Server (Scored)
- - id: 6029
+ - id: 6026
title: "Ensure NIS Server is not enabled"
description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
@@ -426,7 +426,7 @@ checks:
- 'c:chkconfig --list -> r:ypserv && r::on'
# 2.1.9 Remove tftp-server (Scored)
- - id: 6030
+ - id: 6027
title: "Ensure tftp server is not enabled"
description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -441,7 +441,7 @@ checks:
- 'c:chkconfig --list-> r:tftp && r::on'
# 2.1.7 Remove talk-server (Scored)
- - id: 6031
+ - id: 6028
title: "Ensure talk server is disabled"
description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -460,7 +460,7 @@ checks:
###############################################
# 2.2.2 Remove X Windows (Scored)
- - id: 6033
+ - id: 6029
title: "Ensure X Window System is not installed"
description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
@@ -474,7 +474,7 @@ checks:
- 'c:rpm -qa xorg-x11* -> r:\.'
# 2.2.3 Disable Avahi Server (Scored)
- - id: 6034
+ - id: 6030
title: "Ensure Avahi Server is not enabled"
description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
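Review bot: The tftp rule carried as context at the top of `@@ -441`, `c:chkconfig --list-> r:tftp && r::on`, lacks the space before `->` that every other `c:chkconfig --list -> ...` rule in this file has; if the rule parser splits command and pattern on ` -> ` as the other rules suggest, the command becomes `chkconfig --list->` and the check would never evaluate the tftp service state, which is the kind of silent miss a compliance scan should not have. The fix is the one-line `- 'c:chkconfig --list -> r:tftp && r::on'`. The check that owns this rule starts before the hunk.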
@@ -488,7 +488,7 @@ checks: - 'c:chkconfig --list -> r:avahi-daemon && r::on' # 2.2.7 Disable NFS and RPC (Not Scored) - - id: 6035 + - id: 6031 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." @@ -502,7 +502,7 @@ checks: - 'c:chkconfig --list -> r:nfs|rpcbind && r::on' # 2.2.9 Remove FTP Server (Not Scored) - - id: 6036 + - id: 6032 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server." @@ -516,7 +516,7 @@ checks: - 'c:chkconfig --list -> r:vsftpd && r::on' # 2.2.10 Remove HTTP Server (Scored) - - id: 6037 + - id: 6033 title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." @@ -529,7 +529,7 @@ checks: - 'c:chkconfig --list -> r:httpd && r::on' # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored) - - id: 6038 + - id: 6034 title: "Ensure IMAP and POP3 server is not enabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." 
@@ -543,7 +543,7 @@ checks: - 'c:chkconfig --list -> r:dovecot && r::on' # 2.2.12 Remove Samba (Scored) - - id: 6040 + - id: 6035 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." @@ -557,7 +557,7 @@ checks: - 'c:chkconfig --list -> r:smb && r::on' # 2.2.13 Remove HTTP Proxy Server (Scored) - - id: 6041 + - id: 6036 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." @@ -571,7 +571,7 @@ checks: - 'c:chkconfig --list -> r:squid && r::on' # 2.2.14 Remove SNMP Server (Scored) - - id: 6042 + - id: 6037 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." 
@@ -591,7 +591,7 @@ checks: # 3.1 Modify Network Parameters (Host Only) ############################################### # 3.1.1 Disable IP Forwarding (Scored) - - id: 6043 + - id: 6038 title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." @@ -606,7 +606,7 @@ checks: - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - - id: 6045 + - id: 6039 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." @@ -626,7 +626,7 @@ checks: # 3.2 Modify Network Parameters (Host and Router) ############################################### # 3.2.1 Disable Source Routed Packet Acceptance (Scored) - - id: 6046 + - id: 6040 title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network." rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface." 
@@ -643,7 +643,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - - id: 6047 + - id: 6041 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." @@ -660,7 +660,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - - id: 6048 + - id: 6042 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
@@ -677,7 +677,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' # 3.2.4 Log Suspicious Packets (Scored) - - id: 6049 + - id: 6043 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." @@ -694,7 +694,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - - id: 6050 + - id: 6044 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." 
@@ -709,7 +709,7 @@ checks: - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - - id: 6051 + - id: 6045 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -723,7 +723,7 @@ checks: - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) - - id: 6052 + - id: 6046 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid." rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." 
@@ -739,7 +739,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) - - id: 6053 + - id: 6047 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." @@ -760,7 +760,7 @@ checks: # 5.2 Configure SSH ############################################### # 5.2.2 Set SSH Protocol to 2 (Scored) - - id: 6054 + - id: 6048 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." 
@@ -776,7 +776,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2' # 5.2.3 Set LogLevel to INFO (Scored) - - id: 6055 + - id: 6049 title: "Ensure SSH LogLevel is set to INFO" description: "The INFO parameter specifies that login and logout activity will be logged." rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." @@ -792,7 +792,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored) - - id: 6056 + - id: 6050 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." @@ -806,7 +806,7 @@ checks: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored) - - id: 6057 + - id: 6051 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
@@ -822,7 +822,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes' # 5.2.7 Set SSH HostbasedAuthentication to No (Scored) - - id: 6058 + - id: 6052 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." @@ -838,7 +838,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no' # 5.2.8 Disable SSH Root Login (Scored) - - id: 6059 + - id: 6053 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" @@ -854,7 +854,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no' # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored) - - id: 6060 + - id: 6054 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" 
@@ -876,7 +876,7 @@ checks:
 # 6.2 Review User and Group Settings
 ###############################################
 # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 6061
+ - id: 6055
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
From a2daa3436e261b14c65a9ecb4be5f8f9c6719609 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Wed, 19 Jun 2019 04:21:00 -0700
Subject: [PATCH 119/247] Fix Debian policies - uncomplete
---
 sca/debian/cis_debian_linux_rcl.yml | 39 +-
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 727 ++++++++++++-----------
 sca/debian/cis_debianlinux7-8_L2_rcl.yml | 188 +++---
 3 files changed, 475 insertions(+), 479 deletions(-)
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml
index 94990c377..cfe4d99c9 100644
--- a/sca/debian/cis_debian_linux_rcl.yml
+++ b/sca/debian/cis_debian_linux_rcl.yml
@@ -56,7 +56,6 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'not c:mount -> r:\s/tmp\s'
 - 'c:mount -> r:\s/tmp\s && r:nodev'
 - id: 5002
@@ -94,9 +93,8 @@ checks:
 - cis_csc: "5.1"
 - cis: "1.1.8"
 - pci_dss: "2.2.4"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/var/tmp\s'
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
 - id: 5005
@@ -108,9 +106,8 @@ checks:
 - cis_csc: "5.1"
 - cis: "1.1.14"
 - pci_dss: "2.2.4"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/home\s'
 - 'c:mount -> r:\s/home\s && r:nodev'
 - id: 5006
@@ -121,9 +118,8 @@ checks:
 compliance:
 - cis_csc: "5.1"
 - cis: "1.1.14"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/dev/shm\s'
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 - id: 5007
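Review bot: Dropping `- 'not c:mount -> r:\s/tmp\s'` and leaving the single `c:mount … && r:nodev` rule changes the outcome for a host that has no dedicated /tmp mount from "not applicable" to a failed check, and the same switch from `condition: any` is made in the -94, -108 and -121 hunks here and the -134 to -204 hunks that follow (this -56 hunk is itself a fix, since `all` over the old contradictory pair could never pass). If a failure on hosts without a separate mount is intended, say so in the check's description; if not, keep the negated rule together with `condition: any`. The later hunks for the L1 policy's 1.1.3 and 1.1.4 checks make the same removal.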
@@ -134,9 +130,8 @@ checks:
 compliance:
 - cis_csc: "5.1"
 - cis: "1.1.15"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/dev/shm\s'
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 - id: 5008
@@ -147,9 +142,8 @@ checks:
 compliance:
 - cis_csc: "5.1"
 - cis: "1.1.16"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/dev/shm\s'
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
 # Section 1.7 - Warning banners
@@ -178,9 +172,8 @@ checks:
 - cis_csc: "5.1"
 - cis: "2.14"
 - pci_dss: "2.2.4"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nodev'
 - id: 5011
@@ -191,9 +184,8 @@ checks:
 compliance:
 - cis_csc: "5.1"
 - cis: "2.15"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nosuid'
 - id: 5012
@@ -204,9 +196,8 @@ checks:
 compliance:
 - cis_csc: "5.1"
 - cis: "2.16"
- condition: any
+ condition: all
 rules:
- - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:noexec'
 # Section 2.1 - Inetd services
@@ -370,7 +361,7 @@ checks:
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
 - id: 5026
 title: "Ensure IPv6 forwarding is disabled"
@@ -383,7 +374,7 @@ checks:
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
- - 'c:grep -R net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
 # Section 3.2 - Network Parameters (Host and Router)
 - id: 5027
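Review bot: The new grep rule in the -370 hunk matches `r:^net.ipv4_forward\s*=\s*0$`, which cannot match a `net.ipv4.ip_forward = 0` line, so under `condition: all` the IP-forwarding check never passes; the `-Rh` fix keeps the wrong key name. It should read `- 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'`, the form the equivalent rule earlier in this series already uses, and the untouched `c:sysctl` rule above it has the same key typo plus a stray `=` after `r:`. The -383 hunk has the same defect twice over: it greps for the non-existent key `net\.ipv6\.ip_forward\.conf\.all\.forwarding` and matches `^net.ipv6_forward.conf.all.forwarding`, where both should be `net.ipv6.conf.all.forwarding` as the `c:sysctl` invocation in that hunk already spells it.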
@@ -398,12 +389,12 @@ checks:
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
 - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
 - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
 - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
- - 'c:grep -R net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
 - id: 5028
 title: "Ensure broadcast ICMP requests are ignored"
@@ -416,7 +407,7 @@ checks:
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
- - 'c:grep -R net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1'
 # Section 5.2 - SSH Server Configuration
 - id: 5029
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index 764a5fafb..09d8dfdf1 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -1,5 +1,5 @@
 # Security Configuration assessment
-# Level 1 CIS Checks for Debian Linux 7 and Debian Linux 8
+# Level 1 CIS Checks for Debian Linux 8
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
 # This program is a free software; you can redistribute it
@@ -8,14 +8,13 @@
 # Foundation
 #
 # Based on:
-# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015
 # Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018
 policy:
- id: "cis_debianlinux7-8_L1"
- file: "cis_debianlinux7-8_L1_rcl.yml"
- name: "CIS benchmark for Debian/Linux 7 and 8 L1"
- description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 7 and 8."
+ id: "cis_debianlinux8_L1"
+ file: "cis_debianlinux8_L1_rcl.yml"
+ name: "CIS benchmark for Debian/Linux 8 L1"
+ description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 8."
 references:
 - https://www.cisecurity.org/cis-benchmarks/
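Review bot: The new grep rule in the -416 hunk ends in `\s*=\s*1` without the `$` anchor that the `c:sysctl` rule two lines above and every other sysctl grep in this file carry, so a value such as `= 10` would also satisfy it. Add the anchor for consistency: `- 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`.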
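Review bot: `file: "cis_debianlinux8_L1_rcl.yml"` in the -8 hunk no longer matches the path of the file being edited, `sca/debian/cis_debianlinux7-8_L1_rcl.yml`, and the diffstat records a modification rather than a rename. Either rename the file in the same commit or keep `file: "cis_debianlinux7-8_L1_rcl.yml"` so the policy metadata points at a file that exists. Changing the policy `id` at the same time presumably also detaches previously recorded results from this policy; that is worth a sentence in the commit message.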
@@ -28,6 +27,98 @@ requirements: - 'f:/proc/sys/kernel/ostype -> Linux' checks: +# 1.1.1 Disable unused filesystems + - id: 11000 + title: "Ensure mounting of cramfs filesystems is disabled" + description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs" + compliance: + - cis: "1.1.1.1" + - cis_csc: "13" + condition: all + rules: + - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' + - 'not c:lsmod -> r:cramfs' + + - id: 11001 + title: "Ensure mounting of freevxfs filesystems is disabled" + description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install freevxfs /bin/true. 2) Run the following command to unload the freevxfs module: # rmmod freevxfs" + compliance: + - cis: "1.1.1.2" + - cis_csc: "13, 5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' + - 'not c:lsmod -> r:freevxfs' + + - id: 11002 + title: "Ensure mounting of jffs2 filesystems is disabled" + description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." 
+ rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install jffs2 /bin/true. 2) Run the following command to unload the jffs2 module: # rmmod jffs2" + compliance: + - cis: "1.1.1.3" + - cis_csc: "13, 5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' + - 'not c:lsmod -> r:jffs2' + + - id: 11003 + title: "Ensure mounting of hfs filesystems is disabled" + description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfs /bin/true. 2) Run the following command to unload the hfs module: # rmmod hfs" + compliance: + - cis: "1.1.1.4" + - cis_csc: "13, 5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' + - 'not c:lsmod -> r:hfs' + + - id: 11004 + title: "Ensure mounting of hfsplus filesystems is disabled" + description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfsplus /bin/true. 
2) Run the following command to unload the hfsplus module: # rmmod hfsplus" + compliance: + - cis: "1.1.1.5" + - cis_csc: "13, 5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' + - 'not c:lsmod -> r:hfsplus' + + - id: 11005 + title: "Ensure mounting of squashfs filesystems is disabled" + description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install squashfs /bin/true. 2) Run the following command to unload the squashfs module: # rmmod squashfs" + compliance: + - cis: "1.1.1.6" + - cis_csc: "13" + condition: all + rules: + - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' + - 'not c:lsmod -> r:squashfs' + + - id: 11006 + title: "Ensure mounting of udf filesystems is disabled" + description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install udf /bin/true. 
2) Run the following command to unload the udf module: # rmmod udf" + compliance: + - cis: "1.1.1.7" + - cis_csc: "13, 5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' + - 'not c:lsmod -> r:udf' + # 2 Filesystem Configuration - id: 10500 title: "Ensure /tmp is configured" @@ -36,8 +127,10 @@ checks: remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." compliance: - cis: "1.1.2" + - cis_csc: "13, 5.1" references: - http://tldp.org/HOWTO/LVM-HOWTO/ + - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ condition: any rules: - 'c:mount -> r:\s/tmp\s' @@ -49,9 +142,9 @@ checks: remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - cis: "1.1.3" + - cis_csc: "13, 5.1" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' - id: 10502 
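Review bot: The seven new filesystem checks in the -28 hunk are inconsistent among themselves: 11000 and 11005 carry `cis_csc: "13"` while the other five carry `"13, 5.1"`, and 11002's remediation omits the `1) ` step prefix that the other six use. The ids 11000–11006 are also placed before the existing 10500 series, so check order in the file no longer follows id order; if the numbering is meant to group the 1.1.1.x items, a short comment saying so above `# 1.1.1 Disable unused filesystems` would help the next editor.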
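Review bot: The check edited in the -49 hunk sits between `- id: 10500` and `- id: 10502`, so it is presumably `10501`; the following hunk then adds a new `- id: 10501` for the /var/tmp nodev check, which would leave two checks sharing an id — verify the ids are unique before merging. The removal of `- 'not c:mount -> r:\s/tmp\s'` here has the same effect as in the cis_debian_linux_rcl.yml hunks: a host without a dedicated /tmp mount now fails this check instead of being treated as not applicable.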
@@ -61,86 +154,46 @@ checks: remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - cis: "1.1.4" + - cis_csc: "13, 5.1" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nosuid' - - id: 10503 - title: "Set noexec option for /tmp partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" - compliance: - - cis: "2.4" - condition: all - rules: - - 'not c:mount -> r:\s/tmp\s' - - 'c:mount -> r:\s/tmp\s && r:noexec' - - - id: 10504 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." - compliance: - - cis: "1.1.5" - references: - - http://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'c:mount -> r:\s/var\s' - - - id: 10505 - title: "Bind mount the /var/tmp directory to /tmp" - description: "The /var/tmp directory is normally a standalone directory in the /var file system. 
Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp." - rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." - remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" - compliance: - - cis: "2.6" - condition: all - rules: - - 'c:findmnt -> r:/var/tmp && r:[/tmp]' - - 'c:grep ^/tmp /etc/fstab -> r:^/tmp && r:\s*/var/tmp\s*' - - - id: 10506 - title: "Ensure separate partition exists for /var/log" - description: "The /var/log directory is used by system services to store log data." - rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + - id: 10501 + title: "Ensure nodev option set on /var/tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp." 
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" compliance: - - cis: "1.1.10" - references: - - http://tldp.org/HOWTO/LVM-HOWTO/ + - cis: "1.1.7" + - cis_csc: "13, 5.1" condition: all rules: - - 'c:mount -> r:\s/var/log\s' + - 'c:mount -> r:\s/var/tmp\s && r:nodev' - - id: 10507 - title: "Ensure separate partition exists for /var/log/audit" - description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory." - rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + - id: 10501 + title: "Ensure nosuid option set on /var/tmp partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. 
Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp" compliance: - - cis: "1.1.11" - references: - - http://tldp.org/HOWTO/LVM-HOWTO/ + - cis: "1.1.8" + - cis_csc: "13, 5.1" condition: all rules: - - 'c:mount -> r:\s/var/log/audit\s' + - 'c:mount -> r:\s/var/tmp\s && r:nosuid' - - id: 10508 - title: "Ensure separate partition exists for /home" - description: "The /home directory is used to support disk storage needs of local users." - rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + - id: 10501 + title: "Ensure noexec option set on /var/tmp partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp" compliance: - - cis: "1.1.12" - references: - - http://tldp.org/HOWTO/LVM-HOWTO/ + - cis: "1.1.9" + - cis_csc: "2, 2.6" condition: all rules: - - 'c:mount -> r:\s/home\s' + - 'c:mount -> r:\s/var/tmp\s && r:noexec' - id: 10509 title: "Ensure nodev option set on /home partition" 
@@ -149,46 +202,46 @@ checks: remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - cis: "1.1.13" + - cis_csc: "13, 15.1, 5.1" condition: all rules: - - 'not c:mount -> r:\s/home\s' - 'c:mount -> r:\s/home\s && r:nodev' - id: 10510 - title: "Add nodev Option to /run/shm Partition" - description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. 
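Review bot: The three new /var/tmp checks (nodev, nosuid, noexec) are all added as `- id: 10501`, which is also the id kept by the /tmp nodev check earlier in the file; SCA check ids must be unique within a policy, otherwise results overwrite one another and only one of the four shows up. The ids 10503-10508 are freed by the blocks this hunk deletes, so the three checks could become `- id: 10503`, `- id: 10504` and `- id: 10505`, assuming nothing later in the commit reuses them. Separately, the deleted 10503 (noexec on /tmp) is a benchmark item that the new /var/tmp trio does not cover, so confirm it is re-added elsewhere before dropping it. The noexec check's `cis_csc: "2, 2.6"` also differs from the `"13, 5.1"` used by its two siblings, which looks like a copy error worth verifying against the benchmark.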
Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm" compliance: - - cis: "2.14" + - cis: "1.1.14" + - cis_csc: "13, 5.1" condition: all rules: - - 'not c:mount -> r:\s/run/shm\s' - - 'c:mount -> r:\s/run/shm\s && r:nodev' + - 'c:mount -> r:\s/dev/shm\s && r:nodev' - id: 10511 - title: "Add nosuid Option to /run/shm Partition" - description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm" + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm" compliance: - - cis: "2.15" + - cis: "1.1.15" + - cis_csc: "13, 5.1" condition: all rules: - - 'not c:mount -> r:\s/run/shm\s' - - 'c:mount -> r:\s/run/shm\s && r:nosuid' + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' - id: 10512 - title: "Add noexec Option to /run/shm Partition" - description: "Set noexec on the shared memory partition to prevent programs from executing from there." + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm" + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm" compliance: - - cis: "2.16" + - cis: "1.1.16" + - cis_csc: "13, 5.1" condition: all rules: - - 'not c:mount -> r:\s/run/shm\s' - - 'c:mount -> r:\s/run/shm\s && r:noexec' + - 'c:mount -> r:\s/dev/shm\s && r:noexec' - id: 10513 title: "Disable Automounting" 
@@ -196,359 +249,351 @@ checks: rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - - cis: "2.25" + - cis: "1.1.21" + - cis_csc: "8.3, 8.4, 8.5" condition: none rules: - - 'c:find /etc -regex /etc/rc.*autofsc -> r:S\.*autofsc' + - 'c:systemctl is-enabled autofs -> r:^enabled' -# 3 Secure Boot Settings +# 1.3 Filesystem Integrity Checking + - id: 11026 + title: "Ensure AIDE is installed" + description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system." + rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries." + remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit" + compliance: + - cis: "1.3.1" + - cis_csc: "3.5, 14.9" + condition: all + rules: + - 'c:dpkg -s aide -> r:install ok installed' + + - id: 11027 + title: "Ensure filesystem integrity is regularly checked" + description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem." + rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion." + remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy." 
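Review bot: The new remediation for 10512 (noexec on /dev/shm) ends with `# mount -o remount,noexec /run/shm` while the check now matches `\s/dev/shm\s`; on hosts where /run/shm is not an alias for /dev/shm the command either fails or remounts a path the rule does not inspect. It should read `Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"`, and the 10510 rationale likewise still refers to "the /run/shm filesystem". In 10513 the check was switched to `c:systemctl is-enabled autofs -> r:^enabled` but the remediation still says `# update-rc.d autofs disable`; `# systemctl --now disable autofs` would match the unit the new rule evaluates.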
+ compliance: + - cis: "1.3.2" + - cis_csc: "3.5, 14.9" + condition: all + rules: + - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check' + +# 1.4 Secure Boot Settings - id: 10514 - title: "Set Boot Loader Password" - description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" + title: "Ensure bootloader password is set" + description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub" + remediation: "1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" 3) Run the following to update the grub configuration: # update-grub" 
compliance: - - cis: "3.3" + - cis: "1.4.2" + - cis_csc: "5.1" condition: all rules: - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password' - id: 10515 - title: "Require authentication for Single-User mode" - description: "Setting a password for the root user will force authentication in single user mode." + title: "Ensure authentication required for single user mode" + description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader." rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" compliance: - - cis: "3.4" + - cis: "1.4.3" + - cis_csc: "5.1" condition: none rules: - - 'f:/etc/shadow -> r:^root:[*\!]:' + - 'f:/etc/shadow -> r:^root:*:|^root:!:' -# 4 Additional Process Hardening +# 1.5 Additional Process Hardening - id: 10516 - title: "Restrict Core Dumps" + title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." - rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." - remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. 
fs.suid_dumpable = 0" + rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." + remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0 and set the active kernel parameter." compliance: - - cis: "4.1" + - cis: "1.5.1" + - cis_csc: "13" condition: all rules: - 'c:ulimit -H -c -> 0' - - 'c:sysctl fs.suid_dumpable -> r:=\s*0$' - - 'c:grep -R ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$' + - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$' + - 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' - id: 10517 - title: "Enable Randomized Virtual Memory Region Placement" - description: "Set the system flag to force randomized virtual memory region placement." + title: "Ensure address space layout randomization (ASLR) is enabled" + description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." - remediation: "Add the following line to the /etc/sysctl.conf file. 
kernel.randomize_va_space = 2" + remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" compliance: - - cis: "4.3" + - cis: "1.5.3" + - cis_csc: "8.3, 8.4" condition: all rules: + - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$ - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' -# 5 OS Services - - id: 10518 - title: "Ensure NIS Client is not installed" - description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." - remediation: "Uninstall the nis package: # apt-get purge nis" - compliance: - - cis: "2.3.1" - condition: none - rules: - - 'c:dpkg -s nis -> r:install ok installed' - - - id: 10519 - title: "Ensure rsh server is not enabled" - description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text." - rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." 
- remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd" - compliance: - - cis: "5.1.2" - condition: none - rules: - - 'f:/etc/inetd.conf -> r:^shell|^login|^exec' - - - id: 10520 - title: "Ensure talk server is not enabled" - description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." - rationale: "The software presents a security risk as it uses unencrypted protocols for communication." - remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd" - compliance: - - cis: "5.1.4" - condition: none - rules: - - 'f:/etc/inetd.conf -> r:^talk|^ntalk' - - - id: 10521 - title: "Ensure telnet client is not installed" - description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." 
- remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" - compliance: - - cis: "2.3.4" - condition: none - rules: - - 'c:dpkg -s telnet -> r:install ok installed' - - - id: 10522 - title: "Ensure tftp-server is not enabled" - description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server." - rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." - remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal" +# 1.7 Warning Banners + - id: 10593 + title: "Ensure local login warning banner is configured properly" + description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture \r - operating system release \s - operating system name \v - operating system version" + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. 
Authorized users can easily get this information by running the " uname -a " command once they have logged in." + remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of\m,\r,\s, or\v: # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue" compliance: - - cis: "5.1.7" + - cis: "1.7.1.2" + - cis_csc: "13, 5.1" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:tftp' + - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' +# 2 Services - id: 10523 - title: "Ensure xinetd is not enabled" - description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well." - rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." - remediation: "Disable xinetd: # update-rc.d xinetd disable" - compliance: - - cis: "5.1.8" - condition: none - rules: - - 'c:find /etc -regex /etc/rc.*xinetd -> r:S\.+xinetd' - - - id: 10524 - title: "Ensure chargen is not enabled" - description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal" + title: "Ensure xinetd is not installed" + description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. 
The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." + rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled." + remediation: "Run the following command to disable xinetd: # apt-get remove xinetd" compliance: - - cis: "5.2" + - cis: "2.1.1" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:chargen' + - 'c:dpkg -s xinetd -> r:install ok installed' - - id: 10525 - title: "Ensure daytime is not enabled" - description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal" - compliance: - - cis: "5.3" - condition: none - rules: - - 'f:/etc/inetd.conf -> !r:^# && r:daytime' - - - id: 10526 - title: "Ensure echo is not enabled" - description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal" - compliance: - - cis: "5.4" - condition: none - rules: - - 'f:/etc/inetd.conf -> !r:^# && r:echo' - - - id: 10527 - title: "Ensure discard is not enabled" - description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." 
- rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal" + - id: 10523 + title: "Ensure inetd is not installed" + description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." + rationale: "If there are no inetd services required, it is recommended that the daemon be removed." + remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd" compliance: - - cis: "5.5" + - cis: "2.1.2" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'f:/etc/inetd.conf -> !r:^# && r:discard' + - 'c:dpkg -s openbsd-inetd -> r:install ok installed' + - 'c:dpkg -s inetutils-inetd -> r:install ok installed' - - id: 10528 - title: "Ensure time is not enabled" - description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." - rationale: "Disabling this service will reduce the remote attack surface of the system." - remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal" + - id: 10532 + title: "Ensure ntp is configured" + description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." + rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." 
+ remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." compliance: - - cis: "5.6" - condition: none + - cis: "2.2.1.2" + - cis_csc: "6.1" + references: + - http://www.ntp.org/ + condition: all rules: - - 'f:/etc/inetd.conf -> !r:^# && r:time' + - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' + - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' + - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$' + - 'f:/etc/ntp.conf -> r:^server\s\.+' + - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' -# 6 Special Purpose Services - id: 10529 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." - rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface." - remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable" + rationale: "Automatic discovery of network services is not normally required for system functionality. 
It is recommended to disable the service to reduce the potential attach surface." + remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon" compliance: - - cis: "6.2" + - cis: "2.2.3" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*avahi-daemon -> r:S\.*avahi-daemon' + - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' - id: 10530 - title: "Ensure print server is not enabled" + title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." - remediation: "Disable cups: # update-rc.d cups disable" + remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis: "6.3" + - cis: "2.2.4" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*cups -> r:S\.*cups' + - 'c:systemctl is-enabled cups -> r:^enabled' - id: 10531 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." - rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface." - remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable" + rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." 
+ remediation: "Run the following commands to disable dhcpd: # systemctl disable isc-dhcp-server # systemctl disable isc-dhcp-server6" + references: + - https://www.isc.org/dhcp/ compliance: - - cis: "6.4" + - cis: "2.2.5" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*isc-dhcp-server -> r:S\.*isc-dhcp-server' - - - id: 10532 - title: "Configure Network Time Protocol (NTP)" - description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server." - rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." - remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." 
- compliance: - - cis: "6.5" - references: - - http://www.ntp.org/ - condition: all - rules: - - 'c:dpkg -s ntp -> r:install ok installed' - - 'f:/etc/ntp.conf -> r:^restrict -4 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' - - 'f:/etc/ntp.conf -> r:^restrict -6 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' - - 'f:/etc/ntp.conf -> r:^server\s\.+' - - 'f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp' + - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled' + - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled' - id: 10533 - title: "Ensure LDAP is not enabled" + title: "Ensure LDAP server is not enabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." - rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface." - remediation: "Uninstall the slapd package: # apt-get purge slapd" + rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable slapd: # systemctl disable slapd" compliance: - - cis: "6.6" + - cis: "2.2.6" + - cis_csc: "9.1, 9.2" references: - - http://www.openldap.org + - https://www.openldap.org condition: none rules: - - 'c:dpkg -s slapd -> install ok installed' + - 'c:systemctl is-enabled slapd -> r:^enabled' - id: 10534 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." 
- rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." - remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable" + rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." + remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind" compliance: - - cis: "6.7" + - cis: "2.2.7" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*rpcbind -> r:S\.*rpcbind' - - 'c:find /etc -regex /etc/rc.*nfs-kernel-server -> r:S\.*nfs-kernel-server' + - 'c:systemctl is-enabled nfs-server -> r:^enabled' + - 'c:systemctl is-enabled rpcbind -> r:^enabled' - id: 10535 title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." - rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Disable bind9: # update-rc.d bind9 disable" + rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." + remediation: "Run the following command to disable named: # systemctl disable bind9" compliance: - - cis: "6.8" + - cis: "2.2.8" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*bind9 -> r:S\.*bind9' + - 'c:systemctl is-enabled bind9 -> r:^enabled' - id: 10536 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." 
rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Disable vsftpd: # update-rc.d vsftpd disable" + remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" compliance: - - cis: "6.9" + - cis: "2.2.9" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*vsftpd -> r:S\.*vsftpd' + - 'c:systemctl is-enabled vsftpd -> r:^enabled' - id: 10537 title: "Ensure HTTP Server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Disable apache2: # update-rc.d apache2 disable" + remediation: "Run the following command to disable apache2: # systemctl disable apache2" compliance: - - cis: "6.10" + - cis: "2.2.10" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*apache2 -> r:S\.*apache2' - - - id: 10538 - title: "Ensure IMAP and POP server is not enabled" - description: "Dovecot is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." 
- remediation: "Disable dovecot: # update-rc.d dovecot disable" - compliance: - - cis: "6.11" - condition: none - rules: - - 'c:find /etc -regex /etc/rc.*dovecot -> r:S\.*dovecot' + - 'c:systemctl is-enabled apache2 -> r:^enabled' - id: 10539 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." - remediation: "Disable samba: # update-rc.d samba disable" + remediation: "Run the following command to disable smbd: # systemctl disable smbd" compliance: - - cis: "6.12" + - cis: "2.2.12" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*smb -> r:S\.*smb' + - 'c:systemctl is-enabled smbd -> r:^enabled' - id: 10540 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
- remediation: "Disable squid3: # update-rc.d squid3 disable" + remediation: "Run the following command to disable squid: # systemctl disable squid" compliance: - - cis: "6.13" + - cis: "2.2.13" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*squid -> r:S\.*squid' + - 'c:systemctl is-enabled squid -> r:^enabled' - id: 10541 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." - rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." - remediation: "Disable snmpd: # update-rc.d snmpd disable" + rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." + remediation: "Run the following command to disable snmpd: # systemctl disable snmpd" compliance: - - cis: "6.14" + - cis: "2.2.14" + - cis_csc: "9.1, 9.2" condition: none rules: - - 'c:find /etc -regex /etc/rc.*snmpd -> r:S\.*snmpd' - - - id: 10542 - title: "Configure Mail Transfer Agent for Local-Only Mode" - description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail." - rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. 
While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state." - remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload" - compliance: - - cis: "6.15" - condition: all - rules: - - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$' + - 'c:systemctl is-enabled snmpd -> r:^enabled' - id: 10543 title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." - remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false" + remediation: "Run the following command to disable rsync: # systemctl disable rsync" + compliance: + - cis: "2.2.16" + - cis_csc: "9.1, 9.2" + condition: none + rules: + - 'c:systemctl is-enabled rsync -> r:^enabled' + + - id: 10518 + title: "Ensure NIS Client is not installed" + description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." 
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." + remediation: "Uninstall the nis package: # apt-get remove nis" + compliance: + - cis: "2.3.1" + - cis_csc: "2, 2.6" + condition: none + rules: + - 'c:dpkg -s nis -> r:install ok installed' + + - id: 10519 + title: "Ensure rsh client is not installed" + description: "The rshpackage contains the client commands for the rsh services." + rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin." + remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client" + compliance: + - cis: "2.3.2" + - cis_csc: "3.4, 4.5" + condition: none + rules: + - 'c:dpkg -s rsh-client -> r:install ok installed' + - 'c:dpkg -s rsh-redone-client -> r:install ok installed' + + - id: 10520 + title: "Ensure talk client is not installed" + description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default." + rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
+ remediation: "Run the following command to uninstall talk: apt-get remove talk" compliance: - - cis: "6.16" + - cis: "2.3.3" + - cis_csc: "2, 2.6" condition: none rules: - - 'c:dpkg -s rsync -> install ok installed' - - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false' + - 'c:dpkg -s talk -> r:install ok installed' -# 7 Network Configuration and Firewall + - id: 10521 + title: "Ensure telnet client is not installed" + description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." + remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" + compliance: + - cis: "2.3.4" + - cis_csc: "3.4, 4.5" + condition: none + rules: + - 'c:dpkg -s telnet -> r:install ok installed' + +--------------------------------------------------- #ToDo + +# 3 Network Configuration - id: 10544 title: "Disable IP Forwarding" description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0." 
@@ -808,21 +853,21 @@ checks: - rsyslog.conf(5) man page condition: all rules: - - 'c:grep -R ^*.emerg\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.info\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.warning\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^news.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^news.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^news.notice\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^*.=warning;*.=err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^*.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^*.*;mail.none;news.none\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local0,local1.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local2,local3.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local4,local5.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local6,local7.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^*.emerg\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^mail.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^mail.info\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^mail.warning\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^mail.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^news.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^news.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^news.notice\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^*.=warning;*.=err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^*.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^*.*;mail.none;news.none\s*\t*\s*\S 
/etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^local0,local1.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^local2,local3.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^local4,local5.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:grep -Rh ^local6,local7.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - id: 10566 title: "Configure rsyslog to Send Logs to a Remote Log Host" @@ -848,8 +893,8 @@ checks: - rsyslog.conf(8) man page condition: all rules: - - 'c:grep -R ^\$ModLoad imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so' - - 'c:grep -R ^\$InputTCPServerRun 514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514' + - 'c:grep -Rh ^\$ModLoad imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so' + - 'c:grep -Rh ^\$InputTCPServerRun 514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514' - id: 10568 title: "Configure logrotate" @@ -1131,7 +1176,7 @@ checks: - cis: "10.4" condition: all rules: - - 'c:grep -R ^umask 077 /etc/profile.d/' + - 'c:grep -Rh ^umask 077 /etc/profile.d/' - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077' - id: 10592 
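Review bot: In the umask hunk (`@@ -1131`), `grep -Rh ^umask 077 /etc/profile.d/` hands grep `^umask` as the pattern and `077` as a second file operand, because nothing quotes the pattern and the command string is split on whitespace; the rule therefore matches any `umask` line (including `umask 022`) and grep additionally complains about a missing file named `077`. Since that rule has no `->` filter, the check passes on a wrong umask; put the value where it is actually tested, e.g. `- 'c:grep -Rh ^umask /etc/profile.d/ -> r:^umask\s*\t*077'`. The `@@ -848` hunk has the same split (`imtcp.so` and `514` become file operands), but there the `-> r:` regex does the real matching, so it is enough to trim the grep patterns to `^\$ModLoad` and `^\$InputTCPServerRun` and let the filter keep the value. How SCA launches the command (with or without a shell) is not visible from this hunk, but neither path would rejoin the unquoted tokens.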
@@ -1145,36 +1190,6 @@ checks: rules: - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' -# 11 Warning Banners - - id: 10593 - title: "Set Warning Banner for Standard Login Services" - description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed." - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." - remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net" - compliance: - - cis: "11.1" - condition: all - rules: - - 'f:/etc/motd' - - 'f:/etc/issue' - - 'f:/etc/issue.net' - - 'c:stat -c%u-%g-%a /etc/motd -> 0-0-644' - - 'c:stat -c%u-%g-%a /etc/issue -> 0-0-644' - - 'c:stat -c%u-%g-%a /etc/issue.net -> 0-0-644' - - - id: 10594 - title: "Remove OS Information from Login Warning Banners" - description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." 
- rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." - remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v." - compliance: - - cis: "11.2" - condition: none - rules: - - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' - - 'c:grep (\\v|\\r|\\m|\\s) /etc/motd' - - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue.net' - # 13 Review User and Group Settings - id: 10595 title: "Ensure Password Fields are Not Empty" diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml index 80493dba6..a897e6625 100644 --- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml @@ -1,5 +1,5 @@ # Security Configuration assessment -# Level 2 CIS Checks for Debian Linux 7 and Debian Linux 8 +# Level 2 CIS Checks for Debian Linux 8 # Copyright (C) 2015-2019, Wazuh Inc. # # This program is a free software; you can redistribute it @@ -8,14 +8,13 @@ # Foundation # # Based on: -# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015 # Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018 policy: - id: "cis_debianlinux7-8_L2" - file: "cis_debianlinux7-8_L2_rcl.yml" - name: "CIS benchmark for Debian/Linux 7 and 8 L2" - description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 7 and 8." + id: "cis_debianlinux8_L2" + file: "cis_debianlinux8_L2_rcl.yml" + name: "CIS benchmark for Debian/Linux 8 L2" + description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 8." references: - https://www.cisecurity.org/cis-benchmarks/ 
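Review bot: `file: "cis_debianlinux8_L2_rcl.yml"` no longer matches the path this patch modifies, `sca/debian/cis_debianlinux7-8_L2_rcl.yml`, and the diff carries no rename for it. If the policy `file` field is meant to name the file on disk, the two should agree — either rename the file in the same commit or keep `file: "cis_debianlinux7-8_L2_rcl.yml"` until the rename lands. The `id` change to `cis_debianlinux8_L2` has the same coupling if anything else (the L1 policy, manager-side configuration) still references the old id; that cannot be seen from this hunk.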
@@ -28,104 +27,118 @@ requirements: - 'f:/proc/sys/kernel/ostype -> Linux' checks: -# 2 Filesystem Configuration - - id: 11000 - title: "Disable Mounting of cramfs Filesystems" - description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true" - compliance: - - cis: "2.18" - condition: all - rules: - - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' - - 'not c:lsmod -> r:cramfs' - - id: 11001 - title: "Disable Mounting of freevxfs Filesystems" - description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true" + - id: 10504 + title: "Ensure separate partition exists for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." 
compliance: - - cis: "2.19" + - cis: "1.1.5" + - cis_csc: "13, 5.1" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' - - 'not c:lsmod -> r:freevxfs' + - 'c:mount -> r:\s/var\s' - - id: 11002 - title: "Disable Mounting of jffs2 Filesystems" - description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true" + - id: 10504 + title: "Ensure separate partition exists for /var/tmp" + description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." 
compliance: - - cis: "2.20" + - cis: "1.1.6" + - cis_csc: "13, 5.1" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' - - 'not c:lsmod -> r:jffs2' + - 'c:mount -> r:\s/var/tmp\s' - - id: 11003 - title: "Disable Mounting of hfs Filesystems" - description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true" + - id: 10506 + title: "Ensure separate partition exists for /var/log" + description: "The /var/log directory is used by system services to store log data." + rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.21" + - cis: "1.1.10" + - cis_csc: "6.3, 6.4" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' - - 'not c:lsmod -> r:hfs' + - 'c:mount -> r:\s/var/log\s' - - id: 11004 - title: "Disable Mounting of hfsplus Filesystems" - description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
- remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true" + - id: 10507 + title: "Ensure separate partition exists for /var/log/audit" + description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory." + rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.22" + - cis: "1.1.11" + - cis_csc: "6.3, 6.4" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' - - 'not c:lsmod -> r:hfsplus' + - 'c:mount -> r:\s/var/log/audit\s' - - id: 11005 - title: "Disable Mounting of squashfs Filesystems" - description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true" + - id: 10508 + title: "Ensure separate partition exists for /home" + description: "The /home directory is used to support disk storage needs of local users." 
+ rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.23" + - cis: "1.1.12" + - cis_csc: "13, 5.1" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all rules: - - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' - - 'not c:lsmod -> r:squashfs' + - 'c:mount -> r:\s/home\s' - - id: 11006 - title: "Disable Mounting of udf Filesystems" - description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" - rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." - remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true" + - id: 10513 + title: "Disable Automounting" + description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." + rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." 
+ remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - - cis: "2.24" - condition: all + - cis: "1.1.21" + - cis_csc: "8.3, 8.4, 8.5" + condition: none rules: - - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' - - 'not c:lsmod -> r:udf' + - 'c:systemctl is-enabled autofs -> r:^enabled' # 4 Additional Process Hardening - id: 11007 - title: "Activate AppArmor" - description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." - rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." - remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." + title: "Ensure SELinux or AppArmor are installed" + description: "SELinux and AppArmor provide Mandatory Access Controls." + rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." 
+ remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" compliance: - - cis: "4.5" - condition: all + - cis: "1.6.3" + - cis_csc: "14.4, 14.6" + condition: any + rules: + - 'c:dpkg -s selinux -> r:install ok installed' + - 'c:dpkg -s apparmor -> r:install ok installed' + +# 2 Services + + - id: 10530 + title: "Ensure CUPS is not enabled" + description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." + rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable cups: # systemctl disable cups" + compliance: + - cis: "2.2.4" + - cis_csc: "9.1, 9.2" + condition: none rules: - - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0' - - 'c:apparmor_status -> r:^0\s*processes are in complain mode' - - 'c:apparmor_status -> r:^0\s*processes are unconfined' + - 'c:systemctl is-enabled cups -> r:^enabled' + +--------------------------------------------------- #ToDo # 8.1 Configure System Accounting (auditd) - id: 11008 
@@ -389,26 +402,3 @@ checks:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
 - 'f:/etc/audit/audit.rules -> r:^-e 2$'
-
-# 8.3 Advanced Intrusion Detection Environment (AIDE)
- - id: 11026
- title: "Install AIDE"
- description: "In some installations, AIDE is not installed automatically"
- rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
- remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
- compliance:
- - cis: "8.3.1"
- condition: all
- rules:
- - 'c:dpkg -s aide -> r:install ok installed'
-
- - id: 11027
- title: "Implement Periodic Execution of File Integrity"
- description: "Implement periodic file checking, in compliance with site policy"
- rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
- remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
- compliance:
- - cis: "8.3.2"
- condition: all
- rules:
- - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check'
From fdfe9c29eeb22ccfce73a28c98a45cddcb0b06b5 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Fri, 21 Jun 2019 12:36:35 +0200
Subject: [PATCH 120/247] Fix rules
---
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 6 +++---
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 4 ++--
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index 4a19a4e8e..6d97638b6 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -402,8 +402,8 @@ checks:
 - CCE-4146-7
 condition: all
 rules:
- - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
- - 'c:/sbin/sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+ - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
+ - 'c:/sbin/sysctl kernel\.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 # 1.6.2 Configure ExecShield (Scored)
 - id: 5524
@@ -432,7 +432,7 @@ checks:
 - cis: "1.6.5"
 condition: all
 rules:
- - 'f:/etc/sysconfig/prelink -> r:PRELINKING=no'
+ - 'f:/etc/sysconfig/prelink -> r:^PRELINKING=no$'
 ###############################################
 # 2 OS Services
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index fe56d144b..14fb9e4a4 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -340,7 +340,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
- - 'c:grep -Rh *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
 - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
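Review bot: The new rule `c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$` passes as soon as any single line across those files reads `= 2`, so a second file in `/etc/sysctl.d` that sets the key to 0 or 1 and is applied after it is not detected by this rule; only the `c:/sbin/sysctl` rule next to it sees the effective value, which deserves a comment above `rules:` such as `# The grep rule only checks persisted settings and is satisfied by any one matching line; the sysctl rule checks the value actually in effect`. The grep anchor `^kernel\.` also no longer accepts an indented assignment, although the removed pattern and the `r:^\s*` regex on the same line both do. In the second added line, `c:/sbin/sysctl kernel\.randomize_va_space`, the escaped dot is a command argument rather than a regex and may reach sysctl literally depending on how the agent launches the command; `kernel.randomize_va_space` is what commit 124 on this page later restores. The same grep rule is introduced for RHEL 6 at `@@ -355` and RHEL 7 at `@@ -317`.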
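Review bot: The new match expression `r:\s*\t*0$` in the `hard core` rule accepts any grep output line that merely ends in `0`, because both quantifiers may match nothing and the pattern is not anchored on the left; `* hard core 10` therefore satisfies the rule, whereas the removed `r:\s0$|\t0$` required whitespace immediately before the final 0. Keep that requirement, e.g. `-> r:\s0$|\t0$`, so that only a limit of exactly 0 passes. The identical rule is introduced for RHEL 7 at `@@ -302` in the next line and for RHEL 5 at `@@ -385` in commit 121.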
@@ -355,7 +355,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
- - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
+ - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
 - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 ###############################################
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index 7c0b5eab3..86f077e40 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -302,7 +302,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
- - 'c:grep -Rh *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
 - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
@@ -317,7 +317,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
- - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$'
+ - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
 - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 ###############################################
From 7ee1730c717b5a51b0f605f0f8ffd1e0c6350914 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Fri, 21 Jun 2019 17:30:32 +0200
Subject: [PATCH 121/247] Fix rules
---
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 4 ++--
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 2 +-
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index 6d97638b6..b6932270f 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -385,7 +385,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'c:grep -Rh *\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
+ - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
 - 'c:/sbin/sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$'
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
@@ -838,7 +838,7 @@ checks:
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 # 4.2.8 Enable TCP SYN Cookies (Scored)
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 14fb9e4a4..2f7a24e78 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -735,7 +735,7 @@ checks:
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 # 3.2.8 Enable TCP SYN Cookies (Scored)
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index 86f077e40..f492bd062 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -856,7 +856,7 @@ checks:
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 # 3.2.8 Enable TCP SYN Cookies (Scored)
From d73da1d3d079da13c63bf6e3000ec268b1473f0b Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Mon, 24 Jun 2019 08:12:10 +0200
Subject: [PATCH 122/247] Fix rhel symbolic links
---
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 14 +++++++-------
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 12 ++++++------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 2f7a24e78..0cb9d3874 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -23,11 +23,11 @@ requirements:
 description: "Requirements for running the policy against RHEL 6 family."
 condition: any
 rules:
- - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6'
- - 'f:/etc/redhat-release -> r:^CentOS && r:release 6'
- - 'f:/etc/redhat-release -> r:^Cloud && r:release 6'
- - 'f:/etc/redhat-release -> r:^Oracle && r:release 6'
- - 'f:/etc/redhat-release -> r:^Better && r:release 6'
+ - 'c:cat /etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6'
+ - 'c:cat /etc/redhat-release -> r:^CentOS && r:release 6'
+ - 'c:cat /etc/redhat-release -> r:^Cloud && r:release 6'
+ - 'c:cat /etc/redhat-release -> r:^Oracle && r:release 6'
+ - 'c:cat /etc/redhat-release -> r:^Better && r:release 6'
 variables:
 $sshd_file: /etc/ssh/sshd_config
@@ -226,7 +226,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: none
 rules:
- - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
+ - 'f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0'
 # 1.6.1.2 Set selinux state
 - id: 6014
@@ -296,7 +296,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
+ - 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'
 # 1.4.3 Require Authentication for Single-User Mode (Scored)
 - id: 6019
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index f492bd062..b6474294b 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
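Review bot: The five `f:/etc/redhat-release` requirement rules are replaced by `c:cat /etc/redhat-release` with nothing in the policy recording why, so a later reader sees only a process spawn standing in for a plain file check and is likely to revert it. If, as the subject line suggests, the `f:` form does not resolve `/etc/redhat-release` when it is a symlink, record that above `rules:`, e.g. `# /etc/redhat-release may be a symlink (e.g. to centos-release); f: does not follow it, so the file is read through cat`. The same substitution is made for RHEL 7 at `@@ -23` in the next file section and would carry the same comment.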
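Review bot: Under `condition: none`, the rewritten rule `f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0` passes whenever the file is absent, because no rule matches, so a host whose bootloader configuration lives at a different path, or has none, is reported compliant without anything having been inspected; this change of path makes that silent pass more likely, not less. Require the file and negate the match instead: `condition: all` with `- 'f:/boot/grub/grub.conf'` and `- 'not f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0'`, using the `not` prefix these policies already apply to `c:` and `r:` rules. The same `condition: none` shape is kept when the path is changed for RHEL 5 at `@@ -263` in commit 124 and when it is reverted to `/etc/grub.conf` at `@@ -226` in commit 125.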
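Review bot: The rewritten rule `f:/boot/grub/grub.conf -> !r:^# && r:password --md5` recognises only an MD5-hashed bootloader password; a `password --encrypted <hash>` entry, which RHEL 6's GRUB legacy accepts for a SHA-512 hash from `grub-crypt` and which is the stronger setting, fails this check although it meets the control's intent. Consider `r:password --md5|password --encrypted`, assuming alternation inside `r:` behaves as it does in the `selinux=0|enforcing=0` rule above, and mention both forms in the remediation text.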
@@ -23,12 +23,12 @@ requirements:
 description: "Requirements for running the policy against RHEL 7 family."
 condition: any
 rules:
- - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 7'
- - 'f:/etc/redhat-release -> r:^CentOS && r:release 7'
- - 'f:/etc/redhat-release -> r:^Cloud && r:release 7'
- - 'f:/etc/redhat-release -> r:^Oracle && r:release 7'
- - 'f:/etc/redhat-release -> r:^Better && r:release 7'
- - 'f:/etc/redhat-release -> r:^OpenVZ && r:release 7'
+ - 'c:cat /etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 7'
+ - 'c:cat /etc/redhat-release -> r:^CentOS && r:release 7'
+ - 'c:cat /etc/redhat-release -> r:^Cloud && r:release 7'
+ - 'c:cat /etc/redhat-release -> r:^Oracle && r:release 7'
+ - 'c:cat /etc/redhat-release -> r:^Better && r:release 7'
+ - 'c:cat /etc/redhat-release -> r:^OpenVZ && r:release 7'
 variables:
 $sshd_file: /etc/ssh/sshd_config
From 88f639491903fdd8302796391af9393995cc6933 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Mon, 24 Jun 2019 12:25:07 +0200
Subject: [PATCH 123/247] Fix SLES rule
---
 sca/sles/11/cis_sles11_linux_rcl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml
index e27d1ae60..4581c25ec 100644
--- a/sca/sles/11/cis_sles11_linux_rcl.yml
+++ b/sca/sles/11/cis_sles11_linux_rcl.yml
@@ -213,7 +213,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/boot/grub/menu.lst -> !r:^# && r:password --med5'
+ - 'f:/boot/grub/menu.lst -> !r:^# && r:password --md5'
 ###############################################
 # 1.5 Additional Process Hardening
From b490322000adc5d00fd3ffd07dfa317c74fb6259 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Mon, 24 Jun 2019 15:00:49 +0200
Subject: [PATCH 124/247] Fix rules
---
 sca/rhel/5/cis_rhel5_linux_rcl.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index b6932270f..89d2a03e8 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -263,7 +263,7 @@ checks:
 - CCE-3977-6
 condition: none
 rules:
- - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
+ - 'f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0'
 # 1.4.2 Set selinux state
 - id: 5515
@@ -339,7 +339,7 @@ checks:
 - CCE-3818-2
 condition: all
 rules:
- - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
+ - 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'
 # 1.5.4 Require Authentication for Single-User Mode (Scored)
 - id: 5520
@@ -403,7 +403,7 @@ checks:
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
- - 'c:/sbin/sysctl kernel\.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
+ - 'c:/sbin/sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
 # 1.6.2 Configure ExecShield (Scored)
 - id: 5524
From 1fd1382d79943aa5139247604009fa689c692ddc Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Mon, 24 Jun 2019 16:48:30 +0200
Subject: [PATCH 125/247] Revert "Fix rhel symbolic links"
This reverts commit d73da1d3d079da13c63bf6e3000ec268b1473f0b.
---
 sca/rhel/6/cis_rhel6_linux_rcl.yml | 14 +++++++-------
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 12 ++++++------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml
index 0cb9d3874..2f7a24e78 100644
--- a/sca/rhel/6/cis_rhel6_linux_rcl.yml
+++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml
@@ -23,11 +23,11 @@ requirements:
 description: "Requirements for running the policy against RHEL 6 family."
 condition: any
 rules:
- - 'c:cat /etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6'
- - 'c:cat /etc/redhat-release -> r:^CentOS && r:release 6'
- - 'c:cat /etc/redhat-release -> r:^Cloud && r:release 6'
- - 'c:cat /etc/redhat-release -> r:^Oracle && r:release 6'
- - 'c:cat /etc/redhat-release -> r:^Better && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 6'
+ - 'f:/etc/redhat-release -> r:^CentOS && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Cloud && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Oracle && r:release 6'
+ - 'f:/etc/redhat-release -> r:^Better && r:release 6'
 variables:
 $sshd_file: /etc/ssh/sshd_config
@@ -226,7 +226,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: none
 rules:
- - 'f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0'
+ - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
 # 1.6.1.2 Set selinux state
 - id: 6014
@@ -296,7 +296,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'
+ - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
 # 1.4.3 Require Authentication for Single-User Mode (Scored)
 - id: 6019
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index b6474294b..f492bd062 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
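Review bot: Restoring `f:/boot/grub/grub.cfg -> !r:^# && r:password --md5` leaves the RHEL 6 bootloader-password check pointing at the GRUB 2 file name; RHEL 6 family systems ship GRUB legacy, whose configuration is `/boot/grub/grub.conf` (with `/etc/grub.conf` linking to it), so under `condition: all` this check fails on a stock install regardless of whether a password is configured. Reverting the `c:cat` requirement rules did not require reverting this path, and the equivalent RHEL 5 check was moved to `grub.conf` in commit 124 on this page; keep the corrected path here: `- 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'`.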
@@ -23,12 +23,12 @@ requirements:
 description: "Requirements for running the policy against RHEL 7 family."
 condition: any
 rules:
- - 'c:cat /etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 7'
- - 'c:cat /etc/redhat-release -> r:^CentOS && r:release 7'
- - 'c:cat /etc/redhat-release -> r:^Cloud && r:release 7'
- - 'c:cat /etc/redhat-release -> r:^Oracle && r:release 7'
- - 'c:cat /etc/redhat-release -> r:^Better && r:release 7'
- - 'c:cat /etc/redhat-release -> r:^OpenVZ && r:release 7'
+ - 'f:/etc/redhat-release -> r:^Red Hat Enterprise Linux && r:release 7'
+ - 'f:/etc/redhat-release -> r:^CentOS && r:release 7'
+ - 'f:/etc/redhat-release -> r:^Cloud && r:release 7'
+ - 'f:/etc/redhat-release -> r:^Oracle && r:release 7'
+ - 'f:/etc/redhat-release -> r:^Better && r:release 7'
+ - 'f:/etc/redhat-release -> r:^OpenVZ && r:release 7'
 variables:
 $sshd_file: /etc/ssh/sshd_config
From 53ee030c4abc65114efa5b6fead564ae5eee95ca Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Mon, 24 Jun 2019 16:59:03 +0200
Subject: [PATCH 126/247] Add registry folder check
---
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 223 ++++++++++++++++++++
 1 file changed, 223 insertions(+)
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 0539e0425..06ddcbe05 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -37,6 +37,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> r:^3$'
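Review bot: The added key-existence rule `r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` is logically implied by the two rules after it under `condition: all`, since the `-> NoConnectedUser -> r:^3$` rule cannot match unless the key exists, and nothing in the policy says whether it is there for a reason (for instance because the engine reports a missing key differently from a wrong value) or is redundant. A comment above the first such `rules:` block, e.g. `# The bare key rule is kept so that a missing key is reported separately from a wrong value`, adjusted to whatever the engine actually does, would keep the rule from being dropped in a later cleanup. This applies to every hunk in this file section, which adds the same rule once per check.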
@@ -50,6 +51,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
@@ -63,6 +65,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
@@ -76,6 +79,7 @@ checks:
 - cis_csc: "6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
@@ -102,6 +106,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
@@ -115,6 +120,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
@@ -128,6 +134,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
@@ -141,6 +148,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
@@ -154,6 +162,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
@@ -167,6 +176,7 @@ checks:
 - cis_csc: "8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
@@ -180,6 +190,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
 - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
@@ -194,6 +205,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14'
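Review bot: The PasswordExpiryWarning check that the last hunk extends still ends with `-> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14`, and `=>` is not the comparison operator this file uses elsewhere (the SMBServerNameHardeningLevel rule in the next line writes `compare >= 1`), so that rule most likely never matches and the check cannot pass under `condition: all` no matter how the new key rule evaluates. Change it to `-> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14`. The line is unchanged context in this commit, so it needs a fix alongside it rather than within the added rule.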
@@ -207,6 +219,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
@@ -220,6 +233,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
@@ -233,6 +247,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
@@ -246,6 +261,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
@@ -259,6 +275,7 @@ checks:
 - cis_csc: "3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
@@ -272,6 +289,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
@@ -285,6 +303,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
@@ -298,6 +317,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
@@ -311,6 +331,7 @@ checks:
 - cis_csc: "14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
@@ -324,6 +345,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
@@ -337,6 +359,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
@@ -350,6 +373,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
@@ -363,6 +387,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
@@ -376,6 +401,7 @@ checks:
 - cis_csc: "14.1, 14.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None'
@@ -389,6 +415,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion'
@@ -402,6 +429,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog'
@@ -415,6 +443,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
@@ -428,6 +457,7 @@ checks:
 - cis_csc: "5.1, 9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
@@ -441,6 +471,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None'
@@ -454,6 +485,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
@@ -467,6 +499,7 @@ checks:
 - cis_csc: "14, 16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
@@ -480,6 +513,7 @@ checks:
 - cis_csc: "14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
@@ -493,6 +527,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
@@ -506,6 +541,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
@@ -519,6 +555,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
@@ -531,6 +568,7 @@ checks:
 - cis: "2.3.11.6"
 - cis_csc: "16"
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
@@ -544,6 +582,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
@@ -557,6 +596,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
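Review bot: The EnableForcedLogOff check in the hunk at `@@ -531,6 +568,7 @@` has no `condition:` line between its compliance entries and `rules:`, while every other hunk in this series carries `condition: all`. Without it, how the three rules combine is left to whatever default the SCA engine applies, and the added key-existence rule makes that matter: under an implicit `any`, the check would pass on the mere presence of the `LanManServer\Parameters` key. Add `condition: all` before `rules:` so key, value and data must all match. The head of this check (id, title, compliance) is outside the hunk, so if the line exists further up, disregard this.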
@@ -570,6 +610,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
@@ -583,6 +624,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
@@ -595,6 +637,7 @@ checks:
 - cis: "2.3.15.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
@@ -608,6 +651,7 @@ checks:
 - cis_csc: "14.4, 14.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
@@ -621,6 +665,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
@@ -634,6 +679,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
@@ -647,6 +693,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
@@ -660,6 +707,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
@@ -673,6 +721,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
@@ -686,6 +735,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
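Review bot: The key path in the new rule at `@@ -673,6 +721,7 @@`, `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, carries a stray `\MACHINE\` segment that the sibling UAC checks on this same page (EnableUIADesktopToggle, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, EnableSecureUIAPaths) do not have. Under `condition: all` a key that cannot be opened fails the whole EnableInstallerDetection check on every host regardless of the real setting, so this item can never report as passed. The commit copies the typo from the two existing rules into the added line; all three should read `r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`.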
@@ -699,6 +749,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
@@ -712,6 +763,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
@@ -724,6 +776,7 @@ checks:
 - cis: "2.3.17.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
@@ -764,6 +817,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
@@ -777,6 +831,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
@@ -816,6 +871,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: any
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
@@ -829,6 +885,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
@@ -855,6 +912,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
@@ -868,6 +926,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
@@ -907,6 +966,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
@@ -933,6 +993,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
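Review bot: The RpcLocator hunk at `@@ -816,6 +871,7 @@` is the only one in this series with `condition: any`, and the newly added bare key rule `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator` now satisfies it by itself: the service key exists on every host where the service is installed, so the check passes without `Start -> 4` ever being evaluated. Before this commit the `any` was already looser than intended (the value-exists rule alone passed it), but the key-exists rule makes the check unconditionally green. Change the context line to `condition: all`, as in the neighbouring service checks, which is what the three-rule key/value/data pattern assumes.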
@@ -946,6 +1007,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4'
@@ -959,6 +1021,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
@@ -972,6 +1035,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
@@ -985,6 +1049,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
@@ -999,6 +1064,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
@@ -1012,6 +1078,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
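Review bot: The service key in the new rule at `@@ -985,6 +1049,7 @@` is spelled `XboxNetApiSvce`; the Xbox Live Networking Service registers under `Services` as `XboxNetApiSvc`, without the trailing `e`. Under `condition: all` a key that does not exist fails the check on every host, so this item reports as failed even where the service is correctly disabled. The typo is inherited from the two existing rules and should be fixed in all three lines, e.g. `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc'`.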
@@ -1025,6 +1092,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
@@ -1037,6 +1105,7 @@ checks:
 - cis: "9.1.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
@@ -1050,6 +1119,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
@@ -1063,6 +1133,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -1076,6 +1147,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
@@ -1089,6 +1161,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -1102,6 +1175,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
@@ -1115,6 +1189,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
@@ -1128,6 +1203,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
@@ -1140,6 +1216,7 @@ checks:
 - cis: "9.2.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
@@ -1153,6 +1230,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
@@ -1166,6 +1244,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -1179,6 +1258,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
@@ -1192,6 +1272,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -1205,6 +1286,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
@@ -1218,6 +1300,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
@@ -1231,6 +1314,7 @@ checks:
 - cis_csc: "9.2, 9.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
@@ -1243,6 +1327,7 @@ checks:
 - cis: "9.3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
@@ -1256,6 +1341,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
@@ -1269,6 +1355,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
@@ -1282,6 +1369,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
@@ -1295,6 +1383,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
@@ -1308,6 +1397,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
@@ -1321,6 +1411,7 @@ checks:
 - cis_csc: "6.2, 6.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
@@ -1334,6 +1425,7 @@ checks:
 - cis: "18.1.1.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
@@ -1346,6 +1438,7 @@ checks:
 - cis: "18.1.1.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
@@ -1359,6 +1452,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
@@ -1372,6 +1466,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll'
@@ -1385,6 +1480,7 @@ checks:
 - cis_csc: "16.2, 16.10"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
@@ -1398,6 +1494,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
@@ -1411,6 +1508,7 @@ checks:
 - cis_csc: "5.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
@@ -1424,6 +1522,7 @@ checks:
 - cis_csc: "5.7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
@@ -1437,6 +1536,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
@@ -1450,6 +1550,7 @@ checks:
 - cis_csc: "5.8, 4.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
@@ -1463,6 +1564,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
@@ -1476,6 +1578,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
@@ -1489,6 +1592,7 @@ checks:
 - cis_csc: "8.4, 8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
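Review bot: The data rule kept in the hunk at `@@ -1450,6 +1550,7 @@` requires `LocalAccountTokenFilterPolicy -> 1`. If this check implements the CIS item 'Apply UAC restrictions to local accounts on network logons' (the `cis_csc: "5.8, 4.3"` mapping suggests so; the title and description are outside the hunk), the compliant value is 0: a value of 1 is what turns the remote UAC token filter off and lets local administrator accounts receive a full-privilege token over the network, so as written the check would mark the weaker configuration as passing. The new key-existence line is fine; the expected data should be re-checked against the check's description and, if it is the CIS item, changed to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'`.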
@@ -1502,6 +1606,7 @@ checks:
 - cis_csc: "8.4, 8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1'
@@ -1515,6 +1620,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
@@ -1528,6 +1634,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
@@ -1541,6 +1648,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
@@ -1554,6 +1662,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
@@ -1567,6 +1676,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
@@ -1580,6 +1690,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
@@ -1593,6 +1704,7 @@ checks:
 - cis_csc: "8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
@@ -1606,6 +1718,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
@@ -1619,6 +1732,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
@@ -1632,6 +1746,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
@@ -1645,6 +1760,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
@@ -1658,6 +1774,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
@@ -1671,6 +1788,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
@@ -1684,6 +1802,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
@@ -1697,6 +1816,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
@@ -1710,6 +1830,7 @@ checks:
 - cis_csc: "3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL'
@@ -1725,6 +1846,7 @@ checks:
 - cis_csc: "12"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
@@ -1738,6 +1860,7 @@ checks:
 - cis_csc: "12"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
@@ -1751,6 +1874,7 @@ checks:
 - cis_csc: "15.4, 15.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
@@ -1764,6 +1888,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
@@ -1777,6 +1902,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
@@ -1790,6 +1916,7 @@ checks:
 - cis_csc: "8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
@@ -1803,6 +1930,7 @@ checks:
 - cis_csc: "3.7, 5.4, 5.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
@@ -1816,6 +1944,7 @@ checks:
 - cis_csc: "3.7, 5.4, 5.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
@@ -1829,6 +1958,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
@@ -1842,6 +1972,7 @@ checks:
 - cis_csc: "3.7, 5.4, 5.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
@@ -1855,6 +1986,7 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
@@ -1868,6 +2000,7 @@ checks:
 - cis_csc: "13.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
@@ -1881,6 +2014,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
@@ -1894,6 +2028,7 @@ checks:
 - cis_csc: "5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
@@ -1907,6 +2042,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
@@ -1920,6 +2056,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
@@ -1933,6 +2070,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
@@ -1946,6 +2084,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
@@ -1959,6 +2098,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
@@ -1972,6 +2112,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
@@ -1985,6 +2126,7 @@ checks:
 - cis_csc: "9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
@@ -1998,6 +2140,7 @@ checks:
 - cis_csc: "13.2, 13.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
@@ -2011,6 +2154,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
@@ -2024,6 +2168,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
@@ -2037,6 +2182,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
@@ -2050,6 +2196,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
@@ -2063,6 +2210,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
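Review bot: The `cis_csc` tag on the first hunk of this line (`"16.5"`, the AC half of the `0e796bdb-…` "require password on wake" setting) differs from the tag on its DC twin in the hunk just above (`"13.2, 13.6"`), while the `f15576e8-…` AC/DC pair is tagged identically (`"9"`). Both halves describe the same control on different power sources, so the compliance mapping should presumably be the same for both; the check titles are outside the hunk, so I cannot tell which tag is intended. Align the two, e.g. `- cis_csc: "16.5"` on both, or document why they map to different controls.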
@@ -2076,6 +2224,7 @@ checks:
 - cis_csc: "16.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
@@ -2089,6 +2238,7 @@ checks:
 - cis_csc: "8.3, 8.4, 8.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
@@ -2102,6 +2252,7 @@ checks:
 - cis_csc: "8.3, 8.4, 8.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
@@ -2128,6 +2279,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
@@ -2141,6 +2293,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
@@ -2154,6 +2307,7 @@ checks:
 - cis_csc: "15.8, 15.9"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
@@ -2167,6 +2321,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
@@ -2180,6 +2335,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
@@ -2193,6 +2349,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
@@ -2206,6 +2363,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
@@ -2219,6 +2377,7 @@ checks:
 - cis_csc: "3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
@@ -2232,6 +2391,7 @@ checks:
 - cis_csc: "4.5, 3.4, 3.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
 - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
@@ -2245,6 +2405,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
@@ -2258,6 +2419,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
@@ -2271,6 +2433,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
@@ -2284,6 +2447,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
@@ -2297,6 +2461,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
@@ -2310,6 +2475,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
@@ -2323,6 +2489,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
@@ -2336,6 +2503,7 @@ checks:
 - cis_csc: "6.3, 6.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
@@ -2349,6 +2517,7 @@ checks:
 - cis_csc: "8.4, 8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
@@ -2362,6 +2531,7 @@ checks:
 - cis_csc: "8.4, 8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
@@ -2375,6 +2545,7 @@ checks:
 - cis_csc: "8.4, 8.3"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
@@ -2388,6 +2559,7 @@ checks:
 - cis_csc: "14.1, 14.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
@@ -2401,6 +2573,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
@@ -2414,6 +2587,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$'
@@ -2427,6 +2601,7 @@ checks:
 - cis_csc: "16"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no'
@@ -2440,6 +2615,7 @@ checks:
 - cis_csc: "7.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1'
@@ -2453,6 +2629,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
@@ -2466,6 +2643,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
@@ -2479,6 +2657,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1'
@@ -2492,6 +2671,7 @@ checks:
 - cis_csc: "16.14"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
@@ -2505,6 +2685,7 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
@@ -2518,6 +2699,7 @@ checks:
 - cis_csc: "3.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
@@ -2531,6 +2713,7 @@ checks:
 - cis_csc: "14.4, 14.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
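Review bot: In the first hunk on this line the value-check rule names `fDisableCdma`, while the rule just above it (and, as far as I know, the actual Terminal Services drive-redirection value) is `fDisableCdm`; with `condition: all` every rule must match, so this check can never pass on a correctly hardened host and the added key-existence rule does not change that. Fix the last rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'`. The check's title, description and id sit above the hunk, so I could not confirm the intended value name from them.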
@@ -2544,6 +2727,7 @@ checks:
 - cis_csc: "14.4, 14.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
@@ -2557,6 +2741,7 @@ checks:
 - cis_csc: "7.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
@@ -2570,6 +2755,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
@@ -2583,6 +2769,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
@@ -2596,6 +2783,7 @@ checks:
 - cis_csc: "13.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
@@ -2609,6 +2797,7 @@ checks:
 - cis_csc: "9.1, 9.2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
@@ -2622,6 +2811,7 @@ checks:
 - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
@@ -2635,6 +2825,7 @@ checks:
 - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
@@ -2648,6 +2839,7 @@ checks:
 - cis_csc: "8"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
@@ -2661,6 +2853,7 @@ checks:
 - cis_csc: "8.1, 8.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
@@ -2674,6 +2867,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
@@ -2687,6 +2881,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
@@ -2700,6 +2895,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
@@ -2713,6 +2909,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
@@ -2746,6 +2943,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
@@ -2759,6 +2957,7 @@ checks:
 - cis_csc: "8.1, 8.6"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
@@ -2772,6 +2971,7 @@ checks:
 - cis_csc: "8.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
@@ -2785,6 +2985,7 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
@@ -2800,6 +3001,7 @@ checks:
 - cis_csc: "2"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
@@ -2813,6 +3015,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1'
@@ -2826,6 +3029,7 @@ checks:
 - cis_csc: "7"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
@@ -2839,6 +3043,7 @@ checks:
 - cis_csc: "13"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
@@ -2852,6 +3057,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
@@ -2865,6 +3071,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1'
@@ -2878,6 +3085,7 @@ checks:
 - cis_csc: "5.1"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
@@ -2891,6 +3099,7 @@ checks:
 - cis_csc: "16.5"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestart SignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
@@ -2904,6 +3113,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
@@ -2917,6 +3127,7 @@ checks:
 - cis_csc: "16.4"
 condition: all
 rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01'
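Review bot: In the first hunk on this line, `EnableUserControl -> 1` passes hosts on which standard users may override Windows Installer options; the hardened state of the "Allow user control over installs" policy is Disabled, which writes `EnableUserControl = 0`, and the neighbouring `AlwaysInstallElevated -> 0` check in the next hunk follows that direction. Unless the check's title (above the hunk, not visible here) really requires the policy to be enabled, change the last rule to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'`. As written the check rewards the insecure configuration.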
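Review bot: In the fourth hunk on this line, `EnableScriptBlockLogging -> 0` reports hosts that have PowerShell script block logging turned on as non-compliant. That matches older benchmark text that recommended 'Disabled', but later benchmark revisions and current detection guidance treat script block logging (event 4104) as a required telemetry source and expect `1`. If the `0` is deliberate, state that in the check's rationale (outside this hunk) so operators do not switch logging off to satisfy the scan; otherwise change the last rule to end in `-> EnableScriptBlockLogging -> 1`.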
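Review bot: In the last hunk on this line the expected data `01` for `EnableTranscripting` looks like a typo: every other rule in this file compares a REG_DWORD against a single decimal digit, and a value presumably rendered as `0` or `1` will never equal `01`, so the check can never pass. Replace it with the digit that expresses the intended state, e.g. `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 1'` if transcription is meant to be required; the check's title and description are outside the hunk, so I cannot tell which of 0 or 1 was intended.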
@@ -2930,6 +3141,7 @@ checks: - cis_csc: "16.13, 16.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' @@ -2943,6 +3155,7 @@ checks: - cis_csc: "16.5, 16.13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' @@ -2956,6 +3169,7 @@ checks: - cis_csc: "16.5, 16.13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' @@ -2969,6 +3183,7 @@ checks: - cis_csc: "16.5, 16.13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' @@ -2982,6 +3197,7 @@ checks: - cis_csc: "3.4" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' 
@@ -2995,6 +3211,7 @@ checks: - cis_csc: "16.5, 16.13" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' @@ -3008,6 +3225,7 @@ checks: - cis_csc: "3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue' @@ -3023,6 +3241,7 @@ checks: - cis_csc: "3" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays' @@ -3040,6 +3259,7 @@ checks: - cis_csc: "3.4, 3.5, 4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays' 
@@ -3055,6 +3275,7 @@ checks: - cis_csc: "3.4, 3.5, 4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' @@ -3068,6 +3289,7 @@ checks: - cis_csc: "3.4, 3.5, 4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' @@ -3081,5 +3303,6 @@ checks: - cis_csc: "3.4, 3.5, 4.5" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 1' From 02c32142a7318396b8e2ddd4a182039b35f0d784 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 24 Jun 2019 17:04:54 +0200 Subject: [PATCH 127/247] Add review for Win 10 Enterprise L2 policy --- sca/windows/cis_win10_enterprise_L2_rcl.yml | 263 +++++++++----------- 1 file changed, 121 insertions(+), 142 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml index 1a97611df..480c9e920 100644 --- a/sca/windows/cis_win10_enterprise_L2_rcl.yml +++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml 
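Review bot: `NoAutoUpdate -> 1` at the end of the `@@ -3055` hunk passes only when Automatic Updates are switched off — NoAutoUpdate=1 is the 'Disabled' state of the 'Configure Automatic Updates' policy — whereas the CIS item carrying cis_csc 3.4/3.5/4.5 asks for that policy to be Enabled, which is `NoAutoUpdate -> 0`. The check title is outside the hunk, so confirm which way it is meant to read; as written, a host that never installs updates automatically is reported compliant.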
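Review bot: `NoAutoRebootWithLoggedOnUsers -> 1` in the `@@ -3081` hunk passes when 'No auto-restart with logged on users for scheduled automatic updates installations' is Enabled, which lets a logged-on user postpone indefinitely the reboot that completes a security update; the corresponding CIS item expects this policy Disabled, i.e. `-> 0`. The title is outside the hunk, so verify the intended direction before changing the value.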
@@ -8,12 +8,12 @@ # Foundation # # Based on: -# Center for Internet Security Benchmark v1.4.0 for Microsoft Windows 10 Release 1709 v1.4.0 - 08-21-2018 +# Center for Internet Security Benchmark v1.5.0 for Microsoft Windows 10 Release 1803 v1.5.0 - 03-06-2019 policy: id: "cis_win10_enterprise_L2" file: "cis_win10_enterprise_L2_rcl.yml" - name: "CIS benchmark for Windows 10 Enterprise (Release 1709)" + name: "CIS benchmark for Windows 10 Enterprise (Release 1803)" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows (L2)." references: - https://www.cisecurity.org/cis-benchmarks/ @@ -21,7 +21,7 @@ policy: requirements: title: "Check that the Windows platform is Windows 10" description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows 10" - condition: "any required" + condition: any rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10' 
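Review bot: The requirements block in the `@@ -21` hunk still only pins the OS family (`ProductName -> r:^Windows 10`) while the policy is now declared as the Release 1803 benchmark, so it will run unchanged on any Windows 10 build, including ones where checks dropped or renumbered in v1.5.0 do not apply. Consider a release gate such as `'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ReleaseId -> r:^1803$'` under `condition: all` (with `any`, one matching rule would be enough), or document that the policy is meant to apply to every Windows 10 build. The unchanged description `"Requirements for running the CIS benchmark Domain Controller L2 under Windows 10"` is a copy-paste from the Domain Controller policy and should read `"Requirements for running the CIS benchmark Windows 10 Enterprise L2"`.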
@@ -71,20 +71,6 @@ checks: # 5 System Services - id: 12503 - title: "Ensure 'Bluetooth Handsfree Service (BthHFSrv)' is set to 'Disabled'" - description: "Enables wireless Bluetooth headsets to run on this computer. The recommended state for this setting is: Disabled." - rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Handsfree Service" - compliance: - - cis: "5.1" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BthHFSrv -> Start -> 4' - - - id: 12504 title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled." rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." 
@@ -98,7 +84,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4' - - id: 12505 + - id: 12504 title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" description: "Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps." rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments." @@ -108,10 +94,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4' - - id: 12506 + - id: 12505 title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled." rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." 
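Review bot: The `- id: 12505` / `+ id: 12504` change at the top of the `@@ -98` hunk, repeated for every later check, reassigns existing ids to different checks: after this commit 12504 denotes MapsBroker where it previously denoted bthserv, so any alert history, dashboard filter or suppression keyed on a check id silently points at a different control. Check ids are the stable handle SCA results are stored under; the safer option is to keep the surviving ids and leave 12503 unused, or at least state the renumbering in the commit message so consumers know to re-baseline.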
@@ -121,37 +108,39 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4' - - id: 12507 + - id: 12506 title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled." rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper" compliance: - - cis: "5.11" + - cis: "5.9" - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4' - - - id: 12508 + - id: 12507 title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled." rationale: "This service is critically necessary in order to directly attach to an iSCSI device. 
However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service" compliance: - - cis: "5.14" + - cis: "5.12" - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4' - - id: 12509 + - id: 12508 title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." 
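Review bot: The `cis:` references updated in the `@@ -121` hunk (`5.11` to `5.9`, `5.14` to `5.12`) both shift by two, consistent with items being dropped from section 5 in v1.5.0, but the compliance blocks of the neighbouring checks 12504–12506 and 12508 lie outside this hunk and are not touched anywhere in the visible diff — verify their `cis:` values were re-mapped too, otherwise reports will cite stale benchmark section numbers. Minor: the unchanged MSiSCSI rationale reads `then on workstations`; it should be `than on workstations`. The enclosing checks list continues outside the hunk.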
@@ -161,10 +150,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4' - - id: 12510 + - id: 12509 title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." @@ -174,10 +164,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4' - - id: 12511 + - id: 12510 title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." 
@@ -187,10 +178,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4' - - id: 12512 + - id: 12511 title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." @@ -200,10 +192,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4' - - id: 12513 + - id: 12512 title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled." rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information." 
@@ -213,10 +206,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4' - - id: 12514 + - id: 12513 title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address." rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system." @@ -226,10 +220,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4' - - id: 12515 + - id: 12514 title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled." rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." 
@@ -239,10 +234,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4' - - id: 12516 + - id: 12515 title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled." rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." @@ -252,10 +248,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4' - - id: 12517 + - id: 12516 title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled." rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session." 
@@ -265,10 +262,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4' - - id: 12518 + - id: 12517 title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled." rationale: "In a high security environment, exposing the registry to remote access is an increased security risk." @@ -278,10 +276,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4' - - id: 12519 + - id: 12518 title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'" description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled." rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher." 
@@ -291,10 +290,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4' - - id: 12520 + - id: 12519 title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))." rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally." @@ -304,10 +304,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4' - - id: 12521 + - id: 12520 title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." 
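Review bot: The SNMP check in the `@@ -304` hunk now requires the `Services\SNMP` key to exist and carry `Start -> 4` under `condition: all`, so a host where the optional SNMP feature was never installed — the stronger of the two compliant states named in the title ('Disabled' or 'Not Installed') — has no such key and is reported as failing. If the engine supports negated rules, the check should accept either state: `condition: any` with `'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'` alongside the existing `... -> Start -> 4` rule. Otherwise the description should warn that 'Not Installed' hosts will show as non-compliant.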
@@ -317,10 +318,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4' - - id: 12522 + - id: 12521 title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled." rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally." 
@@ -330,10 +332,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4' - - id: 12523 + - id: 12522 title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607." rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations." @@ -343,10 +346,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4' - - id: 12524 + - id: 12523 title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled." rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." 
@@ -356,10 +360,11 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4' - - id: 12525 + - id: 12524 title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled." rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally." 
@@ -369,24 +374,12 @@ checks: - cis_csc: "9.1, 9.2" condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4' - - id: 12526 - title: "Ensure 'Windows Store Install Service (InstallService)' is set to 'Disabled'" - description: "This service provides infrastructure support for the Windows Store. The recommended state for this setting is: Disabled." - rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Store Install Service (InstallService)" - compliance: - - cis: "5.40" - - cis_csc: "9.1, 9.2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService -> Start -> 4' - # 18.1 Control Panel - - id: 12527 ################## + - id: 12525 title: "Ensure 'Allow Online Tips' is set to 'Disabled'" description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." 
@@ -401,7 +394,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0' # 18.4 MSS (Legacy) - - id: 12528 + - id: 12526 title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled." rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network." @@ -417,7 +410,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1' - - id: 12529 + - id: 12527 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)." rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition." 
@@ -433,7 +426,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0' - - id: 12530 + - id: 12528 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled." rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer." @@ -449,7 +442,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' - - id: 12531 + - id: 12529 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." 
@@ -465,7 +458,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
- - id: 12532
+ - id: 12530
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
@@ -482,7 +475,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
 # 18.5 Network
- - id: 12533
+ - id: 12531
 title: "Ensure 'Enable Font Providers' is set to 'Disabled'"
 description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled."
 rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
@@ -496,7 +489,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
- - id: 12534
+ - id: 12532
 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
@@ -516,7 +509,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
- - id: 12535
+ - id: 12533
 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
@@ -536,7 +529,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
- - id: 12536
+ - id: 12534
 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
 description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
@@ -550,7 +543,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
- - id: 12537
+ - id: 12535
 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
 description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
@@ -564,7 +557,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
- - id: 12538
+ - id: 12536
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
 description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
@@ -586,7 +579,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
- - id: 12539
+ - id: 12537
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
 description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
@@ -601,7 +594,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 # 18.8 System
- - id: 12540
+ - id: 12538
 title: "Ensure 'Turn off access to the Store' is set to 'Enabled'"
 description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled."
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
@@ -615,7 +608,21 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
- - id: 12541
+ - id: 12539
+ title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+ rationale: "Users might download drivers that include malicious code."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP"
+ compliance:
+ - cis: "18.8.22.1.2"
+ - cis_csc: "7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
+
+ - id: 12540
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection.
The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -629,7 +636,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
- - id: 12542
+ - id: 12541
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -643,7 +650,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
- - id: 12543
+ - id: 12542
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -657,7 +664,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
- - id: 12544
+ - id: 12543
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
@@ -670,7 +677,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
- - id: 12545
+ - id: 12544
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
@@ -684,7 +691,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- - id: 12546
+ - id: 12545
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
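Review bot: The key path in the two `NoRegistration` rules at the top of `@@ -670,7 +677,7` is `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, which lacks the `SOFTWARE\` segment that every other `Policies\Microsoft\...` key in this chunk carries, so the check will most likely report the key as absent on every host and fail regardless of the real setting. These are context lines, so the defect predates this commit, but since the commit already touches this check's id it is cheap to carry the fix along: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'` and the same prefix on the `-> 1` line. The check's key-existence rule, if it has one, sits above the hunk and would need the same correction; confirm the path against the benchmark reference this check cites before changing it.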
@@ -698,7 +705,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
- - id: 12547
+ - id: 12546
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
@@ -712,7 +719,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
- - id: 12548
+ - id: 12547
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -726,7 +733,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
- - id: 12549
+ - id: 12548
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -740,7 +747,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
- - id: 12550
+ - id: 12549
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
@@ -757,7 +764,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
- - id: 12551
+ - id: 12550
 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
 description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
 rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
@@ -773,7 +780,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
- - id: 12552
+ - id: 12551
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
@@ -787,7 +794,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
- - id: 12553
+ - id: 12552
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -801,7 +808,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
- - id: 12554
+ - id: 12553
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
@@ -815,7 +822,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
- - id: 12555
+ - id: 12554
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
@@ -829,7 +836,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
- - id: 12556
+ - id: 12555
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
@@ -843,7 +850,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
- - id: 12557
+ - id: 12556
 title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
 description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
@@ -858,7 +865,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
 # 18.9 Windows Components
- - id: 12558
+ - id: 12557
 title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
 description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
 rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
@@ -872,21 +879,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
- - id: 12559
- title: "Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
- description: "This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled."
- rationale: "Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Block launching Windows Store apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
- compliance:
- - cis: "18.9.6.2"
- - cis_csc: "7"
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> BlockHostedAppAccessWinRT -> 1'
-
- - id: 12560
+ - id: 12558
 title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
 description: "This policy setting controls whether the use of Camera devices on the machine are permitted.
The recommended state for this setting is: Disabled."
 rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
@@ -900,7 +893,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
- - id: 12561 ##########
+ - id: 12559
 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
 description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
@@ -914,7 +907,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
- - id: 12562
+ - id: 12560
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
@@ -928,7 +921,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
- - id: 12563 #######
+ - id: 12561
 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
 description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -942,7 +935,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
- - id: 12564
+ - id: 12562
 title: "Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
 description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
@@ -956,7 +949,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
- - id: 12565
+ - id: 12563
 title: "Ensure 'Allow Adobe Flash' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
@@ -970,7 +963,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
- - id: 12566
+ - id: 12564
 title: "Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled."
 rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
@@ -984,7 +977,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
- - id: 12567
+ - id: 12565
 title: "Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
 description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
 rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
@@ -998,7 +991,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
- - id: 12568
+ - id: 12566
 title: "Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
 description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
@@ -1012,7 +1005,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0' - - id: 12569 + - id: 12567 title: "Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'" description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled." rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed." @@ -1026,7 +1019,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1' - - id: 12570 + - id: 12568 title: "Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'" description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled." rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern." 
@@ -1040,7 +1033,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1' - - id: 12571 ######### + - id: 12569 title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'" description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled." rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." @@ -1054,7 +1047,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1' - - id: 12572 + - id: 12570 title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'" description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled." rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges." 
@@ -1067,7 +1060,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 0' - - id: 12573 + - id: 12571 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." @@ -1081,7 +1074,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' - - id: 12574 + - id: 12572 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." 
@@ -1095,7 +1088,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' - - id: 12575 + - id: 12573 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." 
@@ -1109,7 +1102,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' - - id: 12576 + - id: 12574 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service." 
@@ -1125,7 +1118,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - - id: 12577 + - id: 12575 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated." 
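Review bot: The unchanged `MaxIdleTime -> n:^(\d+) compare <= 900000` rule still passes on a value of 0, which — if, as the policy editor's 'Never' option appears to store, 0 disables the idle limit — means a host with idle timeouts switched off satisfies a control meant to cap them at 15 minutes; the id renumber does not touch this. A lower bound is needed as a further rule under the same key, e.g. `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare > 0'`, which only works if the check's `condition` (above the hunk) is `all`. The check's id, title and condition lines are outside the hunk.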
@@ -1139,7 +1132,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' - - id: 12578 ############ + - id: 12576 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." @@ -1153,7 +1146,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0' - - id: 12579 + - id: 12577 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled." rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments." 
@@ -1166,27 +1159,13 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' - - id: 12580 - title: "Ensure 'Disable all apps from Windows Store' is set to 'Disabled'" - description: "This setting configures the launch of all apps from the Windows Store that came pre- installed or were downloaded. The recommended state for this setting is: Disabled." - rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Disable all apps from Windows Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)." - compliance: - - cis: "18.9.68.1" - - cis_csc: "2" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableStoreApps -> 0' - - - id: 12581 + - id: 12578 title: "Ensure 'Turn off the Store application' is set to 'Enabled'" description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education." 
rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)." compliance: - - cis: "18.9.68.4" + - cis: "18.9.68.5" - cis_csc: "2" references: - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions 
@@ -1197,7 +1176,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1' - - id: 12582 + - id: 12579 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  (0x0) Disabled (default)  (0x1) Basic membership  (0x2) Advanced membership. The recommended state for this setting is: Disabled." rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." 
@@ -1210,7 +1189,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' - - id: 12583 + - id: 12580 title: "Ensure 'Configure Watson events' is set to 'Disabled'" description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled." rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns." @@ -1224,7 +1203,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' - - id: 12584 + - id: 12581 title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled." rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party." 
@@ -1238,7 +1217,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0' - - id: 12585 + - id: 12582 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." @@ -1252,7 +1231,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' - - id: 12586 + - id: 12583 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." 
@@ -1266,7 +1245,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' - - id: 12587 + - id: 12584 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." From f69fb508a37e871284131255493cf66ccaad1b4a Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 24 Jun 2019 18:02:56 +0200 Subject: [PATCH 128/247] Generalize some RHEL6 rules & fix others --- sca/rhel/6/cis_rhel6_linux_rcl.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 0cb9d3874..c07b15d4b 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml @@ -264,9 +264,9 @@ checks: compliance: - cis: "1.6.1.4" - pci_dss: "2.2.4" - condition: all + condition: none rules: - - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$' + - 'c:rpm -qa setroubleshoot -> r:\.' # 1.6.1.5 Disable MCS Translation service mcstrans - id: 6017 
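Review bot: `c:rpm -qa setroubleshoot -> r:\.` under `condition: none` passes whenever the command prints nothing, so a host where `rpm` is missing, fails, or cannot be run by the agent reports the package as absent, whereas the removed rule required rpm to print the explicit 'is not installed' message; the `mcstrans` hunk that follows has the same shape. Assuming OSRegex reads `\.` as "any character", the rule means "any output line", which is acceptable on an RHEL 6 host where rpm always exists, but the fail-open on command failure deserves a comment on the rule, e.g. `# rpm -qa prints nothing when the package is absent; any output line means it is installed`. The check's id and title lines are above this hunk.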
@@ -277,9 +277,9 @@ checks:
 compliance:
 - cis: "1.6.1.5"
 - pci_dss: "2.2.4"
- condition: all
+ condition: none
 rules:
- - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$'
+ - 'c:rpm -qa mcstrans -> r:\.'
 ###############################################
 # 1.4 Secure Boot Settings
@@ -324,7 +324,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/etc/sysconfig/init -> !r:^# && r:PROMPT=no'
+ - 'f:/etc/sysconfig/init -> r:^PROMPT=no$'
 ###############################################
 # 1.5 Additional Process Hardening
@@ -438,7 +438,7 @@ checks:
 - nist_800_53: "CM.1"
 condition: none
 rules:
- - 'c:chkconfig --list-> r:tftp && r::on'
+ - 'c:chkconfig --list -> r:tftp && r::on'
 # 2.1.7 Remove talk-server (Scored)
 - id: 6028
From aa1ba679cdc2f434bffe7c88e678fe53456b1b0d Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Tue, 25 Jun 2019 11:48:32 +0200
Subject: [PATCH 129/247] Add review for policy Win10 Enterprise L1
---
 sca/windows/cis_win10_enterprise_L1_rcl.yml | 66 ++++++++++-----------
 1 file changed, 33 insertions(+), 33 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index 06ddcbe05..e3a41848d 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -13,7 +13,7 @@ policy:
 id: "cis_win10_enterprise_L1"
 file: "cis_win10_enterprise_L1_rcl.yml"
- name: "CIS benchmark for Windows 10 Enterprise (Release 1709)"
+ name: "CIS benchmark for Windows 10 Enterprise (Release 1803)"
 description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows (L1)."
 references:
 - https://www.cisecurity.org/cis-benchmarks/
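Review bot: `r:^PROMPT=no$` in the `/etc/sysconfig/init` hunk rejects `PROMPT=no` followed by trailing whitespace or an inline comment, and the quoted form `PROMPT="no"`, all of which a shell accepts when the file is sourced, so compliant hosts can fail this check; the removed pattern tolerated those forms but also matched `PROMPT=no` as a prefix of a longer value, which is presumably what the anchor is meant to stop. Anchoring at both ends while allowing trailing whitespace, `- 'f:/etc/sysconfig/init -> r:^PROMPT=no\s*$'`, keeps that fix without the false negative on whitespace; the quoted and commented forms would need their own alternative if they are to be accepted. The check's id, title and condition lines are above the hunk.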
@@ -21,7 +21,7 @@ policy: requirements: title: "Check that the Windows platform is Windows 10" description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows 10" - condition: "any required" + condition: any rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10' @@ -172,7 +172,7 @@ checks: rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" compliance: - - cis: "2.3.7.2" + - cis: "2.3.7.1" - cis_csc: "8" condition: all rules: 
@@ -800,7 +800,7 @@ checks: rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service" compliance: - - cis: "5.8" + - cis: "5.6" - cis_csc: "9.1, 9.2" condition: any rules: @@ -813,7 +813,7 @@ checks: rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service" compliance: - - cis: "5.9" + - cis: "5.7" - cis_csc: "9.1, 9.2" condition: all rules: 
@@ -827,7 +827,7 @@ checks: rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)" compliance: - - cis: "5.10" + - cis: "5.8" - cis_csc: "9.1, 9.2" condition: all rules: @@ -841,7 +841,7 @@ checks: rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager" compliance: - - cis: "5.12" + - cis: "5.10" - cis_csc: "9.1, 9.2" condition: any rules: 
@@ -854,7 +854,7 @@ checks: rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service" compliance: - - cis: "5.13" + - cis: "5.11" - cis_csc: "9.1, 9.2" condition: any rules: @@ -869,7 +869,7 @@ checks: compliance: - cis: "5.24" - cis_csc: "9.1, 9.2" - condition: any + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start' @@ -976,7 +976,7 @@ checks: rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service" compliance: - - cis: "5.41" + - cis: "5.40" - cis_csc: "9.1, 9.2" condition: any rules: 
@@ -989,7 +989,7 @@ checks: rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service" compliance: - - cis: "5.42" + - cis: "5.41" - cis_csc: "9.1, 9.2" condition: all rules: @@ -1003,7 +1003,7 @@ checks: rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring" compliance: - - cis: "5.43" + - cis: "5.42" - cis_csc: "9.1, 9.2" condition: all rules: @@ -1017,7 +1017,7 @@ checks: rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager" compliance: - - cis: "5.44" + - cis: "5.43" - cis_csc: "9.1, 9.2" condition: all rules: @@ -1031,7 +1031,7 @@ checks: rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save" compliance: - - cis: "5.45" + - cis: "5.44" - cis_csc: "9.1, 9.2" condition: all rules: 
@@ -1045,7 +1045,7 @@ checks: rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service" compliance: - - cis: "5.46" + - cis: "5.45" - cis_csc: "9.1, 9.2" condition: all rules: @@ -1121,7 +1121,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log' - id: 12079 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" @@ -1232,7 +1232,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log' - id: 12087 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" 
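Review bot: The replacement `LogFilePath` pattern hard-codes one file name (`domainfw.log` in the DomainProfile hunk here, `privatefw.log` in the PrivateProfile hunk on the same line, `publicfw.log` in the PublicProfile hunk below), so a site that logs to another name under `logfiles\firewall` now fails a control whose title only requires a log file to be configured, and if the `r:` match is case-sensitive any mixed-case spelling of the path (`%SystemRoot%`, `LogFiles`) fails as well. The removed pattern accepted any `\w+` name, which is closer to the control's intent; if the exact names are a deliberate choice, record it on each rule, e.g. `# exact file name domainfw.log expected; adjust if the site logs to another name under logfiles\firewall`. The checks' id, title and condition lines are outside these hunks.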
@@ -1371,7 +1371,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\\w+\plog'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
 - id: 12097
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
@@ -1552,7 +1552,7 @@ checks:
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
 - id: 12110
 title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
@@ -1831,10 +1831,10 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\\\*\\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1' - id: 12130 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" 
@@ -1898,7 +1898,7 @@ checks: rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials" compliance: - - cis: "18.8.4.1" + - cis: "18.8.4.2" - cis_csc: "16" condition: all rules: @@ -2359,7 +2359,7 @@ checks: rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications" compliance: - - cis: "18.9.16.4" + - cis: "18.9.16.3" - cis_csc: "13" condition: all rules: 
@@ -2373,7 +2373,7 @@ checks: rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds" compliance: - - cis: "18.9.16.5" + - cis: "18.9.16.4" - cis_csc: "3" condition: all rules: @@ -2695,7 +2695,7 @@ checks: rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level" compliance: - - cis: "18.9.58.3.9.3" + - cis: "18.9.58.3.9.5" - cis_csc: "3.4" condition: all rules: @@ -2807,7 +2807,7 @@ checks: rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates" compliance: - - cis: "18.9.68.2" + - cis: "18.9.68.3" - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1" condition: all rules: 
@@ -2821,7 +2821,7 @@ checks: rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows" compliance: - - cis: "18.9.68.3" + - cis: "18.9.68.4" - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1" condition: all rules: @@ -2967,7 +2967,7 @@ checks: rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Security Center\\App and browser protection\\Prevent users from modifying settings" compliance: - - cis: "18.9.79.1.1" + - cis: "18.9.79.2.1" - cis_csc: "8.4" condition: all rules: @@ -3129,7 +3129,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 01' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' - id: 12221 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" 
@@ -3277,7 +3277,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - id: 12231 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" @@ -3305,4 +3305,4 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0' From 677e46190f0bb5dc5567dac6e9f53f02474a8fa5 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Tue, 25 Jun 2019 11:48:59 +0200 Subject: [PATCH 130/247] Fix %SYSTEMROOT% checks for Windows 2012 R2 --- sca/windows/cis_win2012r2_domainL1_rcl.yml | 6 +++--- sca/windows/cis_win2012r2_memberL1_rcl.yml | 8 +++----- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml index f95d04041..a5824a6c5 100644 --- a/sca/windows/cis_win2012r2_domainL1_rcl.yml +++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml 
@@ -888,7 +888,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log' - id: 8061 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'" @@ -1000,7 +1000,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log' - id: 8069 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'" 
@@ -1141,7 +1141,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log' - id: 8079 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'" diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml index 8d8397d91..a35b0ff62 100644 --- a/sca/windows/cis_win2012r2_memberL1_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml @@ -900,7 +900,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\domainfw\plog' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log' - id: 9062 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'" 
@@ -1012,8 +1012,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\privatefw\plog' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log' - id: 9070 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'" @@ -1153,8 +1152,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:\psystemroot\p\\system32\logfiles\firewall\publicfw\plog' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log' - id: 9080 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'" From 34e6d2bf7a0a2a83044c4549fd36435515cb98d6 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Tue, 25 Jun 2019 16:01:17 +0200 Subject: [PATCH 131/247] Adapt generic Windows checks to other policies --- sca/windows/win_audit_rcl.yml | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml index 3bd9f460f..1d175a546 100644 --- a/sca/windows/win_audit_rcl.yml +++ b/sca/windows/win_audit_rcl.yml @@ -59,7 +59,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel' - - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^0$|^1$' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^5$' # Disabled by some Malwares (sometimes by McAfee and Symantec # security center too). @@ -92,12 +92,10 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile' - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall' - - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall' - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1' - - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\standardprofile -> enablefirewall -> 1' - id: 2505 - title: "Ensure Null sessions are disallowed" + title: "Ensure Null sessions are not allowed" compliance: - pci_dss: "11.4" - nist_800_53: "IA.10" @@ -108,7 +106,7 @@ checks: - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' - id: 2506 - title: "Ensure Error reporting is enabled" + title: "Ensure Turn off Windows Error reporting is enabled" compliance: - pci_dss: "10.6.1" - hipaa: "164.312.b" 
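Review bot: In the `@@ -59` hunk the LMCompatibilityLevel rule now passes only for the value 5, where the rule it replaces rejected only 0 and 1, so hosts at levels 2–4 move from pass to fail. That is the stricter CIS reading (NTLMv2 only, refuse LM and NTLM), but the check's title and description, which lie outside the hunk, should state the level-5 requirement so the new result is explainable to whoever reads the report. Keeping the single `r:^5$` rule is fine if that is the intent; the removed `not ... r:^0$|^1$` form should not be reintroduced alongside it, as the two would disagree on levels 2–4.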
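Review bot: In the `@@ -92` hunk, dropping the two `standardprofile -> enablefirewall` rules leaves this check verifying only the domain profile, so a host whose firewall is on for the domain profile but off for private and public networks now passes. If the policies this commit aligns with cover the standard profile in a separate check, the title and description of this one (outside the hunk) should say it is domain-profile only; otherwise the two removed lines are still needed. With `condition: all` the four remaining rules are evaluated together, so the narrowing is silent rather than reported.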
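Review bot: The new title in the `@@ -108` hunk, `Ensure Turn off Windows Error reporting is enabled`, reads as a double negative because it names the Group Policy setting rather than the resulting state. Naming the state, `title: "Ensure Windows Error Reporting is disabled"`, matches the wording of the neighbouring checks (`Ensure Null sessions are not allowed`, `Ensure Automatic Logon is disabled`). The check's rules are in the following hunk.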
@@ -117,19 +115,12 @@ checks: - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> DoReport -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeKernelFaults -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeMicrosoftApps -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeWindowsApps -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> IncludeShutdownErrs -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting -> ShowUI -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0' - id: 2507 title: "Ensure Automatic Logon is disabled" 
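Review bot: With `condition: all`, the rewritten rule set requires both the `Windows Error Reporting -> Disabled -> 1` policy value and the `PCHealth\ErrorReporting -> DoReport -> 0` policy value to be present, so a host on which only one of the two Group Policy settings has been applied fails even though error reporting is off. Whether the two settings are always written together is not visible here; if they are not, either document in the check's description (outside the hunk) that both policies are expected, or split them into two checks so each can pass on its own. The literal value comparisons `-> 1` and `-> 0` follow the convention used by the other registry rules in this file.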
@@ -139,7 +130,6 @@ checks: - nist_800_53: "AU.6" condition: any rules: - - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword' - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' From 3d0394a4ea7a4f9f7b673be402aea115053e75ac Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 25 Jun 2019 18:54:53 +0200 Subject: [PATCH 132/247] Change some Solaris rules --- sca/sunos/cis_solaris11_rcl.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml index 8eeaf8d92..4428214b7 100644 --- a/sca/sunos/cis_solaris11_rcl.yml +++ b/sca/sunos/cis_solaris11_rcl.yml @@ -46,9 +46,9 @@ checks: remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail" compliance: - cis: "2.2" - condition: all + condition: none rules: - - 'f:/etc/mail/local.cf' + - 'c:netstat -an -> r:.25\s*\t* && !r:127.0.0.1.25|::1' - id: 11502 title: "Disable RPC Encryption Key" @@ -173,6 +173,7 @@ checks: - ipfilter(5) man page condition: all rules: + - 'c:inetadm -p -> r:tcp_wrappers=TRUE' - 'f:/etc/hosts.allow' - 'f:/etc/hosts.deny' 
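Review bot: In the `@@ -139` hunk, with `condition: any` the remaining bare existence rule `r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon` satisfies the check whenever the value exists at all, so a host with AutoAdminLogon set to 1 still passes as long as the value is present. The removed Winlogon-key rule had the same effect, but the weakness survives its removal; dropping the existence line and keeping `not ... -> DefaultPassword` together with `... -> AutoAdminLogon -> 0` makes the check pass only when no password is stored or automatic logon is explicitly off. The check's title (`Ensure Automatic Logon is disabled`) and compliance list are outside the hunk.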
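Review bot: In the Solaris `@@ -46` hunk, the new netstat pattern `r:.25\s*\t*` has an unescaped `.` and only optional whitespace after it, so it matches any `25` preceded by any character — an address such as `10.0.25.4` or a port such as `2525` — and with `condition: none` every such non-loopback line marks the check as failed. Requiring the literal dot and at least one following space, `r:\.25\s && !r:127.0.0.1.25|::1.25`, restricts it to a socket on port 25; the `::1` exclusion as written also discards every IPv6 loopback line regardless of port, which the `::1.25` form avoids (confirm the IPv6 address/port format netstat prints on the target). The remediation text's `config/local_only=false` also looks inverted for "listen only on local interfaces" and is worth checking against the benchmark. The check's title and description are outside the hunk.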
@@ -309,6 +310,12 @@ checks: - cis: "4.5" condition: all rules: + - 'c:auditconfig -getcond -> audit condition = auditing' + - 'c:auditconfig -getpolicy -> r:active audit policies = argv,cnt,zonename' + - 'c:auditconfig -getflags -> r:active user default audit flags = lo(0x1000,0x1000)' + - 'c:auditconfig -getnaflags -> r:active non-attributable audit flags = lo(0x1000,0x1000)' + - 'c:auditconfig -getplugin audit_binfile -> r:audit_binfile (active)' + - 'c:userattr audit_flags root -> r:lo,ad,ft,ex,cis:no' - 'd:/var/spool/cron/crontabs -> r:/usr/sbin/audit -n' # 5 File/Directory Permissions/Access @@ -321,7 +328,7 @@ checks: - cis: "5.1" condition: all rules: - - 'f:/etc/profile -> r:^umask\s*022' + - 'c:svcprop -p umask/umask svc:/system/environment:init -> 022' # 6 System Access, Authentication, and Authorization - id: 11522 @@ -334,7 +341,7 @@ checks: condition: all rules: - 'f:/etc/default/keyserv' - - 'f:/etc/default/keyserv -> r:^ENABLE\.NOBODY\.KEYS\pNO' + - 'f:/etc/default/keyserv -> r:^ENABLE\sNOBODY\sKEYS\pNO' - id: 11523 title: "Disable X11 Forwarding for SSH" From e1f49248db8ba26355add857bd40230908a37c49 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 25 Jun 2019 10:34:53 -0700 Subject: [PATCH 133/247] Fixing CIS Debian 7-8 policy --- sca/debian/cis_debianlinux7-8_L1_rcl.yml | 565 ++++++++++++----------- 1 file changed, 306 insertions(+), 259 deletions(-) diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml index 09d8dfdf1..fb41f2117 100644 --- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml 
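Review bot: The first rule added in the `@@ -309` hunk, `c:auditconfig -getcond -> audit condition = auditing`, omits the `r:` prefix that the five rules after it use, so it is compared as a literal line rather than a pattern; that works if the output is exactly that text, but the inconsistency is worth removing. The patterns containing parentheses, `lo(0x1000,0x1000)` and `audit_binfile (active)`, need confirming against the SCA regex engine: if `(` and `)` are grouping metacharacters there, they match `lo0x1000,0x1000` rather than the printed text and the check can never pass, in which case escaping them (if the engine supports `\(`) or matching a shorter literal such as `r:audit_binfile` is safer. The check's title and description are outside the hunk.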
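Review bot: The rewritten keyserv pattern in the `@@ -334` hunk, `r:^ENABLE\sNOBODY\sKEYS\pNO`, replaces the any-character `\.` with `\s`, which in this rule syntax matches whitespace, while the setting in /etc/default/keyserv is spelled with underscores (`ENABLE_NOBODY_KEYS=NO`); if that is the spelling on the target, the rule no longer matches and the check fails on correctly configured hosts. Writing the token literally, `- 'f:/etc/default/keyserv -> r:^ENABLE_NOBODY_KEYS=NO'`, avoids relying on a character class for a fixed name. The `@@ -321` hunk's `svcprop` rule is a literal match on `022` and looks fine.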
@@ -317,10 +317,9 @@ checks: - cis_csc: "13" condition: all rules: - - 'c:ulimit -H -c -> 0' - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$' - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$' - - 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' - id: 10517 title: "Ensure address space layout randomization (ASLR) is enabled" @@ -332,7 +331,7 @@ checks: - cis_csc: "8.3, 8.4" condition: all rules: - - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$ + - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$ - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' # 1.7 Warning Banners 
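Review bot: The new limits.conf rule in the `@@ -317` hunk checks the grep output with `r:\s*\t*0$`, where both whitespace classes are optional, so the pattern is satisfied by any line ending in `0` — `* hard core 100` passes — whereas the pattern it replaces, `r:\s0$|\t0$`, required a separator before the zero. Requiring the separator again, `-> r:core\s+0$`, restores the original strictness. Note also that `^*[[:space:]]*hard` only considers entries beginning with `*`, so a per-user or per-group `hard core 0` line is ignored; acceptable for the benchmark, but worth stating in the check's description, which is outside the hunk.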
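Review bot: The rewritten grep rule in the `@@ -332` hunk is missing its closing quote — both the removed and the added line end at `r:\s2$|\t2$` with no `'`, while every neighbouring rule is closed — so, unless the quote was lost in rendering, the single-quoted scalar runs on into the next line and the policy file fails to load. The line should end `... /etc/sysctl.d -> r:\s2$|\t2$'`. Dropping `^\s*` from the grep expression also means an indented `kernel.randomize_va_space` line is no longer found, which may be intentional since sysctl keys are normally at column 0.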
@@ -591,349 +590,357 @@ checks: rules: - 'c:dpkg -s telnet -> r:install ok installed' ---------------------------------------------------- #ToDo - # 3 Network Configuration - id: 10544 - title: "Disable IP Forwarding" - description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0." - rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1" + title: "Ensure IP forwarding is disabled" + description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not." + rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "7.1.1" + - cis: "3.1.1" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$' - id: 10545 - title: "Disable Send Packet Redirects" + title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
- remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.1.2" + - cis: "3.1.2" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' - id: 10546 - title: "Disable Source Routed Packet Acceptance" + title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." 
- rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." - remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1" + rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. 
If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "7.2.1" + - cis: "3.2.1" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:=\s*\t*0$' + - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - id: 10547 - title: "Disable ICMP Redirect 
Acceptance" + title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." - remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "7.2.2" + - cis: "3.2.2" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$' + - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$' - id: 10548 - title: "Disable Secure ICMP Redirect Acceptance" + title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
- remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.3" + - cis: "3.2.3" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' - - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' + - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' - id: 10549 - title: "Log Suspicious Packets" + title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." 
- remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.4" + - cis: "3.2.4" + - cis_csc: "6, 6.2, 6.3" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' - - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' - id: 10550 - title: "Enable Ignore Broadcast Requests" + title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. 
All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." - remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.5" + - cis: "3.2.5" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' + - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - id: 10551 - title: "Enable Bad Error Message Protection" + title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." 
- remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1" + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.6" + - cis: "3.2.6" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' + - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' - id: 10552 - title: "Enable RFC-recommended Source Route Validation" + title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." - rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing." 
- remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1" + rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.7" + - cis: "3.2.7" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$' - - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - id: 10553 - title: "Enable TCP SYN Cookies" - description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. 
SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." - rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack." - remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1" + title: "Ensure TCP SYN Cookies is enabled" + description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. 
This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." + rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.8" + - cis: "3.2.8" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' + - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' + - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' - id: 10554 - title: "Disable IPv6 Router Advertisements" + title: "Ensure IPv6 router advertisements are not accepted" description: "This setting disables the systems ability to accept router advertisements" rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." 
- remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1" - compliance: - - cis: "7.3.1" - condition: all - rules: - - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$' - - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$' - - - id: 10555 - title: "Disable IPv6 Redirect Acceptance" - description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic." - rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." - remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1" + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. 
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "7.3.2" + - cis: "3.2.9" + - cis_csc: "3, 11, 5.1" condition: all rules: - - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$' - - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$' - - - id: 10556 - title: "Disable IPv6" - description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6." - rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system." - remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p" - compliance: - - cis: "7.3.3" - condition: none - rules: - - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$' - - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:=\s*\t*1$' - - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> r:=\s*\t*1$' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6\s*\t*=\s*\t*1' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6\s*\t*=\s*\t*1' - - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6\s*\t*=\s*\t*1' + - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$' + - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$' + - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$' + - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$' - id: 10557 - title: "Create /etc/hosts.allow" + title: "Ensure /etc/hosts.allow is configured" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the 
host. It is intended to be used in conjunction with the /etc/hosts.deny file." - rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server." - remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system." + rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system." + remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system." compliance: - - cis: "7.4.2" + - cis: "3.3.2" + - cis_csc: "9.2, 9.4" condition: all rules: - 'f:/etc/hosts.allow' - id: 10558 - title: "Create /etc/hosts.deny" + title: "Ensure /etc/hosts.deny is configured" description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." - remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny" + remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny" compliance: - - cis: "7.4.4" + - cis: "3.3.3" + - cis_csc: "9.2, 9.4" condition: all rules: - 'f:/etc/hosts.deny' - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' - id: 10559 - title: "Disable DCCP" - description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. 
DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery." - rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." - remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf" + title: "Ensure DCCP is disabled" + description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery." + rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true" compliance: - - cis: "7.5.1" + - cis: "3.4.1" + - cis_csc: "9.1, 9.2" condition: none rules: + - 'not c:modprobe -n -v dccp -> r:install /bin/true' - 'c:lsmod -> r:dccp' - id: 10560 - title: "Disable SCTP" + title: "Ensure SCTP is disabled" description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." 
- remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf" + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true" compliance: - - cis: "7.5.2" + - cis: "3.4.2" + - cis_csc: "9.1, 9.2" condition: none rules: + - 'not c:modprobe -n -v sctp -> r:install /bin/true' - 'c:lsmod -> r:sctp' - id: 10561 - title: "Disable RDS" + title: "Ensure RDS is disabled" description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." - remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf" + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true" compliance: - - cis: "7.5.3" + - cis: "3.4.3" + - cis_csc: "9.1, 9.2" condition: none rules: + - 'not c:modprobe -n -v rds -> r:install /bin/true' - 'c:lsmod -> r:rds' - id: 10562 - title: "Disable TIPC" + title: "Ensure TIPC is disabled" description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." 
- remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf" + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true" compliance: - - cis: "7.5.4" + - cis: "3.4.4" + - cis_csc: "9.1, 9.2" condition: none rules: + - 'not c:modprobe -n -v tipc -> r:install /bin/true' - 'c:lsmod -> r:tipc' +# 3.5 Firewall configuration + - id: 10563 - title: "Ensure Firewall is active" - description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps." - rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports." - remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable" + title: "Ensure default deny firewall policy" + description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." + rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." + remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. 
Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." compliance: - - cis: "7.7" + - cis: "3.5.1.1" + - cis_csc: "9.1, 9.4" condition: all rules: - - 'c:dpkg -s iptables -> r:install ok installed' - - 'c:dpkg -s iptables-persistent -> r:install ok installed' - - 'c:find /etc -regex "/etc/rc.*iptables-persistent" -> r:S\.*iptables-persistent' + - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP' + - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP' + - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP' -# 8 Logging and Auditing - - id: 10564 - title: "Ensure the rsyslog Service is activated" - description: "Once the rsyslog package is installed it needs to be activated." - rationale: "If the rsyslog service is not activated the system will not have a syslog service running." - remediation: "Enable rsyslog: # update-rc.d rsyslog enable" + - id: 10563 + title: " Ensure IPv6 default deny firewall policy" + description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." + rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." + remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." 
compliance: - - cis: "8.2.2" + - cis: "3.5.2.1" + - cis_csc: "9.1, 9.4" condition: all rules: - - 'c:find /etc -regex "/etc/rc.*rsyslog" -> r:S\.*rsyslog' + - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP' + - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP' + - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 10565 - title: "Configure /etc/rsyslog.conf" - description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." - rationale: "A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)." - remediation: "Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment: *.emerg :omusrmsg:* mail.* -/var/log/mail mail.info -/var/log/mail.info mail.warning -/var/log/mail.warn mail.err -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none -/var/log/messages local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages Execute the following command to restart rsyslogd # pkill -HUP rsyslogd" + - id: 10563 + title: "Ensure iptables is installed" + description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables." + rationale: "iptables is required for firewall management and configuration." 
+ remediation: "Run the following command to install iptables: # apt-get install iptables" compliance: - - cis: "8.2.3" - references: - - rsyslog.conf(5) man page + - cis: "3.5.3" + - cis_csc: "9.2, 9.4" condition: all rules: - - 'c:grep -Rh ^*.emerg\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^mail.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^mail.info\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^mail.warning\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^mail.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^news.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^news.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^news.notice\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^*.=warning;*.=err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^*.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^*.*;mail.none;news.none\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^local0,local1.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^local2,local3.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^local4,local5.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -Rh ^local6,local7.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' + - 'c:dpkg -s iptables -> r:install ok installed' + +# 4 Logging and Auditing + - id: 10564 + title: "Ensure rsyslog Service is enabled" + description: "Once the rsyslog package is installed it needs to be activated." + rationale: "If the rsyslog service is not activated the system will not have a syslog service running." 
+ remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog" + compliance: + - cis: "4.2.1.1" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'c:systemctl is-enabled rsyslog -> r:^enabled' - id: 10566 - title: "Configure rsyslog to Send Logs to a Remote Log Host" + title: "Ensure rsyslog is configured to send logs to a remote log host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." - rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system" - remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol." + rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system." + remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. 
Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - - cis: "8.2.5" + - cis: "4.2.1.4" + - cis_csc: "6.6, 6.8" references: - rsyslog.conf(5) man page condition: all rules: - - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+' + - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+' - id: 10567 - title: "Accept Remote rsyslog Messages Only on Designated Log Hosts" + title: "Ensure remote rsyslog messages are only accepted on designated log hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." - remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd" + remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp +# $InputTCPServerRun 514. 
Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
- - cis: "8.2.6"
+ - cis: "4.2.1.5"
+ - cis_csc: "9.1, 9.2"
 references:
 - rsyslog.conf(8) man page
 condition: all
 rules:
- - 'c:grep -Rh ^\$ModLoad imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so'
- - 'c:grep -Rh ^\$InputTCPServerRun 514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514'
+ - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+ - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
- - id: 10568
- title: "Configure logrotate"
- description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog."
- rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files."
- remediation: "Edit the /etc/logrotate.d/rsyslog file to include appropriate system logs according to your site policy."
- compliance:
- - cis: "8.4"
- condition: all
- rules:
- - 'f:/etc/logrotate.d/rsyslog'
- - 'f:/etc/logrotate.d/rsyslog -> r:\S+'
-
-# 9 System Access, Authentication and Authorization
+# 5 Access, Authentication and Authorization
 - id: 10569
- title: "Enable cron Daemon"
+ title: "Ensure cron daemon is enabled"
 description: "The cron daemon is used to execute batch jobs on the system."
- rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them." 
- remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable"
+ rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+ remediation: "Run the following command to enable cron: systemctl enable cron"
 compliance:
- - cis: "9.1.1"
+ - cis: "5.1.1"
+ - cis_csc: "6, 5.1"
 condition: all
 rules:
- - 'f:/etc/rc2.d/S15anacron'
- - 'f:/etc/rc2.d/S15cron'
- - 'f:/etc/rc3.d/S15anacron'
- - 'f:/etc/rc3.d/S15cron'
- - 'f:/etc/rc4.d/S15anacron'
- - 'f:/etc/rc4.d/S15cron'
- - 'f:/etc/rc5.d/S15anacron'
- - 'f:/etc/rc5.d/S15cron'
+ - 'c:systemctl is-enabled cron -> r:^enabled$'
 - id: 10570
 title: "Ensure at/cron is restricted to authorized users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
- rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." 
- remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+ rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+ remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
 - cis: "5.1.8"
+ - cis_csc: "16"
 condition: all
 rules:
 - 'f:/etc/cron.allow' 
@@ -943,172 +950,212 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
- - id: 10571
- title: "Set Password Creation Requirement Parameters Using pam_cracklib"
- description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
- compliance:
- - cis: "9.2.1"
- condition: all
- rules:
- - 'c:dpkg -s libpam-cracklib -> install ok installed'
- - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so\s*\t*retry=\d\s*\t*minlen=\d\d+\s*\t*dcredit=-\d+\s*\t*ucredit=-\d+\s*\t*ocredit=-\d+\s*\t*lcredit=-\d+'
-
- - id: 10572
- title: "Set Lockout for Failed Password Attempts"
- description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. 
The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
- rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
- remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user."
- compliance:
- - cis: "9.2.2"
- condition: all
- rules:
- - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d\s*\t*unlock_time=\d\d\d+'
-
- - id: 10573
- title: "Limit Password Reuse"
- description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
- rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
- remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy."
+ - id: 10574
+ title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+ description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. 
The command below sets the owner and group of the file to root."
+ rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+ remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
 compliance:
- - cis: "9.2.3"
+ - cis: "5.2.1"
+ - cis_csc: "5.1"
 condition: all
 rules:
- - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so\s*\t*obscure\s*\t*sha512\s*\t*remember=\d'
+ - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
 - id: 10574
- title: "Set SSH Protocol to 2"
+ title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "9.3.1"
+ - cis: "5.2.4"
+ - cis_csc: "3.4, 4.5"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
 - id: 10575
- title: "Set LogLevel to INFO"
- description: "The INFO parameter specifices that record login and logout activity will be logged."
- rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. 
The logout record can eliminate those users who disconnected, which helps narrow the field."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
+ title: "Ensure SSH LogLevel is appropriate"
+ description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+ rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO"
+ references:
+ - https://www.ssh.com/ssh/sshd_config/
 compliance:
- - cis: "9.3.2"
+ - cis: "5.2.5"
+ - cis_csc: "16, 6.2, 6.3"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
 - id: 10576
- title: "Disable SSH X11 Forwarding"
+ title: "Ensure SSH X11 forwarding is disabled"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"
+ remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
 compliance:
- - cis: "9.3.4"
+ - cis: "5.2.6"
+ - cis_csc: "16, 9.2"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
 - id: 10577
- title: "Set SSH MaxAuthTries to 4 or Less"
+ title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
- rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy."
+ rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "9.3.5"
+ - cis: "5.2.7"
+ - cis_csc: "16, 16.13"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 - id: 10578
- title: "Set SSH IgnoreRhosts to Yes"
- description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." 
+ title: "Ensure SSH IgnoreRhosts is enabled"
+ description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "9.3.6"
+ - cis: "5.2.8"
+ - cis_csc: "9, 9.2"
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
 - id: 10579
- title: "Set SSH HostbasedAuthentication to No"
+ title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "9.3.7"
+ - cis: "5.2.9"
+ - cis_csc: "9, 16.3"
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
 - id: 10580
- title: "Disable SSH Root Login"
+ title: "Ensure SSH root login is disabled "
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
- rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "9.3.8"
+ - cis: "5.2.10"
+ - cis_csc: "5.8, 4.3"
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
+# 5.2 SSH Server Configuration
+
 - id: 10581
- title: "Set SSH PermitEmptyPasswords to No"
+ title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "9.3.9"
+ - cis: "5.2.11"
+ - cis_csc: "16, 16.3"
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
 - id: 10582
- title: "Do Not Allow Users to Set Environment Options"
+ title: "Ensure SSH PermitUserEnvironment is disabled"
 description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. 
setting an execution path that has ssh executing trojan'd programs)"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
 compliance:
- - cis: "9.3.10"
+ - cis: "5.2.12"
+ - cis_csc: "16, 5.1"
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
 - id: 10583
- title: "Set Idle Timeout Interval for User Login"
+ title: "Ensure SSH Idle Timeout Interval is configured"
 description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
- rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0"
+ rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. 
user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0"
 compliance:
- - cis: "9.3.12"
+ - cis: "5.2.16"
+ - cis_csc: "16.4, 16.11"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300'
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
 - id: 10584
- title: "Limit Access via SSH"
+ title: "Ensure SSH access is limited"
 description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." 
remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
 compliance:
- - cis: "9.3.13"
+ - cis: "5.2.18"
+ - cis_csc: "5.1, 5.8, 4.3"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
 - id: 10585
- title: "Set SSH Banner"
+ title: "Ensure SSH warning banner is configured"
 description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
- rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site."
+ rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
 compliance:
- - cis: "9.3.14"
+ - cis: "5.2.19"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue'
+
+# 5.3 Configure PAM
+
+ - id: 10571
+ title: "Ensure password creation requirements are configured"
+ description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). 
The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "5.7, 16.12, 4.4"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue'
+ - 'c:dpkg -s libpam-cracklib -> install ok installed'
+ - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:dcredit'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:ucredit'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit'
+
+ - id: 10572
+ title: "Ensure lockout for failed password attempts is configured"
+ description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. 
The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+ rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+ remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization."
+ compliance:
+ - cis: "5.3.2"
+ - cis_csc: "16.7"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
+
+ - id: 10573
+ title: "Ensure password reuse is limited"
+ description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+ rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+ remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. 
Notes: Additional module options may be set, recommendation only covers those listed here."
+ compliance:
+ - cis: "5.3.3"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
+ +--------------------------------------------------- #ToDo
 - id: 10586
 title: "Restrict Access to the su Command"
From f4c107da895ff1c4a3eab402de972ec71007676f Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 26 Jun 2019 13:02:09 +0200
Subject: [PATCH 134/247] Check Office 2016 policy
---
 sca/windows/acsc_office2016_rcl.yml | 253 +++++++++++++++-------------
 1 file changed, 134 insertions(+), 119 deletions(-)
diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml
index b76d3f2c7..81b215e13 100644
--- a/sca/windows/acsc_office2016_rcl.yml
+++ b/sca/windows/acsc_office2016_rcl.yml 
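Review bot: The remediation string added for id 10572 carries unescaped inner double quotes (`Notes: Use of the "audit" keyword may log credentials`) inside a double-quoted YAML scalar, which terminates the scalar early and should make the whole policy file fail to load; the old rsyslog remediation escaped such quotes as `\"at\"`, so this one should read `Notes: Use of the \"audit\" keyword may log credentials`. The new `Ensure permissions on /etc/ssh/sshd_config are configured` check reuses `id: 10574`, which the retained `Ensure SSH Protocol is set to 2` check still carries, so one of the two needs a unique id before the SCA loader either rejects the policy or silently drops a check. The rewritten id 10571 check keeps `'c:dpkg -s libpam-cracklib -> install ok installed'` while its remediation and PAM rule target pam_pwquality, so hosts that followed the remediation will still fail it; the package rule should become `'c:dpkg -s libpam-pwquality -> install ok installed'`. The `+---… #ToDo` line left in front of id 10586 also looks like a leftover work marker rather than valid YAML, though the collapsed diff makes its exact form hard to read; it should be dropped or turned into a `# ToDo` comment before merge.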
@@ -23,167 +23,182 @@ policy: requirements: title: "Check that the installed Office is version 2016" description: "Requirements for running the CIS benchmark against Office 2016" - condition: "any required" + condition: any rules: - - 'r:HKLM\Software\Microsoft\Office\16.0\Word\InstallRoot::Path' + - 'r:HKEY_LOCAL_MACHINE\SAM\SAM' checks: # ACSC - Attack Surface Reduction - - id: 10000 - title: "Ensure Attack Surface Reduction is set to 'Enabled'" + - id: 14500 + title: "Ensure 'Attack Surface Reduction' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' - - id: 10001 + - id: 14501 title: "Ensure 'Block executable content from email client and webmail' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' - - id: 10002 + - id: 14502 title: "Ensure 'block Office applications from creating child processes' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' - - id: 10003 + - id: 14503 title: "Ensure 'block Office applications from creating executable content' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. 
In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' - - id: 10004 + - id: 14504 title: "Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' - - id: 10005 + - id: 14505 title: "Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' - - id: 10006 + - id: 14506 title: "Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. 
It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' - - id: 10007 + - id: 14507 title: "Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'" description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' # ACSC - Active X - - id: 10008 + - id: 14508 #* title: "Ensure 'Disable All Active X' is set to 'Enabled'" description: "While ActiveX controls can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, ActiveX controls should be disabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> 1' # ACSC - Add-ins - - id: 10009 + - id: 14509 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Excel" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> 1' - - id: 10010 + - id: 14510 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Excel" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> 1' - - id: 10011 + - id: 14511 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for PowerPoint" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> 1' - - id: 10012 + - id: 14512 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> 1' - - id: 10013 + - id: 14513 title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Word" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> 1' - - id: 10014 + - id: 14514 title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Word" description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> 1' # ACSC - Extension Hardening - - id: 10015 - title: "Ensure if Extension Hardening functionality in Microsoft Excel is enabled" + - id: 14515 + title: "Ensure 'Extension Hardening functionality' in Microsoft Excel is enabled" description: "Extension Hardening mitigates a number of scenarios whereby an adversary would deceive users into opening malicious Microsoft Excel files. By default, users will be warned when file content or MIME type doesn’t match the file extension;however, users can still allow such files to open. As such, it is important that only Microsoft Excel files that pass integrity checks are allowed to be opened. To reduce this risk, Extension Hardening functionality should be enabled for Microsoft Excel." 
references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -193,8 +208,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> 2' # ACSC - File Type Blocking - - id: 10016 - title: "Ensure dBase III / IV files are blocked in Microsoft Excel" + - id: 14516 + title: "Ensure 'dBase III / IV files' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
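Review bot: The new requirements rule at the top of the first hunk no longer verifies Office 2016 at all: `r:HKEY_LOCAL_MACHINE\SAM\SAM` is present on every Windows installation regardless of Office, so the "Check that the installed Office is version 2016" gate passes (or fails on agent privilege, if the SAM hive is not readable) independently of what is installed. Presumably this was a stand-in while the removed `::Path` form was being ported; the same check can be written in the arrow form the rest of the hunk already uses, e.g. `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Word\InstallRoot -> Path'`. Separately, the `#*` appended to `- id: 14508` here and to `- id: 14529` in the @@ -313 hunk reads as a leftover working note; either replace it with a comment stating what it marks or drop it. Also, if the trailing `-> 1` element is evaluated as an unanchored pattern rather than an exact value, the ASR and add-in checks would also accept data such as `10`; worth confirming against the rule engine before relying on them.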
@@ -203,18 +218,18 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> 2' - - id: 10017 - title: "Ensure Dif and Sylk files are blocked in Microsoft Excel" + - id: 14517 + title: "Ensure 'Dif and Sylk files' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles' - - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\excel\\security\\fileblock ->\tdifandsylkfiles -> 2" + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> 2' - - id: 10018 - title: "Ensure Excel 2 macrosheets and add-in files are blocked in Microsoft Excel" + - id: 14518 + title: "Ensure 'Excel 2 macrosheets and add-in files' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -223,18 +238,18 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> 2' - - id: 10019 - title: "Ensure Excel 2 worksheets are blocked in Microsoft Excel" + - id: 14519 + title: "Ensure 'Excel 2 worksheets' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf condition: all rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets' - - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\excel\\security\\fileblock ->\txl2worksheets -> 2" + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> 2' - - id: 10020 - title: "Ensure Excel 3 macrosheets and add-in files are blocked in Microsoft Excel" + - id: 14520 + title: "Ensure 'Excel 3 macrosheets and add-in files' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -243,8 +258,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> 2' - - id: 10021 - title: "Ensure Excel 3 worksheets and add-in files are blocked in Microsoft Excel" + - id: 14521 + title: "Ensure 'Excel 3 worksheets and add-in files' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -253,8 +268,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> 2' - - id: 10022 - title: "Ensure Excel 4 macrosheets and add-in files are blocked in Microsoft Excel" + - id: 14522 + title: "Ensure 'Excel 4 macrosheets and add-in files' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -263,8 +278,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> 2' - - id: 10023 - title: "Ensure Excel 4 workbooks are blocked in Microsoft Excel" + - id: 14523 + title: "Ensure 'Excel 4 workbooks are blocked' in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -273,8 +288,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> 2' - - id: 10024 - title: "Ensure Excel 4 worksheets are blocked in Microsoft Excel" + - id: 14524 + title: "Ensure 'Excel 4 worksheets are blocked' in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
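Review bot: The quoted span in the new title for 14523 in this hunk wraps the verb as well, `'Excel 4 workbooks are blocked'`, whereas every sibling title quotes only the setting or file type (`'Excel 4 macrosheets and add-in files' are blocked`); 14524 in the @@ -273 hunk and 14525 in the @@ -283 hunk have the same inconsistency. Since the quotes mark the policy item being checked, the three should read `title: "Ensure 'Excel 4 workbooks' are blocked in Microsoft Excel"` and likewise for the Excel 4 worksheets and Excel 95 workbooks entries.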
@@ -283,8 +298,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> 2' - - id: 10025 - title: "Ensure Excel 95 workbooks are blocked in Microsoft Excel" + - id: 14525 + title: "Ensure 'Excel 95 workbooks are blocked' in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -293,8 +308,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> 2' - - id: 10026 - title: "Ensure Excel 95-97 workbooks and templates are blocked in Microsoft Excel" + - id: 14526 + title: "Ensure 'Excel 95-97 workbooks and templates' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -303,8 +318,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> 2' - - id: 10027 - title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel" + - id: 14527 + title: "Ensure 'Set default file block behavior' is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -313,16 +328,16 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> 0' - - id: 10028 - title: "Ensure Web pages and Excel 2003 XML spreadsheets are blocked in Microsoft Excel" + - id: 14528 + title: "Ensure 'Web pages and Excel 2003 XML spreadsheets' are blocked in Microsoft Excel" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." condition: all rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles' - - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\excel\\security\\fileblock ->\thtmlandxmlssfiles -> 2" + - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> 2' # CIS 2.22 - Office Converters - - id: 10029 + - id: 14529 #* title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled" description: "This policy setting controls whether users with the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats installed can open Office Open XML files saved with pre-release versions of PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. The recommended state for this setting is: Enabled." 
rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality." @@ -335,8 +350,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> 2' # ACSC - File Type Blocking (Cont'd) - - id: 10030 - title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint" + - id: 14530 + title: "Ensure 'Set default file block behavior' is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -345,8 +360,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> 0' - - id: 10031 - title: "Ensure Set default file block behavior is set to 'Enabled' (Blocked files are not opened) in Microsoft Word" + - id: 14531 + title: "Ensure 'Set default file block behavior' is set to 'Enabled' (Blocked files are not opened) in Microsoft Word" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -355,8 +370,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> 0' - - id: 10032 - title: "Ensure Word 2 and earlier binary documents and templates are blocked in Microsoft Word" + - id: 14532 + title: "Ensure 'Word 2 and earlier binary documents and templates' are blocked in Microsoft Word" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -364,8 +379,8 @@ checks: rules: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> 2' - - id: 10033 - title: "Ensure Word 6.0 binary documents and templates are blocked in Microsoft Word" + - id: 14533 + title: "Ensure 'Word 6.0 binary documents and templates' are blocked in Microsoft Word" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -374,8 +389,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> 2' - - id: 10034 - title: "Ensure Word 95 binary documents and templates are blocked in Microsoft Word" + - id: 14534 + title: "Ensure 'Word 95 binary documents and templates' are blocked in Microsoft Word" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -384,8 +399,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> 2' - - id: 10035 - title: "Ensure Word 97 binary documents and templates are blocked in Microsoft Word" + - id: 14535 + title: "Ensure 'Word 97 binary documents and templates' are blocked in Microsoft Word" description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -395,8 +410,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> 2' # ACSC - Hidden Markup - - id: 10036 - title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft PowerPoint" + - id: 14536 + title: "Ensure 'Make hidden markup visible' is set to 'Enabled' in Microsoft PowerPoint" description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -405,8 +420,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> 1' - - id: 10037 - title: "Ensure Make hidden markup visible is set to 'Enabled' in Microsoft Word" + - id: 14537 + title: "Ensure 'Make hidden markup visible' is set to 'Enabled' in Microsoft Word" description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -416,8 +431,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> 1' # ACSC - Office File Validation - - id: 10038 - title: "Ensure Turn off error reporting for files that fail file validation is set to 'Enabled' in Microsoft Office" + - id: 14538 + title: "Ensure 'Turn off error reporting for files that fail file validation' is set to 'Enabled' in Microsoft Office" description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -426,8 +441,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> 1' - - id: 10039 - title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Excel" + - id: 14539 + title: "Ensure 'Turn off file validation' is set to 'Disabled' in Microsoft Excel" description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -436,8 +451,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> 1' - - id: 10040 - title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft PowerPoint" + - id: 14540 + title: "Ensure 'Turn off file validation' is set to 'Disabled' in Microsoft PowerPoint" description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -446,8 +461,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> 1' - - id: 10041 - title: "Ensure Turn off file validation ins set to 'Disabled' in Microsoft Word" + - id: 14541 + title: "Ensure 'Turn off file validation' is set to 'Disabled' in Microsoft Word" description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -457,8 +472,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> 1' # ACSC - Protected View - - id: 10042 - title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Excel" + - id: 14542 + title: "Ensure 'Do not open files from the Internet zone in Protected View' is set to 'Disabled' in Microsoft Excel" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -467,8 +482,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> 0' - - id: 10043 - title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Excel" + - id: 14543 + title: "Ensure 'Do not open files in unsafe locations in Protected View' is set to 'Disabled' in Microsoft Excel" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -477,8 +492,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> 0' - - id: 10044 - title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft Excel" + - id: 14544 + title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enabled' (Block files) in Microsoft Excel" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -487,8 +502,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> 0' - - id: 10045 - title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Excel" + - id: 14545 + title: "Ensure 'Turn off Protected View for attachments opened from Outlook' is set to 'Disabled' in Microsoft Excel" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -497,8 +512,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> 0' - - id: 10046 - title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft PowerPoint" + - id: 14546 + title: "Ensure 'Do not open files from the Internet zone in Protected View' is set to 'Disabled' in Microsoft PowerPoint" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -507,8 +522,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> 0' - - id: 10047 - title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft PowerPoint" + - id: 14547 + title: "Ensure 'Do not open files in unsafe locations in Protected View' is set to 'Disabled' in Microsoft PowerPoint" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -517,8 +532,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> 0' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv' - - id: 10048 - title: "Ensure Set document behaviour if file validation fails is set to 'Enabled' (Block files) in Microsoft PowerPoint" + - id: 14548 + title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enabled' (Block files) in Microsoft PowerPoint" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -527,8 +542,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> 0' - - id: 10049 - title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft PowerPoint" + - id: 14549 + title: "Ensure 'Turn off Protected View for attachments opened from Outlook' is set to 'Disabled' in Microsoft PowerPoint" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -537,8 +552,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> 0' - - id: 10050 - title: "Ensure Do not open files from the Internet zone in Protected View is set to 'Disabled' in Microsoft Word" + - id: 14550 + title: "Ensure 'Do not open files from the Internet zone in Protected View' is set to 'Disabled' in Microsoft Word" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -547,8 +562,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> 0' - - id: 10051 - title: "Ensure Do not open files in unsafe locations in Protected View is set to 'Disabled' in Microsoft Word" + - id: 14551 + title: "Ensure 'Do not open files in unsafe locations in Protected View' is set to 'Disabled' in Microsoft Word" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -557,8 +572,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> 0' - - id: 10052 - title: "Ensure Set document behaviour if file validation fails is set to 'Enable' (Block files) in Microsoft Word" + - id: 14552 + title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enable' (Block files) in Microsoft Word" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
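Review bot: The rewritten title of 14552 still says `is set to 'Enable' (Block files)` while its Excel and PowerPoint counterparts 14544 and 14548 say `'Enabled'`; as the line is already being changed, the wording should match the sibling checks and the other policy-state titles in this file, `title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enabled' (Block files) in Microsoft Word"`. The registry rules for this check are in the following hunk and are unchanged by the commit.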
@@ -567,8 +582,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> 0' - - id: 10053 - title: "Ensure Turn off Protected View for attachments opened from Outlook is set to 'Disabled' in Microsoft Word" + - id: 14553 + title: "Ensure 'Turn off Protected View for attachments opened from Outlook' is set to 'Disabled' in Microsoft Word" description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -578,8 +593,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> 0' # ACSC - Trusted Documents - - id: 10054 - title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Excel" + - id: 14554 + title: "Ensure 'Turn off trusted documents' is set to 'Enabled' in Microsoft Excel" description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -588,8 +603,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> 1' - - id: 10055 - title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Excel" + - id: 14555 + title: "Ensure 'Turn off Trusted Documents on the network' is set to 'Enabled' in Microsoft Excel" description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -598,8 +613,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> 1' - - id: 10056 - title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Powerpoint" + - id: 14556 + title: "Ensure 'Turn off trusted documents' is set to 'Enabled' in Microsoft Powerpoint" description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -608,8 +623,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> 1' - - id: 10057 - title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Powerpoint" + - id: 14557 + title: "Ensure 'Turn off Trusted Documents on the network' is set to 'Enabled' in Microsoft Powerpoint" description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf @@ -618,8 +633,8 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments' - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments -> 1' - - id: 10058 - title: "Ensure Turn off trusted documents is set to 'Enabled' in Microsoft Word" + - id: 14558 + title: "Ensure 'Turn off trusted documents' is set to 'Enabled' in Microsoft Word" description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." references: - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf 
@@ -628,8 +643,8 @@ checks:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> 1'
- - id: 10059
- title: "Ensure Turn off Trusted Documents on the network is set to 'Enabled' in Microsoft Word"
+ - id: 14559
+ title: "Ensure 'Turn off Trusted Documents on the network' is set to 'Enabled' in Microsoft Word"
 description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office."
 references:
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
@@ -639,7 +654,7 @@ checks:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> 1'
 # CIS 2.24 - Privacy
- - id: 10060
+ - id: 14560
 title: "Ensure 'Disable Opt-in Wizard on First Run' is set to Enabled"
 description: "This policy setting controls whether users see the Opt-in Wizard the first time they run a Microsoft Office application. The recommended state for this setting is: Enabled."
 rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies."
@@ -651,7 +666,7 @@ checks:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> 1'
- - id: 10061
+ - id: 14561
 title: "Ensure 'Enable Customer Experience Improvement Program' is set to Disabled"
 description: "This policy setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office. When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. The recommended state for this setting is: Disabled"
 rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies."
@@ -663,7 +678,7 @@ checks:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> 0'
- - id: 10062
+ - id: 14562
 title: "Ensure 'Allow including screenshot with Office Feedback' is set to Disabled"
 description: "This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
@@ -672,10 +687,10 @@ checks:
 - cis: "2.24.1.3"
 condition: all
 rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
- - "r:HKEY_CURRENT_USER\\software\\policies\\microsoft\\office\\16.0\\common\\feedback -> \tincludescreenshot -> 0"
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
+ - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> 0'
- - id: 10063
+ - id: 14563
 title: "Ensure 'Send Office Feedback' is set to Disabled"
 description: "This policy setting manages the Office Feedback Tool (a.k.a. Send a Smile). The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
@@ -687,7 +702,7 @@ checks:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> 0'
- - id: 10064
+ - id: 14564
 title: "Ensure 'Send personal information' is set to Disabled"
 description: "This policy setting controls whether users can send personal information to Office. When users choose to send information Office applications automatically send information to Office."
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
@@ -699,8 +714,8 @@ checks:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata'
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> 0'
- - id: 10065
- title: "Ensure Set 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled"
+ - id: 14565
+ title: "Ensure 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled"
 description: "This policy setting controls whether Microsoft Office Diagnostics is enabled. Office Diagnostics enables Microsoft to diagnose system problems by periodically downloading a small file to the computer. If you enable this policy setting, Office Diagnostics collects information about specific errors and the IP address of the computer. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. If you disable this policy setting, users will not receive updates from Office Diagnostics. If you do not configure this policy setting, this policy setting is not enabled, but users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run an Office application. The recommended state for this setting is: Disabled."
 rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update.
By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
From 1df82b3a9c593accd19d85424e5c5e14c154d97e Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 26 Jun 2019 14:19:39 +0200
Subject: [PATCH 135/247] Fix GRUB rule for RHEL7
---
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index f492bd062..9e57fbf8d 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -286,7 +286,7 @@ checks:
 - pci_dss: "2.2.4"
 condition: all
 rules:
- - 'f:/boot/grub2/grub.cfg -> !r:^# && r:^\s*GRUB2_PASSWORD\.$'
+ - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+'
 ###############################################
 # 1.5 Additional Process Hardening
From 01860fd9209be77273fc7b12708da111c97c96b7 Mon Sep 17 00:00:00 2001
From: JuantAldea
Date: Wed, 26 Jun 2019 14:39:39 +0200
Subject: [PATCH 136/247] Add chrony check to RHEL7
---
 sca/rhel/7/cis_rhel7_linux_rcl.yml | 65 ++++++++++++++++++------------
 1 file changed, 40 insertions(+), 25 deletions(-)
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index 9e57fbf8d..de71d7879 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
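Review bot: The rewritten rule looks for `^GRUB2_PASSWORD=` in /boot/grub2/grub.cfg, but on RHEL 7 the `grub2-setpassword` tool writes that line to /boot/grub2/user.cfg, which grub.cfg only sources; grub.cfg itself normally carries a `password_pbkdf2` directive instead, so a host hardened the documented way will fail this check. Pointing the rule at the file that actually holds the line, `- 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD=\.+'`, or accepting either location under `condition: any`, would match what CIS audits. The check's id, title and remediation lie above the hunk, so verify the remediation text names the same file.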
@@ -604,8 +604,23 @@ checks:
 - 'f:/etc/sysconfig/ntpd -> r:^OPTIONS\s*=\s* && r:-u ntp:ntp'
 - 'f:/usr/lib/systemd/system/ntpd.service -> r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp'
-# 2.2.7 Disable NFS and RPC (Scored)
+# 2.2.1.2 Configure Network Time Protocol (Chrony) (Scored)
 - id: 6538
+ title: "Ensure chrony is configured"
+ description: "chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server."
+ rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+ remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'"
+ compliance:
+ - cis: "2.2.1.2"
+ - cis_csc: "6.1"
+ - pci_dss: "2.2.2"
+ condition: all
+ rules:
+ - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
+ - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony'
+
+# 2.2.7 Disable NFS and RPC (Scored)
+ - id: 6539
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
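Review bot: The `remediation` string of the new check 6538 is garbled — its steps are numbered 1), 1), 3), the restrict lines after "to match the following: -" are missing and "server ." names no server — so it should be rewritten as the three CIS steps (restrict lines, server/pool lines, OPTIONS), and it quotes `OPTIONS='-u chronyd'` while the rule below requires `-u chrony`, the account CIS specifies; the substring match accepts both, but the remediation should say `-u chrony`. The `description` is copied from the ntp check (it links ntp.org and says "ntp can be configured to be a client and/or a server") and should describe chrony instead. The section comment and `cis: "2.2.1.2"` appear to reuse the number of the ntp check whose rules open this hunk; in the CIS RHEL 7 benchmark the chrony item is 2.2.1.3, so confirm and correct. Inserting 6538 here also shifts the id of every later check (this hunk through the 6.2.5 hunk), which changes the identity of existing checks and may break result history if ids are used as stable keys.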
@@ -621,7 +636,7 @@ checks:
 - 'c:systemctl is-enabled rpcbind -> r:^enabled'
 # 2.2.9 Remove FTP Server (Scored)
- - id: 6539
+ - id: 6540
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
@@ -635,7 +650,7 @@ checks:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
 # 2.2.10 Remove HTTP Server (Scored)
- - id: 6540
+ - id: 6541
 title: "Ensure HTTP server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -648,7 +663,7 @@ checks:
 - 'c:systemctl is-enabled httpd -> r:^enabled'
 # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored)
- - id: 6541
+ - id: 6542
 title: "Ensure IMAP and POP3 server is not enabled"
 description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -662,7 +677,7 @@ checks:
 - 'c:systemctl is-enabled dovecot -> r:^enabled'
 # 2.2.12 Remove Samba (Scored)
- - id: 6542
+ - id: 6543
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
@@ -676,7 +691,7 @@ checks:
 - 'c:systemctl is-enabled smb -> r:^enabled'
 # 2.2.13 Remove HTTP Proxy Server (Scored)
- - id: 6543
+ - id: 6544
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
@@ -690,7 +705,7 @@ checks:
 - 'c:systemctl is-enabled squid -> r:^enabled'
 # 2.2.14 Remove SNMP Server (Not Scored)
- - id: 6544
+ - id: 6545
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
@@ -710,7 +725,7 @@ checks:
 # 3.1 Modify Network Parameters (Host Only)
 ###############################################
 # 3.1.1 Disable IP Forwarding (Scored)
- - id: 6545
+ - id: 6546
 title: "Ensure IP forwarding is disabled"
 description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -725,7 +740,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
 # 3.1.2 Disable Send Packet Redirects (Scored)
- - id: 6546
+ - id: 6547
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -745,7 +760,7 @@ checks:
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 6547
+ - id: 6548
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -762,7 +777,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
 # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 6548
+ - id: 6549
 title: "Ensure ICMP redirects are not accepted"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -779,7 +794,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
 # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 6549
+ - id: 6550
 title: "Ensure secure ICMP redirects are not accepted"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -796,7 +811,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
 # 3.2.4 Log Suspicious Packets (Scored)
- - id: 6550
+ - id: 6551
 title: "Ensure suspicious packets are logged"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
@@ -813,7 +828,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 6551
+ - id: 6552
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
@@ -828,7 +843,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
 # 3.2.6 Enable Bad Error Message Protection (Scored)
- - id: 6552
+ - id: 6553
 title: "Ensure bogus ICMP responses are ignored"
 description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -843,7 +858,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 # 3.2.7 Enable RFC-recommended Source Route Validation (Scored)
- - id: 6553
+ - id: 6554
 title: "Ensure Reverse Path Filtering is enabled"
 description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
@@ -860,7 +875,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 # 3.2.8 Enable TCP SYN Cookies (Scored)
- - id: 6554
+ - id: 6555
 title: "Ensure TCP SYN Cookies is enabled"
 description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -881,7 +896,7 @@ checks:
 # 5.2 Configure SSH
 ###############################################
 # 5.2.2 Set SSH Protocol to 2 (Scored)
- - id: 6555
+ - id: 6556
 title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -897,7 +912,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
 # 5.2.3 Set LogLevel to INFO (Scored)
- - id: 6556
+ - id: 6557
 title: "Ensure SSH LogLevel is set to INFO"
 description: "The INFO parameter specifies that login and logout activity will be logged."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
@@ -913,7 +928,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
 # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 6557
+ - id: 6558
 title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -927,7 +942,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 6558
+ - id: 6559
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -943,7 +958,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
 # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 6559
+ - id: 6560
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -959,7 +974,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
 # 5.2.8 Disable SSH Root Login (Scored)
- - id: 6560
+ - id: 6561
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
@@ -975,7 +990,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
 # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 6561
+ - id: 6562
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
@@ -997,7 +1012,7 @@ checks:
 # 6.2 Review User and Group Settings
 ###############################################
 # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 6562
+ - id: 6563
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
From af518ebda712e840e40c521d53fecfded5de3dd8 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 26 Jun 2019 16:29:44 +0200
Subject: [PATCH 137/247] Review system audit password policies
---
 sca/generic/system_audit_pw.yml | 59 ++++++++++-----------------------
 1 file changed, 17 insertions(+), 42 deletions(-)
diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml
index d9c4e553e..15b601fe5 100644
--- a/sca/generic/system_audit_pw.yml
+++ b/sca/generic/system_audit_pw.yml
@@ -46,8 +46,8 @@ checks:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: all
 rules:
- - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass'
- - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
+ - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass'
+ - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
 - id: 13001
 title: "Ensure passwords are longer than 13 characters"
@@ -61,8 +61,7 @@ checks:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
 rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
- - 'f:/etc/security/pwquality.conf -> n:minlen=(\d+) compare >= 14'
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
 - id: 13002
 title: "Ensure passwords contain at least one digit"
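Review bot: Replacing `$pam_d_files` with the literal /etc/pam.d/common-password in both rules of this hunk ties a policy that lives under sca/generic to the Debian/Ubuntu PAM layout; RHEL-family hosts keep these lines in /etc/pam.d/system-auth and /etc/pam.d/password-auth (the remediation text removed in the 13005 hunk still names them), so the checks can never pass there. The same substitution is made in the minlen, dcredit, lcredit, ucredit, ocredit and sha512 hunks that follow. In the minlen and credit rules the `r:pam_cracklib.so &&` prefix also excludes pam_pwquality configurations, and dropping the /etc/security/pwquality.conf rules removes the place pwquality normally stores minlen and the credit settings, so keeping `f:$pam_d_files` (or listing both layouts under `condition: any`) together with the pwquality.conf rules would preserve coverage. Note too that `r:dcredit=-1` is a literal match, so a stricter `dcredit=-2` fails the check that the previous `\p*\d` form accepted.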
@@ -76,8 +75,7 @@ checks:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
 rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^dcredit=\p*\d'
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1'
 - id: 13003
 title: "Ensure passwords contain at least one lowercase character"
@@ -91,8 +89,7 @@ checks:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
 rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d'
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1'
 - id: 13004
 title: "Ensure passwords contain at least one uppercase character"
@@ -106,25 +103,9 @@ checks:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
 rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^lcredit=\p*\d'
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1'
 - id: 13005
- title: "Ensure passwords contain at least one uppercase character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^ucredit=\p*\d'
-
- - id: 13006
 title: "Ensure passwords contain at least one special character"
 description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -136,27 +117,21 @@ checks:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
 rules:
- - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=\p*\d'
- - 'f:/etc/security/pwquality.conf -> r:^ocredit=\p*\d'
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1'
- - id: 13007
- title: "Ensure password hashing algorithm is SHA-256 or higher"
- description: "Password hashing should use a cryptographically secure algorithm such as SHA-256 or SHA-512 instead of MD5."
- rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
- remediation: "Edit the /etc/pam.d/common-password file or /etc/pam.d/password-auth and /etc/pam.d/system-auth files (depending on the Linux distribution used) to include the sha512 option for pam_unix.so."
+ - id: 13006
+ title: "Ensure password hashing algorithm is SHA-512"
+ description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+ rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+ remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512"
 compliance:
 - cis: "5.3.4"
- - cis_csc: "16.4, 16.14"
- references:
- - https://security.stackexchange.com/questions/77349/how-can-i-find-out-the-password-hashing-schemes-used-by-the-specific-unix-accoun
- - https://docs.oracle.com/cd/E26505_01/html/E27224/secsystask-42.html
+ - cis_csc: "16.14"
 condition: any
 rules:
- - 'f:/etc/security/policy.conf -> r:^CRYPT_DEFAULT=\d && !r:^CRYPT_DEFAULT=1|^CRYPT_DEFAULT=2|^CRYPT_DEFAULT=2a|^CRYPT_DEFAULT=2x|^CRYPT_DEFAULT=2y|^CRYPT_DEFAULT=md5|^CRYPT_DEFAULT=__unix__'
- - 'f:$pam_d_files -> n:^password\.+pam_unix.so\.+sha(\d+) compare >= 256'
- - 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) compare >= 256'
+ - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512'
- - id: 13008
+ - id: 13007
 title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256"
 description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5."
 rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
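Review bot: The single rule left for check 13006 requires the literal `sha512` option on the pam_unix line of /etc/pam.d/common-password, so the cases the removed rules covered — a `sha256` option, an `ENCRYPT_METHOD SHA512` in /etc/login.defs (which recent Linux-PAM pam_unix uses as the default when no algorithm option is given; confirm for the target PAM versions), and RHEL's system-auth/password-auth files — now report as failed although the hashing is compliant. The title was narrowed to SHA-512 only while the neighbouring check 13007 still accepts SHA-256, so the two checks now disagree on what passes. Keeping the login.defs rule, `- 'f:/etc/login.defs -> r:^ENCRYPT_METHOD\s+ && n:SHA(\d+) compare >= 256'`, under the existing `condition: any` would restore that path. The start of this check lies in the hunk above.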
@@ -169,7 +144,7 @@ checks:
 - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$'
 # 5.4 User accounts and Environment
- - id: 13009
+ - id: 13008
 title: "Ensure password expiration is 365 days or less"
 description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
@@ -182,4 +157,4 @@ checks:
 condition: any
 rules:
 - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52'
- - 'f:/etc/login.defs -> n:PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
+ - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
From 06445f29409091c08f3805f3391830dc014f5030 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 26 Jun 2019 16:58:09 +0200
Subject: [PATCH 138/247] Review system_audit_ssh policy
---
 sca/generic/system_audit_ssh.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
index 6dfc61f4e..ca889bf51 100644
--- a/sca/generic/system_audit_ssh.yml
+++ b/sca/generic/system_audit_ssh.yml
@@ -86,9 +86,9 @@ checks:
 remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
 compliance:
 - pci_dss: "2.2.4"
- condition: none
+ condition: all
 rules:
- - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+yes'
+ - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no'
 - id: 1506
 title: "SSH Hardening - 7: Rhost or shost should not be used for authentication"
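Review bot: In the PermitEmptyPasswords rule, moving from `condition: none` / `\.+yes` to `condition: all` / `\.+no` makes an sshd_config that omits the directive fail, although sshd's built-in default for PermitEmptyPasswords is already `no`; the same change is made in the IgnoreRhosts hunk at -97 (default `yes`) and the HostbasedAuthentication hunk at -132 (default `no`), so hosts that were compliant by default now report a failure for all three. If an explicit setting is what the policy wants, the titles and descriptions should say so; if the default should keep passing, a negated rule under `all`, `- 'not f:$sshd_file -> r:^\s*PermitEmptyPasswords\s+yes'`, preserves the old semantics, assuming `not` is accepted on `f:` rules as it is on the `c:` rule later in this series. Independently, `\.+no` accepts any run of characters between the keyword and `no`, so a `yes` line with a trailing comment that happens to contain `no` satisfies the check; `r:^\s*PermitEmptyPasswords\s+no` pins the value to the directive.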
@@ -97,9 +97,9 @@ checks:
 remediation: "Change the IgnoreRhosts option value in the sshd_config file."
 compliance:
 - pci_dss: "2.2.4"
- condition: none
+ condition: all
 rules:
- - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+no'
+ - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes'
 - id: 1507
 title: "SSH Hardening - 8: Grace Time should be 30 or less."
@@ -132,6 +132,6 @@ checks:
 - pci_dss: "4.1"
 - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
 - nist_800_53: "SC.8"
- condition: none
+ condition: all
 rules:
- - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+yes'
+ - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
From 4cc9ab7d99ed9de65859ab20b8ddcfd4fb8035c5 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Wed, 26 Jun 2019 08:32:12 -0700
Subject: [PATCH 139/247] Fixed SCA policies for Debian 8
---
 sca/debian/cis_debianlinux7-8_L1_rcl.yml | 350 ++++++++++-------------
 sca/debian/cis_debianlinux7-8_L2_rcl.yml | 350 +++++++++++++----------
 2 files changed, 358 insertions(+), 342 deletions(-)
diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
index fb41f2117..fdfb101df 100644
--- a/sca/debian/cis_debianlinux7-8_L1_rcl.yml
+++ b/sca/debian/cis_debianlinux7-8_L1_rcl.yml
@@ -11,8 +11,8 @@
 # Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018
 policy:
- id: "cis_debianlinux8_L1"
- file: "cis_debianlinux8_L1_rcl.yml"
+ id: "cis_debian8_L1"
+ file: "cis_debian8_L1.yml"
 name: "CIS benchmark for Debian/Linux 8 L1"
 description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 8."
 references:
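Review bot: The new `file: "cis_debian8_L1.yml"` does not match the file this hunk lives in, `sca/debian/cis_debianlinux7-8_L1_rcl.yml`, and the diffstat of this commit shows no rename, so the policy's self-reference points at a file that does not exist unless a rename lands elsewhere in the series. Either rename the file in the same commit or keep `file:` equal to the on-disk name, since tooling that keys on this field will otherwise fail to associate the policy with its file. The header comment names the "Debian Linux 8 Benchmark" while the path still says 7-8; worth aligning once the name is settled.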
@@ -120,7 +120,7 @@ checks:
 - 'not c:lsmod -> r:udf'
 # 2 Filesystem Configuration
- - id: 10500
+ - id: 11007
 title: "Ensure /tmp is configured"
 description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -135,7 +135,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s'
- - id: 10501
+ - id: 11008
 title: "Ensure nodev option set on /tmp partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -147,7 +147,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
- - id: 10502
+ - id: 11009
 title: "Ensure nosuid option set on /tmp partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
@@ -159,7 +159,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
- - id: 10501
+ - id: 11010
 title: "Ensure nodev option set on /var/tmp partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
@@ -171,7 +171,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
- - id: 10501
+ - id: 11011
 title: "Ensure nosuid option set on /var/tmp partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
@@ -183,7 +183,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
- - id: 10501
+ - id: 11012
 title: "Ensure noexec option set on /var/tmp partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
@@ -195,7 +195,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:noexec'
- - id: 10509
+ - id: 11013
 title: "Ensure nodev option set on /home partition"
 description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
@@ -207,7 +207,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
- - id: 10510
+ - id: 11014
 title: "Ensure nodev option set on /dev/shm partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -219,7 +219,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
- - id: 10511
+ - id: 11015
 title: "Ensure nosuid option set on /dev/shm partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -231,7 +231,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
- - id: 10512
+ - id: 11016
 title: "Ensure noexec option set on /dev/shm partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -243,7 +243,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
- - id: 10513
+ - id: 11017
 title: "Disable Automounting"
 description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
@@ -256,7 +256,7 @@ checks:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
 # 1.3 Filesystem Integrity Checking
- - id: 11026
+ - id: 11018
 title: "Ensure AIDE is installed"
 description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
 rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
@@ -268,7 +268,7 @@ checks:
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
- - id: 11027
+ - id: 11019
 title: "Ensure filesystem integrity is regularly checked"
 description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
@@ -281,7 +281,7 @@ checks:
 - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check'
 # 1.4 Secure Boot Settings
- - id: 10514
+ - id: 11020
 title: "Ensure bootloader password is set"
 description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -294,7 +294,7 @@ checks:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
- - id: 10515
+ - id: 11021
 title: "Ensure authentication required for single user mode"
 description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -307,7 +307,7 @@ checks:
 - 'f:/etc/shadow -> r:^root:*:|^root:!:'
 # 1.5 Additional Process Hardening
- - id: 10516
+ - id: 11022
 title: "Ensure core dumps are restricted"
 description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -321,7 +321,7 @@ checks:
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$'
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
- - id: 10517
+ - id: 11023
 title: "Ensure address space layout randomization (ASLR) is enabled"
 description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -335,7 +335,7 @@ checks:
 - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
 # 1.7 Warning Banners
- - id: 10593
+ - id: 11024
 title: "Ensure local login warning banner is configured properly"
 description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture \r - operating system release \s - operating system name \v - operating system version"
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in."
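Review bot: The rationale of the renumbered check 11024 contains an unescaped double quote inside a double-quoted YAML scalar (`running the " uname -a " command`), and its description uses `\m`, `\r`, `\s` and `\v` inside double quotes, where YAML treats backslash as an escape introducer (`\m` and `\s` are not valid escapes; `\r` and `\v` become control characters); if the file really reads as rendered here, this block will most likely fail to load or load with altered text, so the id change alone does not make the check usable. Switching both scalars to single quotes, where backslashes are literal and `"` needs no escaping, or escaping as `\"` and `\\m` respectively, fixes it without changing the wording. The enclosing check continues past the end of the hunk.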
@@ -348,7 +348,7 @@ checks:
 - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue'
 # 2 Services
- - id: 10523
+ - id: 11025
 title: "Ensure xinetd is not installed"
 description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
 rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
@@ -360,7 +360,7 @@ checks:
 rules:
 - 'c:dpkg -s xinetd -> r:install ok installed'
- - id: 10523
+ - id: 11026
 title: "Ensure inetd is not installed"
 description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
@@ -373,7 +373,7 @@ checks:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
 - 'c:dpkg -s inetutils-inetd -> r:install ok installed'
- - id: 10532
+ - id: 11027
 title: "Ensure ntp is configured"
 description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
@@ -391,7 +391,7 @@ checks:
 - 'f:/etc/ntp.conf -> r:^server\s\.+'
 - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
- - id: 10529
+ - id: 11028
 title: "Ensure Avahi Server is not enabled"
 description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
@@ -403,7 +403,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
- - id: 10530
+ - id: 11029
 title: "Ensure CUPS is not enabled"
 description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -415,7 +415,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled cups -> r:^enabled'
- - id: 10531
+ - id: 11030
 title: "Ensure DHCP Server is not enabled"
 description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
@@ -430,7 +430,7 @@ checks:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
 - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled'
- - id: 10533
+ - id: 11031
 title: "Ensure LDAP server is not enabled"
 description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
@@ -444,7 +444,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled slapd -> r:^enabled'
- - id: 10534
+ - id: 11032
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -457,7 +457,7 @@ checks:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
 - 'c:systemctl is-enabled rpcbind -> r:^enabled'
- - id: 10535
+ - id: 11033
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -469,7 +469,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
- - id: 10536
+ - id: 11034
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -481,7 +481,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
- - id: 10537
+ - id: 11035
 title: "Ensure HTTP Server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -493,7 +493,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
- - id: 10539
+ - id: 11036
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -505,7 +505,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
- - id: 10540
+ - id: 11037
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
@@ -517,7 +517,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
- - id: 10541
+ - id: 11038
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
@@ -529,7 +529,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
- - id: 10543
+ - id: 11039
 title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -541,7 +541,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
- - id: 10518
+ - id: 11040
 title: "Ensure NIS Client is not installed"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -553,7 +553,7 @@ checks:
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
- - id: 10519
+ - id: 11041
 title: "Ensure rsh client is not installed"
 description: "The rshpackage contains the client commands for the rsh services."
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
@@ -566,7 +566,7 @@ checks:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
 - 'c:dpkg -s rsh-redone-client -> r:install ok installed'
- - id: 10520
+ - id: 11042
 title: "Ensure talk client is not installed"
 description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -578,7 +578,7 @@ checks:
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
- - id: 10521
+ - id: 11043
 title: "Ensure telnet client is not installed"
 description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
@@ -591,7 +591,7 @@ checks:
 - 'c:dpkg -s telnet -> r:install ok installed'
 # 3 Network Configuration
- - id: 10544
+ - id: 11044
 title: "Ensure IP forwarding is disabled"
 description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -606,7 +606,7 @@ checks:
 - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
- - id: 10545
+ - id: 11045
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -621,7 +621,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
- - id: 10546
+ - id: 11046
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -640,7 +640,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
- - id: 10547
+ - id: 11047
 title: "Ensure ICMP redirects are not accepted"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -659,7 +659,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
- - id: 10548
+ - id: 11048
 title: "Ensure secure ICMP redirects are not accepted"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -674,7 +674,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- - id: 10549
+ - id: 11049
 title: "Ensure suspicious packets are logged"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -689,7 +689,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
- - id: 10550
+ - id: 11050
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -702,7 +702,7 @@ checks:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
- - id: 10551
+ - id: 11051
 title: "Ensure bogus ICMP responses are ignored"
 description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -715,7 +715,7 @@ checks:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
- - id: 10552
+ - id: 11052
 title: "Ensure Reverse Path Filtering is enabled"
 description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
 rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
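Review bot: The rationale of the renumbered check 11052 is the only plain (unquoted) scalar among these hunks; it parses today, but it breaks the file's convention of quoting every title, description and rationale, and any later edit that introduces `: ` or ` #` into the sentence would break or silently alter the parse. Quote it like its neighbours, `rationale: "Setting these flags is a good way ... without breaking the routing."`, keeping the text unchanged. The enclosing check continues past the end of the hunk.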
@@ -730,7 +730,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - - id: 10553 + - id: 11053 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." 
@@ -743,7 +743,7 @@ checks: - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' - - id: 10554 + - id: 11054 title: "Ensure IPv6 router advertisements are not accepted" description: "This setting disables the systems ability to accept router advertisements" rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." @@ -758,7 +758,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$' - - id: 10557 + - id: 11055 title: "Ensure /etc/hosts.allow is configured" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system." @@ -770,7 +770,7 @@ checks: rules: - 'f:/etc/hosts.allow' - - id: 10558 + - id: 11056 title: "Ensure /etc/hosts.deny is configured" description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." 
@@ -783,7 +783,7 @@ checks: - 'f:/etc/hosts.deny' - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' - - id: 10559 + - id: 11057 title: "Ensure DCCP is disabled" description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery." rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." @@ -796,7 +796,7 @@ checks: - 'not c:modprobe -n -v dccp -> r:install /bin/true' - 'c:lsmod -> r:dccp' - - id: 10560 + - id: 11058 title: "Ensure SCTP is disabled" description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -809,7 +809,7 @@ checks: - 'not c:modprobe -n -v sctp -> r:install /bin/true' - 'c:lsmod -> r:sctp' - - id: 10561 + - id: 11059 title: "Ensure RDS is disabled" description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." 
@@ -822,7 +822,7 @@ checks: - 'not c:modprobe -n -v rds -> r:install /bin/true' - 'c:lsmod -> r:rds' - - id: 10562 + - id: 11060 title: "Ensure TIPC is disabled" description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -837,7 +837,7 @@ checks: # 3.5 Firewall configuration - - id: 10563 + - id: 11061 title: "Ensure default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." @@ -851,7 +851,7 @@ checks: - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP' - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 10563 + - id: 11062 title: " Ensure IPv6 default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." @@ -865,7 +865,7 @@ checks: - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP' - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 10563 + - id: 11063 title: "Ensure iptables is installed" description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables." rationale: "iptables is required for firewall management and configuration." 
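Review bot: The `c:iptables -L` and `c:ip6tables -L` commands that open the `@@ -851` and `@@ -865` hunks run without `-n`, so the listing reverse-resolves every address and port in the rule set; on a host with a slow or unreachable resolver the SCA command can stall for a long time, and a scan timeout would then report checks 11061/11062 as failed for the wrong reason. The regexes only read the chain header line, which `-n` leaves untouched, so `- 'c:iptables -L -n -> r:^Chain FORWARD && r:policy DROP'` is a drop-in change for the visible rules (the INPUT rule of each check starts outside the hunk). `c:iptables -S -> r:^-P FORWARD DROP` would avoid the full listing entirely. The title `" Ensure IPv6 default deny firewall policy"` also carries a stray leading space inside the quotes.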
@@ -878,7 +878,7 @@ checks: - 'c:dpkg -s iptables -> r:install ok installed' # 4 Logging and Auditing - - id: 10564 + - id: 11064 title: "Ensure rsyslog Service is enabled" description: "Once the rsyslog package is installed it needs to be activated." rationale: "If the rsyslog service is not activated the system will not have a syslog service running." @@ -890,7 +890,7 @@ checks: rules: - 'c:systemctl is-enabled rsyslog -> r:^enabled' - - id: 10566 + - id: 11065 title: "Ensure rsyslog is configured to send logs to a remote log host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system." @@ -904,7 +904,7 @@ checks: rules: - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+' - - id: 10567 + - id: 11066 title: "Ensure remote rsyslog messages are only accepted on designated log hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." 
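Review bot: The forwarding rule at the top of the `@@ -904` hunk, `r:^*.* @@\.+`, only recognises the legacy TCP form `*.* @@loghost`, so a host that forwards with `*.* @loghost` (UDP, which the referenced CIS audit also accepts) or with a RainerScript `action(type="omfwd" ...)` stanza is reported as not forwarding at all. A false failure on every modern rsyslog configuration is the kind of noise that gets a check disabled, which then hides the hosts that genuinely keep their logs local only. At minimum the regex could accept both legacy forms, `r:^*.* @@\.+|^*.* @\.+` (alternation is already used in the `LogLevel` rule of this file); covering RainerScript needs a second rule that greps for `omfwd` in the same files. The rule belongs to check 11065, whose other fields start outside the hunk.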
@@ -921,7 +921,7 @@ checks: - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514' # 5 Access, Authentication and Authorization - - id: 10569 + - id: 11067 title: "Ensure cron daemon is enabled" description: "The cron daemon is used to execute batch jobs on the system." rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them." @@ -933,7 +933,7 @@ checks: rules: - 'c:systemctl is-enabled cron -> r:^enabled$' - - id: 10570 + - id: 11068 title: "Ensure at/cron is restricted to authorized users" description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." 
@@ -950,7 +950,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600' - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600' - - id: 10574 + - id: 11069 title: "Ensure permissions on /etc/ssh/sshd_config are configured" description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root." rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users." @@ -962,7 +962,7 @@ checks: rules: - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600' - - id: 10574 + - id: 11070 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." @@ -974,7 +974,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' - - id: 10575 + - id: 11071 title: "Ensure SSH LogLevel is appropriate" description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments." rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." 
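Review bot: The `r:Protocol\s*\t*2` rule that opens the `@@ -974` hunk is not anchored, so `Protocol 2,1` — which still offers SSHv1 — contains the substring `Protocol 2` and passes check 11070. Anchoring both ends, `- 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*Protocol\s*\t*2\s*$'`, closes that gap (`$` is already used by the sysctl rules in this file). Separately, OpenSSH removed SSHv1 and the `Protocol` directive some releases ago (7.4, if I recall correctly), so stock configurations on current Debian omit the line and this check fails on every such host even though only v2 is possible; consider saying so in the description or gating the check on the installed OpenSSH version. The remaining fields of 11070 sit in the preceding `@@ -962` hunk.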
@@ -988,7 +988,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE' - - id: 10576 + - id: 11072 title: "Ensure SSH X11 forwarding is disabled" description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." @@ -1000,7 +1000,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' - - id: 10577 + - id: 11073 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." @@ -1012,7 +1012,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' - - id: 10578 + - id: 11074 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
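Review bot: The `r:X11Forwarding\s+no` rule at the top of the `@@ -1000` hunk is satisfied by the directive anywhere in `sshd_config`, so `X11Forwarding no` written inside a `Match` block for a handful of users passes check 11072 while the global setting stays `yes`; the `n:^MaxAuthTries...` rule in the `@@ -1012` hunk at least rejects indented lines, but an unindented directive under a `Match` line has the same effect. The `!r:^#` guard is anchored at column 0 too, so an indented comment like `    # X11Forwarding no` counts as a live directive; `!r:^\s*#` is the safer negation. Since the scanner cannot track `Match` scope, the description should state that only the global directive is meant to satisfy the check. On OpenSSH 8.2 and later, if I recall correctly, directives may also live in files `Include`d from `/etc/ssh/sshd_config.d/`, which `f:/etc/ssh/sshd_config` never reads.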
@@ -1024,7 +1024,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' - - id: 10579 + - id: 11075 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." @@ -1036,7 +1036,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - - id: 10580 + - id: 11076 title: "Ensure SSH root login is disabled " description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." @@ -1050,7 +1050,7 @@ checks: # 5.2 SSH Server Configuration - - id: 10581 + - id: 11077 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" 
@@ -1062,7 +1062,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' - - id: 10582 + - id: 11078 title: "Ensure SSH PermitUserEnvironment is disabled" description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" @@ -1074,7 +1074,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' - - id: 10583 + - id: 11079 title: "Ensure SSH Idle Timeout Interval is configured" description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." 
@@ -1087,7 +1087,7 @@ checks: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0' - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3' - - id: 10584 + - id: 11080 title: "Ensure SSH access is limited" description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." @@ -1099,7 +1099,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' - - id: 10585 + - id: 11081 title: "Ensure SSH warning banner is configured" description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system." 
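Review bot: The `ClientAliveCountMax ... compare <= 3` rule at the top of the `@@ -1087` hunk accepts 0, and the rationale in the preceding hunk even recommends 0, but since OpenSSH 8.2 (per its release notes, if I recall correctly) `ClientAliveCountMax 0` disables the liveness disconnect entirely instead of terminating after the first missed probe, so a host that follows this guidance on a current Debian has no idle timeout at all while check 11079 passes. Mirroring the interval rule with `&& n:ClientAliveCountMax\s*\t*(\d+) compare != 0` closes the gap, and `ClientAliveCountMax 1` gives the intended behaviour on every version. The rationale text should then stop recommending 0. The `rules:` line and the check's earlier fields start outside the hunk.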
@@ -1113,7 +1113,7 @@ checks: # 5.3 Configure PAM - - id: 10571 + - id: 11082 title: "Ensure password creation requirements are configured" description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)" rationale: "Strong passwords protect systems from being hacked through brute force methods." @@ -1131,7 +1131,7 @@ checks: - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit' - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit' - - id: 10572 + - id: 11083 title: "Ensure lockout for failed password attempts is configured" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." 
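Review bot: The `ocredit` and `lcredit` rules at the top of the `@@ -1131` hunk only test that the key appears on an uncommented line, so `ocredit = 0` or a positive credit (which merely rewards the character class instead of requiring it) passes check 11082 exactly as `ocredit = -1` does. Requiring a negative value keeps the check meaningful without pinning an exact number: `- 'f:/etc/security/pwquality.conf -> !r:^# && r:^\s*ocredit\s*=\s*-\d'` and the same for `lcredit` (`-` is literal in this regex dialect, as the `r:^0-0-600` rules show). The `minlen`, `dcredit` and `ucredit` rules of the same check presumably share the weakness but start outside the hunk.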
@@ -1143,7 +1143,7 @@ checks: rules: - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+' - - id: 10573 + - id: 11084 title: "Ensure password reuse is limited" description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." 
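Review bot: In the pam_tally2 rule at the top of the `@@ -1143` hunk, `r:deny\s*=\s*\d` needs only one digit after `=`, so `deny=50` or `deny=500` satisfies check 11083 as readily as `deny=5`, and `unlock_time\s*=\s*\d\d\d+` accepts anything from 100 seconds up. The file already mixes `r:` and `n:` terms in one rule (see the `MaxAuthTries` and `ClientAliveInterval` rules), so the same rule can bound the values: `&& n:deny\s*=\s*(\d+) compare <= 5 && n:unlock_time\s*=\s*(\d+) compare >= 900`. The thresholds should follow the benchmark version this policy tracks; 5 and 900 are the values the CIS Debian benchmark used at the time, if I recall correctly. Newer PAM stacks ship `pam_faillock` instead of `pam_tally2`, so a note in the description would save false failures there.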
@@ -1155,183 +1155,151 @@ checks: rules: - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5' ---------------------------------------------------- #ToDo - - - id: 10586 - title: "Restrict Access to the su Command" - description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su." - rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." - remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file." - compliance: - - cis: "9.5" - condition: all - rules: - - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid' - - 'f:/etc/group -> !r:^# && r:wheel' +# 5.4 User Accounts and Environment -# 10 User Accounts and Environment - - id: 10587 - title: "Set Password Expiration Days" - description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days." 
+ - id: 11085 + title: "Ensure password expiration is 365 days or less" + description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." - remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 " + remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password." compliance: - - cis: "10.1.1" + - cis: "5.4.1.1" + - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365' - - id: 10588 - title: "Set Password Change Minimum Number of Days" + - id: 11086 + title: "Ensure minimum days between password changes is 7 or more" description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. 
It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." - remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 " + remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password." compliance: - - cis: "10.1.2" + - cis: "5.4.1.2" + - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' - - id: 10589 - title: "Set Password Expiring Warning Days" + - id: 11087 + title: "Ensure password expiration warning days is 7 or more" description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." - remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 " + remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . 
Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password." compliance: - - cis: "10.1.3" + - cis: "5.4.1.3" + - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare <= 7' - - id: 10590 - title: "Set Default Group for root Account" - description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." - rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." - remediation: "# usermod -g 0 root" + - id: 11088 + title: "Ensure inactive password lock is 30 days or less" + description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled." + rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." + remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting." compliance: - - cis: "10.3" + - cis: "5.4.1.4" + - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' + - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30' - - id: 10591 - title: "Set Default umask for Users" - description: "The default umask determines the permissions of files created by users. 
The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories." - rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." - remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077" + - id: 11089 + title: "Ensure default group for the root account is GID 0" + description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." + rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." 
+ remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root" compliance: - - cis: "10.4" + - cis: "5.4.3" + - cis_csc: "5, 5.1" condition: all rules: - - 'c:grep -Rh ^umask 077 /etc/profile.d/' - - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077' + - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - - id: 10592 - title: "Lock Inactive User Accounts" - description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." - rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." - remediation: "# useradd -D -f 35" + - id: 11090 + title: "Ensure access to the su command is restricted" + description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su." + rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." + remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root, Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default." 
compliance: - - cis: "10.5" + - cis: "5.6" + - cis_csc: "5.1" condition: all rules: - - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' + - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so' + - 'f:/etc/group -> !r:^# && r:sudo:\w+:\d+:\.' + +# 6.2 User and Group Settings -# 13 Review User and Group Settings - - id: 10595 - title: "Ensure Password Fields are Not Empty" + - id: 11091 + title: "Ensure password fields are not empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password." rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." - remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." + remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." compliance: - - cis: "13.1" + - cis: "6.2.1" + - cis_csc: "16, 4.4" condition: none rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 10596 - title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" + - id: 11092 + title: "Ensure no legacy \"+\" entries exist in /etc/passwd" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." 
rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." - remediation: "Delete these entries if they exist." + remediation: "Remove any legacy + entries from /etc/passwd if they exist." compliance: - - cis: "13.2" + - cis: "6.2.2" + - cis_csc: "16.9, 16.2" condition: none rules: - 'f:/etc/passwd -> !r:^# && r:^+:' - - id: 10597 - title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" + - id: 11093 + title: "Ensure no legacy \"+\" entries exist in /etc/shadow" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." - remediation: "Delete these entries if they exist." + remediation: "Remove any legacy + entries from /etc/shadow if they exist." compliance: - - cis: "13.3" + - cis: "6.2.3" + - cis_csc: "16.9, 16.2" condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 10598 + + - id: 11094 title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." - remediation: "Delete these entries if they exist." + remediation: "Remove any legacy + entries from /etc/group if they exist." 
compliance: - - cis: "13.4" + - cis: "6.2.4" + - cis_csc: "16.9, 16.2" condition: none rules: - 'f:/etc/group -> !r:^# && r:^+:' - - id: 10599 - title: "Verify No UID 0 Accounts Exist Other Than root" + - id: 11095 + title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." - rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." - remediation: "Delete any other entries that are displayed." + rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." + remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - - cis: "13.5" - condition: none - rules: - - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' - - - id: 10600 - title: "Check for Presence of User .rhosts Files" - description: "While no .rhosts files are shipped by default, users can easily create them." - rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." - remediation: "If any users have .rhosts files determine why they have them." - compliance: - - cis: "13.10" - condition: none - rules: - - 'd:/home -> r:^.rhosts$' - - - id: 10601 - title: "Check for Presence of User .netrc Files" - description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." 
- rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." - remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." - compliance: - - cis: "13.18" - condition: none - rules: - - 'd:/home -> r:^.netrc$' - - - id: 10602 - title: "Check for Presence of User .forward Files" - description: "The .forward file specifies an email address to forward the user's mail to." - rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." - remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." - compliance: - - cis: "13.19" + - cis: "6.2.5" + - cis_csc: "5.1" condition: none rules: - - 'd:/home -> r:^.forward$' + - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' - - id: 10603 + - id: 11096 title: "Ensure shadow group is empty" - description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." - rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. 
If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." + description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." + rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." compliance: - - cis: "13.20" + - cis: "6.2.20" + - cis_csc: "5.1" condition: none rules: - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debianlinux7-8_L2_rcl.yml index a897e6625..8ce438831 100644 --- a/sca/debian/cis_debianlinux7-8_L2_rcl.yml +++ b/sca/debian/cis_debianlinux7-8_L2_rcl.yml @@ -11,8 +11,8 @@ # Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018 policy: - id: "cis_debianlinux8_L2" - file: "cis_debianlinux8_L2_rcl.yml" + id: "cis_debian8_L2" + file: "cis_debian8_L2.yml" name: "CIS benchmark for Debian/Linux 8 L2" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 8." references: 
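Review bot: The new `file: "cis_debian8_L2.yml"` does not match the path this hunk patches, `sca/debian/cis_debianlinux7-8_L2_rcl.yml` per the diff header, so the policy now names a file that does not exist under that path unless a rename is planned in a later commit. The old value `cis_debianlinux8_L2_rcl.yml` already disagreed with the path, so the mismatch is inherited, but this line is the place to settle it: either rename the file to `cis_debian8_L2.yml` or set `file: "cis_debianlinux7-8_L2_rcl.yml"`. If any consumer keys on the `file` field to locate or deduplicate policies, the mismatch would surface there, though I cannot confirm that from this diff.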
@@ -28,7 +28,7 @@ requirements: checks: - - id: 10504 + - id: 10500 title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." @@ -42,7 +42,7 @@ checks: rules: - 'c:mount -> r:\s/var\s' - - id: 10504 + - id: 10501 title: "Ensure separate partition exists for /var/tmp" description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated." @@ -56,7 +56,7 @@ checks: rules: - 'c:mount -> r:\s/var/tmp\s' - - id: 10506 + - id: 10502 title: "Ensure separate partition exists for /var/log" description: "The /var/log directory is used by system services to store log data." rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." 
@@ -70,7 +70,7 @@ checks: rules: - 'c:mount -> r:\s/var/log\s' - - id: 10507 + - id: 10503 title: "Ensure separate partition exists for /var/log/audit" description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory." rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." @@ -84,7 +84,7 @@ checks: rules: - 'c:mount -> r:\s/var/log/audit\s' - - id: 10508 + - id: 10504 title: "Ensure separate partition exists for /home" description: "The /home directory is used to support disk storage needs of local users." rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." @@ -98,7 +98,7 @@ checks: rules: - 'c:mount -> r:\s/home\s' - - id: 10513 + - id: 10505 title: "Disable Automounting" description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." @@ -111,7 +111,7 @@ checks: - 'c:systemctl is-enabled autofs -> r:^enabled' # 4 Additional Process Hardening - - id: 11007 + - id: 10506 title: "Ensure SELinux or AppArmor are installed" description: "SELinux and AppArmor provide Mandatory Access Controls." rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." 
@@ -126,7 +126,7 @@ checks: # 2 Services - - id: 10530 + - id: 10507 title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." 
@@ -138,267 +138,315 @@ checks: rules: - 'c:systemctl is-enabled cups -> r:^enabled' ---------------------------------------------------- #ToDo +# 4 Logging and Auditing -# 8.1 Configure System Accounting (auditd) - - id: 11008 - title: "Configure Audit Log Storage Size" + - id: 10508 + title: "Ensure audit log storage size is configured" description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." - remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." + remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes." compliance: - - cis: "8.1.1.1" + - cis: "4.1.1.1" + - cis_csc: "6.3, 6.4" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/auditd.conf' - - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+' - - id: 11009 - title: "Disable System on Audit Log Full" + - id: 10509 + title: "Ensure system is disabled when audit logs are full" description: "The auditd daemon can be configured to halt the system when the audit logs are full." rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." - remediation: "Add the following lines to the /etc/audit/auditd.conf file. 
space_left_action = email action_mail_acct = root admin_space_left_action = halt" + remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - - cis: "8.1.1.2" + - cis: "4.1.1.2" + - cis_csc: "6.3, 6.4" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/auditd.conf' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt' - - id: 11010 - title: "Keep All Auditing Information" - description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." + - id: 10510 + title: "Ensure audit logs are not automatically deleted" + description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs." rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." - remediation: "Add the following line to the /etc/audit/auditd.conf file. 
max_log_file_action = keep_logs" + remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs" compliance: - - cis: "8.1.1.3" + - cis: "4.1.1.3" + - cis_csc: "6.3, 6.4" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/auditd.conf' - - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs' + + - id: 10511 + title: "Ensure auditd service is enabled" + description: "Turn on the auditd daemon to record system events." + rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." + remediation: "Run the following command to enable auditd: # systemctl enable auditd" + compliance: + - cis: "4.1.2" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'c:systemctl is-enabled auditd -> r:^enabled' - - id: 11011 - title: "Enable Auditing for Processes That Start Prior to auditd" + - id: 10512 + title: "Ensure auditing for processes that start prior to auditd is enabled" description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." - remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" + remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." 
compliance: - - cis: "8.1.3" + - cis: "4.1.3" + - cis_csc: "6.2, 6.3" condition: all rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' - - id: 11012 - title: "Record Events That Modify Date and Time Information" + - id: 10513 + title: "Ensure events that modify date and time information are collected" description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change" compliance: - - cis: "8.1.4" + - cis: "4.1.4" + - cis_csc: "3.6, 5.5" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S clock_settime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S clock_settime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime -p wa -k time-change' - - - id: 11013 - title: "Record Events That Modify User/Group Information" - description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier \"identity\" in the audit log file." + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S clock_settime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change' + + - id: 10514 + title: "Ensure events that modify user/group information are collected" + description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file." rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." - remediation: "Add the following lines to the /etc/audit/audit.rules file. 
-w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "8.1.5" + - cis: "4.1.5" + - cis_csc: "5.4, 4.8" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/group -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd -p wa -k identity' - - - id: 11014 - title: "Record Events That Modify the System's Network Environment" - description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files." - rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" - remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity' + + - id: 10515 + title: "Ensure events that modify the system's network environment are collected" + description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files." + rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" + remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "8.1.6" + - cis: "4.1.6" + - cis_csc: "3.6, 5.5" condition: all rules: - 'f:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/network -p wa -k system-locale' - - - id: 11015 - title: "Record Events That Modify the System's Mandatory Access Controls" - description: "Monitor SELinux mandatory access controls. 
The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." - rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." - remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S sethostname && r:-S setdomainname && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale' + + - id: 10516 + title: "Ensure events that modify the system's Mandatory Access Controls are collected (SELinux)" + description: "Monitor SELinux mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." + rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." 
+ remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.7"
+ - cis_csc: "3.6, 5.5"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/ && r:-p wa && r:-k MAC-policy'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/ && r:-p wa && r:-k MAC-policy'
+
+ - id: 10517
+ title: "Ensure events that modify the system's Mandatory Access Controls are collected (AppArmor)"
+ description: "Monitor AppArmor mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor and /etc/apparmor.d directories."
+ rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+ remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "8.1.7"
+ - cis: "4.1.7"
+ - cis_csc: "3.6, 5.5"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ -p wa -k MAC-policy'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy'
- - id: 11016
- title: "Collect Login and Logout Events"
+ - id: 10518
+ title: "Ensure login and logout events are collected"
 description: "Monitor login and logout events. 
The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
 rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "8.1.8"
- condition: all
+ - cis: "4.1.8"
+ - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13"
+ condition: all&& r:
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog -p wa -k logins'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog -p wa -k logins'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog -p wa -k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
- - id: 11017
- title: "Collect Session Initiation Information"
- description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. 
The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\""
+ - id: 10519
+ title: "Ensure session initiation information is collected"
+ description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier \"logins.\""
 rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)"
+ remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
compliance:
- - cis: "8.1.9"
+ - cis: "4.1.9"
+ - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp -p wa -k session'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp -p wa -k session'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp -p wa -k session'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins'
- - id: 11018
- title: "Collect Discretionary Access Control Permission Modification Events"
- description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\""
+ - id: 10520
+ title: "Ensure discretionary access control permission modification events are collected"
+ description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. 
The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\""
 rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
- remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
compliance:
- - cis: "8.1.10"
+ - cis: "4.1.10"
+ - cis_csc: "3.6, 5.5"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod'
-
- - id: 11019
- title: "Collect Unsuccessful Unauthorized Access Attempts to Files"
- description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). 
All audit records will be tagged with the identifier \"access.\""
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
+
+ - id: 10521
+ title: "Ensure unsuccessful unauthorized file access attempts are collected"
+ description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. 
An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\""
 rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
- remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
compliance:
- - cis: "8.1.11"
+ - cis: "4.1.11"
+ - cis_csc: "14.6, 14.9"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access'
- - id: 11020
- title: "Collect Successful File System Mounts"
- description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user"
- rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. 
Recommendations on configuration options to track data export to media is beyond the scope of this document."
- remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
+
+ - id: 10522
+ title: "Ensure successful file system mounts are collected"
+ description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
+ rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
compliance:
- - cis: "8.1.13"
+ - cis: "4.1.13"
+ - cis_csc: "13, 5.1"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
- - id: 11021
- title: "Collect File Deletion Events by User"
+ - id: 10523
+ title: "Ensure file deletion events by users are collected"
 description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
- remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
compliance:
- - cis: "8.1.14"
+ - cis: "4.1.14"
+ - cis_csc: "13"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
- - id: 11022
- title: "Collect Changes to System Administration Scope (sudoers)"
+ - id: 10524
+ title: "Ensure changes to system administration scope (sudoers) is collected"
 description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\""
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
+ remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
compliance:
- - cis: "8.1.15"
+ - cis: "4.1.15"
+ - cis_csc: "5.4, 4.8"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers -p wa -k scope'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope'
- - id: 11023
- title: "Collect System Administrator Actions (sudolog)"
- description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
+ - id: 10525
+ title: "Ensure system administrator actions (sudolog) are collected"
+ description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. 
-w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root"
+ remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "8.1.16"
+ - cis: "4.1.16"
+ - cis_csc: "5.1, 5.5, 4.9"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log -p wa -k actions'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions'
- - id: 11024
- title: "Collect Kernel Module Loading and Unloading"
+ - id: 10526
+ title: "Ensure kernel module loading and unloading is collected"
 description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
- remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "8.1.17"
+ - cis: "4.1.17"
+ - cis_csc: "3, 5.1"
 condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
- - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod -p x -k modules'
- - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod -p x -k modules'
- - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe -p x -k modules'
- - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'
-
- - id: 11025
- title: "Make the Audit Configuration Immutable"
- description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. 
Audit changes can only be made on system reboot" + - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules' + + - id: 10527 + title: "Ensure the audit configuration is immutable" + description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot." rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes." - remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file" + remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot." compliance: - - cis: "8.1.18" + - cis: "4.1.18" + - cis_csc: "3, 6, 6.2, 6.3" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-e 2$' + - 'f:/etc/audit/audit.rules -> r:^\s*\t*-e 2$' From 8d7741eab22260ac7b79e82cd142ef29f126f74d Mon Sep 17 00:00:00 2001 
From: Chema Martinez
Date: Wed, 26 Jun 2019 08:33:37 -0700
Subject: [PATCH 140/247] Renamed Debian 8 policies

---
 sca/debian/{cis_debianlinux7-8_L1_rcl.yml => cis_debian8_L1.yml} | 0
 sca/debian/{cis_debianlinux7-8_L2_rcl.yml => cis_debian8_L2.yml} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename sca/debian/{cis_debianlinux7-8_L1_rcl.yml => cis_debian8_L1.yml} (100%)
 rename sca/debian/{cis_debianlinux7-8_L2_rcl.yml => cis_debian8_L2.yml} (100%)

diff --git a/sca/debian/cis_debianlinux7-8_L1_rcl.yml b/sca/debian/cis_debian8_L1.yml
similarity index 100%
rename from sca/debian/cis_debianlinux7-8_L1_rcl.yml
rename to sca/debian/cis_debian8_L1.yml
diff --git a/sca/debian/cis_debianlinux7-8_L2_rcl.yml b/sca/debian/cis_debian8_L2.yml
similarity index 100%
rename from sca/debian/cis_debianlinux7-8_L2_rcl.yml
rename to sca/debian/cis_debian8_L2.yml

From fe19cab636137ce67adc5300dea32fe2fd01e996 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Wed, 26 Jun 2019 17:49:12 +0200
Subject: [PATCH 141/247] Fix empty condition in El Capitan policy

---
 sca/darwin/15/cis_apple_macOS_10.11.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index 101a00443..e5cd8b3ab 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -365,7 +365,7 @@ checks:
 remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
 compliance:
 - cis: "5.9"
- condition:
+ condition: all
 rules:
 - 'c:defaults read com.apple.screensaver askForPassword -> 1'

From 9d3331abb3beeeee642fc2823cb11d500bfa5898 Mon Sep 17 00:00:00 2001
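Review bot: The single rule under the new `condition: all` runs `defaults read com.apple.screensaver askForPassword` in the preference domain of the account executing the command, so if the agent runs as root the check reports root's screensaver setting rather than the console user's; if that scope is accepted, a comment on the rule such as `# evaluated in the agent user's defaults domain, not the logged-in user's` would keep the next reader from assuming per-user coverage. The remediation text on the context line above also states the log-off notice twice, once before the `defaults write` command and again as step 2; one copy can go. Whether `all` rather than `any` was the intended condition for a one-rule check is not visible from this hunk.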
From: Chema Martinez
Date: Wed, 26 Jun 2019 10:31:48 -0700
Subject: [PATCH 142/247] Add SCA policies for Debian 7

---
 sca/debian/cis_debian7_L1.yml | 1282 +++++++++++++++++++++++++++++++++
 sca/debian/cis_debian7_L2.yml | 418 +++++++++++
 2 files changed, 1700 insertions(+)
 create mode 100644 sca/debian/cis_debian7_L1.yml
 create mode 100644 sca/debian/cis_debian7_L2.yml

diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
new file mode 100644
index 000000000..3aae7b362
--- /dev/null
+++ b/sca/debian/cis_debian7_L1.yml
@@ -0,0 +1,1282 @@ +# Security Configuration assessment +# Level 1 CIS Checks for Debian Linux 7 +# Copyright (C) 2015-2019, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation +# +# Based on: +# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015 + +policy: + id: "cis_debian7_L1" + file: "cis_debian7_L1.yml" + name: "CIS benchmark for Debian/Linux 7 L1" + description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 7." + references: + - https://www.cisecurity.org/cis-benchmarks/ + +requirements: + title: "Check Debian version" + description: "Requirements for running the SCA scan against Debian/Ubuntu." + condition: all + rules: + - 'f:/etc/debian_version' + - 'f:/proc/sys/kernel/ostype -> Linux' + +checks: + +# 2 Filesystem Configuration + + - id: 10500 + title: "Create Separate Partition for /tmp" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." 
+ remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." + compliance: + - cis: "2.1" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/tmp\s' + + - id: 10501 + title: "Set nodev option for /tmp Partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" + compliance: + - cis: "2.2" + condition: all + rules: + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:nodev' + + - id: 10502 + title: "Set nosuid option for /tmp Partition" + description: "The nosuid mount option specifies that the filesystem cannot contain set userid files." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" + compliance: + - cis: "2.3" + condition: all + rules: + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:nosuid' + + - id: 10503 + title: "Set noexec option for /tmp partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
+ rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" + compliance: + - cis: "2.4" + condition: all + rules: + - 'not c:mount -> r:\s/tmp\s' + - 'c:mount -> r:\s/tmp\s && r:noexec' + + - id: 10504 + title: "Create Separate Partition for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + compliance: + - cis: "2.5" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/var\s' + + - id: 10505 + title: "Bind mount the /var/tmp directory to /tmp" + description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp." 
+ rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." + remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" + compliance: + - cis: "2.6" + condition: all + rules: + - 'c:findmnt -> r:/var/tmp && r:[/tmp]' + - 'f:/etc/fstab -> r:^/tmp && r:\s*/var/tmp\s* && r:bind' + + - id: 10506 + title: "Create Separate Partition for /var/log" + description: "The /var/log directory is used by system services to store log data." + rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + compliance: + - cis: "2.7" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/var/log\s' + + - id: 10507 + title: "Create Separate Partition for /var/log/audit" + description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory." + rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." 
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + compliance: + - cis: "2.8" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/var/log/audit\s' + + - id: 10508 + title: "Create Separate Partition for /home" + description: "The /home directory is used to support disk storage needs of local users." + rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." + compliance: + - cis: "2.9" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/home\s' + + - id: 10509 + title: "Add nodev Option to /home" + description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. 
# mount -o remount,nodev /home" + compliance: + - cis: "2.10" + condition: all + rules: + - 'not c:mount -> r:\s/home\s' + - 'c:mount -> r:\s/home\s && r:nodev' + + - id: 10510 + title: "Add nodev Option to /run/shm Partition" + description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" + compliance: + - cis: "2.14" + condition: all + rules: + - 'not c:mount -> r:\s/run/shm\s' + - 'c:mount -> r:\s/run/shm\s && r:nodev' + + - id: 10511 + title: "Add nosuid Option to /run/shm Partition" + description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm" + compliance: + - cis: "2.15" + condition: all + rules: + - 'not c:mount -> r:\s/run/shm\s' + - 'c:mount -> r:\s/run/shm\s && r:nosuid' + + - id: 10512 + title: "Add noexec Option to /run/shm Partition" + description: "Set noexec on the shared memory partition to prevent programs from executing from there." 
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm" + compliance: + - cis: "2.16" + condition: all + rules: + - 'not c:mount -> r:\s/run/shm\s' + - 'c:mount -> r:\s/run/shm\s && r:noexec' + + - id: 10513 + title: "Disable Automounting" + description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." + rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." + remediation: "Disable autofs: # update-rc.d autofs disable" + compliance: + - cis: "2.25" + condition: none + rules: + - 'c:find /etc/rc* -name *autofsc* -> r:S\.' + +# 3 Secure Boot Settings + + - id: 10514 + title: "Set Boot Loader Password" + description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters" + rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." 
+ remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub" + compliance: + - cis: "3.3" + condition: all + rules: + - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' + - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password' + + - id: 10515 + title: "Require authentication for Single-User mode" + description: "Setting a password for the root user will force authentication in single user mode." + rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." + remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" + compliance: + - cis: "3.4" + condition: none + rules: + - 'f:/etc/shadow -> r:^root:*:|^root:!:' + +# 4 Additional Process Hardening + - id: 10516 + title: "Restrict Core Dumps" + description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." + rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." 
+ remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" + compliance: + - cis: "4.1" + condition: all + rules: + - 'c:sysctl fs.suid_dumpable -> r:=\s*0$' + - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + + - id: 10517 + title: "Enable Randomized Virtual Memory Region Placement" + description: "Set the system flag to force randomized virtual memory region placement." + rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." + remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" + compliance: + - cis: "4.3" + condition: all + rules: + - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' + +# 5 OS Services + + - id: 10518 + title: "Ensure NIS is not installed" + description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." + remediation: "Uninstall the nis package: # apt-get purge nis" + compliance: + - cis: "5.1.1" + condition: none + rules: + - 'c:dpkg -s nis -> r:install ok installed' + + - id: 10519 + title: "Ensure rsh server is not enabled" + description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text." 
+ rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." + remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd" + compliance: + - cis: "5.1.2" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:^shell|^login|^exec' + + - id: 10520 + title: "Ensure talk server is not enabled" + description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." + rationale: "The software presents a security risk as it uses unencrypted protocols for communication." + remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd" + compliance: + - cis: "5.1.4" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:^talk|^ntalk' + + - id: 10521 + title: "Ensure telnet server is not enabled" + description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." 
+ remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" + compliance: + - cis: "5.1.6" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:telnet' + + - id: 10522 + title: "Ensure tftp-server is not enabled" + description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server." + rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." + remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal" + compliance: + - cis: "5.1.7" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:tftp' + + - id: 10523 + title: "Ensure xinetd is not enabled" + description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well." + rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." + remediation: "Disable xinetd: # update-rc.d xinetd disable" + compliance: + - cis: "5.1.8" + condition: none + rules: + - 'c:find /etc/rc* -name *xinetd* -> r:S\.' 
+ + - id: 10524 + title: "Ensure chargen is not enabled" + description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal" + compliance: + - cis: "5.2" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:chargen' + + - id: 10525 + title: "Ensure daytime is not enabled" + description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal" + compliance: + - cis: "5.3" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:daytime' + + - id: 10526 + title: "Ensure echo is not enabled" + description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal" + compliance: + - cis: "5.4" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:echo' + + - id: 10527 + title: "Ensure discard is not enabled" + description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. 
It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal" + compliance: + - cis: "5.5" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:discard' + + - id: 10528 + title: "Ensure time is not enabled" + description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." + rationale: "Disabling this service will reduce the remote attack surface of the system." + remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal" + compliance: + - cis: "5.6" + condition: none + rules: + - 'f:/etc/inetd.conf -> !r:^# && r:time' + +# 6 Special Purpose Services + + - id: 10529 + title: "Ensure Avahi Server is not enabled" + description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." + rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface." + remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable" + compliance: + - cis: "6.2" + condition: none + rules: + - 'c:find /etc/rc* -name *avahi-daemon* -> r:S\.' 
+ + - id: 10530 + title: "Ensure print server is not enabled" + description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." + rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." + remediation: "Disable cups: # update-rc.d cups disable" + compliance: + - cis: "6.3" + condition: none + rules: + - 'c:find /etc/rc* -name *cups* -> r:S\.' + + - id: 10531 + title: "Ensure DHCP Server is not enabled" + description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." + rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface." + remediation: "Disable isc-dhcp-server: # update-rc.d isc-dhcp-server disable" + references: + - "https://www.isc.org/dhcp/" + compliance: + - cis: "6.4" + condition: none + rules: + - 'c:find /etc/rc* -name *isc-dhcp-server* -> r:S\.' + + - id: 10532 + title: "Configure Network Time Protocol (NTP)" + description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server." + rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." 
+ remediation: "Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." + compliance: + - cis: "6.5" + references: + - http://www.ntp.org/ + condition: all + rules: + - 'c:dpkg -s ntp -> r:install ok installed' + - 'f:/etc/ntp.conf -> r:^restrict -4 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' + - 'f:/etc/ntp.conf -> r:^restrict -6 default && r:kod && r:nomodify && r:notrap && r:nopeer && r:noquery' + - 'f:/etc/ntp.conf -> r:^server\s\.+' + - 'f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp' + + - id: 10533 + title: "Ensure LDAP is not enabled" + description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." + rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface." + remediation: "Uninstall the slapd package: # apt-get purge slapd" + compliance: + - cis: "6.6" + references: + - http://www.openldap.org + condition: none + rules: + - 'c:dpkg -s slapd -> install ok installed' + + - id: 10534 + title: "Ensure NFS and RPC are not enabled" + description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." + rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." 
+ remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
+ compliance:
+ - cis: "6.7"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *rpcbind* -> r:S\.'
+ - 'c:find /etc/rc* -name *nfs-kernel-server* -> r:S\.'
+
+ - id: 10535
+ title: "Ensure DNS Server is not enabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Disable bind9: # update-rc.d bind9 disable"
+ compliance:
+ - cis: "6.8"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *bind9* -> r:S\.'
+
+ - id: 10536
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Disable vsftpd: # update-rc.d vsftpd disable"
+ compliance:
+ - cis: "6.9"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *vsftpd* -> r:S\.'
+
+ - id: 10537
+ title: "Ensure HTTP Server is not enabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Disable apache2: # update-rc.d apache2 disable"
+ compliance:
+ - cis: "6.10"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *apache2* -> r:S\.'
+
+ - id: 10538
+ title: "Ensure IMAP and POP server is not enabled"
+ description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
+ remediation: "Disable dovecot: # update-rc.d dovecot disable"
+ compliance:
+ - cis: "6.11"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *dovecot* -> r:S\.'
+
+ - id: 10539
+ title: "Ensure Samba is not enabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+ remediation: "Disable samba: # update-rc.d samba disable"
+ compliance:
+ - cis: "6.12"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *smb* -> r:S\.'
+
+ - id: 10540
+ title: "Ensure HTTP Proxy Server is not enabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+ remediation: "Disable squid3: # update-rc.d squid3 disable"
+ compliance:
+ - cis: "6.13"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *squid3* -> r:S\.'
+
+ - id: 10541
+ title: "Ensure SNMP Server is not enabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
+ remediation: "Disable snmpd: # update-rc.d snmpd disable"
+ compliance:
+ - cis: "6.14"
+ condition: none
+ rules:
+ - 'c:find /etc/rc* -name *snmpd* -> r:S\.'
+
+# ToDo
+
+ - id: 10542
+ title: "Configure Mail Transfer Agent for Local-Only Mode"
+ description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
+ rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
+ remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload"
+ compliance:
+ - cis: "6.15"
+ condition: all
+ rules:
+ - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$'
+
+ - id: 10543
+ title: "Ensure rsync service is not enabled"
+ description: "The rsyncd service can be used to synchronize files between systems over network links."
+ rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false"
+ compliance:
+ - cis: "6.16"
+ condition: none
+ rules:
+ - 'c:dpkg -s rsync -> install ok installed'
+ - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false'
+
+# 7 Network Configuration and Firewall
+ - id: 10544
+ title: "Disable IP Forwarding"
+ description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
+ rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.1.1"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+
+ - id: 10545
+ title: "Disable Send Packet Redirects"
+ description: "ICMP Redirects are used to send routing information to other hosts. 
As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.1.2"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+
+ - id: 10546
+ title: "Disable Source Routed Packet Acceptance"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. 
If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.1"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+
+ - id: 10547
+ title: "Disable ICMP Redirect Acceptance"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+ rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+ remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.2"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+
+ - id: 10548
+ title: "Disable Secure ICMP Redirect Acceptance"
+ description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+ rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+ remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.3"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+
+ - id: 10549
+ title: "Log Suspicious Packets"
+ description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+ rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+ remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.4"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+
+ - id: 10550
+ title: "Enable Ignore Broadcast Requests"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+ remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.5"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+
+ - id: 10551
+ title: "Enable Bad Error Message Protection"
+ description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+ rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+ remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.6"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+
+ - id: 10552
+ title: "Enable RFC-recommended Source Route Validation"
+ description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+ rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. 
One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
+ remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.7"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+ - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+
+ - id: 10553
+ title: "Enable TCP SYN Cookies"
+ description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+ rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. 
SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
+ remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "7.2.8"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+
+ - id: 10554
+ title: "Disable IPv6 Router Advertisements"
+ description: "This setting disables the systems ability to accept router advertisements"
+ rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+ remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "7.3.1"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+ - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+
+ - id: 10555
+ title: "Disable IPv6 Redirect Acceptance"
+ description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
+ rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+ remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "7.3.2"
+ condition: all
+ rules:
+ - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+ - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+
+ - id: 10556
+ title: "Disable IPv6"
+ description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
+ rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
+ remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p"
+ compliance:
+ - cis: "7.3.3"
+ condition: none
+ rules:
+ - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$'
+ - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:=\s*\t*1$'
+ - 'c:sysctl net.ipv6.conf.lo.disable_ipv6 -> r:=\s*\t*1$'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.all.disable_ipv6\s*\t*=\s*\t*1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6\s*\t*=\s*\t*1'
+ - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6\s*\t*=\s*\t*1'
+
+ - id: 10557
+ title: "Create /etc/hosts.allow"
+ description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+ rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server."
+ remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
+ compliance:
+ - cis: "7.4.2"
+ condition: all
+ rules:
+ - 'f:/etc/hosts.allow'
+
+ - id: 10558
+ title: "Create /etc/hosts.deny"
+ description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+ rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+ remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
+ compliance:
+ - cis: "7.4.4"
+ condition: all
+ rules:
+ - 'f:/etc/hosts.deny'
+ - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+ - id: 10559
+ title: "Disable DCCP"
+ description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
+ rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+ remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf"
+ compliance:
+ - cis: "7.5.1"
+ condition: none
+ rules:
+ - 'c:lsmod -> r:dccp'
+
+ - id: 10560
+ title: "Disable SCTP"
+ description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+ remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf"
+ compliance:
+ - cis: "7.5.2"
+ condition: none
+ rules:
+ - 'c:lsmod -> r:sctp'
+
+ - id: 10561
+ title: "Disable RDS"
+ description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+ remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf"
+ compliance:
+ - cis: "7.5.3"
+ condition: none
+ rules:
+ - 'c:lsmod -> r:rds'
+
+ - id: 10562
+ title: "Disable TIPC"
+ description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+ remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf"
+ compliance:
+ - cis: "7.5.4"
+ condition: none
+ rules:
+ - 'c:lsmod -> r:tipc'
+
+ - id: 10563
+ title: "Ensure Firewall is active"
+ description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps."
+ rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports."
+ remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable"
+ compliance:
+ - cis: "7.7"
+ condition: all
+ rules:
+ - 'c:dpkg -s iptables -> r:install ok installed'
+ - 'c:dpkg -s iptables-persistent -> r:install ok installed'
+ - 'c:find /etc/rc* -name *iptables-persistent* -> r:S\.'
+
+# 8 Logging and Auditing
+ - id: 10564
+ title: "Ensure the rsyslog Service is activated"
+ description: "Once the rsyslog package is installed it needs to be activated."
+ rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+ remediation: "Enable rsyslog: # update-rc.d rsyslog enable"
+ compliance:
+ - cis: "8.2.2"
+ condition: all
+ rules:
+ - 'c:find /etc/rc* -name *rsyslog* -> r:S\.'
+
+ - id: 10565
+ title: "Configure /etc/rsyslog.conf"
+ description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages."
+ rationale: "A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)."
+ remediation: "Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment: *.emerg :omusrmsg:* mail.* -/var/log/mail mail.info -/var/log/mail.info mail.warning -/var/log/mail.warn mail.err -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none -/var/log/messages local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages Execute the following command to restart rsyslogd # pkill -HUP rsyslogd"
+ compliance:
+ - cis: "8.2.3"
+ references:
+ - rsyslog.conf(5) man page
+ condition: all
+ rules:
+ - 'c:grep -R ^*.emerg\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^mail.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^mail.info\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^mail.warning\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^mail.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^news.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^news.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^news.notice\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^*.=warning;*.=err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^*.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^*.*;mail.none;news.none\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^local0,local1.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^local2,local3.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^local4,local5.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+ - 'c:grep -R ^local6,local7.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/'
+
+ - id: 10566
+ title: "Configure rsyslog to Send Logs to a Remote Log Host"
+ description: "The rsyslog 
utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+ rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
+ remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol."
+ compliance:
+ - cis: "8.2.5"
+ references:
+ - rsyslog.conf(5) man page
+ condition: all
+ rules:
+ - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+'
+
+ - id: 10567
+ title: "Accept Remote rsyslog Messages Only on Designated Log Hosts"
+ description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+ rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+ remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd"
+ compliance:
+ - cis: "8.2.6"
+ references:
+ - rsyslog.conf(8) man page
+ condition: all
+ rules:
+ - 'c:grep -R ^\$ModLoad imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so'
+ - 'c:grep -R ^\$InputTCPServerRun 514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514'
+
+ - id: 10568
+ title: "Configure logrotate"
+ description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog."
+ rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files."
+ remediation: "Edit the /etc/logrotate.d/rsyslog file to include appropriate system logs according to your site policy."
+ compliance:
+ - cis: "8.4"
+ condition: all
+ rules:
+ - 'f:/etc/logrotate.d/rsyslog'
+ - 'f:/etc/logrotate.d/rsyslog -> r:\S+'
+
+# 9 System Access, Authentication and Authorization
+ - id: 10569
+ title: "Enable cron Daemon"
+ description: "The cron daemon is used to execute batch jobs on the system."
+ rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
+ remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable" + compliance: + - cis: "9.1.1" + condition: all + rules: + - 'f:/etc/rc2.d/S15anacron' + - 'f:/etc/rc2.d/S15cron' + - 'f:/etc/rc3.d/S15anacron' + - 'f:/etc/rc3.d/S15cron' + - 'f:/etc/rc4.d/S15anacron' + - 'f:/etc/rc4.d/S15cron' + - 'f:/etc/rc5.d/S15anacron' + - 'f:/etc/rc5.d/S15cron' + + - id: 10570 + title: "Ensure at/cron is restricted to authorized users" + description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." + rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." 
+ remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" + compliance: + - cis: "5.1.8" + condition: all + rules: + - 'f:/etc/cron.allow' + - 'f:/etc/at.allow' + - 'not f:/etc/cron.deny' + - 'not f:/etc/at.deny' + - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600' + - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600' + + - id: 10571 + title: "Set Password Creation Requirement Parameters Using pam_cracklib" + description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1" + compliance: + - cis: "9.2.1" + condition: all + rules: + - 'c:dpkg -s libpam-cracklib -> install ok installed' + - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so\s*\t*retry=\d\s*\t*minlen=\d\d+\s*\t*dcredit=-\d+\s*\t*ucredit=-\d+\s*\t*ocredit=-\d+\s*\t*lcredit=-\d+' + + - id: 10572 + title: "Set Lockout for Failed Password Attempts" + description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." + rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." + remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user." 
+ compliance: + - cis: "9.2.2" + condition: all + rules: + - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d\s*\t*unlock_time=\d\d\d+' + + - id: 10573 + title: "Limit Password Reuse" + description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." + rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." + remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy." + compliance: + - cis: "9.2.3" + condition: all + rules: + - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so\s*\t*obscure\s*\t*sha512\s*\t*remember=\d' + + - id: 10574 + title: "Set SSH Protocol to 2" + description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." + rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" + compliance: + - cis: "9.3.1" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2' + + - id: 10575 + title: "Set LogLevel to INFO" + description: "The INFO parameter specifices that record login and logout activity will be logged." + rationale: "SSH provides several logging levels with varying amounts of verbosity. 
DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" + compliance: + - cis: "9.3.2" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO' + + - id: 10576 + title: "Disable SSH X11 Forwarding" + description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." + rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no" + compliance: + - cis: "9.3.4" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' + + - id: 10577 + title: "Set SSH MaxAuthTries to 4 or Less" + description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." + rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. 
While the recommended setting is 4, it is set the number based on site policy." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" + compliance: + - cis: "9.3.5" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4' + + - id: 10578 + title: "Set SSH IgnoreRhosts to Yes" + description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication." + rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" + compliance: + - cis: "9.3.6" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' + + - id: 10579 + title: "Set SSH HostbasedAuthentication to No" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - cis: "9.3.7" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' + + - id: 10580 + title: "Disable SSH Root Login" + description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." + rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" + compliance: + - cis: "9.3.8" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' + + - id: 10581 + title: "Set SSH PermitEmptyPasswords to No" + description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" + compliance: + - cis: "9.3.9" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' + + - id: 10582 + title: "Do Not Allow Users to Set Environment Options" + description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." + rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" + compliance: + - cis: "9.3.10" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' + + - id: 10583 + title: "Set Idle Timeout Interval for User Login" + description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. 
When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." + rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0" + compliance: + - cis: "9.3.12" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0' + + - id: 10584 + title: "Limit Access via SSH" + description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." + rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " + compliance: + - cis: "9.3.13" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' + + - id: 10585 + title: "Set SSH Banner" + description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." + rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" + compliance: + - cis: "9.3.14" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' + + - id: 10586 + title: "Restrict Access to the su Command" + description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su." + rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." + remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file." 
+ compliance: + - cis: "9.5" + condition: all + rules: + - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid' + - 'f:/etc/group -> !r:^# && r:wheel' + +# 10 User Accounts and Environment + - id: 10587 + title: "Set Password Expiration Days" + description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days." + rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." + remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 " + compliance: + - cis: "10.1.1" + condition: all + rules: + - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' + + - id: 10588 + title: "Set Password Change Minimum Number of Days" + description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." + rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." 
+ remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 " + compliance: + - cis: "10.1.2" + condition: all + rules: + - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' + + - id: 10589 + title: "Set Password Expiring Warning Days" + description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." + rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." + remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 " + compliance: + - cis: "10.1.3" + condition: all + rules: + - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7' + + - id: 10590 + title: "Set Default Group for root Account" + description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." + rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." + remediation: "# usermod -g 0 root" + compliance: + - cis: "10.3" + condition: all + rules: + - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' + + - id: 10591 + title: "Set Default umask for Users" + description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. 
Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories." + rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." + remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077" + compliance: + - cis: "10.4" + condition: all + rules: + - 'c:grep -R ^umask 077 /etc/profile.d/' + - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077' + + - id: 10592 + title: "Lock Inactive User Accounts" + description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." + rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." 
+ remediation: "# useradd -D -f 35" + compliance: + - cis: "10.5" + condition: all + rules: + - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' + +# 11 Warning Banners + - id: 10593 + title: "Set Warning Banner for Standard Login Services" + description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed." + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." + remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net" + compliance: + - cis: "11.1" + condition: all + rules: + - 'f:/etc/motd' + - 'f:/etc/issue' + - 'f:/etc/issue.net' + - 'c:stat -c%u-%g-%a /etc/motd -> 0-0-644' + - 'c:stat -c%u-%g-%a /etc/issue -> 0-0-644' + - 'c:stat -c%u-%g-%a /etc/issue.net -> 0-0-644' + + - id: 10594 + title: "Remove OS Information from Login Warning Banners" + description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." 
+ rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." + remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v." + compliance: + - cis: "11.2" + condition: none + rules: + - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' + - 'c:grep (\\v|\\r|\\m|\\s) /etc/motd' + - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue.net' + +# 13 Review User and Group Settings + - id: 10595 + title: "Ensure Password Fields are Not Empty" + description: "An account with an empty password field means that anybody may log in as that user without providing a password." + rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." + remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." + compliance: + - cis: "13.1" + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+::' + + - id: 10596 + title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" + description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." + rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." + remediation: "Delete these entries if they exist." 
+ compliance: + - cis: "13.2" + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && r:^+:' + + - id: 10597 + title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" + description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." + rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." + remediation: "Delete these entries if they exist." + compliance: + - cis: "13.3" + condition: none + rules: + - 'f:/etc/shadow -> !r:^# && r:^+:' + - id: 10598 + title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" + description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." + rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." + remediation: "Delete these entries if they exist." + compliance: + - cis: "13.4" + condition: none + rules: + - 'f:/etc/group -> !r:^# && r:^+:' + + - id: 10599 + title: "Verify No UID 0 Accounts Exist Other Than root" + description: "Any account with UID 0 has superuser privileges on the system." + rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." + remediation: "Delete any other entries that are displayed." 
+ compliance: + - cis: "13.5" + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' + + - id: 10600 + title: "Check for Presence of User .rhosts Files" + description: "While no .rhosts files are shipped by default, users can easily create them." + rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." + remediation: "If any users have .rhosts files determine why they have them." + compliance: + - cis: "13.10" + condition: none + rules: + - 'd:/home -> r:^.rhosts$' + + - id: 10601 + title: "Check for Presence of User .netrc Files" + description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." + rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." + remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." + compliance: + - cis: "13.18" + condition: none + rules: + - 'd:/home -> r:^.netrc$' + + - id: 10602 + title: "Check for Presence of User .forward Files" + description: "The .forward file specifies an email address to forward the user's mail to." + rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. 
The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." + remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." + compliance: + - cis: "13.19" + condition: none + rules: + - 'd:/home -> r:^.forward$' + + - id: 10603 + title: "Ensure shadow group is empty" + description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." + rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." + remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." + compliance: + - cis: "13.20" + condition: none + rules: + - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml new file mode 100644 index 000000000..ca5dac2be --- /dev/null +++ b/sca/debian/cis_debian7_L2.yml 
@@ -0,0 +1,418 @@
+# Security Configuration assessment
+# Level 2 CIS Checks for Debian Linux 7
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015
+
+policy:
+ id: "cis_debian7_L2"
+ file: "cis_debian7_L2.yml"
+ name: "CIS benchmark for Debian/Linux 7 L2"
+ description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 7."
+ references:
+ - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+ title: "Check Debian version"
+ description: "Requirements for running the SCA scan against Debian/Ubuntu"
+ condition: all
+ rules:
+ - 'f:/etc/debian_version'
+ - 'f:/proc/sys/kernel/ostype -> Linux'
+
+checks:
+
+# 2 Filesystem Configuration
+
+ - id: 11000
+ title: "Disable Mounting of cramfs Filesystems"
+ description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
+ rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
+ remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true"
+ compliance:
+ - cis: "2.18"
+ condition: all
+ rules:
+ - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
+ - 'not c:/sbin/lsmod -> r:cramfs'
+
+ - id: 11001
+ title: "Disable Mounting of freevxfs Filesystems"
+ description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." 
+ rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true" + compliance: + - cis: "2.19" + condition: all + rules: + - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' + - 'not c:/sbin/lsmod -> r:freevxfs' + + - id: 11002 + title: "Disable Mounting of jffs2 Filesystems" + description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true" + compliance: + - cis: "2.20" + condition: all + rules: + - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' + - 'not c:/sbin/lsmod -> r:jffs2' + + - id: 11003 + title: "Disable Mounting of hfs Filesystems" + description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true" + compliance: + - cis: "2.21" + condition: all + rules: + - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' + - 'not c:/sbin/lsmod -> r:hfs' + + - id: 11004 + title: "Disable Mounting of hfsplus Filesystems" + description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. 
If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true" + compliance: + - cis: "2.22" + condition: all + rules: + - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' + - 'not c:/sbin/lsmod -> r:hfsplus' + + - id: 11005 + title: "Disable Mounting of squashfs Filesystems" + description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." + remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true" + compliance: + - cis: "2.23" + condition: all + rules: + - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' + - 'not c:/sbin/lsmod -> r:squashfs' + + - id: 11006 + title: "Disable Mounting of udf Filesystems" + description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
+ remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true" + compliance: + - cis: "2.24" + condition: all + rules: + - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' + - 'not c:/sbin/lsmod -> r:udf' + +# 4 Additional Process Hardening + + - id: 11007 + title: "Activate AppArmor" + description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." + rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." + remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." + compliance: + - cis: "4.5" + condition: all + rules: + - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0' + - 'c:apparmor_status -> r:^0\s*processes are in complain mode' + - 'c:apparmor_status -> r:^0\s*processes are unconfined' + +# ToDo + +# 8.1 Configure System Accounting (auditd) + - id: 11008 + title: "Configure Audit Log Storage Size" + description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." 
+ rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." + remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." + compliance: + - cis: "8.1.1.1" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' + + - id: 11009 + title: "Disable System on Audit Log Full" + description: "The auditd daemon can be configured to halt the system when the audit logs are full." + rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." + remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt" + compliance: + - cis: "8.1.1.2" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*=\s*root' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' + + - id: 11010 + title: "Keep All Auditing Information" + description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." + rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." + remediation: "Add the following line to the /etc/audit/auditd.conf file. 
max_log_file_action = keep_logs" + compliance: + - cis: "8.1.1.3" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/auditd.conf' + - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' + + - id: 11011 + title: "Enable Auditing for Processes That Start Prior to auditd" + description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." + rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." + remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" + compliance: + - cis: "8.1.3" + condition: all + rules: + - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' + + - id: 11012 + title: "Record Events That Modify Date and Time Information" + description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" + rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." 
+ remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + compliance: + - cis: "8.1.4" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S clock_settime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S clock_settime -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime -p wa -k time-change' + + - id: 11013 + title: "Record Events That Modify User/Group Information" + description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." 
+ rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." + remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + compliance: + - cis: "8.1.5" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/group -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd -p wa -k identity' + + - id: 11014 + title: "Record Events That Modify the System's Network Environment" + description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files." + rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + compliance: + - cis: "8.1.6" + condition: all + rules: + - 'f:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/network -p wa -k system-locale' + + - id: 11015 + title: "Record Events That Modify the System's Mandatory Access Controls" + description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." + rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." + remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + compliance: + - cis: "8.1.7" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ -p wa -k MAC-policy' + + - id: 11016 + title: "Collect Login and Logout Events" + description: "Monitor login and logout events. 
The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module" + rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." + remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.8" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog -p wa -k logins' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog -p wa -k logins' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog -p wa -k logins' + + - id: 11017 + title: "Collect Session Initiation Information" + description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\"" + rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." + remediation: "Add the following lines to the /etc/audit/audit.rules file. 
-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)" + compliance: + - cis: "8.1.9" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp -p wa -k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp -p wa -k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp -p wa -k session' + + - id: 11018 + title: "Collect Discretionary Access Control Permission Modification Events" + description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" + rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.10" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chown 
-S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + + - id: 11019 + title: "Collect Unsuccessful Unauthorized Access Attempts to Files" + description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" + rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.11" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + - id: 11020 + title: "Collect Successful File System Mounts" + description: "Monitor the use of the mount system call. 
The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" + rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." + remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.13" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + + - id: 11021 + title: "Collect File Deletion Events by User" + description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"." + rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." + remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. 
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd" + compliance: + - cis: "8.1.14" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + + - id: 11022 + title: "Collect Changes to System Administration Scope (sudoers)" + description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"" + rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity." + remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + compliance: + - cis: "8.1.15" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers -p wa -k scope' + + - id: 11023 + title: "Collect System Administrator Actions (sudolog)" + description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. 
Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log." + rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed." + remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root" + compliance: + - cis: "8.1.16" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log -p wa -k actions' + + - id: 11024 + title: "Collect Kernel Module Loading and Unloading" + description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"." + rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. 
Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules." + remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules" + compliance: + - cis: "8.1.17" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod -p x -k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod -p x -k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe -p x -k modules' + - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' + + - id: 11025 + title: "Make the Audit Configuration Immutable" + description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot" + rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes." + remediation: "Add the following lines to the /etc/audit/audit.rules file. 
-e 2 Note: This must be the last line in the /etc/audit/audit.rules file" + compliance: + - cis: "8.1.18" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-e 2$' + +# 8.3 Advanced Intrusion Detection Environment (AIDE) + - id: 11026 + title: "Install AIDE" + description: "In some installations, AIDE is not installed automatically" + rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system." + remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE." + compliance: + - cis: "8.3.1" + condition: all + rules: + - 'c:dpkg -s aide -> r:install ok installed' + + - id: 11027 + title: "Implement Periodic Execution of File Integrity" + description: "Implement periodic file checking, in compliance with site policy" + rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion." + remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy." + compliance: + - cis: "8.3.2" + condition: all + rules: + - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check' From 17dc6d561dda59bff4550820d38a48bb77680805 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Thu, 27 Jun 2019 08:54:31 +0200 Subject: [PATCH 143/247] Fix some ssh rules --- sca/generic/system_audit_ssh.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml index ca889bf51..ee36e376c 100644 --- a/sca/generic/system_audit_ssh.yml +++ b/sca/generic/system_audit_ssh.yml @@ -18,7 +18,7 @@ policy: requirements: title: "Check that the SSH service is installed on the system" description: "Requirements for running the SCA scan against the SSH policy." - condition: "all" + condition: all rules: - 'f:/etc/ssh/sshd_config' @@ -46,7 +46,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\D2\D*$' + - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$' - id: 1502 title: "SSH Hardening - 3: Root account should not be able to log in" @@ -110,7 +110,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+) compare <= 30' + - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30' - id: 1508 title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" From d29a27657adef4f801eb5fc0666d6b3a078700af Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Thu, 27 Jun 2019 11:20:05 +0200 Subject: [PATCH 144/247] Review web_vulnerabilities policy --- sca/generic/web_vulnerabilities.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml index 3890c089e..aa57f201f 100644 --- a/sca/generic/web_vulnerabilities.yml +++ b/sca/generic/web_vulnerabilities.yml 
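Review bot: The rewritten rule for check 1501 still requires an explicit `Protocol` line, and under `condition: all` a sshd_config that omits the directive fails the check; as far as I recall, OpenSSH releases that dropped protocol 1 support ignore the keyword, so a default configuration on such a host would be reported non-compliant even though protocol 1 cannot be enabled there (worth confirming against the target OpenSSH versions). If that strictness is intended, the description should say so, e.g. `description: "The SSH protocol should not be 1. Protocol 2 must be set explicitly; OpenSSH versions without protocol 1 support ignore this directive."`; otherwise a second rule `- 'not f:$sshd_file -> r:^\s*\t*Protocol\.*1'` under `condition: any` would accept the absent-directive case while still rejecting `Protocol 1` and `Protocol 2,1`.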
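Review bot: The literal `s` appended after the capture group in the LoginGraceTime rule means a plain numeric value such as `LoginGraceTime 20`, the spelling sshd_config(5) itself uses, no longer matches, so a compliant host fails this `condition: all` check; sshd's time format also allows `m`/`h` suffixes, which the pattern would not match either. Making the suffix optional keeps both spellings: `- 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s* compare <= 30'`. A value written with a minute suffix would still be compared as a raw number and needs separate handling if that case matters. The check's `id` and `title` lines are outside the hunk.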
@@ -28,32 +28,28 @@ requirements: # PHP checks checks: - id: 1000 - title: "PHP - Register globals are enabled" + title: "PHP - Ensure 'Register globals' are not enabled" condition: all rules: - 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^register_globals\s*\t*=\s*\t*On|register_globals\s*\t*=\s*\t*on' - id: 1001 - title: "PHP - Expose PHP is enabled" + title: "PHP - Ensure 'Expose PHP' is not enabled" condition: all rules: - 'f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^expose_php\s*\t*=\s*\t*On|^expose_php\s*\t*=\s*\t*on' - id: 1002 - title: "PHP - Allow URL fopen is enabled" + title: "PHP - Ensure 'Allow URL fopen' is not enabled" condition: all rules: - 'f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*On|^allow_url_fopen\s*\t*=\s*\t*on' - id: 1003 - title: "PHP - Displaying of errors is enabled" + title: "PHP - Ensure 'Displaying of errors' is not enabled" condition: all rules: - 'f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off' - - 'not f:$php.ini -> r:^display_errors\s*\t*=\s*\t*On|^display_errors\s*\t*=\s*\t*on' # WEB checks - id: 1004 @@ -157,7 +153,7 @@ checks: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: none rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' + - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond\s+\S+HTTP_REFERERS\s+\S+google' - id: 1015 title: "Web vulnerability - .htaccess file compromised - auto append" @@ -168,4 +164,4 @@ checks: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: none rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file' + - 'd:$web_dirs -> ^.htaccess$ -> r:^php_value\s*auto_append_file' From e2d4baf17edd923969a7f4f38bad8e65b4a3238d Mon Sep 17 00:00:00 2001 
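Review bot: Check 1000's surviving rule is looser than its siblings: its second alternative `register_globals\s*\t*=\s*\t*off` lacks the `^` anchor that checks 1001–1003 carry on both alternatives, so a commented-out `;register_globals = off` satisfies it. Now that the `not ... On` rules are gone, that single positive match is the whole check, which makes the anchor matter: `- 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|^register_globals\s*\t*=\s*\t*off'`. With only a positive rule, a php.ini that contains an `Off` line followed by a later `On` line (PHP takes the last one) also passes all four checks; if that case is in scope, the removed negative rules were the guard against it.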
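Review bot: The rewritten RewriteCond pattern keeps `HTTP_REFERERS`, but the Apache variable this check is looking for is `HTTP_REFERER`, written in the directive as `%{HTTP_REFERER}`, so `\S+HTTP_REFERERS\s+` demands an `S` where the real directive has `}` and the rule can never match; under `condition: none` the check therefore always passes. Suggested: `- 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond\s+\S*HTTP_REFERER\S*\s+\S*google'`. The check's `id` and `title` lines are above the hunk.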
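Review bot: The new `^php_value\s*auto_append_file` anchor only matches the directive at column 0, so an indented `php_value auto_append_file` line in .htaccess is not detected (Apache accepts leading whitespace), and `\s*` also accepts no separator at all between the two words. `r:^\s*php_value\s+auto_append_file` covers both while keeping the intent of the anchor. The check's `id` and `title` lines are above the hunk.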
From: Cristina Maria Garrido Lopez Date: Thu, 27 Jun 2019 13:24:59 +0200 Subject: [PATCH 145/247] Review Debian 8 policy --- sca/debian/cis_debian8_L1.yml | 17 ++++++++--------- sca/debian/cis_debian8_L2.yml | 4 +++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index fdfb101df..ceca913bb 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml 
@@ -331,15 +331,15 @@ checks: - cis_csc: "8.3, 8.4" condition: all rules: - - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$ + - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$' - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' # 1.7 Warning Banners - id: 11024 title: "Ensure local login warning banner is configured properly" - description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \m - machine architecture \r - operating system release \s - operating system name \v - operating system version" - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the " uname -a " command once they have logged in." - remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of\m,\r,\s, or\v: # echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue" + description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. 
This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version" + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in." + remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue" compliance: - cis: "1.7.1.2" - cis_csc: "13, 5.1" 
@@ -908,8 +908,7 @@ checks: title: "Ensure remote rsyslog messages are only accepted on designated log hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." - remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp -# $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" + remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - cis: "4.2.1.5" - cis_csc: "9.1, 9.2" 
@@ -1037,7 +1036,7 @@ checks: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - id: 11076 - title: "Ensure SSH root login is disabled " + title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" 
@@ -1135,7 +1134,7 @@ checks: title: "Ensure lockout for failed password attempts is configured" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." - remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization." + remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the \"audit\" keyword may log credentials in the case of user error during authentication. 
This risk should be evaluated in the context of the site policies of your organization." compliance: - cis: "5.3.2" - cis_csc: "16.7" @@ -1269,7 +1268,7 @@ checks: - 'f:/etc/shadow -> !r:^# && r:^+:' - id: 11094 - title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" + title: "Verify no legacy \"+\" entries exist in /etc/group" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/group if they exist." diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 8ce438831..0943cd4bb 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -134,6 +134,8 @@ checks: compliance: - cis: "2.2.4" - cis_csc: "9.1, 9.2" + references: + - 'http://www.cups.org' condition: none rules: - 'c:systemctl is-enabled cups -> r:^enabled' 
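Review bot: The new reference in cis_debian8_L2.yml uses plain `http://www.cups.org`, while the same reference added to cis_debian8_L1.yml in a later patch on this page uses `https://www.cups.org`; the two files should agree, and the TLS form is the better one to publish in a policy. Suggested: `- 'https://www.cups.org'`.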
@@ -228,7 +230,7 @@ checks: - id: 10514 title: "Ensure events that modify user/group information are collected" - description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file." + description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: From 057396712129ceb0df7a5e01ecc24a5659ee0c3b Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Thu, 27 Jun 2019 16:56:07 +0200 Subject: [PATCH 146/247] SLES12 make some checks less false-positive prone --- sca/sles/12/cis_sles12_linux_rcl.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index 113e2ed08..d6416900d 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml 
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml @@ -280,7 +280,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r:on' + - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on' - id: 7519 title: "Ensure daytime services are not enabled" @@ -292,7 +292,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> r:daytime:|daytime-udp && r:on' + - 'c:chkconfig --list -> r:daytime:|daytime-udp && r::on' - id: 7520 title: "Ensure discard services are not enabled" @@ -304,7 +304,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> r:discard:|discard-udp: && r:on' + - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on' - id: 7521 title: "Ensure echo services are not enabled" @@ -316,7 +316,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> r:echo:|echo-udp: && r:on' + - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on' - id: 7522 title: "Ensure time services are not enabled" @@ -328,7 +328,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> r:time:|time-udp && r:on' + - 'c:chkconfig --list -> r:time:|time-udp && r::on' - id: 7523 title: "Ensure rsh server is not enabled" @@ -342,7 +342,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r:on' + - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on' - id: 7524 title: "Ensure talk server is not enabled" @@ -356,7 +356,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> r:talk: && r:on' + - 'c:chkconfig --list -> r:talk: && r::on' - id: 7525 title: "Ensure telnet server is not enabled" @@ -370,7 +370,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> r:telnet: && r:on' + - 'c:chkconfig --list -> r:telnet: && r::on' - id: 7526 title: "Ensure tftp server is not enabled" 
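Review bot: The tighter `r::on` pattern only matches when `on` immediately follows the colon, and for xinetd-managed entries chkconfig's listing may separate the service name from its state with whitespace — the SLES11 rules this series replaces, `chargen:\s*\t*on`, assumed exactly that; if that is the output on SLES, `:on` never matches and every one of these `condition: none` checks silently passes with the service enabled. This should be verified against a real `chkconfig --list` from a target host, and if a separator is present the rule should tolerate it: `- 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::\s*\t*on'`. The same `r::on` form is used by the other hunks of this file (ids 7519–7527) and by the SLES11 patch that follows (ids 7018–7027 and 7030–7040), so whichever form is confirmed should be applied to all of them.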
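Review bot: In the daytime and time hunks the second alternative lost its trailing colon (`daytime-udp`, `time-udp`) while the other rewritten rules keep it (`chargen-udp:`, `discard-udp:`), and because these are unanchored substring matches, `time:|time-udp` in check 7522 also matches the `daytime:` and `daytime-udp` entries, so a host with only daytime enabled fails the time check too, with a misleading reason. Restoring the colon is straightforward (`r:daytime:|daytime-udp:` and `r:time:|time-udp:`); separating `time` from `daytime` needs a leading delimiter, e.g. `r:\ttime:|\ttime-udp:` if chkconfig indents xinetd entries with a tab (to be confirmed). The SLES11 counterpart in the next patch keeps the colons but has the same `time`/`daytime` overlap.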
@@ -384,7 +384,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> r:tftp: && r:on' + - 'c:chkconfig --list -> r:tftp: && r::on' - id: 7527 title: "Ensure rsync service is not enabled" @@ -396,7 +396,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list -> r:rsync: && r:on' + - 'c:chkconfig --list -> r:rsync: && r::on' - id: 7528 title: "Ensure xinetd is not enabled" From e519d404e4898b39d21c8015f68fdfc911ad3dc7 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Thu, 27 Jun 2019 16:57:28 +0200 Subject: [PATCH 147/247] Fix SLES11 rules --- sca/sles/11/cis_sles11_linux_rcl.yml | 81 ++++++++++++---------------- 1 file changed, 34 insertions(+), 47 deletions(-) diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index 4581c25ec..fc38ddf3a 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml @@ -21,9 +21,10 @@ policy: requirements: title: "Check Suse 11 version" description: "Requirements for running the SCA scan against SUSE Linux Enterprise Server 11" - condition: all + condition: any rules: - 'f:/etc/os-release -> r:SUSE Linux Enterprise Server 11' + - 'f:/etc/SuSE-release -> r:SUSE Linux Enterprise Server 11' variables: $sshd_file: /etc/ssh/sshd_config @@ -54,7 +55,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nodev' - id: 7002 @@ -67,7 +67,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:nosuid' # 1.1.5 /tmp: noexec @@ -82,7 +81,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/tmp\s' - 'c:mount -> r:\s/tmp\s && r:noexec' # 1.1.6 Build considerations - Partition scheme. @@ -152,7 +150,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/home\s' - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.15 /dev/shm: nodev 
@@ -166,7 +163,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/dev/shm\s' - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid @@ -180,7 +176,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/dev/shm\s' - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec @@ -195,7 +190,6 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'not c:mount -> r:\s/dev/shm\s' - 'c:mount -> r:\s/dev/shm\s && r:noexec' ############################################### @@ -213,7 +207,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:/boot/grub/menu.lst -> !r:^# && r:password --md5' + - 'f:/boot/grub/menu.lst -> r:^password --md5' ############################################### # 1.5 Additional Process Hardening @@ -229,9 +223,9 @@ checks: - cis_csc: "13" condition: all rules: - - 'c:ulimit -H -c -> 0' - - 'c:sysctl fs.suid_dumpable -> r:= 0$' - - 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' + - 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0\s*$' + - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7017 @@ -244,8 +238,8 @@ checks: - cis_csc: "8.4" condition: all rules: - - 'c:grep -Rh kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/ -> r:= 2$' - - 'c:/sbin/sysctl kernel.randomize_va_space -> r:=\s*2$' + - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$' + - 'c:sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2' ############################################### # 2 OS Services 
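Review bot: The new limits.conf rule's pattern `\s*\t*0$` has only optional whitespace before the `0`, so it matches any value that merely ends in 0 — `* hard core 10` or `* hard core 100` pass the check exactly like `0` — whereas the pattern it replaced, `\s0$|\t0$`, required a delimiter before the digit. `r:\s0$|\t0$` restores that. The same `\s*\t*2$` form was introduced for kernel.randomize_va_space in the Debian 8 hunk earlier on this page; it is less likely to matter there since that sysctl only takes 0, 1 or 2, but keeping the delimiter in both places is safer and consistent.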
@@ -264,8 +258,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*chargen:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*chargen-udp:\s*\t*on' + - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on' - id: 7019 title: "Ensure daytime services are not enabled" @@ -277,8 +270,8 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*daytime:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*daytime-udp:\s*\t*on' + - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on' + - id: 7020 title: "Ensure discard services are not enabled" @@ -290,8 +283,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*discard:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*discard-udp:\s*\t*on' + - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on' - id: 7021 title: "Ensure echo services are not enabled" @@ -303,8 +295,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*echo:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*echo-udp:\s*\t*on' + - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on' - id: 7022 title: "Ensure time services are not enabled" @@ -316,8 +307,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*time:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*time-udp:\s*\t*on' + - 'c:chkconfig --list -> r:time:|time-udp: && r::on' - id: 7023 title: "Ensure rsh server is not enabled" @@ -331,9 +321,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*rexec:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*rlogin:\s*\t*on' - - 'c:chkconfig --list -> \s*\t*rsh:\s*\t*on' + - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on' - id: 7024 title: "Ensure talk server is not enabled" @@ -347,7 +335,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*talk:\s*\t*on' + - 'c:chkconfig --list -> r:talk: && r::on' - id: 7025 title: "Ensure telnet server is not enabled" 
@@ -361,7 +349,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*telnet:\s*\t*on' + - 'c:chkconfig --list -> r:telnet: && r::on' - id: 7026 title: "Ensure tftp server is not enabled" @@ -375,7 +363,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list -> \s*\t*tftp:\s*\t*:on' + - 'c:chkconfig --list -> r:tftp: && r::on' - id: 7027 title: "Ensure rsync service is not enabled" @@ -387,7 +375,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list -> r:rsync: && r:on' + - 'c:chkconfig --list -> r:rsync: && r::on' ############################################### # 2 Special Purpose Services @@ -434,7 +422,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:systemctl is-enabled avahi-daemon -> r:enabled' + - 'c:chkconfig --list -> r:avahi-daemon && r::on' - id: 7031 title: "Ensure DHCP Server is not enabled" @@ -446,7 +434,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list dhcpd -> r:dhcpd && r:on' + - 'c:chkconfig --list -> r:dhcpd && r::on' # 2.2.7 Disable NFS and RPC (Not Scored) - id: 7032 @@ -460,8 +448,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list nfs -> r:nfs && r:on' - - 'c:chkconfig --list rpcbind -> r:rpcbind && r:on' + - 'c:chkconfig --list -> r:nfs|rpcbind && r::on' - id: 7033 title: "Ensure DNS Server is not enabled" @@ -474,7 +461,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list named -> r:named && r:on' + - 'c:chkconfig --list -> r:named && r::on' - id: 7034 title: "Ensure FTP Server is not enabled" @@ -487,7 +474,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list vsftpd -> r:vsftpd && r:on' + - 'c:chkconfig --list -> r:vsftpd && r::on' # 2.2.10 Remove HTTP Server (Not Scored) - id: 7035 
@@ -500,7 +487,7 @@ checks: - cis_csc: "9.1" condition: none rules: - - 'c:chkconfig --list apache2 -> r:apache2 && r:on' + - 'c:chkconfig --list -> r:apache2 && r::on' - id: 7036 title: "Ensure IMAP and POP3 server is not enabled" @@ -513,7 +500,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list cyrus -> r:cyrus && r:on' + - 'c:chkconfig --list cyrus -> r:cyrus && r::on' # 2.2.12 Remove Samba (Not Scored) - id: 7037 @@ -527,7 +514,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list smb -> r:smb && r:on' + - 'c:chkconfig --list -> r:smb && r::on' - id: 7038 title: "Ensure HTTP Proxy Server is not enabled" @@ -540,7 +527,7 @@ checks: - pci_dss: "2.2.2" condition: none rules: - - 'c:chkconfig --list squid -> r:squid && r:on' + - 'c:chkconfig --list -> r:squid && r::on' - id: 7039 title: "Ensure SNMP Server is not enabled" @@ -553,7 +540,7 @@ checks: - pci_dss: "2.2.2" condition: node rules: - - 'c:chkconfig --list snmpd -> r:snmpd && r:on' + - 'c:chkconfig --list -> r:snmpd && r::on' - id: 7040 title: "Ensure NIS Server is not enabled" @@ -567,7 +554,7 @@ checks: - nist_800_53: "CM.1" condition: none rules: - - 'c:chkconfig --list ypserv -> r:ypserv && r:on' + - 'c:chkconfig --list -> r:ypserv && r::on' # Section 2.3 - Service Clients - id: 7041 @@ -602,8 +589,8 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$' + - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 7044 
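Review bot: The cyrus rule still runs `chkconfig --list cyrus` while every other service check in this series was changed to the bare `chkconfig --list` followed by a service-name regex; with the argument form, a host without that service registered presumably gets an error line instead of the service line, which is harmless under `condition: none` but leaves this as the one check whose command differs from its siblings. For consistency with ids 7030–7040: `- 'c:chkconfig --list -> r:cyrus && r::on'`.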
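Review bot: The SNMP check's `condition: node` line, carried as context just above the rewritten rule, looks like a typo for `none`; it is not one of the values the sibling checks use (`all`, `any`, `none`), so the outcome of check 7039 depends on how the SCA parser treats an unknown condition rather than on its rule. Fix: `condition: none`.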
@@ -617,10 +604,10 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$' - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:=\s*0$' ############################################### # 3.2 Modify Network Parameters (Host and Router) @@ -705,7 +692,7 @@ checks: condition: all rules: - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' - - 'c:/sbin/sysctl net.ipv4.icpm_echo_ignore_broadcasts -> r:=\s*1$' + - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - id: 7050 From 1b46d9b517a86ef1c7dd6b122b39cf903141760c Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Thu, 27 Jun 2019 17:09:16 +0200 Subject: [PATCH 148/247] Add rule for chrony and some references --- sca/debian/cis_debian8_L1.yml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index ceca913bb..8ca6ad761 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml 
@@ -389,7 +389,19 @@ checks: - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$' - 'f:/etc/ntp.conf -> r:^server\s\.+' - - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' + - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' + + - id: 11027 + title: "Ensure chrony is configured" + description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server." + rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system." + remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server " + compliance: + - cis: "2.2.1.3" + - cis_csc: "6.1" + condition: all + rules: + - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' - id: 11028 title: "Ensure Avahi Server is not enabled" @@ -411,6 +423,8 @@ checks: compliance: - cis: "2.2.4" - cis_csc: "9.1, 9.2" + references: + - https://www.cups.org condition: none rules: - 'c:systemctl is-enabled cups -> r:^enabled' From f9346befc5c0cabec4279602bc5c1fadc7257c89 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Thu, 27 Jun 2019 10:05:11 -0700 Subject: [PATCH 149/247] Update of Debian 7 policies and some minor fixes --- sca/debian/cis_debian7_L1.yml | 72 +++------------ sca/debian/cis_debian7_L2.yml | 166 ++++++++++++++++++---------------- sca/debian/cis_debian8_L1.yml | 4 +- sca/debian/cis_debian8_L2.yml | 2 +- 4 files changed, 107 insertions(+), 137 deletions(-) diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml index 3aae7b362..05bb456a5 100644 
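Review bot: The new chrony rule reads `f:/etc/chrony.conf`, but the remediation text of the same check names `/etc/chrony/chrony.conf`, which is the path the Debian package uses; as written, check 11027 fails on a correctly configured Debian 8 host and only passes on a non-Debian layout. The rule should be `- 'f:/etc/chrony/chrony.conf -> r:^server\.+$|^pool\.+$'`. The remediation string also ends in a dangling `server ` — presumably the example line was cut off. Since the rationale states the recommendation only applies when chrony is in use, note that `condition: all` makes the check fail outright on ntp-only hosts; whether that is acceptable is a policy decision.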
--- a/sca/debian/cis_debian7_L1.yml +++ b/sca/debian/cis_debian7_L1.yml @@ -530,8 +530,6 @@ checks: rules: - 'c:find /etc/rc* -name *snmpd* -> r:S\.' -# ToDo - - id: 10542 title: "Configure Mail Transfer Agent for Local-Only Mode" description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail." @@ -541,7 +539,7 @@ checks: - cis: "6.15" condition: all rules: - - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:''127.0.0.1\s*\p\s*::1''$|''::1\s*\p\s*127.0.0.1''$|''127.0.0.1''$|''::1''$' + - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:\p127.0.0.1\s*\p\s*::1\p$|\p::1\s*\p\s*127.0.0.1\p$|\p127.0.0.1\p$|\p::1\p$' - id: 10543 title: "Ensure rsync service is not enabled" @@ -553,9 +551,10 @@ checks: condition: none rules: - 'c:dpkg -s rsync -> install ok installed' - - 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false' + - 'not f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false' # 7 Network Configuration and Firewall + - id: 10544 title: "Disable IP Forwarding" description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0." @@ -703,7 +702,7 @@ checks: remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p" compliance: - cis: "7.3.3" - condition: none + condition: all rules: - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$' - 'c:sysctl net.ipv6.conf.default.disable_ipv6 -> r:=\s*\t*1$' 
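Review bot: The `not` added to the rsync rule (`@@ -553,9 +551,10`) interacts badly with the `condition: none` above it: if `none` passes only when no rule matches, a host without `/etc/default/rsync` now fails (the file rule does not match, so `not` turns it into a match), and a host with rsync installed fails on the dpkg rule regardless of `RSYNC_ENABLE`, so the installed-but-disabled state the remediation aims for cannot pass. Inverting the condition expresses the intent directly: `condition: any`, `- 'not c:dpkg -s rsync -> install ok installed'`, `- 'f:/etc/default/rsync -> !r:^# && r:RSYNC_ENABLE\s*\t*=\s*\t*false'`. Check 10543 starts above this hunk.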
@@ -793,6 +792,7 @@ checks: - 'c:find /etc/rc* -name *iptables-persistent* -> r:S\.' # 8 Logging and Auditing + - id: 10564 title: "Ensure the rsyslog Service is activated" description: "Once the rsyslog package is installed it needs to be activated." 
@@ -804,33 +804,6 @@ checks: rules: - 'c:find /etc/rc* -name *rsyslog* -> r:S\.' - - id: 10565 - title: "Configure /etc/rsyslog.conf" - description: "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." - rationale: "A great deal of important security-related information is sent via rsyslog (e.g., successful and failed su attempts, failed login attempts, root login attempts, etc.)." - remediation: "Edit the following lines in the /etc/rsyslog.conf or /etc/rsyslog.d/* file as appropriate for your environment: *.emerg :omusrmsg:* mail.* -/var/log/mail mail.info -/var/log/mail.info mail.warning -/var/log/mail.warn mail.err -/var/log/news/news.crit news.err -/var/log/news/news.err news.notice -/var/log/news/news.notice *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none -/var/log/messages local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages Execute the following command to restart rsyslogd # pkill -HUP rsyslogd" - compliance: - - cis: "8.2.3" - references: - - rsyslog.conf(5) man page - condition: all - rules: - - 'c:grep -R ^*.emerg\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.info\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.warning\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^mail.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^news.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^news.err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^news.notice\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^*.=warning;*.=err\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^*.crit\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^*.*;mail.none;news.none\s*\t*\s*\S 
/etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local0,local1.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local2,local3.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local4,local5.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - 'c:grep -R ^local6,local7.*\s*\t*\s*\S /etc/rsyslog.conf /etc/rsyslog.d/' - - id: 10566 title: "Configure rsyslog to Send Logs to a Remote Log Host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." @@ -842,7 +815,7 @@ checks: - rsyslog.conf(5) man page condition: all rules: - - 'f:/etc/rsyslog.conf -> r:^*.* @@\w+.\w+.\w+' + - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+' - id: 10567 title: "Accept Remote rsyslog Messages Only on Designated Log Hosts" 
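Review bot: The new rule for check 10566 (`@@ -842,7 +815,7`) is narrower than the command it runs: the grep pattern `^*.*[^I][^I]*@` deliberately accepts a single `@` target, but the SCA pattern `r:^*.* @@\.+` then requires `@@`, so a host forwarding over UDP (`*.* @loghost`) fails the check even though the grep found a remote target. If single-`@` targets are acceptable under site policy, `r:^*.* @@\.+|^*.* @\.+` matches both forms. The grep pattern is also passed unquoted; if the command is executed through a shell, `*` and `[^I]` are subject to filename expansion in the working directory, which quoting the pattern avoids.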
@@ -855,22 +828,11 @@ checks: - rsyslog.conf(8) man page condition: all rules: - - 'c:grep -R ^\$ModLoad imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so' - - 'c:grep -R ^\$InputTCPServerRun 514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514' - - - id: 10568 - title: "Configure logrotate" - description: "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/rsyslog is the configuration file used to rotate log files created by rsyslog." - rationale: "By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files." - remediation: "Edit the /etc/logrotate.d/rsyslog file to include appropriate system logs according to your site policy." - compliance: - - cis: "8.4" - condition: all - rules: - - 'f:/etc/logrotate.d/rsyslog' - - 'f:/etc/logrotate.d/rsyslog -> r:\S+' + - 'c:grep -Rh ^\$ModLoad[[:space:]][[:space:]]*imtcp.so /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$ModLoad\s*\t*imtcp.so' + - 'c:grep -Rh ^\$InputTCPServerRun[[:space:]][[:space:]]*514 /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^$InputTCPServerRun\s*\t*514' # 9 System Access, Authentication and Authorization + - id: 10569 title: "Enable cron Daemon" description: "The cron daemon is used to execute batch jobs on the system." 
@@ -880,22 +842,16 @@ checks: - cis: "9.1.1" condition: all rules: - - 'f:/etc/rc2.d/S15anacron' - - 'f:/etc/rc2.d/S15cron' - - 'f:/etc/rc3.d/S15anacron' - - 'f:/etc/rc3.d/S15cron' - - 'f:/etc/rc4.d/S15anacron' - - 'f:/etc/rc4.d/S15cron' - - 'f:/etc/rc5.d/S15anacron' - - 'f:/etc/rc5.d/S15cron' + - 'c:find /etc/rc* -name *cron* -> r:S\.' + - 'c:find /etc/rc* -name *anacron* -> r:S\.' - id: 10570 - title: "Ensure at/cron is restricted to authorized users" + title: "Restrict at/cron to Authorized Users" description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" compliance: - - cis: "5.1.8" + - cis: "9.1.8" condition: all rules: - 'f:/etc/cron.allow' 
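Review bot: The new `find /etc/rc* -name *cron* -> r:S\.` rules for check 10569 match more than start links: in the OSSEC regex dialect `\.` is any character, so `S\.` also matches the `rcS.d` directory component of any path `find` prints there (a `K` link included), and `-name *cron*` already covers the anacron links, which makes the second rule redundant as written. Anchoring on the link name itself, `- 'c:find /etc/rc* -name *cron* -> r:/S\d+cron$'` and `- 'c:find /etc/rc* -name *anacron* -> r:/S\d+anacron$'`, tests the start link and keeps the two rules distinct. The same `r:S\.` pattern is used by the auditd rule added in `@@ -173,7 +171,19` of cis_debian7_L2.yml further down.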
@@ -905,6 +861,8 @@ checks: - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600' - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600' +# ToDo + - id: 10571 title: "Set Password Creation Requirement Parameters Using pam_cracklib" description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies." diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml index ca5dac2be..887b14e21 100644 --- a/sca/debian/cis_debian7_L2.yml +++ b/sca/debian/cis_debian7_L2.yml @@ -30,7 +30,7 @@ checks: # 2 Filesystem Configuration - - id: 11000 + - id: 15000 title: "Disable Mounting of cramfs Filesystems" description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
@@ -42,7 +42,7 @@ checks: - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:cramfs' - - id: 11001 + - id: 15001 title: "Disable Mounting of freevxfs Filesystems" description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -54,7 +54,7 @@ checks: - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:freevxfs' - - id: 11002 + - id: 15002 title: "Disable Mounting of jffs2 Filesystems" description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -66,7 +66,7 @@ checks: - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:jffs2' - - id: 11003 + - id: 15003 title: "Disable Mounting of hfs Filesystems" description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -78,7 +78,7 @@ checks: - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:hfs' - - id: 11004 + - id: 15004 title: "Disable Mounting of hfsplus Filesystems" description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
@@ -90,7 +90,7 @@ checks: - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:hfsplus' - - id: 11005 + - id: 15005 title: "Disable Mounting of squashfs Filesystems" description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -102,7 +102,7 @@ checks: - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:squashfs' - - id: 11006 + - id: 15006 title: "Disable Mounting of udf Filesystems" description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -116,7 +116,7 @@ checks: # 4 Additional Process Hardening - - id: 11007 + - id: 15007 title: "Activate AppArmor" description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." 
@@ -129,10 +129,8 @@ checks: - 'c:apparmor_status -> r:^0\s*processes are in complain mode' - 'c:apparmor_status -> r:^0\s*processes are unconfined' -# ToDo - # 8.1 Configure System Accounting (auditd) - - id: 11008 + - id: 15008 title: "Configure Audit Log Storage Size" description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." @@ -145,7 +143,7 @@ checks: - 'f:/etc/audit/auditd.conf' - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' - - id: 11009 + - id: 15009 title: "Disable System on Audit Log Full" description: "The auditd daemon can be configured to halt the system when the audit logs are full." rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." @@ -160,7 +158,7 @@ checks: - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' - - id: 11010 + - id: 15010 title: "Keep All Auditing Information" description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." 
@@ -173,7 +171,19 @@ checks: - 'f:/etc/audit/auditd.conf' - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' - - id: 11011 + - id: 15011 + title: "Install and Enable auditd Service" + description: "Install and turn on the auditd daemon to record system events." + rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." + remediation: "Install auditd: # apt-get install auditd If needed enable auditd in /etc/rc*.d: # update-rc.d auditd enable" + compliance: + - cis: "8.1.2" + condition: all + rules: + - 'c:dpkg -s auditd -> r:install ok installed' + - 'c:find /etc/rc* -name *auditd* -> r:S\.' + + - id: 15012 title: "Enable Auditing for Processes That Start Prior to auditd" description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." 
@@ -182,9 +192,9 @@ checks: - cis: "8.1.3" condition: all rules: - - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' + - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*' - - id: 11012 + - id: 15013 title: "Record Events That Modify Date and Time Information" description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." 
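Review bot: Replacing `\.*` with `\p*` in the GRUB rule narrows it to the point of false failures: if `\p` is the punctuation class of the OSSEC regex dialect (while `\.` is any character), `^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1` only matches when `audit=1` is the first word after the opening quote, so `GRUB_CMDLINE_LINUX="quiet audit=1"` no longer passes check 15012. Splitting the pattern into two clauses, `- 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*= && r:audit\s*=\s*1'`, accepts the setting anywhere on the line without reverting to `\.*`. The check's header lines are above this hunk.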
@@ -195,13 +205,13 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S clock_settime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S clock_settime -k time-change' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime -p wa -k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b32 && r:-S clock_settime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b64 && r:-S clock_settime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime && r:-p wa && r:-k time-change' - - id: 11013 + - id: 15014 title: "Record Events That Modify User/Group Information" description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." 
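Review bot: The rewritten `arch=b64` time-change rule still requires `r:-S stime`, but `stime` is a 32-bit-only syscall (the x86_64 syscall table has no entry for it and auditctl rejects it for `arch=b64`), so the line this rule demands cannot be loaded and check 15013 fails on every 64-bit host; the b64 rule should be `- 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-k time-change'`. The other rules in this hunk accept only `always,exit`, whereas the later hunks (`@@ -229,14 +239,14`, `@@ -290,14 +300,14`) accept `always,exit|exit,always`; one convention across the file would avoid order-dependent results. Check 15013's header is above this hunk.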
@@ -212,13 +222,13 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/group -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow -p wa -k identity' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd -p wa -k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/group && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/passwd && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/gshadow && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow && r:-p wa && r:-k identity' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd && r:-p wa && r:-k identity' - - id: 11014 + - id: 15015 title: "Record Events That Modify the System's Network Environment" description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files." rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. 
Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" 
@@ -229,14 +239,14 @@ checks: rules: - 'f:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts -p wa -k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/network -p wa -k system-locale' - - - id: 11015 + - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-a exit,always|always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/issue.net && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/network && r:-p wa && r:-k system-locale' + + - id: 15016 title: "Record Events That Modify the System's Mandatory Access Controls" description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." 
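Review bot: The two `-a` rules of check 15015 were not converted consistently with the rest of the series. The b64 rule keeps a single regex `^-a exit,always|always,exit -F arch=b64 …`, where `|` splits the whole pattern into two alternatives, so the first alternative `^-a exit,always` matches any `-a exit,always` line and the sethostname/setdomainname requirement is effectively dropped; the b32 rule ends with `r:-S setdomainname -k system-locale`, which demands those two options be adjacent while every other clause is order-independent. Both should use the `&&` form: `- 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'` and the same line with `arch=b64`. The check's header lines are above this hunk.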
@@ -247,24 +257,24 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ -p wa -k MAC-policy' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ && r:-p wa && r:-k MAC-policy' - - id: 11016 + - id: 15017 title: "Collect Login and Logout Events" description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module" rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." - remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" + remediation: "Add the following lines to the /etc/audit/audit.&& r:rules file. 
-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - cis: "8.1.8" condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog -p wa -k logins' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog -p wa -k logins' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog -p wa -k logins' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/faillog && r:-p wa && r:-k logins' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog && r:-p wa && r:-k logins' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog && r:-p wa && r:-k logins' - - id: 11017 + - id: 15018 title: "Collect Session Initiation Information" description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\"" rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." 
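Review bot: The remediation string of check 15017 was damaged by the search-and-replace that introduced the `&& r:` clauses: it now reads `/etc/audit/audit.&& r:rules file.` and should read `/etc/audit/audit.rules file.`. The description of check 15019 in the next hunk (`@@ -275,13 +285,13`) carries the same artifact, `file permis&& r:sions`, which should be `file permissions`. Both are text presumably surfaced in scan results rather than rule syntax, so a search for `&& r:` outside `rules:` entries would confirm no other prose was touched.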
@@ -275,13 +285,13 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp -p wa -k session' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp -p wa -k session' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp -p wa -k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/run/utmp && r:-p wa && r:-k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp && r:-p wa && r:-k session' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp && r:-p wa && r:-k session' - - id: 11018 + - id: 15019 title: "Collect Discretionary Access Control Permission Modification Events" - description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" + description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permis&& r:sions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. 
In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: 
@@ -290,14 +300,14 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' - - - id: 11019 + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && 
r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + + - id: 15020 title: "Collect Unsuccessful Unauthorized Access Attempts to Files" description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." 
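Review bot: The new rules for 15019 only match the repeated `-S name` spelling of the syscall list (`r:-S chmod && r:-S fchmod && r:-S fchmodat`), so an audit rule written with auditctl's comma-separated form, `-S chmod,fchmod,fchmodat`, is the same rule to the kernel but fails this check; the same applies to the access, mount, delete and module rules in the following hunks. The `-F auid!=4294967295` clause has a similar gap on auditctl builds that accept the `unset` alias, which `r:-F auid!=4294967295|-F auid!=unset` would cover. Either widen each `-S` clause to accept both spellings or add a parallel rule per check for the comma form; which of those fits depends on the check's `condition`, which is outside this hunk.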
@@ -308,11 +318,12 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' - - id: 11020 + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + + - id: 15021 title: "Collect Successful File System Mounts" description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. 
The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." 
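Review bot: These rules for 15020 accept only `-F auid>=1000`, while the check's description (context at the end of the previous hunk) tells the reader a record is written for `auid > = 500`, so a system configured to match that text fails the check. Align the description with the rules, `(auid >= 1000)`, which also removes the `> =` typo, or accept both thresholds in the rule if 500 is still intended for older installs. The description line itself is outside this hunk.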
@@ -323,9 +334,10 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - - id: 11021 + - id: 15022 title: "Collect File Deletion Events by User" description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"." rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." 
@@ -336,10 +348,10 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete' - - id: 11022 + - id: 15023 title: "Collect Changes to System Administration Scope (sudoers)" description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"" rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity." 
@@ -350,9 +362,9 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers -p wa -k scope' + - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers && r:-p wa && r:-k scope' - - id: 11023 + - id: 15024 title: "Collect System Administrator Actions (sudolog)" description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log." rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed." 
@@ -363,9 +375,9 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log -p wa -k actions' + - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log && r:-p wa && r:-k actions' - - id: 11024 + - id: 15025 title: "Collect Kernel Module Loading and Unloading" description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"." rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules." 
@@ -376,12 +388,12 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod -p x -k modules' - - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod -p x -k modules' - - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe -p x -k modules' - - 'f:/etc/audit/audit.rules -> r:^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules|^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/insmod && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/rmmod && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules' - - id: 11025 + - id: 15026 title: "Make the Audit Configuration Immutable" description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot" rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes." @@ -395,7 +407,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-e 2$' # 8.3 Advanced Intrusion Detection Environment (AIDE) - - id: 11026 + - id: 15027 title: "Install AIDE" description: "In some installations, AIDE is not installed automatically" rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system." 
@@ -406,7 +418,7 @@ checks: rules: - 'c:dpkg -s aide -> r:install ok installed' - - id: 11027 + - id: 15028 title: "Implement Periodic Execution of File Integrity" description: "Implement periodic file checking, in compliance with site policy" rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion." diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 8ca6ad761..90d0a009b 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -389,8 +389,8 @@ checks: - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$' - 'f:/etc/ntp.conf -> r:^server\s\.+' - - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' - + - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' + - id: 11027 title: "Ensure chrony is configured" description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server." diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 0943cd4bb..cda0d786e 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -135,7 +135,7 @@ checks: - cis: "2.2.4" - cis_csc: "9.1, 9.2" references: - - 'http://www.cups.org' + - 'https://www.cups.org' condition: none rules: - 'c:systemctl is-enabled cups -> r:^enabled' From 7d51a9986dece359ef593063025c1b37b6fe76af Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Fri, 28 Jun 2019 11:52:39 +0200 Subject: [PATCH 150/247] Add Debian 9 checks --- sca/debian/cis_debian9_L1.yml | 1292 +++++++++++++++++++++++++++++++++ sca/debian/cis_debian9_L2.yml | 466 ++++++++++++ 2 files changed, 1758 insertions(+) create mode 100644 sca/debian/cis_debian9_L1.yml create mode 100644 sca/debian/cis_debian9_L2.yml diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml new file mode 100644 index 000000000..ca5b4fbe0 --- /dev/null +++ b/sca/debian/cis_debian9_L1.yml 
@@ -0,0 +1,1292 @@ +# Security Configuration assessment +# Level 1 CIS Checks for Debian Linux 9 +# Copyright (C) 2015-2019, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation +# +# Based on: +# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 + +policy: + id: "cis_debian9_L1" + file: "cis_debian9_L1.yml" + name: "CIS benchmark for Debian/Linux 9 L1" + description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9." + references: + - https://www.cisecurity.org/cis-benchmarks/ + +requirements: + title: "Check Debian version" + description: "Requirements for running the SCA scan against Debian/Ubuntu." + condition: all + rules: + - 'f:/etc/debian_version' + - 'f:/proc/sys/kernel/ostype -> Linux' + +checks: +# 1.1.1 Disable unused filesystems + - id: 16000 + title: "Ensure mounting of freevxfs filesystems is disabled" + description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." 
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs" + compliance: + - cis: "1.1.1.1" + - cis_csc: "5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' + - 'not c:lsmod -> r:freevxfs' + + - id: 16001 + title: "Ensure mounting of jffs2 filesystems is disabled" + description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2" + compliance: + - cis: "1.1.1.2" + - cis_csc: "5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' + - 'not c:lsmod -> r:jffs2' + + - id: 16002 + title: "Ensure mounting of hfs filesystems is disabled" + description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." 
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs" + compliance: + - cis: "1.1.1.3" + - cis_csc: "5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' + - 'not c:lsmod -> r:hfs' + + - id: 16003 + title: "Ensure mounting of hfsplus filesystems is disabled" + description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." + remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus" + compliance: + - cis: "1.1.1.4" + - cis_csc: "5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' + - 'not c:lsmod -> r:hfsplus' + + - id: 16004 + title: "Ensure mounting of udf filesystems is disabled" + description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats." + rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." 
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf" + compliance: + - cis: "1.1.1.5" + - cis_csc: "5.1" + condition: all + rules: + - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' + - 'not c:lsmod -> r:udf' + +# 2 Filesystem Configuration + - id: 16005 + title: "Ensure /tmp is configured" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." + remediation: "Configure /etc/fstab as appropriate. 
Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount" + compliance: + - cis: "1.1.2" + - cis_csc: "5.1" + references: + - http://tldp.org/HOWTO/LVM-HOWTO/ + - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ + condition: any + rules: + - 'c:mount -> r:\s/tmp\s' + + - id: 16006 + title: "Ensure nodev option set on /tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." + remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount and run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount" + compliance: + - cis: "1.1.3" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/tmp\s && r:nodev' + + - id: 16007 + title: "Ensure nosuid option set on /tmp partition" + description: "The nosuid mount option specifies that the filesystem cannot contain set userid files." + rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." 
+ remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,nodev /tmp" + compliance: + - cis: "1.1.4" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/tmp\s && r:nosuid' + + - id: 16008 + title: "Ensure nodev option set on /var/tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp" + compliance: + - cis: "1.1.8" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/var/tmp\s && r:nodev' + + - id: 16009 + title: "Ensure nosuid option set on /var/tmp partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. 
Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp" + compliance: + - cis: "1.1.9" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/var/tmp\s && r:nosuid' + + - id: 16010 + title: "Ensure noexec option set on /var/tmp partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp" + compliance: + - cis: "1.1.10" + - cis_csc: "2.6" + condition: all + rules: + - 'c:mount -> r:\s/var/tmp\s && r:noexec' + + - id: 16011 + title: "Ensure nodev option set on /home partition" + description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. 
# mount -o remount,nodev /home" + compliance: + - cis: "1.1.14" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/home\s && r:nodev' + + - id: 16012 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm" + compliance: + - cis: "1.1.15" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/dev/shm\s && r:nodev' + + - id: 16013 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm" + compliance: + - cis: "1.1.16" + - cis_csc: "5.1" + condition: all + rules: + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' + + - id: 16014 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." 
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm" + compliance: + - cis: "1.1.17" + - cis_csc: "2.6, 8" + condition: all + rules: + - 'c:mount -> r:\s/dev/shm\s && r:noexec' + + - id: 16015 + title: "Disable Automounting" + description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." + rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." + remediation: "Disable autofs: # update-rc.d autofs disable" + compliance: + - cis: "1.1.21" + - cis_csc: "8.4, 8.5" + condition: none + rules: + - 'c:systemctl is-enabled autofs -> r:^enabled' + +# 1.3 Filesystem Integrity Checking + - id: 16016 + title: "Ensure AIDE is installed" + description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system." + rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries." + remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit" + compliance: + - cis: "1.3.1" + - cis_csc: "14.9" + condition: all + rules: + - 'c:dpkg -s aide -> r:install ok installed' + + - id: 16017 + title: "Ensure filesystem integrity is regularly checked" + description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem." 
+ rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion." + remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy." + compliance: + - cis: "1.3.2" + - cis_csc: "14.9" + condition: all + rules: + - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check' + +# 1.4 Secure Boot Settings + - id: 16018 + title: "Ensure bootloader password is set" + description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." + rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." 
+ remediation: "1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" 3) Run the following to update the grub configuration: # update-grub" + compliance: + - cis: "1.4.2" + - cis_csc: "5.1" + condition: all + rules: + - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' + - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password' + + - id: 16019 + title: "Ensure authentication required for single user mode" + description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader." + rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." + remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" + compliance: + - cis: "1.4.3" + - cis_csc: "5.1" + condition: none + rules: + - 'f:/etc/shadow -> r:^root:*:|^root:!:' + +# 1.5 Additional Process Hardening + - id: 16020 + title: "Ensure core dumps are restricted" + description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." + rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). 
In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
+ remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0 and set the active kernel parameter."
+ compliance:
+ - cis: "1.5.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
+ - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$'
+ - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
+
+ - id: 16021
+ title: "Ensure address space layout randomization (ASLR) is enabled"
+ description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
+ rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
+ remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
+ compliance:
+ - cis: "1.5.3"
+ - cis_csc: "8.3"
+ condition: all
+ rules:
+ - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
+ - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
+
+# 1.7 Warning Banners
+ - id: 16022
+ title: "Ensure local login warning banner is configured properly"
+ description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform.
If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
+ remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
+ compliance:
+ - cis: "1.7.1.2"
+ - cis_csc: "5.1"
+ condition: none
+ rules:
+ - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue'
+
+# 2 Services
+ - id: 16023
+ title: "Ensure xinetd is not installed"
+ description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+ rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
+ remediation: "Run the following command to disable xinetd: # apt-get remove xinetd"
+ compliance:
+ - cis: "2.1.1"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:dpkg -s xinetd -> r:install ok installed'
+
+ - id: 16024
+ title: "Ensure openbsd-inetd is not installed"
+ description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+ rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+ remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd"
+ compliance:
+ - cis: "2.1.2"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
+ - 'c:dpkg -s inetutils-inetd -> r:install ok installed'
+
+ - id: 16025
+ title: "Ensure ntp is configured"
+ description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
+ rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
+ remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
+ compliance:
+ - cis: "2.2.1.2"
+ - cis_csc: "6.1"
+ references:
+ - http://www.ntp.org/
+ condition: all
+ rules:
+ - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
+ - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
+ - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$'
+ - 'f:/etc/ntp.conf -> r:^server\s\.+'
+ - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
+
+ - id: 16026
+ title: "Ensure chrony is configured"
+ description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
+ rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
+ remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server "
+ compliance:
+ - cis: "2.2.1.3"
+ - cis_csc: "6.1"
+ condition: all
+ rules:
+ - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
+
+ - id: 16027
+ title: "Ensure Avahi Server is not enabled"
+ description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
+ rationale: "Automatic discovery of network services is not normally required for system functionality.
It is recommended to disable the service to reduce the potential attach surface."
+ remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
+ compliance:
+ - cis: "2.2.3"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
+
+ - id: 16028
+ title: "Ensure CUPS is not enabled"
+ description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+ rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable cups: # systemctl disable cups"
+ compliance:
+ - cis: "2.2.4"
+ - cis_csc: "9.2"
+ references:
+ - https://www.cups.org
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled cups -> r:^enabled'
+
+ - id: 16029
+ title: "Ensure DHCP Server is not enabled"
+ description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
+ rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
+ remediation: "Run the following commands to disable dhcpd: # systemctl disable isc-dhcp-server # systemctl disable isc-dhcp-server6"
+ references:
+ - https://www.isc.org/dhcp/
+ compliance:
+ - cis: "2.2.5"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
+ - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled'
+
+ - id: 16030
+ title: "Ensure LDAP server is not enabled"
+ description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP.
It is a service that provides a method for looking up information from a central database."
+ rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable slapd: # systemctl disable slapd"
+ compliance:
+ - cis: "2.2.6"
+ - cis_csc: "9.2"
+ references:
+ - https://www.openldap.org
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled slapd -> r:^enabled'
+
+ - id: 16031
+ title: "Ensure NFS and RPC are not enabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
+ compliance:
+ - cis: "2.2.7"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled nfs-server -> r:^enabled'
+ - 'c:systemctl is-enabled rpcbind -> r:^enabled'
+
+ - id: 16032
+ title: "Ensure DNS Server is not enabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable named: # systemctl disable bind9"
+ compliance:
+ - cis: "2.2.8"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled bind9 -> r:^enabled'
+
+ - id: 16033
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+ compliance:
+ - cis: "2.2.9"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled vsftpd -> r:^enabled'
+
+ - id: 16034
+ title: "Ensure HTTP Server is not enabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+ compliance:
+ - cis: "2.2.10"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled apache2 -> r:^enabled'
+
+ - id: 16035
+ title: "Ensure Samba is not enabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+ compliance:
+ - cis: "2.2.12"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled smbd -> r:^enabled'
+
+ - id: 16036
+ title: "Ensure HTTP Proxy Server is not enabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid: # systemctl disable squid"
+ compliance:
+ - cis: "2.2.13"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled squid -> r:^enabled'
+
+ - id: 16037
+ title: "Ensure SNMP Server is not enabled"
+ description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
+ rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
+ remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
+ compliance:
+ - cis: "2.2.14"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled snmpd -> r:^enabled'
+
+ - id: 16038
+ title: "Ensure rsync service is not enabled"
+ description: "The rsyncd service can be used to synchronize files between systems over network links."
+ rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Run the following command to disable rsync: # systemctl disable rsync"
+ compliance:
+ - cis: "2.2.16"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled rsync -> r:^enabled'
+
+ - id: 16039
+ title: "Ensure NIS Client is not installed"
+ description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
+ remediation: "Uninstall the nis package: # apt-get remove nis"
+ compliance:
+ - cis: "2.3.1"
+ - cis_csc: "2.6"
+ condition: none
+ rules:
+ - 'c:dpkg -s nis -> r:install ok installed'
+
+ - id: 16040
+ title: "Ensure rsh client is not installed"
+ description: "The rshpackage contains the client commands for the rsh services."
+ rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
+ remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+ compliance:
+ - cis: "2.3.2"
+ - cis_csc: "2.6, 4.5"
+ condition: none
+ rules:
+ - 'c:dpkg -s rsh-client -> r:install ok installed'
+ - 'c:dpkg -s rsh-redone-client -> r:install ok installed'
+
+ - id: 16041
+ title: "Ensure talk client is not installed"
+ description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
+ rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
+ remediation: "Run the following command to uninstall talk: apt-get remove talk"
+ compliance:
+ - cis: "2.3.3"
+ - cis_csc: "2.6"
+ condition: none
+ rules:
+ - 'c:dpkg -s talk -> r:install ok installed'
+
+ - id: 16042
+ title: "Ensure telnet client is not installed"
+ description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+ remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+ compliance:
+ - cis: "2.3.4"
+ - cis_csc: "2.6, 4.5"
+ condition: none
+ rules:
+ - 'c:dpkg -s telnet -> r:install ok installed'
+
+# 3 Network Configuration
+ - id: 16043
+ title: "Ensure IP forwarding is disabled"
+ description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "3.1.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+ - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
+
+ - id: 16044
+ title: "Ensure packet redirect sending is disabled"
+ description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
+ rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
+ remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.1.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
+
+ - id: 16045
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems.
If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "3.2.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+
+ - id: 16046
+ title: "Ensure ICMP redirects are not accepted"
+ description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an
alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
+ rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "3.2.2"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
+ - 'c:sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
+
+ - id: 16047
+ title: "Ensure secure ICMP redirects are not accepted"
+ description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
+ rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.3"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
+
+ - id: 16048
+ title: "Ensure suspicious packets are logged"
+ description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
+ rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1.
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.4"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
+ - 'c:sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
+
+ - id: 16049
+ title: "Ensure broadcast ICMP requests are ignored"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1.
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.5"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+
+ - id: 16050
+ title: "Ensure bogus ICMP responses are ignored"
+ description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
+ rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.6"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
+
+ - id: 16051
+ title: "Ensure Reverse Path Filtering is enabled"
+ description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
+ rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.7"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
+ - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
+
+ - id: 16052
+ title: "Ensure TCP SYN Cookies is enabled"
+ description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number.
This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
+ rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
+ compliance:
+ - cis: "3.2.8"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
+ - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
+
+ - id: 16053
+ title: "Ensure IPv6 router advertisements are not accepted"
+ description: "This setting disables the systems ability to accept router advertisements"
+ rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0.
Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
+ compliance:
+ - cis: "3.2.9"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
+ - 'c:sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
+
+ - id: 16054
+ title: "Ensure /etc/hosts.allow is configured"
+ description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
+ rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
+ remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
+ compliance:
+ - cis: "3.3.2"
+ - cis_csc: "9.4"
+ condition: all
+ rules:
+ - 'f:/etc/hosts.allow'
+
+ - id: 16055
+ title: "Ensure /etc/hosts.deny is configured"
+ description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
+ rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
+ remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
+ compliance:
+ - cis: "3.3.3"
+ - cis_csc: "9.4"
+ condition: all
+ rules:
+ - 'f:/etc/hosts.deny'
+ - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
+
+ - id: 16056
+ title: "Ensure DCCP is disabled"
+ description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
+ rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
+ compliance:
+ - cis: "3.4.1"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'not c:modprobe -n -v dccp -> r:install /bin/true'
+ - 'c:lsmod -> r:dccp'
+
+ - id: 16057
+ title: "Ensure SCTP is disabled"
+ description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
+ compliance:
+ - cis: "3.4.2"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'not c:modprobe -n -v sctp -> r:install /bin/true'
+ - 'c:lsmod -> r:sctp'
+
+ - id: 16058
+ title: "Ensure RDS is disabled"
+ description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
+ compliance:
+ - cis: "3.4.3"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'not c:modprobe -n -v rds -> r:install /bin/true'
+ - 'c:lsmod -> r:rds'
+
+ - id: 16059
+ title: "Ensure TIPC is disabled"
+ description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
+ rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
+ remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
+ compliance:
+ - cis: "3.4.4"
+ - cis_csc: "9.2"
+ condition: none
+ rules:
+ - 'not c:modprobe -n -v tipc -> r:install /bin/true'
+ - 'c:lsmod -> r:tipc'
+
+# 3.5 Firewall configuration
+
+ - id: 16060
+ title: "Ensure default deny firewall policy"
+ description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+ rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+ remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+ compliance:
+ - cis: "3.5.1.1"
+ - cis_csc: "9.4"
+ condition: all
+ rules:
+ - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP'
+ - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP'
+ - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP'
+
+ - id: 16061
+ title: "Ensure IPv6 default deny firewall policy"
+ description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
+ rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
+ remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP.
Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
+ compliance:
+ - cis: "3.5.2.1"
+ - cis_csc: "9.4"
+ condition: all
+ rules:
+ - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP'
+ - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP'
+ - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP'
+
+ - id: 16062
+ title: "Ensure iptables is installed"
+ description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables."
+ rationale: "iptables is required for firewall management and configuration."
+ remediation: "Run the following command to install iptables: # apt-get install iptables"
+ compliance:
+ - cis: "3.5.3"
+ - cis_csc: "9.4"
+ condition: all
+ rules:
+ - 'c:dpkg -s iptables -> r:install ok installed'
+
+# 4 Logging and Auditing
+ - id: 16063
+ title: "Ensure rsyslog Service is enabled"
+ description: "Once the rsyslog package is installed it needs to be activated."
+ rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
+ remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
+ compliance:
+ - cis: "4.2.1.1"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'c:systemctl is-enabled rsyslog -> r:^enabled'
+
+ - id: 16064
+ title: "Ensure rsyslog is configured to send logs to a remote log host"
+ description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
+ rationale: "Storing log data on a remote host protects log integrity from local attacks.
If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
+ remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+ compliance:
+ - cis: "4.2.1.4"
+ - cis_csc: "6.6, 6.8"
+ references:
+ - rsyslog.conf(5) man page
+ condition: all
+ rules:
+ - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
+
+ - id: 16065
+ title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
+ description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
+ rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
+ remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514.
Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
+ compliance:
+ - cis: "4.2.1.5"
+ - cis_csc: "9.2"
+ references:
+ - rsyslog.conf(8) man page
+ condition: all
+ rules:
+ - 'c:grep -Rh ^\$ModLoad[[:space:]]*imtcp /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$ModLoad\s*\t*imtcp'
+ - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
+
+# 5 Access, Authentication and Authorization
+ - id: 16066
+ title: "Ensure cron daemon is enabled"
+ description: "The cron daemon is used to execute batch jobs on the system."
+ rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
+ remediation: "Run the following command to enable cron: systemctl enable cron"
+ compliance:
+ - cis: "5.1.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:systemctl is-enabled cron -> r:^enabled$'
+
+ - id: 16067
+ title: "Ensure at/cron is restricted to authorized users"
+ description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
+ rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list.
In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
+ remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
+ compliance:
+ - cis: "5.1.8"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'f:/etc/cron.allow'
+ - 'f:/etc/at.allow'
+ - 'not f:/etc/cron.deny'
+ - 'not f:/etc/at.deny'
+ - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
+ - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
+
+ - id: 16068
+ title: "Ensure permissions on /etc/ssh/sshd_config are configured"
+ description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
+ rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
+ remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
+ compliance:
+ - cis: "5.2.1"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
+
+ - id: 16069
+ title: "Ensure SSH Protocol is set to 2"
+ description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis: "5.2.4"
+ - cis_csc: "14.4"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
+
+ - id: 16070
+ title: "Ensure SSH LogLevel is appropriate"
+ description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
+ rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO"
+ references:
+ - https://www.ssh.com/ssh/sshd_config/
+ compliance:
+ - cis: "5.2.5"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
+
+ - id: 16071
+ title: "Ensure SSH X11 forwarding is disabled"
+ description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
+ rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server.
Note that even if X11 forwarding is disabled, users can always install their own forwarders."
+ remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+ compliance:
+ - cis: "5.2.6"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
+
+ - id: 16072
+ title: "Ensure SSH MaxAuthTries is set to 4 or less"
+ description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
+ rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
+ compliance:
+ - cis: "5.2.7"
+ - cis_csc: "16.13"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+
+ - id: 16073
+ title: "Ensure SSH IgnoreRhosts is enabled"
+ description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis: "5.2.8"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
+
+ - id: 16074
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication.
This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis: "5.2.9"
+ - cis_csc: "16.3"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
+
+ - id: 16075
+ title: "Ensure SSH root login is disabled"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
+ rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+ compliance:
+ - cis: "5.2.10"
+ - cis_csc: "4.3"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
+
+# 5.2 SSH Server Configuration
+
+ - id: 16076
+ title: "Ensure SSH PermitEmptyPasswords is disabled"
+ description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+ compliance:
+ - cis: "5.2.11"
+ - cis_csc: "16.3"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
+
+ - id: 16077
+ title: "Ensure SSH PermitUserEnvironment is disabled"
+ description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
+ rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
+ compliance:
+ - cis: "5.2.12"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
+
+ - id: 16078
+ title: "Ensure SSH Idle Timeout Interval is configured"
+ description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
+ rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g.
user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0"
+ compliance:
+ - cis: "5.2.16"
+ - cis_csc: "16.11"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
+
+ - id: 16079
+ title: "Ensure SSH access is limited"
+ description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
+ rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
+ remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
+ compliance:
+ - cis: "5.2.18"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
+
+ - id: 16080
+ title: "Ensure SSH warning banner is configured"
+ description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
+ rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection.
Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
+ compliance:
+ - cis: "5.2.19"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue'
+
+# 5.3 Configure PAM
+
+ - id: 16081
+ title: "Ensure password creation requirements are configured"
+ description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
+ compliance:
+ - cis: "5.3.1"
+ - cis_csc: "4.4"
+ condition: all
+ rules:
+ - 'c:dpkg -s libpam-cracklib -> install ok installed'
+ - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:dcredit'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:ucredit'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit'
+ - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit'
+
+ - id: 16082
+ title: "Ensure lockout for failed password attempts is configured"
+ description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
+ rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
+ remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the \"audit\" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization."
+ compliance:
+ - cis: "5.3.2"
+ - cis_csc: "16.7"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
+
+ - id: 16083
+ title: "Ensure password reuse is limited"
+ description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
+ rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
+ remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
+ compliance:
+ - cis: "5.3.3"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
+
+# 5.4 User Accounts and Environment
+
+ - id: 16084
+ title: "Ensure password expiration is 365 days or less"
+ description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+ rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+ remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90.
Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
+ compliance:
+ - cis: "5.4.1.1"
+ - cis_csc: "4.4, 16"
+ condition: all
+ rules:
+ - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
+
+ - id: 16085
+ title: "Ensure minimum days between password changes is 7 or more"
+ description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
+ rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
+ remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
+ compliance:
+ - cis: "5.4.1.2"
+ - cis_csc: "4.4, 16"
+ condition: all
+ rules:
+ - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare <= 7'
+
+ - id: 16086
+ title: "Ensure password expiration warning days is 7 or more"
+ description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
+ rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
+ remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
+ compliance:
+ - cis: "5.4.1.3"
+ - cis_csc: "4.4, 16"
+ condition: all
+ rules:
+ - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare <= 7'
+
+ - id: 16087
+ title: "Ensure inactive password lock is 30 days or less"
+ description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
+ rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
+ remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
+ compliance:
+ - cis: "5.4.1.4"
+ - cis_csc: "4.4, 16"
+ condition: all
+ rules:
+ - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
+
+ - id: 16088
+ title: "Ensure default group for the root account is GID 0"
+ description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
+ rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
+ remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
+ compliance:
+ - cis: "5.4.3"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
+
+ - id: 16089
+ title: "Ensure access to the su command is restricted"
+ description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
+ rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
+ remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root, Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
+ compliance:
+ - cis: "5.6"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
+ - 'f:/etc/group -> !r:^# && r:sudo:\w+:\d+:\.'
+
+# 6.2 User and Group Settings
+
+ - id: 16090
+ title: "Ensure password fields are not empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+ rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
+ compliance:
+ - cis: "6.2.1"
+ - cis_csc: "4.4"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
+
+ - id: 16091
+ title: "Ensure no legacy \"+\" entries exist in /etc/passwd"
+ description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+ rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+ remediation: "Remove any legacy + entries from /etc/passwd if they exist."
+ compliance:
+ - cis: "6.2.2"
+ - cis_csc: "16.2"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && r:^+:'
+
+ - id: 16092
+ title: "Ensure no legacy \"+\" entries exist in /etc/shadow"
+ description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+ rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+ remediation: "Remove any legacy + entries from /etc/shadow if they exist."
+ compliance:
+ - cis: "6.2.3"
+ - cis_csc: "16.2"
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> !r:^# && r:^+:'
+
+ - id: 16093
+ title: "Verify no legacy \"+\" entries exist in /etc/group"
+ description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
+ rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
+ remediation: "Remove any legacy + entries from /etc/group if they exist."
+ compliance:
+ - cis: "6.2.4"
+ - cis_csc: "16.2"
+ condition: none
+ rules:
+ - 'f:/etc/group -> !r:^# && r:^+:'
+
+ - id: 16094
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis: "6.2.5"
+ - cis_csc: "5.1"
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+
+ - id: 16095
+ title: "Ensure shadow group is empty"
+ description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+ rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+ remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
+ compliance:
+ - cis: "6.2.20"
+ - cis_csc: "5.1"
+ condition: none
+ rules:
+ - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml
new file mode 100644
index 000000000..3a41f7124
--- /dev/null
+++ b/sca/debian/cis_debian9_L2.yml
@@ -0,0 +1,466 @@
+Ensure SSH X11 forwarding is disabled
+
+# Security Configuration assessment
+# Level 2 CIS Checks for Debian Linux 9
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
+
+policy:
+ id: "cis_debian9_L2"
+ file: "cis_debian9_L2.yml"
+ name: "CIS benchmark for Debian/Linux 9 L2"
+ description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux 9."
+ references:
+ - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+ title: "Check Debian version"
+ description: "Requirements for running the SCA scan against Debian/Ubuntu"
+ condition: all
+ rules:
+ - 'f:/etc/debian_version'
+ - 'f:/proc/sys/kernel/ostype -> Linux'
+
+checks:
+
+ - id: 16500
+ title: "Ensure separate partition exists for /var"
+ description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+ rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.6"
+ - cis_csc: "5.1"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var\s'
+
+ - id: 16501
+ title: "Ensure separate partition exists for /var/tmp"
+ description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis: "1.1.7"
+ - cis_csc: "5.1"
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var/tmp\s'
+
+ - id: 16502
+ title: "Ensure separate partition exists for /var/log"
+ description: "The /var/log directory is used by system services to store log data."
+ rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.11"
+ - cis_csc: "6.4"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var/log\s'
+
+ - id: 16503
+ title: "Ensure separate partition exists for /var/log/audit"
+ description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
+ rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.12"
+ - cis_csc: "6.4"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var/log/audit\s'
+
+ - id: 16504
+ title: "Ensure separate partition exists for /home"
+ description: "The /home directory is used to support disk storage needs of local users."
+ rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ compliance:
+ - cis: "1.1.13"
+ - cis_csc: "5.1"
+ references:
+ - http://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/home\s'
+
+ - id: 16505
+ title: "Disable Automounting"
+ description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
+ rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
+ remediation: "Disable autofs: # update-rc.d autofs disable"
+ compliance:
+ - cis: "1.1.22"
+ - cis_csc: "8.3, 8.5"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled autofs -> r:^enabled'
+
+# 4 Additional Process Hardening
+ - id: 16506
+ title: "Ensure SELinux or AppArmor are installed"
+ description: "SELinux and AppArmor provide Mandatory Access Controls."
+ rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
+ remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
+ compliance:
+ - cis: "1.6.3"
+ - cis_csc: "14.6"
+ condition: any
+ rules:
+ - 'c:dpkg -s selinux -> r:install ok installed'
+ - 'c:dpkg -s apparmor -> r:install ok installed'
+
+# 2 Services
+
+ - id: 16507
+ title: "Ensure CUPS is not enabled"
+ description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
+ rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
+ remediation: "Run the following command to disable cups: # systemctl disable cups"
+ compliance:
+ - cis: "2.2.4"
+ - cis_csc: "9.2"
+ references:
+ - 'http://www.cups.org'
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled cups -> r:^enabled'
+
+# 4 Logging and Auditing
+
+ - id: 16508
+ title: "Ensure audit log storage size is configured"
+ description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
+ rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
+ remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes."
+ compliance:
+ - cis: "4.1.1.1"
+ - cis_csc: "6.4"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/auditd.conf'
+ - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
+
+ - id: 16509
+ title: "Ensure system is disabled when audit logs are full"
+ description: "The auditd daemon can be configured to halt the system when the audit logs are full."
+ rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
+ remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
+ compliance:
+ - cis: "4.1.1.2"
+ - cis_csc: "6.4"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/auditd.conf'
+ - 'f:/etc/audit/auditd.conf -> r:^\s*\t*action_mail_acct\s*\t*=\s*\t*root'
+ - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
+ - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
+
+ - id: 16510
+ title: "Ensure audit logs are not automatically deleted"
+ description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
+ rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
+ remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
+ compliance:
+ - cis: "4.1.1.3"
+ - cis_csc: "6.4"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/auditd.conf'
+ - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
+
+ - id: 16511
+ title: "Ensure auditd service is enabled"
+ description: "Turn on the auditd daemon to record system events."
+ rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
+ remediation: "Run the following command to enable auditd: # systemctl enable auditd"
+ compliance:
+ - cis: "4.1.2"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'c:systemctl is-enabled auditd -> r:^enabled'
+
+ - id: 16512
+ title: "Ensure auditing for processes that start prior to auditd is enabled"
+ description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
+ rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
+ remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+ compliance:
+ - cis: "4.1.3"
+ - cis_csc: "6.2, 6.3"
+ condition: all
+ rules:
+ - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*'
+
+ - id: 16513
+ title: "Ensure events that modify date and time information are collected"
+ description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\""
+ rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
+ remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
+ compliance:
+ - cis: "4.1.4"
+ - cis_csc: "5.5"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S clock_settime && r:-k time-change'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change'
+
+ - id: 16514
+ title: "Ensure events that modify user/group information are collected"
+ description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file."
+ rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.5"
+ - cis_csc: "4.8"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/group && r:-p wa && r:-k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/passwd && r:-p wa && r:-k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/gshadow && r:-p wa && r:-k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity'
+
+ - id: 16515
+ title: "Ensure events that modify the system's network environment are collected"
+ description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
+ rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.6"
+ - cis_csc: "5.5"
+ condition: all
+ rules:
+ - 'f:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S sethostname && r:-S setdomainname && r:-k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale'
+
+ - id: 16516
+ title: "Ensure events that modify the system's Mandatory Access Controls are collected (SELinux)"
+ description: "Monitor SELinux mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
+ rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+ remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.7"
+ - cis_csc: "5.5"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/ && r:-p wa && r:-k MAC-policy'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/ && r:-p wa && r:-k MAC-policy'
+
+ - id: 16517
+ title: "Ensure events that modify the system's Mandatory Access Controls are collected (AppArmor)"
+ description: "Monitor AppArmor mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor and /etc/apparmor.d directories."
+ rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
+ remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.7"
+ - cis_csc: "5.5"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy'
+
+ - id: 16518
+ title: "Ensure login and logout events are collected"
+ description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
+ rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.8"
+ - cis_csc: "4.9, 16.11, 16.13"
+ condition: all&& r:
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/faillog && r:-p wa && r:-k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
+
+ - id: 16519
+ title: "Ensure session initiation information is collected"
+ description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier \"logins.\""
+ rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
+ remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
+ compliance:
+ - cis: "4.1.9"
+ - cis_csc: "4.9, 16.11, 16.13"
+ condition: all
+ rules:
+ - 'd:/etc/audit'
+ - 'f:/etc/audit/audit.rules'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/run/utmp && r:-p wa && r:-k session'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins'
+ - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins'
+
+ - id: 16520
+ title: "Ensure discretionary access control permission modification events are collected"
+ description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\""
+ rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
+ remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot." + compliance: + - cis: "4.1.10" + - cis_csc: "5.5" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chmod && r:-S fchmod && r:-S fchmodat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S chown && r:-S fchown && r:-S fchownat && r:-S lchown && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && 
r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' + + - id: 16521 + title: "Ensure unsuccessful unauthorized file access attempts are collected" + description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" + rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." + remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot." 
+ compliance: + - cis: "4.1.11" + - cis_csc: "14.9" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EACCES && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' + + - id: 16522 + title: "Ensure successful file system mounts are collected" + description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user." + rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. 
This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." + remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot." + compliance: + - cis: "4.1.13" + - cis_csc: "13" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' + + - id: 16523 + title: "Ensure file deletion events by users are collected" + description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"." + rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. 
While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." + remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot." + compliance: + - cis: "4.1.14" + - cis_csc: "6.2, 13" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete' + + - id: 16524 + title: "Ensure changes to system administration scope (sudoers) is collected" + description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"" + rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity." 
+ remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot." + compliance: + - cis: "4.1.15" + - cis_csc: "4.8" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope' + + - id: 16525 + title: "Ensure system administrator actions (sudolog) are collected" + description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log." + rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed." + remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot." 
+ compliance: + - cis: "4.1.16" + - cis_csc: "4.9" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions' + + - id: 16526 + title: "Ensure kernel module loading and unloading is collected" + description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"." + rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules." + remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot." 
+ compliance: + - cis: "4.1.17" + - cis_csc: "5.1" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/insmod && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/rmmod && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules' + + - id: 16527 + title: "Ensure the audit configuration is immutable" + description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot." + rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes." + remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot." + compliance: + - cis: "4.1.18" + - cis_csc: "6.2, 6.3" + condition: all + rules: + - 'd:/etc/audit' + - 'f:/etc/audit/audit.rules' + - 'f:/etc/audit/audit.rules -> r:^\s*\t*-e 2$' + + - id: 16528 + title: "Ensure SSH X11 forwarding is disabled" + description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." + rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. 
Note that even if X11 forwarding is disabled, users can always install their own forwarders." + remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no" + compliance: + - cis: "5.2.6" + - cis_csc: "9.2" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' From 5c42df9d1bc2c665c448a931d00e3209f3e6b99f Mon Sep 17 00:00:00 2001 From: Skeptor Date: Fri, 28 Jun 2019 12:25:19 +0200 Subject: [PATCH 151/247] Change compliance format --- sca/applications/cis_apache2224_rcl.yml | 144 +-- .../cis_mysql5-6_community_rcl.yml | 38 +- .../cis_mysql5-6_enterprise_rcl.yml | 52 +- sca/darwin/15/cis_apple_macOS_10.11.yml | 66 +- sca/darwin/16/cis_apple_macOS_10.12.yml | 60 +- sca/darwin/17/cis_apple_macOS_10.13.yml | 60 +- sca/darwin/web_vulnerabilities.yml | 48 +- sca/debian/cis_debian7_L1.yml | 204 ++-- sca/debian/cis_debian7_L2.yml | 58 +- sca/debian/cis_debian8_L1.yml | 392 ++++---- sca/debian/cis_debian8_L2.yml | 112 +-- sca/debian/cis_debian_linux_rcl.yml | 214 ++-- sca/generic/system_audit_pw.yml | 32 +- sca/generic/system_audit_ssh.yml | 22 +- sca/generic/web_vulnerabilities.yml | 48 +- sca/rhel/5/cis_rhel5_linux_rcl.yml | 272 +++--- sca/rhel/6/cis_rhel6_linux_rcl.yml | 330 +++---- sca/rhel/7/cis_rhel7_linux_rcl.yml | 392 ++++---- sca/sles/11/cis_sles11_linux_rcl.yml | 346 +++---- sca/sles/12/cis_sles12_linux_rcl.yml | 358 +++---- sca/sunos/cis_solaris11_rcl.yml | 110 +-- sca/windows/acsc_office2016_rcl.yml | 14 +- sca/windows/cis_win10_enterprise_L1_rcl.yml | 918 +++++++++--------- sca/windows/cis_win10_enterprise_L2_rcl.yml | 332 +++---- sca/windows/cis_win2012r2_domainL1_rcl.yml | 614 ++++++------ sca/windows/cis_win2012r2_domainL2_rcl.yml | 148 +-- sca/windows/cis_win2012r2_memberL1_rcl.yml | 634 ++++++------ sca/windows/cis_win2012r2_memberL2_rcl.yml | 170 ++-- sca/windows/win_audit_rcl.yml | 52 +- 29 files changed, 3120 insertions(+), 3120 deletions(-) 
diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224_rcl.yml
index b8d4c57a2..203911a86 100644
--- a/sca/applications/cis_apache2224_rcl.yml
+++ b/sca/applications/cis_apache2224_rcl.yml
@@ -51,8 +51,8 @@ checks:
 rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls."
 remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file."
 compliance:
- - cis: "2.3"
- - cis_csc: "9.1"
+ - cis: ["2.3"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_dav.html
 - https://httpd.apache.org/docs/2.4/mod/mod_dav.html
@@ -67,8 +67,8 @@ checks:
 rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files."
 remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file."
 compliance:
- - cis: "2.4"
- - cis_csc: "9.1"
+ - cis: ["2.4"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_status.html
 - https://httpd.apache.org/docs/2.4/mod/mod_status.html
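Review bot: The new list form keeps every identifier quoted, which is right (an unquoted `5.13` or `8.1` would be read as a float), but it leaves open how multi-control entries are represented: each hunk in this file converts a single value, whereas the earlier patch on this page writes `cis_csc: "4.9, 16.11, 16.13"` as one comma-joined string. If the other files in the diffstat are converted mechanically, such entries become a one-element list holding a comma-separated string, and a consumer that iterates the sequence will see one id instead of three; the list form for those should be `- cis_csc: ["4.9", "16.11", "16.13"]`. The same change repeats in the -67 through -448 hunks of this file, so this note applies to all of them.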
@@ -83,8 +83,8 @@ checks:
 rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed."
 remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file."
 compliance:
- - cis: "2.5"
- - cis_csc: "18"
+ - cis: ["2.5"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html
 - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html
@@ -99,8 +99,8 @@ checks:
 rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended."
 remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file."
 compliance:
- - cis: "2.6"
- - cis_csc: "9.1"
+ - cis: ["2.6"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html
 - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
@@ -115,8 +115,8 @@ checks:
 rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network."
 remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file."
 compliance:
- - cis: "2.7"
- - cis_csc: "18"
+ - cis: ["2.7"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html
 - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html
@@ -131,8 +131,8 @@ checks:
 rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules."
 remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file."
 compliance:
- - cis: "2.8"
- - cis_csc: "9.1"
+ - cis: ["2.8"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_info.html
 - https://httpd.apache.org/docs/2.4/mod/mod_info.html
@@ -147,8 +147,8 @@ checks:
 rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system."
 remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache"
 compliance:
- - cis: "3.2"
- - cis_csc: "16"
+ - cis: ["3.2"]
+ - cis_csc: ["16"]
 condition: none
 rules:
 - 'f:/etc/passwd -> r:apache'
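Review bot: The rule kept in context at the end of the -147 hunk, `- 'f:/etc/passwd -> r:apache'` under `condition: none`, fails the check whenever any passwd line contains "apache", not when the account has a usable login shell as the rationale and remediation describe; the commit leaves it untouched. Since the remediation itself names the expected shell, the rule should key on the account's shell field, for example `- 'f:/etc/passwd -> r:^apache: && !r:/sbin/nologin$|/bin/false$|/dev/null$'` (the `!r:`, `&&`, `|` and `$` forms are the ones already used elsewhere in this series), so that an apache account with nologin passes. The check's `id` and `title` lines lie outside the hunk.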
@@ -160,8 +160,8 @@ checks:
 rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password."
 remediation: "Use the passwd command to lock the apache account: # passwd -l apache"
 compliance:
- - cis: "3.3"
- - cis_csc: "16"
+ - cis: ["3.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'c:passwd -S apache -> r:Password locked'
@@ -173,8 +173,8 @@ checks:
 rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified."
 remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None."
 compliance:
- - cis: "4.4"
- - cis_csc: "14.4"
+ - cis: ["4.4"]
+ - cis_csc: ["14.4"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
 - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
@@ -193,8 +193,8 @@ checks:
 rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes."
 remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above."
 compliance:
- - cis: "5.3"
- - cis_csc: "18"
+ - cis: ["5.3"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_include.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#options
@@ -212,8 +212,8 @@ checks:
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
 remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
 compliance:
- - cis: "5.4"
- - cis_csc: "18.9"
+ - cis: ["5.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:/var/www -> index.html'
@@ -226,8 +226,8 @@ checks:
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
 remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
 compliance:
- - cis: "5.4"
- - cis_csc: "18.9"
+ - cis: ["5.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:$confdirs -> r:manual.conf|apache2-doc.conf'
@@ -239,8 +239,8 @@ checks:
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
 remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
 compliance:
- - cis: "5.4"
- - cis_csc: "18.9"
+ - cis: ["5.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler'
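Review bot: The rule at the end of the -239 hunk, `- 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler'`, references `$conf-dirs`, while the -226 hunk directly above uses `$confdirs`; the `variables` block is outside the hunk, but only one spelling can match its declaration, so the other check will never resolve its directory, and the commit does not address it. Whichever name is declared should be used in both rules; if `$confdirs` is the declared one, the line becomes `- 'd:$confdirs -> conf -> !r:^# && r:/wsethandler'`. The pattern `r:/wsethandler` also looks unlikely to match a real Apache directive and is worth checking against the intended one.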
@@ -253,8 +253,8 @@ checks:
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
 remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed."
 compliance:
- - cis: "5.5"
- - cis_csc: "18"
+ - cis: ["5.5"]
+ - cis_csc: ["18"]
 condition: none
 rules:
 - 'd:/var/www/cgi-bin -> printenv'
@@ -267,8 +267,8 @@ checks:
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
 remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. Remove the test-cgi default CGI in the cgi-bin directory if it is installed."
 compliance:
- - cis: "5.6"
- - cis_csc: "18.9"
+ - cis: ["5.6"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:/var/www/cgi-bin -> test-cgi'
@@ -281,8 +281,8 @@ checks:
 rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
 remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory."
 compliance:
- - cis: "5.7"
- - cis_csc: "9.1"
+ - cis: ["5.7"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
 - https://www.ietf.org/rfc/rfc2616.txt
@@ -299,8 +299,8 @@ checks:
 rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
 remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like or ."
 compliance:
- - cis: "5.8"
- - cis_csc: "9.1"
+ - cis: ["5.8"]
+ - cis_csc: ["9.1"]
 references:
 - https://www.ietf.org/rfc/rfc2616.txt
 - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
@@ -316,8 +316,8 @@ checks:
 rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
 remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port."
 compliance:
- - cis: "5.13"
- - cis_csc: "9.1"
+ - cis: ["5.13"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
 - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
@@ -337,8 +337,8 @@ checks:
 rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
 remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN"
 compliance:
- - cis: "5.14"
- - cis_csc: "18"
+ - cis: ["5.14"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
 - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
@@ -355,8 +355,8 @@ checks:
 rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
 remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site."
 compliance:
- - cis: "6.1"
- - cis_csc: "6.2"
+ - cis: ["6.1"]
+ - cis_csc: ["6.2"]
 references:
 - https://httpd.apache.org/docs/2.2/logs.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
@@ -376,8 +376,8 @@ checks:
 rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
 remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary."
 compliance:
- - cis: "6.2"
- - cis_csc: "6.6"
+ - cis: ["6.2"]
+ - cis_csc: ["6.6"]
 references:
 - https://httpd.apache.org/docs/2.2/logs.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
@@ -396,8 +396,8 @@ checks: rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation." remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, no action is required: SSLInsecureRenegotiation off" compliance: - - cis: "7.6" - - cis_csc: "14.2" + - cis: ["7.6"] + - cis_csc: ["14.2"] references: - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation @@ -414,8 +414,8 @@ checks: rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator." remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off." compliance: - - cis: "7.7" - - cis_csc: "14.2" + - cis: ["7.7"] + - cis_csc: ["14.2"] references: - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression 
@@ -432,8 +432,8 @@ checks: rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically." remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod" compliance: - - cis: "8.1" - - cis_csc: "18.9" + - cis: ["8.1"] + - cis_csc: ["18.9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens condition: any @@ -448,8 +448,8 @@ checks: rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information." remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off" compliance: - - cis: "8.2" - - cis_csc: "18" + - cis: ["8.2"] + - cis_csc: ["18"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature 
@@ -465,8 +465,8 @@ checks:
rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out."
compliance:
- - cis: "8.4"
- - cis_csc: "18.9"
+ - cis: ["8.4"]
+ - cis_csc: ["18.9"]
condition: none
rules:
- 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf'
@@ -479,8 +479,8 @@ checks:
rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less."
compliance:
- - cis: "9.1"
- - cis_csc: "9"
+ - cis: ["9.1"]
+ - cis_csc: ["9"]
references:
- https://httpd.apache.org/docs/2.2/mod/core.html#timeout
- https://httpd.apache.org/docs/2.4/mod/core.html#timeout
@@ -495,8 +495,8 @@ checks:
rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On."
compliance:
- - cis: "9.2"
- - cis_csc: "9"
+ - cis: ["9.2"]
+ - cis_csc: ["9"]
references:
- https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
- https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
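Review bot: The rules line of the 8.4 hunk, `r:include\s*\w*httpd-autoindex.conf`, cannot match an Include that names the file by path, because as far as I recall `\w` in OS_Regex does not cover `/`; so `Include conf/extra/httpd-autoindex.conf` (the under-extra/ layout the remediation itself describes) is never matched and `condition: none` lets the check pass with autoindex enabled. Use a non-space run and escape the dot: `- 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\S*httpd-autoindex\.conf'`. Whether OS_Regex matching is case-insensitive (so that `Include` satisfies `include`) I cannot confirm from here; if it is not, the pattern also needs the capitalised spelling. The check's id and title lines sit above this hunk and are not visible.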
@@ -511,8 +511,8 @@ checks: rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks." remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more." compliance: - - cis: "9.3" - - cis_csc: "9" + - cis: ["9.3"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests @@ -527,8 +527,8 @@ checks: rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks." remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less." compliance: - - cis: "9.4" - - cis_csc: "9" + - cis: ["9.4"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout @@ -543,8 +543,8 @@ checks: rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies." remediation: "Load the mod_requesttimeout module in the Apache configuration. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less." compliance: - - cis: "9.5" - - cis_csc: "9" + - cis: ["9.5"] + - cis_csc: ["9"] references: - https://ha.ckers.org/slowloris/ - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t 
@@ -562,8 +562,8 @@ checks: rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks." remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less." compliance: - - cis: "9.6" - - cis_csc: "9" + - cis: ["9.6"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html @@ -579,8 +579,8 @@ checks: rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less." compliance: - - cis: "10.1" - - cis_csc: "9" + - cis: ["10.1"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline @@ -595,8 +595,8 @@ checks: rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100." compliance: - - cis: "10.2" - - cis_csc: "9" + - cis: ["10.2"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields 
@@ -611,8 +611,8 @@ checks: rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less." compliance: - - cis: "10.3" - - cis_csc: "9" + - cis: ["10.3"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize @@ -627,8 +627,8 @@ checks: rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server." compliance: - - cis: "10.4" - - cis_csc: "9" + - cis: ["10.4"] + - cis_csc: ["9"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community_rcl.yml index 483bfcb98..22b6d608a 100644 --- a/sca/applications/cis_mysql5-6_community_rcl.yml +++ b/sca/applications/cis_mysql5-6_community_rcl.yml 
@@ -33,7 +33,7 @@ checks:
rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
- https://bugs.mysql.com/bug.php?id=72158
@@ -47,7 +47,7 @@ checks:
rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
condition: none
rules:
- 'c:getent passwd mysql -> r:^\s$'
@@ -58,7 +58,7 @@ checks:
rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
compliance:
- - cis: "1.6"
+ - cis: ["1.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
condition: none
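Review bot: The 1.5 rule in the middle hunk of this line, `c:getent passwd mysql -> r:^\s$` under `condition: none`, never looks at the login shell: it only fails if getent prints a line consisting of a single whitespace character, which a passwd entry never is, so the check passes even when the mysql account has /bin/bash. Match the shell field instead, e.g. `condition: all` with `- 'c:getent passwd mysql -> r:^mysql:\.+:/bin/false$|^mysql:\.+:/sbin/nologin$|^mysql:\.+:/usr/sbin/nologin$'`; I added the Debian nologin path, trim it to what your targets ship. The remediation line directly above already names /bin/false and /sbin/nologin as the accepted values, and the check's id and title lines are above the hunk.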
@@ -72,7 +72,7 @@ checks: rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server." remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file." compliance: - - cis: "4.3" + - cis: ["4.3"] references: - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs @@ -86,7 +86,7 @@ checks: rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability." remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service." compliance: - - cis: "4.4" + - cis: ["4.4"] references: - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file - https://dev.mysql.com/doc/refman/5.6/en/load-data.html @@ -100,7 +100,7 @@ checks: rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases." remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE" compliance: - - cis: "4.5" + - cis: ["4.5"] references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables condition: all 
@@ -113,7 +113,7 @@ checks:
rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
@@ -127,7 +127,7 @@ checks:
rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
compliance:
- - cis: "4.8"
+ - cis: ["4.8"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
condition: all
@@ -140,7 +140,7 @@ checks:
rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
compliance:
- - cis: "4.9"
+ - cis: ["4.9"]
condition: all
rules:
- 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
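Review bot: The 4.9 rule at the end of this line greps for lowercase `strict_all_tables` while its own remediation tells the admin to add `STRICT_ALL_TABLES`; grep is case-sensitive, so a server hardened exactly as instructed still fails the check, and a commented-out `#sql_mode=strict_all_tables` passes it because, unlike the sibling rules, this regex has no `!r:^\s*\t*#` guard. Suggest `- 'c:grep -Rhi strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:strict_all_tables|STRICT_ALL_TABLES'`. I cannot confirm from here whether OS_Regex is case-insensitive, hence both spellings on the regex side. The check's id and title lines are above the hunk.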
@@ -152,7 +152,7 @@ checks: rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed." remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)." compliance: - - cis: "6.1" + - cis: ["6.1"] references: - https://dev.mysql.com/doc/refman/5.6/en/error-log.html condition: all @@ -165,7 +165,7 @@ checks: rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system." remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr." compliance: - - cis: "6.2" + - cis: ["6.2"] references: - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html @@ -179,7 +179,7 @@ checks: rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections." remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)." compliance: - - cis: "6.3" + - cis: ["6.3"] references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings condition: all @@ -192,7 +192,7 @@ checks: rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords." remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF" compliance: - - cis: "6.4" + - cis: ["6.4"] references: - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw 
@@ -207,7 +207,7 @@ checks: rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details." remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin." compliance: - - cis: "7.1" + - cis: ["7.1"] references: - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html @@ -224,7 +224,7 @@ checks: rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)." remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file." compliance: - - cis: "7.2" + - cis: ["7.2"] references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth condition: all @@ -237,7 +237,7 @@ checks: rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password." remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. " compliance: - - cis: "7.3" + - cis: ["7.3"] references: - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html condition: none 
@@ -250,7 +250,7 @@ checks:
rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
condition: all
rules:
- 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
@@ -261,7 +261,7 @@ checks:
rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
compliance:
- - cis: "7.6"
+ - cis: ["7.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
condition: all
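Review bot: The 7.4 rule in the first hunk of this line only passes when `no_auto_create_user` is the last token on its line (`r:\s*no_auto_create_user\s*$`) and is spelled in lowercase for the case-sensitive grep, yet sql_mode is a comma-separated list and the remediation prescribes uppercase `NO_AUTO_CREATE_USER`; a compliant `sql_mode=NO_AUTO_CREATE_USER,STRICT_ALL_TABLES` fails this check. Drop the end anchor and make grep case-insensitive: `- 'c:grep -Rhi no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:no_auto_create_user|NO_AUTO_CREATE_USER'`. Both spellings are kept on the regex side because I cannot confirm OS_Regex case handling from here. The check's id and title lines are above the hunk.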
@@ -281,7 +281,7 @@ checks: rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using." remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist." compliance: - - cis: "9.2" + - cis: ["9.2"] references: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository condition: all diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise_rcl.yml index d045e1d8b..37efb5b2d 100644 --- a/sca/applications/cis_mysql5-6_enterprise_rcl.yml +++ b/sca/applications/cis_mysql5-6_enterprise_rcl.yml @@ -33,7 +33,7 @@ checks: rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys." remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null." compliance: - - cis: "1.3" + - cis: ["1.3"] references: - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html - https://bugs.mysql.com/bug.php?id=72158 
@@ -47,7 +47,7 @@ checks:
rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
condition: none
rules:
- 'c:getent passwd mysql -> r:^\s$'
@@ -58,7 +58,7 @@ checks:
rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
compliance:
- - cis: "1.6"
+ - cis: ["1.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
condition: none
@@ -72,7 +72,7 @@ checks:
rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
@@ -86,7 +86,7 @@ checks: rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability." remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service." compliance: - - cis: "4.4" + - cis: ["4.4"] references: - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file - https://dev.mysql.com/doc/refman/5.6/en/load-data.html @@ -100,7 +100,7 @@ checks: rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases." remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE" compliance: - - cis: "4.5" + - cis: ["4.5"] references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables condition: all @@ -113,7 +113,7 @@ checks: rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories." remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section." compliance: - - cis: "4.6" + - cis: ["4.6"] references: - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links 
@@ -127,7 +127,7 @@ checks:
rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
compliance:
- - cis: "4.8"
+ - cis: ["4.8"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
condition: all
@@ -140,7 +140,7 @@ checks:
rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
compliance:
- - cis: "4.9"
+ - cis: ["4.9"]
condition: all
rules:
- 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
@@ -152,7 +152,7 @@ checks:
rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
compliance:
- - cis: "6.1"
+ - cis: ["6.1"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/error-log.html
condition: all
@@ -165,7 +165,7 @@ checks: rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system." remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr." compliance: - - cis: "6.2" + - cis: ["6.2"] references: - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html @@ -179,7 +179,7 @@ checks: rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections." remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)." compliance: - - cis: "6.3" + - cis: ["6.3"] references: - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings condition: all @@ -192,7 +192,7 @@ checks: rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords." remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF" compliance: - - cis: "6.4" + - cis: ["6.4"] references: - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw @@ -207,7 +207,7 @@ checks: rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details." remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin." compliance: - - cis: "7.1" + - cis: ["7.1"] references: - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html 
@@ -224,7 +224,7 @@ checks:
rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
condition: all
@@ -237,7 +237,7 @@ checks:
rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
condition: none
@@ -250,7 +250,7 @@ checks:
rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
condition: all
rules:
- 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
@@ -261,7 +261,7 @@ checks: rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed." remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required." compliance: - - cis: "7.6" + - cis: ["7.6"] references: - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html condition: all @@ -281,7 +281,7 @@ checks: rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using." remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist." compliance: - - cis: "9.2" + - cis: ["9.2"] references: - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository condition: all 
@@ -295,7 +295,7 @@ checks: rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation." remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file." compliance: - - cis: "6.5" + - cis: ["6.5"] condition: none rules: - 'c:grep -Rh audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE' @@ -306,7 +306,7 @@ checks: rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable." remediation: "Set audit_log_exclude_accounts=NULL in my.cnf." compliance: - - cis: "6.6" + - cis: ["6.6"] condition: all rules: - 'c:grep -Rh audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$' 
@@ -317,7 +317,7 @@ checks:
 rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
 remediation: "Set audit_log_include_accounts=NULL in my.cnf."
 compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
@@ -328,7 +328,7 @@ checks:
 rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
 remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';"
 compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
@@ -339,7 +339,7 @@ checks:
 rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log."
 remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server."
 compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
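Review bot: The rule closing the `@@ -328` hunk accepts `LOGINS`/`logins` as a compliant audit_log_policy value, while the remediation two lines above requires `audit_log_policy='ALL'`; with `condition: all` a server that logs only login events passes CIS 6.9. This is context rather than part of the commit's change, but narrowing the last alternation to `r:ALL|all` would make the rule match its own remediation. The rationale also names `CONNECTIONS` as a possible value, which appears neither in the rule's alternatives nor in the remediation; worth confirming against the benchmark text.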
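Review bot: The rule closing the `@@ -339` hunk has no `!r:^\s*\t*#` guard, unlike the rules in the `@@ -295`, `@@ -306`, `@@ -317` and `@@ -328` hunks, so a commented-out `#audit_log_statement_policy=ALL` line satisfies the check; the `@@ -350` hunk on the next line has the same gap. Prefixing the rule with `!r:^\s*\t*# && ` would make it consistent with its neighbours. Separately, `r:all$|ALL$` cannot match the quoted form `audit_log_statement_policy='ALL'` that the remediation tells the operator to write, because the closing quote sits before end of line; the `@@ -361` hunk has the same mismatch between its remediation `audit_log = 'FORCE_PLUS_PERMANENT'` and a regex that expects the value immediately after `\s*`. If quoted values are accepted by the server, the rule should allow an optional quote around the value.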
@@ -350,7 +350,7 @@ checks:
 rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead."
 remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)."
 compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
@@ -361,7 +361,7 @@ checks:
 rationale: "This makes disables unloading on the plugin."
 remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
 condition: all
 rules:
 - 'c:grep -Rh force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT'
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index e5cd8b3ab..1a42bb6d5 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -35,7 +35,7 @@ checks:
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
 remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
 compliance:
- - cis: "1.1"
+ - cis: ["1.1"]
 condition: all
 rules:
 - 'c:softwareupdate -l -> r:No new software available'
@@ -47,7 +47,7 @@ checks:
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
 compliance:
- - cis: "1.2"
+ - cis: ["1.2"]
 references:
 - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
 - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
@@ -62,7 +62,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
@@ -74,7 +74,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
 compliance:
- - cis: "1.4"
+ - cis: ["1.4"]
 references:
 - https://www.thesafemac.com/tag/xprotect/
 - https://support.apple.com/en-us/HT202491
@@ -90,7 +90,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
@@ -102,7 +102,7 @@ checks:
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
 remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
 compliance:
- - cis: "2.2.1"
+ - cis: ["2.2.1"]
 condition: all
 rules:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
@@ -114,7 +114,7 @@ checks:
 rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network."
 remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo"
 compliance:
- - cis: "2.2.3"
+ - cis: ["2.2.3"]
 condition: all
 rules:
 - 'f:/etc/ntp-restrict.conf -> r:restrict lo'
@@ -126,7 +126,7 @@ checks:
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
 compliance:
- - cis: "2.4.1"
+ - cis: ["2.4.1"]
 condition: all
 rules:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
@@ -138,7 +138,7 @@ checks:
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
 compliance:
- - cis: "2.4.4"
+ - cis: ["2.4.4"]
 condition: none
 rules:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
@@ -150,7 +150,7 @@ checks:
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
 compliance:
- - cis: "2.4.5"
+ - cis: ["2.4.5"]
 condition: all
 rules:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
@@ -162,7 +162,7 @@ checks:
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
 remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
 compliance:
- - cis: "2.4.8"
+ - cis: ["2.4.8"]
 condition: none
 rules:
 - 'c:launchctl list -> r:AppleFileServer'
@@ -175,7 +175,7 @@ checks:
 rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
 remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
 compliance:
- - cis: "2.5.1"
+ - cis: ["2.5.1"]
 condition: none
 rules:
 - 'c:pmset -c -g -> r:womp && !r:\s0$'
@@ -188,7 +188,7 @@ checks:
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
 compliance:
- - cis: "2.6.1"
+ - cis: ["2.6.1"]
 condition: all
 rules:
 - 'c:diskutil cs list -> r:^Encryption Status && r:Unlocked'
@@ -201,7 +201,7 @@ checks:
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
 remediation: "Run the following command in Terminal: sudo spctl --master-enable"
 compliance:
- - cis: "2.6.2"
+ - cis: ["2.6.2"]
 condition: all
 rules:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
@@ -213,7 +213,7 @@ checks:
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
 compliance:
- - cis: "2.6.3"
+ - cis: ["2.6.3"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -227,7 +227,7 @@ checks:
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
 compliance:
- - cis: "2.6.4"
+ - cis: ["2.6.4"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -241,7 +241,7 @@ checks:
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
 remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 condition: all
 rules:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
@@ -253,7 +253,7 @@ checks:
 rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
 remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'c:java -version -> r:1.6.0'
@@ -265,7 +265,7 @@ checks:
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
 remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'c:launchctl list -> r:com.apple.auditd'
@@ -277,7 +277,7 @@ checks:
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
 remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
 compliance:
- - cis: "3.3"
+ - cis: ["3.3"]
 condition: all
 rules:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
@@ -289,7 +289,7 @@ checks:
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: any
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
@@ -301,7 +301,7 @@ checks:
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: none
 rules:
 - 'p:httpd'
@@ -314,7 +314,7 @@ checks:
 rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: none
 rules:
 - 'c:launchctl list -> r:com.apple.ftpd'
@@ -326,7 +326,7 @@ checks:
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
 remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 condition: none
 rules:
 - 'p:nfsd'
@@ -340,7 +340,7 @@ checks:
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
 remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
 compliance:
- - cis: "5.7"
+ - cis: ["5.7"]
 condition: all
 rules:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
@@ -352,7 +352,7 @@ checks:
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
 remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
 compliance:
- - cis: "5.8"
+ - cis: ["5.8"]
 condition: none
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
@@ -364,7 +364,7 @@ checks:
 rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
 remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
 compliance:
- - cis: "5.9"
+ - cis: ["5.9"]
 condition: all
 rules:
 - 'c:defaults read com.apple.screensaver askForPassword -> 1'
@@ -376,7 +376,7 @@ checks:
 rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
 remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save"
 compliance:
- - cis: "5.11"
+ - cis: ["5.11"]
 condition: none
 rules:
 - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe'
@@ -388,7 +388,7 @@ checks:
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
 remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
 compliance:
- - cis: "5.18"
+ - cis: ["5.18"]
 condition: all
 rules:
 - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
@@ -400,7 +400,7 @@ checks:
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
 remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
 compliance:
- - cis: "6.1.3"
+ - cis: ["6.1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
@@ -412,7 +412,7 @@ checks:
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
 remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
 compliance:
- - cis: "6.1.5"
+ - cis: ["6.1.5"]
 condition: none
 rules:
 - 'd:/Users/Guest'
@@ -424,7 +424,7 @@ checks:
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
 remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 condition: all
 rules:
 - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
@@ -436,7 +436,7 @@ checks:
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 condition: any
 rules:
 - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index 4900134d0..c227e4351 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -35,7 +35,7 @@ checks:
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
 remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
 compliance:
- - cis: "1.1"
+ - cis: ["1.1"]
 condition: all
 rules:
 - 'c:softwareupdate -l -> r:No new software available'
@@ -47,7 +47,7 @@ checks:
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
 compliance:
- - cis: "1.2"
+ - cis: ["1.2"]
 references:
 - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
 - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
@@ -62,7 +62,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
@@ -74,7 +74,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
 compliance:
- - cis: "1.4"
+ - cis: ["1.4"]
 references:
 - https://www.thesafemac.com/tag/xprotect/
 - https://support.apple.com/en-us/HT202491
@@ -90,7 +90,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
@@ -102,7 +102,7 @@ checks:
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
 remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
 compliance:
- - cis: "2.2.1"
+ - cis: ["2.2.1"]
 condition: all
 rules:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
@@ -114,7 +114,7 @@ checks:
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
 compliance:
- - cis: "2.4.1"
+ - cis: ["2.4.1"]
 condition: all
 rules:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
@@ -126,7 +126,7 @@ checks:
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
 compliance:
- - cis: "2.4.4"
+ - cis: ["2.4.4"]
 condition: none
 rules:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
@@ -138,7 +138,7 @@ checks:
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
 compliance:
- - cis: "2.4.5"
+ - cis: ["2.4.5"]
 condition: all
 rules:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
@@ -150,7 +150,7 @@ checks:
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
 remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
 compliance:
- - cis: "2.4.8"
+ - cis: ["2.4.8"]
 condition: none
 rules:
 - 'c:launchctl list -> r:AppleFileServer'
@@ -163,7 +163,7 @@ checks:
 rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
 remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
 compliance:
- - cis: "2.5.1"
+ - cis: ["2.5.1"]
 condition: none
 rules:
 - 'c:pmset -g -> r:womp && !r:\s0$'
@@ -175,7 +175,7 @@ checks:
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
 compliance:
- - cis: "2.6.1.1"
+ - cis: ["2.6.1.1"]
 condition: all
 rules:
 - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
@@ -187,7 +187,7 @@ checks:
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
 remediation: "Run the following command in Terminal: sudo spctl --master-enable"
 compliance:
- - cis: "2.6.2"
+ - cis: ["2.6.2"]
 condition: all
 rules:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
@@ -199,7 +199,7 @@ checks:
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
 compliance:
- - cis: "2.6.3"
+ - cis: ["2.6.3"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -213,7 +213,7 @@ checks:
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
 compliance:
- - cis: "2.6.4"
+ - cis: ["2.6.4"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -227,7 +227,7 @@ checks:
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
 remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 condition: all
 rules:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
@@ -239,7 +239,7 @@ checks:
 rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
 remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'c:java -version -> r:1.6.0'
@@ -251,7 +251,7 @@ checks:
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
 remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
 compliance:
- - cis: "3.1"
+ - cis: ["3.1"]
 condition: all
 rules:
 - 'c:launchctl list -> r:com.apple.auditd'
@@ -263,7 +263,7 @@ checks:
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
 remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
@@ -275,7 +275,7 @@ checks:
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
@@ -287,7 +287,7 @@ checks:
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: none
 rules:
 - 'p:httpd'
@@ -300,7 +300,7 @@ checks: rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist" compliance: - - cis: "4.5" + - cis: ["4.5"] condition: none rules: - 'c:launchctl list -> r:com.apple.ftpd' @@ -312,7 +312,7 @@ checks: rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export" compliance: - - cis: "4.6" + - cis: ["4.6"] condition: none rules: - 'p:nfsd' @@ -326,7 +326,7 @@ checks: rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - - cis: "5.8" + - cis: ["5.8"] condition: all rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority' 
@@ -338,7 +338,7 @@ checks: rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - - cis: "5.9" + - cis: ["5.9"] condition: none rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' @@ -351,7 +351,7 @@ checks: rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - - cis: "5.20" + - cis: ["5.20"] condition: all rules: - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled' @@ -363,7 +363,7 @@ checks: rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - - cis: "6.1.3" + - cis: ["6.1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0' 
@@ -375,7 +375,7 @@ checks: rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - - cis: "6.1.5" + - cis: ["6.1.5"] condition: none rules: - 'd:/Users/Guest' @@ -387,7 +387,7 @@ checks: rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: all rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' @@ -399,7 +399,7 @@ checks: rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: any rules: - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index 4b4cb7e4e..ca9d82f5e 100644 
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml @@ -35,7 +35,7 @@ checks: rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" compliance: - - cis: "1.1" + - cis: ["1.1"] condition: all rules: - 'c:softwareupdate -l -> r:No new software available' @@ -47,7 +47,7 @@ checks: rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" compliance: - - cis: "1.2" + - cis: ["1.2"] references: - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ @@ -62,7 +62,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." compliance: - - cis: "1.3" + - cis: ["1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1' 
@@ -74,7 +74,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" compliance: - - cis: "1.4" + - cis: ["1.4"] references: - https://www.thesafemac.com/tag/xprotect/ - https://support.apple.com/en-us/HT202491 @@ -90,7 +90,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" compliance: - - cis: "1.5" + - cis: ["1.5"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1' @@ -103,7 +103,7 @@ checks: rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" compliance: - - cis: "2.2.1" + - cis: ["2.2.1"] condition: all rules: - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' 
@@ -115,7 +115,7 @@ checks: rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" compliance: - - cis: "2.4.1" + - cis: ["2.4.1"] condition: all rules: - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' @@ -127,7 +127,7 @@ checks: rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" compliance: - - cis: "2.4.4" + - cis: ["2.4.4"] condition: none rules: - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' @@ -139,7 +139,7 @@ checks: rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers." remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" compliance: - - cis: "2.4.5" + - cis: ["2.4.5"] condition: all rules: - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' @@ -151,7 +151,7 @@ checks: rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" compliance: - - cis: "2.4.8" + - cis: ["2.4.8"] condition: none rules: - 'c:launchctl list -> r:AppleFileServer' 
@@ -164,7 +164,7 @@ checks: rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." remediation: "Run the following command in Terminal: sudo pmset -a womp 0" compliance: - - cis: "2.5.1" + - cis: ["2.5.1"] condition: none rules: - 'c:pmset -g -> r:womp && !r:\s0$' @@ -176,7 +176,7 @@ checks: rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" compliance: - - cis: "2.6.1.1" + - cis: ["2.6.1.1"] condition: all rules: - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$' @@ -188,7 +188,7 @@ checks: rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." remediation: "Run the following command in Terminal: sudo spctl --master-enable" compliance: - - cis: "2.6.2" + - cis: ["2.6.2"] condition: all rules: - 'c:spctl --status -> r:^assessments\s*\t*enabled$' @@ -200,7 +200,7 @@ checks: rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services " compliance: - - cis: "2.6.3" + - cis: ["2.6.3"] references: - https://support.apple.com/en-us/HT201642 condition: all @@ -214,7 +214,7 @@ checks: rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" compliance: - - cis: "2.6.4" + - cis: ["2.6.4"] references: - https://support.apple.com/en-us/HT201642 condition: all 
@@ -228,7 +228,7 @@ checks: rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" compliance: - - cis: "2.10" + - cis: ["2.10"] condition: all rules: - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1' @@ -240,7 +240,7 @@ checks: rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path." remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable." compliance: - - cis: "2.11" + - cis: ["2.11"] condition: none rules: - 'c:java -version -> r:1.6.0' @@ -252,7 +252,7 @@ checks: rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either." remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended." compliance: - - cis: "2.13" + - cis: ["2.13"] condition: all rules: - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes' 
@@ -265,7 +265,7 @@ checks: rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" compliance: - - cis: "3.1" + - cis: ["3.1"] condition: all rules: - 'c:launchctl list -> r:com.apple.auditd' @@ -277,7 +277,7 @@ checks: rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." compliance: - - cis: "3.2" + - cis: ["3.2"] condition: all rules: - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' @@ -289,7 +289,7 @@ checks: rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - - cis: "4.1" + - cis: ["4.1"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1' 
@@ -301,7 +301,7 @@ checks: rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true" compliance: - - cis: "4.4" + - cis: ["4.4"] condition: none rules: - 'p:httpd' @@ -314,7 +314,7 @@ checks: rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export" compliance: - - cis: "4.5" + - cis: ["4.5"] condition: none rules: - 'p:nfsd' @@ -328,7 +328,7 @@ checks: rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - - cis: "5.11" + - cis: ["5.11"] condition: all rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority' 
@@ -340,7 +340,7 @@ checks: rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - - cis: "5.12" + - cis: ["5.12"] condition: none rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' @@ -352,7 +352,7 @@ checks: rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - - cis: "5.23" + - cis: ["5.23"] condition: all rules: - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled' @@ -364,7 +364,7 @@ checks: rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - - cis: "6.1.3" + - cis: ["6.1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0' 
@@ -376,7 +376,7 @@ checks: rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - - cis: "6.1.5" + - cis: ["6.1.5"] condition: none rules: - 'd:/Users/Guest' @@ -388,7 +388,7 @@ checks: rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: all rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' @@ -400,7 +400,7 @@ checks: rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: all rules: - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml index 488455e07..ff23ba5d7 100644 
--- a/sca/darwin/web_vulnerabilities.yml +++ b/sca/darwin/web_vulnerabilities.yml @@ -44,40 +44,40 @@ checks: - id: 2004 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^.yop$' - id: 2005 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^id$' - id: 2006 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^.ssh$' - id: 2007 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^...$' - id: 2008 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^.shell$' 
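Review bot: The new flow sequences on the pci_dss and nist_800_53 lines, e.g. `- pci_dss: ["6.5","6.6","11.4"]`, have no space after the commas, which yamllint's default `commas` rule flags and Prettier would rewrite; the single-element lists introduced elsewhere in the patch (`["2.11"]`) are unaffected. Writing them as `- pci_dss: ["6.5", "6.6", "11.4"]` and `- nist_800_53: ["SA.11", "IA.10"]` keeps the commit's list-valued format and the linter quiet. The same spacing appears on every changed line of the `@@ -85,24`, `@@ -110,24` and `@@ -136,8` hunks of this file, so it is best fixed once across the file rather than per hunk.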
@@ -85,24 +85,24 @@ checks: - id: 2009 title: "Web vulnerability - Outdated WordPress installation" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2''' - id: 2010 title: "Web vulnerability - Outdated Joomla installation" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8''' - id: 2011 title: "Web vulnerability - Outdated osCommerce (v2.2) installation" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;" @@ -110,24 +110,24 @@ checks: - id: 2012 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' - id: 2013 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] condition: any rules: - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' - id: 2014 title: "Web vulnerability - .htaccess file compromised" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] references: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: any 
@@ -136,8 +136,8 @@ checks: - id: 2015 title: "Web vulnerability - .htaccess file compromised - auto append" compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" + - pci_dss: ["6.5","6.6","11.4"] + - nist_800_53: ["SA.11","IA.10"] references: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: any diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml index 05bb456a5..ddf8dc009 100644 --- a/sca/debian/cis_debian7_L1.yml +++ b/sca/debian/cis_debian7_L1.yml @@ -36,7 +36,7 @@ checks: rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." compliance: - - cis: "2.1" + - cis: ["2.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -49,7 +49,7 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - - cis: "2.2" + - cis: ["2.2"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -61,7 +61,7 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - - cis: "2.3" + - cis: ["2.3"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -73,7 +73,7 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" compliance: - - cis: "2.4" + - cis: ["2.4"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -85,7 +85,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.5" + - cis: ["2.5"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
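Review bot: The rule under the `cis: ["2.2"]` change, `- 'not c:mount -> r:\s/tmp\s'`, never mentions the `nodev` option the check is about, and the identical rule is reused unchanged under `["2.3"]` (nosuid) and `["2.4"]` (noexec) in the next two hunks, so none of the three checks can tell a /tmp mount that carries the option from one that lacks it; the check ids and titles sit above the hunk. Presumably `not` inverts the match, in which case the checks pass exactly when /tmp is not a separate mount at all, which is the opposite of what the remediation text describes. A rule that looks for the option on the /tmp line, e.g. `- 'c:mount -> r:\s/tmp\s && r:nodev'` (with `nosuid`/`noexec` for the other two), would match the stated intent, provided `&&` terms are evaluated against the same output line as the `audit_control` rule elsewhere in this patch appears to rely on. The /home and /run/shm checks in the `@@ -149`, `@@ -161`, `@@ -173` and `@@ -185` hunks share the same shape and would need the same treatment.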
@@ -98,7 +98,7 @@ checks: rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" compliance: - - cis: "2.6" + - cis: ["2.6"] condition: all rules: - 'c:findmnt -> r:/var/tmp && r:[/tmp]' @@ -110,7 +110,7 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.7" + - cis: ["2.7"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -123,7 +123,7 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.8" + - cis: ["2.8"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
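Review bot: `- 'c:findmnt -> r:/var/tmp && r:[/tmp]'` under the `cis: ["2.6"]` change is probably not the test it looks like: in most regex dialects `[/tmp]` is a character class matching any single one of `/`, `t`, `m` or `p`, which every line that already contains `/var/tmp` satisfies, so the bind-mount source is never actually verified. If the SCA engine uses the same regex syntax as the `\s` and `$` patterns elsewhere in this file, escaping the brackets, `- 'c:findmnt -> r:/var/tmp && r:\[/tmp\]'`, restores the intended match on findmnt's `[/tmp]` source notation; the check's id and title are above the hunk, so this should be confirmed against a host with the bind mount in place.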
@@ -136,7 +136,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.9" + - cis: ["2.9"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -149,7 +149,7 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - - cis: "2.10" + - cis: ["2.10"] condition: all rules: - 'not c:mount -> r:\s/home\s' @@ -161,7 +161,7 @@ checks: rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" compliance: - - cis: "2.14" + - cis: ["2.14"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' 
@@ -173,7 +173,7 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm"
 compliance:
- - cis: "2.15"
+ - cis: ["2.15"]
 condition: all
 rules:
 - 'not c:mount -> r:\s/run/shm\s'
@@ -185,7 +185,7 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm"
 compliance:
- - cis: "2.16"
+ - cis: ["2.16"]
 condition: all
 rules:
 - 'not c:mount -> r:\s/run/shm\s'
@@ -197,7 +197,7 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
- - cis: "2.25"
+ - cis: ["2.25"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *autofsc* -> r:S\.'
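Review bot: The rule `'c:find /etc/rc* -name *autofsc* -> r:S\.'` in the 2.25 hunk searches for a file name containing `autofsc`, which looks like a typo for `autofs`; because the check uses `condition: none`, a pattern that can never match makes the check report compliant even when an autofs start link exists. The sibling checks on this page use the service name verbatim (`*xinetd*`, `*cups*`), so the line should read `- 'c:find /etc/rc* -name *autofs* -> r:S\.'`. The glob is also unquoted, so the shell may expand it against the working directory before find sees it — that applies to every `find /etc/rc*` rule here, so I would treat it as a page-wide follow-up rather than fix only this one. The rules list for this check may continue past the end of the hunk.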
@@ -210,7 +210,7 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub"
 compliance:
- - cis: "3.3"
+ - cis: ["3.3"]
 condition: all
 rules:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
@@ -222,7 +222,7 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
 compliance:
- - cis: "3.4"
+ - cis: ["3.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^root:*:|^root:!:'
@@ -234,7 +234,7 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'c:sysctl fs.suid_dumpable -> r:=\s*0$'
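Review bot: The rule `'f:/etc/shadow -> r:^root:*:|^root:!:'` in the 3.4 hunk leaves the `*` unescaped, so it reads as a quantifier rather than the literal locked-password marker the check is after (the remediation is "set a password for the root user", i.e. flag `root:*:` and `root:!:`). Under ordinary regex semantics `^root:*:` matches `root:` followed by any password field, which with `condition: none` would fail the check on every host, including ones where root has a real hash; whether this engine's `*` behaves the same way should be confirmed, but either way the pattern does not express the intended literal. The other rules on this page escape a literal dot as `\.`, so the corresponding form is `- 'f:/etc/shadow -> r:^root:\*:|^root:!:'` — verify the escape is accepted by the engine before merging.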
@@ -246,7 +246,7 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2"
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 condition: all
 rules:
 - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
@@ -259,7 +259,7 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Uninstall the nis package: # apt-get purge nis"
 compliance:
- - cis: "5.1.1"
+ - cis: ["5.1.1"]
 condition: none
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
@@ -270,7 +270,7 @@ checks:
 rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd"
 compliance:
- - cis: "5.1.2"
+ - cis: ["5.1.2"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:^shell|^login|^exec'
@@ -281,7 +281,7 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd"
 compliance:
- - cis: "5.1.4"
+ - cis: ["5.1.4"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:^talk|^ntalk'
@@ -292,7 +292,7 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd"
 compliance:
- - cis: "5.1.6"
+ - cis: ["5.1.6"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
@@ -303,7 +303,7 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal"
 compliance:
- - cis: "5.1.7"
+ - cis: ["5.1.7"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
@@ -314,7 +314,7 @@ checks:
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Disable xinetd: # update-rc.d xinetd disable"
 compliance:
- - cis: "5.1.8"
+ - cis: ["5.1.8"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *xinetd* -> r:S\.'
@@ -325,7 +325,7 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal"
 compliance:
- - cis: "5.2"
+ - cis: ["5.2"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:chargen'
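Review bot: The inetd rules in the 5.1.6, 5.1.7 and 5.2 hunks here (`r:telnet`, `r:tftp`, `r:chargen`) and in the 5.3–5.6 hunks on the next line (`r:daytime`, `r:echo`, `r:discard`, `r:time`) are unanchored substring matches, whereas the 5.1.2 and 5.1.4 hunks anchor to the service field with `r:^shell|^login|^exec` and `r:^talk|^ntalk`. The unanchored form lets one service trip another check: an active `daytime` entry matches `r:time`, so the 5.6 check reports a finding for a service that is not configured, and any uncommented line merely mentioning the word (a path or argument) is enough to fail the others. Anchoring each pattern the same way as 5.1.2, e.g. `- 'f:/etc/inetd.conf -> !r:^# && r:^time'`, keeps the checks independent and consistent across the file.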
@@ -336,7 +336,7 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal"
 compliance:
- - cis: "5.3"
+ - cis: ["5.3"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:daytime'
@@ -347,7 +347,7 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal"
 compliance:
- - cis: "5.4"
+ - cis: ["5.4"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:echo'
@@ -358,7 +358,7 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal"
 compliance:
- - cis: "5.5"
+ - cis: ["5.5"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:discard'
@@ -369,7 +369,7 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal"
 compliance:
- - cis: "5.6"
+ - cis: ["5.6"]
 condition: none
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:time'
@@ -382,7 +382,7 @@ checks:
 rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface."
 remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable"
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *avahi-daemon* -> r:S\.'
@@ -393,7 +393,7 @@ checks:
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Disable cups: # update-rc.d cups disable"
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *cups* -> r:S\.'
@@ -406,7 +406,7 @@ checks:
 references:
 - "https://www.isc.org/dhcp/"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *isc-dhcp-server* -> r:S\.'
@@ -417,7 +417,7 @@ checks:
 rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
 remediation: "Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
 compliance:
- - cis: "6.5"
+ - cis: ["6.5"]
 references:
 - http://www.ntp.org/
 condition: all
@@ -434,7 +434,7 @@ checks:
 rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Uninstall the slapd package: # apt-get purge slapd"
 compliance:
- - cis: "6.6"
+ - cis: ["6.6"]
 references:
 - http://www.openldap.org
 condition: none
@@ -447,7 +447,7 @@ checks:
 rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable"
 compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *rpcbind* -> r:S\.'
@@ -459,7 +459,7 @@ checks:
 rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Disable bind9: # update-rc.d bind9 disable"
 compliance:
- - cis: "6.8"
+ - cis: ["6.8"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *bind9* -> r:S\.'
@@ -470,7 +470,7 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Disable vsftpd: # update-rc.d vsftpd disable"
 compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *vsftpd* -> r:S\.'
@@ -481,7 +481,7 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Disable apache2: # update-rc.d apache2 disable"
 compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *apache2* -> r:S\.'
@@ -492,7 +492,7 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
 remediation: "Disable dovecot: # update-rc.d dovecot disable"
 compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *dovecot* -> r:S\.'
@@ -503,7 +503,7 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "Disable samba: # update-rc.d samba disable"
 compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *smb* -> r:S\.'
@@ -514,7 +514,7 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "Disable squid3: # update-rc.d squid3 disable"
 compliance:
- - cis: "6.13"
+ - cis: ["6.13"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *squid3* -> r:S\.'
@@ -525,7 +525,7 @@ checks:
 rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
 remediation: "Disable snmpd: # update-rc.d snmpd disable"
 compliance:
- - cis: "6.14"
+ - cis: ["6.14"]
 condition: none
 rules:
 - 'c:find /etc/rc* -name *snmpd* -> r:S\.'
@@ -536,7 +536,7 @@ checks:
 rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
 remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload"
 compliance:
- - cis: "6.15"
+ - cis: ["6.15"]
 condition: all
 rules:
 - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:\p127.0.0.1\s*\p\s*::1\p$|\p::1\s*\p\s*127.0.0.1\p$|\p127.0.0.1\p$|\p::1\p$'
@@ -547,7 +547,7 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false"
 compliance:
- - cis: "6.16"
+ - cis: ["6.16"]
 condition: none
 rules:
 - 'c:dpkg -s rsync -> install ok installed'
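Review bot: The rule `'c:dpkg -s rsync -> install ok installed'` in the 6.16 hunk has no `r:` prefix, unlike `'c:dpkg -s nis -> r:install ok installed'` in the 5.1.1 hunk and the iptables rule further down, so depending on how the engine treats a bare pattern it is either a whole-line literal comparison that never matches dpkg's `Status: install ok installed` line or a rule-syntax error; `'c:dpkg -s libpam-cracklib -> install ok installed'` in the 9.2.1 hunk has the same omission. Separately, the check's remediation is to set `RSYNC_ENABLE=false` in /etc/default/rsync, but the rule keys on whether the rsync package is installed at all, so a host that applied the remediation still fails; a rule against the remediated state, e.g. `- 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE\s*=\s*true'` with `condition: none` (constructed, to be validated against the engine), would match the stated remediation. If package presence is what is really intended, make the rule `- 'c:dpkg -s rsync -> r:install ok installed'` and reword the remediation to say so.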
@@ -561,7 +561,7 @@ checks:
 rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.1.1"
+ - cis: ["7.1.1"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
@@ -572,7 +572,7 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.1.2"
+ - cis: ["7.1.2"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
@@ -584,7 +584,7 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.1"
+ - cis: ["7.2.1"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
@@ -596,7 +596,7 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.2"
+ - cis: ["7.2.2"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -608,7 +608,7 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.3"
+ - cis: ["7.2.3"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
@@ -620,7 +620,7 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
 remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.4"
+ - cis: ["7.2.4"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
@@ -632,7 +632,7 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.5"
+ - cis: ["7.2.5"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
@@ -643,7 +643,7 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.6"
+ - cis: ["7.2.6"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
@@ -654,7 +654,7 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.7"
+ - cis: ["7.2.7"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
@@ -666,7 +666,7 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.8"
+ - cis: ["7.2.8"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
@@ -677,7 +677,7 @@ checks:
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "7.3.1"
+ - cis: ["7.3.1"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
@@ -689,7 +689,7 @@ checks:
 rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "7.3.2"
+ - cis: ["7.3.2"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -701,7 +701,7 @@ checks:
 rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
 remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p"
 compliance:
- - cis: "7.3.3"
+ - cis: ["7.3.3"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$'
@@ -717,7 +717,7 @@ checks:
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server."
 remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
 compliance:
- - cis: "7.4.2"
+ - cis: ["7.4.2"]
 condition: all
 rules:
 - 'f:/etc/hosts.allow'
@@ -728,7 +728,7 @@ checks:
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
 remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
 compliance:
- - cis: "7.4.4"
+ - cis: ["7.4.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.deny'
@@ -740,7 +740,7 @@ checks:
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
 remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.1"
+ - cis: ["7.5.1"]
 condition: none
 rules:
 - 'c:lsmod -> r:dccp'
@@ -751,7 +751,7 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.2"
+ - cis: ["7.5.2"]
 condition: none
 rules:
 - 'c:lsmod -> r:sctp'
@@ -762,7 +762,7 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.3"
+ - cis: ["7.5.3"]
 condition: none
 rules:
 - 'c:lsmod -> r:rds'
@@ -773,7 +773,7 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.4"
+ - cis: ["7.5.4"]
 condition: none
 rules:
 - 'c:lsmod -> r:tipc'
@@ -784,7 +784,7 @@ checks:
 rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports."
 remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable"
 compliance:
- - cis: "7.7"
+ - cis: ["7.7"]
 condition: all
 rules:
 - 'c:dpkg -s iptables -> r:install ok installed'
@@ -799,7 +799,7 @@ checks:
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
 remediation: "Enable rsyslog: # update-rc.d rsyslog enable"
 compliance:
- - cis: "8.2.2"
+ - cis: ["8.2.2"]
 condition: all
 rules:
 - 'c:find /etc/rc* -name *rsyslog* -> r:S\.'
@@ -810,7 +810,7 @@ checks:
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
 remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol."
 compliance:
- - cis: "8.2.5"
+ - cis: ["8.2.5"]
 references:
 - rsyslog.conf(5) man page
 condition: all
@@ -823,7 +823,7 @@ checks:
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
 remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd"
 compliance:
- - cis: "8.2.6"
+ - cis: ["8.2.6"]
 references:
 - rsyslog.conf(8) man page
 condition: all
@@ -839,7 +839,7 @@ checks:
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
 remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable"
 compliance:
- - cis: "9.1.1"
+ - cis: ["9.1.1"]
 condition: all
 rules:
 - 'c:find /etc/rc* -name *cron* -> r:S\.'
@@ -851,7 +851,7 @@ checks:
 rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
 remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
- - cis: "9.1.8"
+ - cis: ["9.1.8"]
 condition: all
 rules:
 - 'f:/etc/cron.allow'
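Review bot: The reference `- rsyslog.conf(8) man page` in the 8.2.6 hunk points at manual section 8, while the 8.2.5 hunk just above cites `rsyslog.conf(5)` for the same file; rsyslog.conf is a configuration-file page and lives in section 5, so the two references should agree. Change it to `- rsyslog.conf(5) man page`.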
@@ -869,7 +869,7 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 compliance:
- - cis: "9.2.1"
+ - cis: ["9.2.1"]
 condition: all
 rules:
 - 'c:dpkg -s libpam-cracklib -> install ok installed'
@@ -881,7 +881,7 @@ checks:
 rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
 remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user."
 compliance:
- - cis: "9.2.2"
+ - cis: ["9.2.2"]
 condition: all
 rules:
 - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d\s*\t*unlock_time=\d\d\d+'
@@ -892,7 +892,7 @@ checks: rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy." compliance: - - cis: "9.2.3" + - cis: ["9.2.3"] condition: all rules: - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so\s*\t*obscure\s*\t*sha512\s*\t*remember=\d' @@ -903,7 +903,7 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "9.3.1" + - cis: ["9.3.1"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2' @@ -914,7 +914,7 @@ checks: rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - - cis: "9.3.2" + - cis: ["9.3.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO' 
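Review bot: `remember=\d` at the end of the 9.2.3 rule accepts `remember=1` through `remember=9`, although the rationale and remediation require at least 5 past passwords, and it fails on `remember=10` or higher because `\d` matches one digit. Replace the tail with a numeric compare, keeping the rest of the pattern: `- 'f:/etc/pam.d/common-password -> !r:^# && n:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so.+remember=(\d+) compare >= 5'`.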
@@ -925,7 +925,7 @@ checks: rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no" compliance: - - cis: "9.3.4" + - cis: ["9.3.4"] condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' @@ -936,7 +936,7 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "9.3.5" + - cis: ["9.3.5"] condition: all rules: - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -947,7 +947,7 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "9.3.6" + - cis: ["9.3.6"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' @@ -958,7 +958,7 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "9.3.7" + - cis: ["9.3.7"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' 
@@ -969,7 +969,7 @@ checks: rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "9.3.8" + - cis: ["9.3.8"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' @@ -980,7 +980,7 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "9.3.9" + - cis: ["9.3.9"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' @@ -991,7 +991,7 @@ checks: rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" compliance: - - cis: "9.3.10" + - cis: ["9.3.10"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' 
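Review bot: The 9.3.8 rule `!r:^# && r:PermitRootLogin\s+no` passes whenever any uncommented line contains that text, but sshd honours the first global occurrence of a keyword and applies later ones only inside `Match` blocks, so a file with `PermitRootLogin yes` followed by `PermitRootLogin no`, or with the `no` inside a `Match` block, is reported compliant while root can still log in. The unanchored regex also accepts `  #PermitRootLogin no`, since `!r:^#` only excludes comments at column 0. Prefer the effective configuration, `- 'c:sshd -T -> r:^permitrootlogin no'` (the agent needs privileges to run it), or at minimum anchor the rule as `r:^\s*PermitRootLogin\s+no` and add a separate `condition: none` check for `r:^\s*PermitRootLogin\s+yes`. The same first-match caveat applies to the PermitEmptyPasswords and PermitUserEnvironment hunks that follow on this line.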
@@ -1002,7 +1002,7 @@ checks: rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0" compliance: - - cis: "9.3.12" + - cis: ["9.3.12"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300' @@ -1014,7 +1014,7 @@ checks: rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " compliance: - - cis: "9.3.13" + - cis: ["9.3.13"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+' @@ -1025,7 +1025,7 @@ checks: rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" compliance: - - cis: "9.3.14" + - cis: ["9.3.14"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' 
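Review bot: In the 9.3.12 hunk `n:ClientAliveInterval\s*\t*(\d+) compare <= 300` is satisfied by `ClientAliveInterval 0`, which is sshd's "never send keepalives" value, so an explicitly disabled idle timeout is reported compliant. Add a lower bound as a second rule under the existing `condition: all`: `- 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare > 0'`. The remediation also sets `ClientAliveCountMax 0`; the hunk ends at the first rule, so if no such rule follows, add `- 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare == 0'`.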
@@ -1036,7 +1036,7 @@ checks: rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file." compliance: - - cis: "9.5" + - cis: ["9.5"] condition: all rules: - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid' @@ -1049,7 +1049,7 @@ checks: rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 " compliance: - - cis: "10.1.1" + - cis: ["10.1.1"] condition: all rules: - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' @@ -1060,7 +1060,7 @@ checks: rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 " compliance: - - cis: "10.1.2" + - cis: ["10.1.2"] condition: all rules: - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' 
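Review bot: The comparator in the 10.1.2 rule is inverted: `n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7` passes for the default of 0, which is exactly the setting the rationale says lets users cycle passwords to defeat reuse controls, and fails for a stricter value such as 14. The title, rationale and remediation (`PASS_MIN_DAYS 7`) all describe a minimum, so change it to `- 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'`.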
@@ -1071,7 +1071,7 @@ checks: rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 " compliance: - - cis: "10.1.3" + - cis: ["10.1.3"] condition: all rules: - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7' @@ -1082,7 +1082,7 @@ checks: rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." remediation: "# usermod -g 0 root" compliance: - - cis: "10.3" + - cis: ["10.3"] condition: all rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' @@ -1093,7 +1093,7 @@ checks: rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077" compliance: - - cis: "10.4" + - cis: ["10.4"] condition: all rules: - 'c:grep -R ^umask 077 /etc/profile.d/' 
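Review bot: The 10.1.3 rule has the same inverted comparator: `n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7` accepts `PASS_WARN_AGE 0` (no warning at all) and rejects a longer warning period, while the rationale asks for advance warning of at least the remediation's 7 days. Change it to `- 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare >= 7'`.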
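Review bot: In the 10.4 hunk the command `grep -R ^umask 077 /etc/profile.d/` passes `077` to grep as a file operand rather than as part of the pattern, so grep searches /etc/profile.d/ for any line beginning with `umask` and the check passes for `umask 022` just as for `umask 077` (the missing-file error goes to stderr). The rule also has no `->` regex, so as far as I can tell any output at all satisfies it. Make the pattern a single argument and match the value explicitly, `- 'c:grep -R ^umask /etc/profile.d/ -> r:umask\s+077'`, and consider the same form for /etc/bash.bashrc, which the remediation also edits.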
@@ -1105,7 +1105,7 @@ checks: rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." remediation: "# useradd -D -f 35" compliance: - - cis: "10.5" + - cis: ["10.5"] condition: all rules: - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' @@ -1117,7 +1117,7 @@ checks: rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net" compliance: - - cis: "11.1" + - cis: ["11.1"] condition: all rules: - 'f:/etc/motd' @@ -1133,7 +1133,7 @@ checks: rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v." compliance: - - cis: "11.2" + - cis: ["11.2"] condition: none rules: - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' 
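Review bot: The 11.2 rule `c:grep (\\v|\\r|\\m|\\s) /etc/issue` hands an unquoted pattern to the command runner; if the command goes through a shell, `(` and `|` are shell syntax and the command fails before grep runs, and under `condition: none` a command that produces no output makes the check pass regardless of what /etc/issue contains. Even without a shell, `(` and `|` are literal in grep's basic regex, so the pattern only ever matches the literal text `(\v|\r|\m|\s)`. Quote the pattern and use extended regex, e.g. `- 'c:grep -E "(\\\\v|\\\\r|\\\\m|\\\\s)" /etc/issue'`, then confirm on a host with `\m` in /etc/issue that the check actually fails. Companion rules for /etc/motd and /etc/issue.net, if any, lie outside this hunk.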
@@ -1147,7 +1147,7 @@ checks: rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." compliance: - - cis: "13.1" + - cis: ["13.1"] condition: none rules: - 'f:/etc/shadow -> r:^\w+::' @@ -1158,7 +1158,7 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Delete these entries if they exist." compliance: - - cis: "13.2" + - cis: ["13.2"] condition: none rules: - 'f:/etc/passwd -> !r:^# && r:^+:' @@ -1169,7 +1169,7 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Delete these entries if they exist." compliance: - - cis: "13.3" + - cis: ["13.3"] condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' @@ -1179,7 +1179,7 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Delete these entries if they exist." compliance: - - cis: "13.4" + - cis: ["13.4"] condition: none rules: - 'f:/etc/group -> !r:^# && r:^+:' @@ -1190,7 +1190,7 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." remediation: "Delete any other entries that are displayed." compliance: - - cis: "13.5" + - cis: ["13.5"] condition: none rules: - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' 
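Review bot: The 13.2 rule `r:^+:` leaves the `+` unescaped; in the OSSEC regex dialect these rules use `+` is a quantifier, so the pattern may not match a legacy `+:` NIS entry at all, in which case `condition: none` reports the system compliant. Escape it, `- 'f:/etc/passwd -> !r:^# && r:^\+:'`, and confirm against a test file containing `+::::::` that the check fails. The 13.3 and 13.4 hunks on this line use the same pattern for /etc/shadow and /etc/group and need the same fix.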
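Review bot: The 13.5 rule in the last hunk uses `not r:^\s*\t*root:` while every other negated term in this file is written `!r:`; unless the SCA parser accepts `not` as a synonym, the term is either ignored or the rule is rejected. If ignored, `r:^\w+:\w+:0:` matches the legitimate `root:x:0:0:` line and this `condition: none` check fails on every host; if rejected, the UID-0 check is silently lost. Use the documented form: `- 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'`.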
@@ -1201,7 +1201,7 @@ checks: rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." remediation: "If any users have .rhosts files determine why they have them." compliance: - - cis: "13.10" + - cis: ["13.10"] condition: none rules: - 'd:/home -> r:^.rhosts$' @@ -1212,7 +1212,7 @@ checks: rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." compliance: - - cis: "13.18" + - cis: ["13.18"] condition: none rules: - 'd:/home -> r:^.netrc$' @@ -1223,7 +1223,7 @@ checks: rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." compliance: - - cis: "13.19" + - cis: ["13.19"] condition: none rules: - 'd:/home -> r:^.forward$' 
@@ -1234,7 +1234,7 @@ checks: rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." compliance: - - cis: "13.20" + - cis: ["13.20"] condition: none rules: - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml index 887b14e21..22bf4afcb 100644 --- a/sca/debian/cis_debian7_L2.yml +++ b/sca/debian/cis_debian7_L2.yml @@ -36,7 +36,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true" compliance: - - cis: "2.18" + - cis: ["2.18"] condition: all rules: - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' @@ -48,7 +48,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true" compliance: - - cis: "2.19" + - cis: ["2.19"] condition: all rules: - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' 
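Review bot: The 2.18 rule `c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true` only shows that a future load would be diverted; a cramfs module that is already loaded stays loaded until reboot and the check still passes. The CIS audit pairs this with `lsmod | grep cramfs` returning nothing, which here is best expressed as a separate `condition: none` check containing `- 'c:lsmod -> r:^cramfs'`, since a per-line `!r:` on lsmod output would be satisfied by any unrelated module line. The same gap applies to the freevxfs, jffs2, hfs, hfsplus, squashfs and udf hunks that follow.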
@@ -60,7 +60,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true" compliance: - - cis: "2.20" + - cis: ["2.20"] condition: all rules: - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' @@ -72,7 +72,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true" compliance: - - cis: "2.21" + - cis: ["2.21"] condition: all rules: - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' @@ -84,7 +84,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true" compliance: - - cis: "2.22" + - cis: ["2.22"] condition: all rules: - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' @@ -96,7 +96,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true" compliance: - - cis: "2.23" + - cis: ["2.23"] condition: all rules: - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' 
@@ -108,7 +108,7 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true" compliance: - - cis: "2.24" + - cis: ["2.24"] condition: all rules: - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' @@ -122,7 +122,7 @@ checks: rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." compliance: - - cis: "4.5" + - cis: ["4.5"] condition: all rules: - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0' @@ -136,7 +136,7 @@ checks: rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." compliance: - - cis: "8.1.1.1" + - cis: ["8.1.1.1"] condition: all rules: - 'd:/etc/audit' 
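Review bot: The 4.5 rule `n:^(\d+)\s*profiles are loaded compare > 0` in the second hunk passes when profiles are merely loaded, so a host with every profile in complain mode, or with unconfined processes, is reported compliant although the remediation requires `aa-enforce` on all profiles. apparmor_status also prints `N profiles are in enforce mode` and `N processes are unconfined`, so add `- 'c:apparmor_status -> n:^(\d+)\s*profiles are in enforce mode compare > 0'` and `- 'c:apparmor_status -> n:^(\d+)\s*processes are unconfined compare == 0'` under the existing `condition: all`. Comparing the loaded and enforce counts directly would be stricter, but that needs two captures in one rule, which this syntax does not appear to support.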
@@ -149,7 +149,7 @@ checks: rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - - cis: "8.1.1.2" + - cis: ["8.1.1.2"] condition: all rules: - 'd:/etc/audit' @@ -164,7 +164,7 @@ checks: rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." remediation: "Add the following line to the /etc/audit/auditd.conf file. max_log_file_action = keep_logs" compliance: - - cis: "8.1.1.3" + - cis: ["8.1.1.3"] condition: all rules: - 'd:/etc/audit' @@ -177,7 +177,7 @@ checks: rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." remediation: "Install auditd: # apt-get install auditd If needed enable auditd in /etc/rc*.d: # update-rc.d auditd enable" compliance: - - cis: "8.1.2" + - cis: ["8.1.2"] condition: all rules: - 'c:dpkg -s auditd -> r:install ok installed' @@ -189,7 +189,7 @@ checks: rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" compliance: - - cis: "8.1.3" + - cis: ["8.1.3"] condition: all rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*' 
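Review bot: The 8.1.3 rule in the last hunk reads `audit=1` from /etc/default/grub, which is only the template; it passes as soon as the file is edited, before `update-grub` has regenerated /boot/grub/grub.cfg, and says nothing about the kernel that is actually running. Add `- 'f:/boot/grub/grub.cfg -> r:audit=1'` under the existing `condition: all`, and consider `- 'c:cat /proc/cmdline -> r:audit=1'` so the check reflects the booted kernel rather than the next boot. Keep the /etc/default/grub rule so the setting is also known to survive the next update-grub.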
@@ -200,7 +200,7 @@ checks: rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.4" + - cis: ["8.1.4"] condition: all rules: - 'd:/etc/audit' @@ -217,7 +217,7 @@ checks: rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.5" + - cis: ["8.1.5"] condition: all rules: - 'd:/etc/audit' 
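Review bot: The remediation text in the 8.1.4 hunk tells the operator to run `pkill -P 1-HUP auditd` (twice), which is not a valid pkill invocation: `-P` expects a parent-PID list and `1-HUP` is neither a PID nor a signal, so the command errors out and auditd never reloads its rules. Later hunks in this file spell the same step as `pkill -HUP -P 1 auditd`; use that form here and in the 8.1.5 hunk on this line. The rule list is cut off after `d:/etc/audit`, so I cannot see whether the time-change watches themselves are verified.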
@@ -234,7 +234,7 @@ checks: rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.6" + - cis: ["8.1.6"] condition: all rules: - 'f:/etc/audit' 
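Review bot: The 8.1.6 rule `f:/etc/audit` applies a file check to a directory, while every other audit check on this page uses `d:/etc/audit`; depending on how the engine resolves `f:` on a directory, the rule either fails and this whole `condition: all` check is reported non-compliant, or matches for the wrong reason. Change it to `- 'd:/etc/audit'` for consistency. The remaining rules of this check, which should cover the sethostname/setdomainname and /etc/hosts watches, lie outside the hunk.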
@@ -252,7 +252,7 @@ checks: rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.7" + - cis: ["8.1.7"] condition: all rules: - 'd:/etc/audit' @@ -265,7 +265,7 @@ checks: rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." remediation: "Add the following lines to the /etc/audit/audit.&& r:rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.8" + - cis: ["8.1.8"] condition: all rules: - 'd:/etc/audit' @@ -280,7 +280,7 @@ checks: rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)" compliance: - - cis: "8.1.9" + - cis: ["8.1.9"] condition: all rules: - 'd:/etc/audit' 
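Review bot: The remediation string in the 8.1.8 hunk contains the fragment `/etc/audit/audit.&& r:rules file`, which looks like a stray rule token pasted into the path and will be shown verbatim to whoever acts on the finding. Restore it to `Add the following lines to the /etc/audit/audit.rules file.`; the rest of the string (the three `-w` watches and the `pkill -HUP -P 1 auditd` step) reads correctly.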
@@ -295,7 +295,7 @@ checks: rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.10" + - cis: ["8.1.10"] condition: all rules: - 'd:/etc/audit' 
@@ -313,7 +313,7 @@ checks: rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.11" + - cis: ["8.1.11"] condition: all rules: - 'd:/etc/audit' 
@@ -329,7 +329,7 @@ checks:
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
 remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.13"
+ - cis: ["8.1.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -343,7 +343,7 @@ checks:
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
 remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
 compliance:
- - cis: "8.1.14"
+ - cis: ["8.1.14"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -357,7 +357,7 @@ checks:
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.15"
+ - cis: ["8.1.15"]
 condition: all
 rules:
 - 'd:/etc/audit'
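Review bot: The 32-bit remediation on the new side of hunk -343 ends with `# pkill -P 1-HUP auditd`, which folds the signal name into the `-P` parent-pid argument and is not the restart command the sibling checks give. It should read `# pkill -HUP -P 1 auditd`, as in hunk -295 and the other audit checks of this file. The check's rules continue outside the hunk.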
@@ -370,7 +370,7 @@ checks:
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root"
 compliance:
- - cis: "8.1.16"
+ - cis: ["8.1.16"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -383,7 +383,7 @@ checks:
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
 compliance:
- - cis: "8.1.17"
+ - cis: ["8.1.17"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -399,7 +399,7 @@ checks:
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file"
 compliance:
- - cis: "8.1.18"
+ - cis: ["8.1.18"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -413,7 +413,7 @@ checks:
 rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
 remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
 compliance:
- - cis: "8.3.1"
+ - cis: ["8.3.1"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -424,7 +424,7 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
- - cis: "8.3.2"
+ - cis: ["8.3.2"]
 condition: all
 rules:
 - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check'
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index 90d0a009b..719431514 100644
--- a/sca/debian/cis_debian8_L1.yml
+++ b/sca/debian/cis_debian8_L1.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
 compliance:
- - cis: "1.1.1.1"
- - cis_csc: "13"
+ - cis: ["1.1.1.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
@@ -47,8 +47,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install freevxfs /bin/true. 2) Run the following command to unload the freevxfs module: # rmmod freevxfs"
 compliance:
- - cis: "1.1.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.2"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
@@ -60,8 +60,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install jffs2 /bin/true. 2) Run the following command to unload the jffs2 module: # rmmod jffs2"
 compliance:
- - cis: "1.1.1.3"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.3"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
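Review bot: The new `cis_csc: ["13","5.1"]` list in hunk -47 is written without a space after the comma, which departs from the usual flow-sequence layout `["13", "5.1"]`; this is the first multi-entry list in the file, and the same spacing applies to every `cis_csc` list in the later hunks of cis_debian8_L1.yml (L5152–L5168). Quoting each entry is correct, since `2`, `13` and `5.1` would otherwise be parsed as numbers; only the spacing needs adjusting.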
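Review bot: The jffs2 remediation on the new side of hunk -60 starts with `Edit or create a file …` and then jumps to `2) Run the following command …`, so its step numbering is inconsistent with the cramfs and freevxfs checks in the two hunks above. Prefixing the first step with `1) ` as its siblings do fixes it; the rule line is unaffected.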
@@ -73,8 +73,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfs /bin/true. 2) Run the following command to unload the hfs module: # rmmod hfs"
 compliance:
- - cis: "1.1.1.4"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.4"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
@@ -86,8 +86,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfsplus /bin/true. 2) Run the following command to unload the hfsplus module: # rmmod hfsplus"
 compliance:
- - cis: "1.1.1.5"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.5"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
@@ -99,8 +99,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install squashfs /bin/true. 2) Run the following command to unload the squashfs module: # rmmod squashfs"
 compliance:
- - cis: "1.1.1.6"
- - cis_csc: "13"
+ - cis: ["1.1.1.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true'
@@ -112,8 +112,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install udf /bin/true. 2) Run the following command to unload the udf module: # rmmod udf"
 compliance:
- - cis: "1.1.1.7"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.7"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true'
@@ -126,8 +126,8 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis: "1.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.2"]
+ - cis_csc: ["13","5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
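Review bot: The /tmp remediation on the new side of hunk -126 says `systemctl umask tmp.mount`, but `umask` is not a systemctl verb; the command that re-enables a masked unit is `systemctl unmask tmp.mount`, so an administrator following the text verbatim gets an error instead of a mounted /tmp. The same sentence has `appropiate` for `appropriate`. Changing `systemctl umask tmp.mount; systemctl enable tmp.mount` to `systemctl unmask tmp.mount; systemctl enable tmp.mount` fixes it. The check's condition and rules follow outside the hunk.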
@@ -141,8 +141,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.3"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -153,8 +153,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.4"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -165,8 +165,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
 compliance:
- - cis: "1.1.7"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.7"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
@@ -177,8 +177,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
 compliance:
- - cis: "1.1.8"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.8"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
@@ -189,8 +189,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
 compliance:
- - cis: "1.1.9"
- - cis_csc: "2, 2.6"
+ - cis: ["1.1.9"]
+ - cis_csc: ["2","2.6"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:noexec'
@@ -201,8 +201,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.13"
- - cis_csc: "13, 15.1, 5.1"
+ - cis: ["1.1.13"]
+ - cis_csc: ["13","15.1","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -213,8 +213,8 @@ checks:
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.14"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.14"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -225,8 +225,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.15"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.15"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -237,8 +237,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm"
 compliance:
- - cis: "1.1.16"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.16"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -249,8 +249,8 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
- - cis: "1.1.21"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["1.1.21"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
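Review bot: The noexec remediation on the new side of hunk -237 ends with `# mount -o remount,noexec /run/shm`, while its own sentence and the rule `c:mount -> r:\s/dev/shm\s && r:noexec` refer to `/dev/shm`. The two paths may alias each other on some Debian releases, but the remediation should name the path the rule actually verifies, `# mount -o remount,noexec /dev/shm`, as the nodev and nosuid checks in the hunks above already do.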
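Review bot: The autofs remediation on the new side of hunk -249, `# update-rc.d autofs disable`, uses the SysV tool while the rule `c:systemctl is-enabled autofs -> r:^enabled` queries systemd, so text and check do not describe the same mechanism. `Disable autofs: # systemctl disable autofs` would match what the rule verifies. The rationale also has `it's contents` for `its contents`.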
@@ -262,8 +262,8 @@ checks:
 rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
 remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
 compliance:
- - cis: "1.3.1"
- - cis_csc: "3.5, 14.9"
+ - cis: ["1.3.1"]
+ - cis_csc: ["3.5","14.9"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -274,8 +274,8 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
- - cis: "1.3.2"
- - cis_csc: "3.5, 14.9"
+ - cis: ["1.3.2"]
+ - cis_csc: ["3.5","14.9"]
 condition: all
 rules:
 - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check'
@@ -287,8 +287,8 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" 3) Run the following to update the grub configuration: # update-grub"
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
@@ -300,8 +300,8 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
 compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
+ - cis: ["1.4.3"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^root:*:|^root:!:'
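Review bot: The grub remediation on the new side of hunk -287 is not usable as written: `Your PBKDF2 is` ends without the hash placeholder and the heredoc has collapsed to `cat <\" password_pbkdf2 EOF`, which looks like the angle-bracketed placeholders and the `<<EOF` redirection were stripped at some point. The ntp remediation in hunk -379 and the chrony remediation in hunk -397 (both L5162) end in the same truncated `server ` for what appears to be the same reason. Spelling the placeholders out in words (for example `password_pbkdf2 USERNAME HASH`) or moving these remediations to a `|` block scalar holding the full heredoc would make them actionable again.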
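Review bot: In the rule `f:/etc/shadow -> r:^root:*:|^root:!:` on the new side of hunk -300, `*` is a quantifier in the OSSEC-derived regex dialect rather than a literal asterisk, so `^root:*:` matches `root::` (an empty password field) and not the locked-account form `root:*:` the check is meant to detect; with `condition: none`, a root entry locked with `*` would then be reported as compliant, and only the `!` form is caught. If the engine supports escaping, `r:^root:\*:|^root:!:` expresses the intended literal; verify the escape against the agent's regex implementation before relying on it.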
@@ -313,8 +313,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0 and set the active kernel parameter."
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
@@ -327,8 +327,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.3, 8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.3","8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
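Review bot: The only rule visible for the core-dump check on the new side of hunk -313, `c:sysctl fs.suid_dumpable -> r:=\s*\t*0$`, verifies the sysctl but not the `* hard core 0` limit that the remediation and rationale are mainly about; unless a further rule follows outside the hunk, a host with `fs.suid_dumpable = 0` and no limits.conf entry passes. A second rule such as `f:/etc/security/limits.conf -> r:hard\s+core\s+0` would cover it, and the existing `condition: all` would then require both.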
@@ -341,8 +341,8 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
 remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
 compliance:
- - cis: "1.7.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.7.1.2"]
+ - cis_csc: ["13","5.1"]
 condition: none
 rules:
 - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue'
@@ -354,8 +354,8 @@ checks:
 rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd: # apt-get remove xinetd"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:dpkg -s xinetd -> r:install ok installed'
@@ -366,8 +366,8 @@ checks:
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
 remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
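Review bot: The rule `c:grep (\\v|\\r|\\m|\\s) /etc/issue` on the new side of hunk -341 hands grep an alternation group without `-E` and without quoting, so in basic-regex mode the parentheses and `|` are literal characters and the pattern only matches the exact text `(\v|\r|\m|\s)`; depending on how the agent passes the command to a shell, the unquoted `(` may also be rejected outright. With `condition: none` either outcome means an /etc/issue that still contains `\m` or `\r` escapes is reported as passing. Adding `-E` and quoting the pattern, as the benchmark's own audit command does, is the minimal fix; verify the rendered command against the agent's command runner.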
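Review bot: The rationale on the new side of hunk -354 reads `no xinetdservices required`, missing the space in `xinetd services`. The remediation is titled "disable" but gives `apt-get remove xinetd`, which is what the rule `c:dpkg -s xinetd -> r:install ok installed` actually verifies, so "uninstall" would describe it more accurately, matching the inetd check in hunk -366.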
@@ -379,8 +379,8 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
 references:
 - http://www.ntp.org/
 condition: all
@@ -397,8 +397,8 @@ checks:
 rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
 remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server "
 compliance:
- - cis: "2.2.1.3"
- - cis_csc: "6.1"
+ - cis: ["2.2.1.3"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
@@ -409,8 +409,8 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
 remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
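Review bot: The chrony rule on the new side of hunk -397 reads `f:/etc/chrony.conf`, while the remediation directs the administrator to `/etc/chrony/chrony.conf`, which is where Debian's chrony package keeps its configuration; a host configured exactly as the remediation says still fails this check because the file the rule opens is not there. Changing the rule to `f:/etc/chrony/chrony.conf -> r:^server\.+$|^pool\.+$` (or listing both paths) aligns it with the remediation. The rationale says the item only applies when chrony is in use, so a preceding rule gating on the chrony package would also avoid flagging hosts that run ntp instead; the avahi rationale in hunk -409 has `attach surface` for `attack surface`.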
@@ -421,8 +421,8 @@ checks:
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
- - cis: "2.2.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.4"]
+ - cis_csc: ["9.1","9.2"]
 references:
 - https://www.cups.org
 condition: none
@@ -437,8 +437,8 @@ checks:
 references:
 - https://www.isc.org/dhcp/
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
@@ -450,8 +450,8 @@ checks:
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable slapd: # systemctl disable slapd"
 compliance:
- - cis: "2.2.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.6"]
+ - cis_csc: ["9.1","9.2"]
 references:
 - https://www.openldap.org
 condition: none
@@ -464,8 +464,8 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
@@ -477,8 +477,8 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable named: # systemctl disable bind9"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
@@ -489,8 +489,8 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
@@ -501,8 +501,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2: # systemctl disable apache2"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
@@ -513,8 +513,8 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable smbd: # systemctl disable smbd"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
@@ -525,8 +525,8 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -537,8 +537,8 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
@@ -549,8 +549,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsync: # systemctl disable rsync"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
@@ -561,8 +561,8 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Uninstall the nis package: # apt-get remove nis"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2, 2.6"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2","2.6"]
 condition: none
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
@@ -573,8 +573,8 @@ checks:
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
 remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
 compliance:
- - cis: "2.3.2"
- - cis_csc: "3.4, 4.5"
+ - cis: ["2.3.2"]
+ - cis_csc: ["3.4","4.5"]
 condition: none
 rules:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
@@ -586,8 +586,8 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to uninstall talk: apt-get remove talk"
 compliance:
- - cis: "2.3.3"
- - cis_csc: "2, 2.6"
+ - cis: ["2.3.3"]
+ - cis_csc: ["2","2.6"]
 condition: none
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
@@ -598,8 +598,8 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
 remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
 compliance:
- - cis: "2.3.4"
- - cis_csc: "3.4, 4.5"
+ - cis: ["2.3.4"]
+ - cis_csc: ["3.4","4.5"]
 condition: none
 rules:
 - 'c:dpkg -s telnet -> r:install ok installed'
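Review bot: The rationale on the new side of hunk -573 contains two run-together words, `rshpackage` and `rcpand`, which should read `rsh package` and `rcp and`. The remediation here and in the talk check (hunk -586) also omits the leading `# ` prompt marker that the other remediations in this file put before their commands, e.g. `# apt-get remove rsh-client rsh-redone-client`, so the wording is inconsistent with the telnet check in hunk -598.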
@@ -611,8 +611,8 @@ checks:
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
@@ -626,8 +626,8 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
@@ -641,8 +641,8 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
@@ -660,8 +660,8 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -679,8 +679,8 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
@@ -694,8 +694,8 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6, 6.2, 6.3"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6","6.2","6.3"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
@@ -709,8 +709,8 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
@@ -722,8 +722,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
@@ -735,8 +735,8 @@ checks:
 rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
@@ -750,8 +750,8 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
@@ -763,8 +763,8 @@ checks:
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.9"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.9"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
@@ -778,8 +778,8 @@ checks:
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
 remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
 compliance:
- - cis: "3.3.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["3.3.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.allow'
@@ -790,8 +790,8 @@ checks:
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
 remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
 compliance:
- - cis: "3.3.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["3.3.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.deny'
@@ -803,8 +803,8 @@ checks:
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
 compliance:
- - cis: "3.4.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
@@ -816,8 +816,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
 compliance:
- - cis: "3.4.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
@@ -829,8 +829,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
 compliance:
- - cis: "3.4.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
@@ -842,8 +842,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
 compliance:
- - cis: "3.4.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v tipc -> r:install /bin/true'
@@ -857,8 +857,8 @@ checks:
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
 remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
 compliance:
- - cis: "3.5.1.1"
- - cis_csc: "9.1, 9.4"
+ - cis: ["3.5.1.1"]
+ - cis_csc: ["9.1","9.4"]
 condition: all
 rules:
 - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP'
@@ -871,8 +871,8 @@ checks:
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
 remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
 compliance:
- - cis: "3.5.2.1"
- - cis_csc: "9.1, 9.4"
+ - cis: ["3.5.2.1"]
+ - cis_csc: ["9.1","9.4"]
 condition: all
 rules:
 - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP'
@@ -885,8 +885,8 @@ checks:
 rationale: "iptables is required for firewall management and configuration."
 remediation: "Run the following command to install iptables: # apt-get install iptables"
 compliance:
- - cis: "3.5.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["3.5.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'c:dpkg -s iptables -> r:install ok installed'
@@ -898,8 +898,8 @@ checks:
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
 remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
 compliance:
- - cis: "4.2.1.1"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.2.1.1"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'c:systemctl is-enabled rsyslog -> r:^enabled'
@@ -910,8 +910,8 @@ checks:
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
 remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
- - cis: "4.2.1.4"
- - cis_csc: "6.6, 6.8"
+ - cis: ["4.2.1.4"]
+ - cis_csc: ["6.6","6.8"]
 references:
 - rsyslog.conf(5) man page
 condition: all
@@ -924,8 +924,8 @@ checks:
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
 remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
- - cis: "4.2.1.5"
- - cis_csc: "9.1, 9.2"
+ - cis: ["4.2.1.5"]
+ - cis_csc: ["9.1","9.2"]
 references:
 - rsyslog.conf(8) man page
 condition: all
@@ -940,8 +940,8 @@ checks:
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
 remediation: "Run the following command to enable cron: systemctl enable cron"
 compliance:
- - cis: "5.1.1"
- - cis_csc: "6, 5.1"
+ - cis: ["5.1.1"]
+ - cis_csc: ["6","5.1"]
 condition: all
 rules:
 - 'c:systemctl is-enabled cron -> r:^enabled$'
@@ -952,8 +952,8 @@ checks:
 rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
 remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
- - cis: "5.1.8"
- - cis_csc: "16"
+ - cis: ["5.1.8"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'f:/etc/cron.allow'
@@ -969,8 +969,8 @@ checks:
 rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
 remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
 compliance:
- - cis: "5.2.1"
- - cis_csc: "5.1"
+ - cis: ["5.2.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
@@ -981,8 +981,8 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.4"
- - cis_csc: "3.4, 4.5"
+ - cis: ["5.2.4"]
+ - cis_csc: ["3.4","4.5"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
@@ -995,8 +995,8 @@ checks:
 references:
 - https://www.ssh.com/ssh/sshd_config/
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16, 6.2, 6.3"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16","6.2","6.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
@@ -1007,8 +1007,8 @@ checks:
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
 remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "16, 9.2"
+ - cis: ["5.2.6"]
+ - cis_csc: ["16","9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
@@ -1019,8 +1019,8 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "16, 16.13"
+ - cis: ["5.2.7"]
+ - cis_csc: ["16","16.13"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -1031,8 +1031,8 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "9, 9.2"
+ - cis: ["5.2.8"]
+ - cis_csc: ["9","9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
@@ -1043,8 +1043,8 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "9, 16.3"
+ - cis: ["5.2.9"]
+ - cis_csc: ["9","16.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
@@ -1055,8 +1055,8 @@ checks:
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.10"
- - cis_csc: "5.8, 4.3"
+ - cis: ["5.2.10"]
+ - cis_csc: ["5.8","4.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
@@ -1069,8 +1069,8 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.11"
- - cis_csc: "16, 16.3"
+ - cis: ["5.2.11"]
+ - cis_csc: ["16","16.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
@@ -1081,8 +1081,8 @@ checks:
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
 compliance:
- - cis: "5.2.12"
- - cis_csc: "16, 5.1"
+ - cis: ["5.2.12"]
+ - cis_csc: ["16","5.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
@@ -1093,8 +1093,8 @@ checks:
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0"
 compliance:
- - cis: "5.2.16"
- - cis_csc: "16.4, 16.11"
+ - cis: ["5.2.16"]
+ - cis_csc: ["16.4","16.11"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
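Review bot: The ClientAliveInterval rule in the `@@ -1093` hunk tests the same key twice and never looks at ClientAliveCountMax, even though the remediation sets both parameters and the rationale names 0 as the recommended ClientAliveCountMax; a host with `ClientAliveInterval 300` and any non-zero ClientAliveCountMax passes this check without meeting the remediation text. Since the check is `condition: all`, one extra rule line closes the gap: `- 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare == 0'` (I am assuming the engine's `compare` accepts `==` the way it accepts `!=` on the existing line; confirm before merging). The rule lines are unchanged context here, so the commit itself does not touch them.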
@@ -1106,8 +1106,8 @@ checks:
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
 remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
 compliance:
- - cis: "5.2.18"
- - cis_csc: "5.1, 5.8, 4.3"
+ - cis: ["5.2.18"]
+ - cis_csc: ["5.1","5.8","4.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
@@ -1118,8 +1118,8 @@ checks:
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
 compliance:
- - cis: "5.2.19"
- - cis_csc: "5.1"
+ - cis: ["5.2.19"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue'
@@ -1132,8 +1132,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
 compliance:
- - cis: "5.3.1"
- - cis_csc: "5.7, 16.12, 4.4"
+ - cis: ["5.3.1"]
+ - cis_csc: ["5.7","16.12","4.4"]
 condition: all
 rules:
 - 'c:dpkg -s libpam-cracklib -> install ok installed'
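Review bot: The rule `'c:dpkg -s libpam-cracklib -> install ok installed'` in the `@@ -1132` hunk is the only `dpkg -s` rule in this patch without the `r:` prefix (compare `'c:dpkg -s nis -> r:install ok installed'` in the `@@ -561` hunk), and it tests for libpam-cracklib while the remediation on the same hunk installs libpam-pwquality. Whether the engine accepts a bare pattern after `->` I cannot tell from here, so at minimum restore the prefix, `- 'c:dpkg -s libpam-cracklib -> r:install ok installed'`, and then either point the rule at the package the remediation names or reword the remediation so the two agree. This rule line is unchanged context, so the commit does not touch it.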
@@ -1150,8 +1150,8 @@ checks:
 rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
 remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the \"audit\" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization."
 compliance:
- - cis: "5.3.2"
- - cis_csc: "16.7"
+ - cis: ["5.3.2"]
+ - cis_csc: ["16.7"]
 condition: all
 rules:
 - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
@@ -1162,8 +1162,8 @@ checks:
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
 remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
 compliance:
- - cis: "5.3.3"
- - cis_csc: "16"
+ - cis: ["5.3.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
@@ -1176,8 +1176,8 @@ checks:
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
 remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
 compliance:
- - cis: "5.4.1.1"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.1"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
@@ -1188,8 +1188,8 @@ checks:
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
 remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
 compliance:
- - cis: "5.4.1.2"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.2"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare <= 7'
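Review bot: `compare <= 7` on the PASS_MIN_DAYS rule in the `@@ -1188` hunk is inverted: the remediation on the same hunk says the value should be 7 or more, so the check as written passes a permissive `PASS_MIN_DAYS 0` and fails any site that sets a value above 7. The `@@ -1200` hunk on the next line has the same defect for PASS_WARN_AGE, whose remediation also says 7 or more; PASS_MAX_DAYS in the `@@ -1176` hunk (`compare <= 365`, "365 or less") is the one that is consistent. The fixes are `- 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'` and `- 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'`. Both rule lines are unchanged context in this commit.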
@@ -1200,8 +1200,8 @@ checks:
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
 remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
 compliance:
- - cis: "5.4.1.3"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.3"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare <= 7'
@@ -1212,8 +1212,8 @@ checks:
 rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
 remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
 compliance:
- - cis: "5.4.1.4"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.4"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
@@ -1224,8 +1224,8 @@ checks:
 rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
 remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
 compliance:
- - cis: "5.4.3"
- - cis_csc: "5, 5.1"
+ - cis: ["5.4.3"]
+ - cis_csc: ["5","5.1"]
 condition: all
 rules:
 - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
@@ -1236,8 +1236,8 @@ checks:
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
 remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root, Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
 compliance:
- - cis: "5.6"
- - cis_csc: "5.1"
+ - cis: ["5.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
@@ -1251,8 +1251,8 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "16, 4.4"
+ - cis: ["6.2.1"]
+ - cis_csc: ["16","4.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
@@ -1263,8 +1263,8 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/passwd if they exist."
 compliance:
- - cis: "6.2.2"
- - cis_csc: "16.9, 16.2"
+ - cis: ["6.2.2"]
+ - cis_csc: ["16.9","16.2"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && r:^+:'
@@ -1275,8 +1275,8 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/shadow if they exist."
 compliance:
- - cis: "6.2.3"
- - cis_csc: "16.9, 16.2"
+ - cis: ["6.2.3"]
+ - cis_csc: ["16.9","16.2"]
 condition: none
 rules:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
@@ -1287,8 +1287,8 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/group if they exist."
 compliance:
- - cis: "6.2.4"
- - cis_csc: "16.9, 16.2"
+ - cis: ["6.2.4"]
+ - cis_csc: ["16.9","16.2"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:^+:'
@@ -1299,8 +1299,8 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
@@ -1311,8 +1311,8 @@ checks:
 rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
 remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
 compliance:
- - cis: "6.2.20"
- - cis_csc: "5.1"
+ - cis: ["6.2.20"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml
index cda0d786e..ceea4ce66 100644
--- a/sca/debian/cis_debian8_L2.yml
+++ b/sca/debian/cis_debian8_L2.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.5"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.5"]
+ - cis_csc: ["13","5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -48,8 +48,8 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.6"]
+ - cis_csc: ["13","5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -62,8 +62,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.10"
- - cis_csc: "6.3, 6.4"
+ - cis: ["1.1.10"]
+ - cis_csc: ["6.3","6.4"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -76,8 +76,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3, 6.4"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3","6.4"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -90,8 +90,8 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.12"]
+ - cis_csc: ["13","5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -104,8 +104,8 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
- - cis: "1.1.21"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["1.1.21"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -117,8 +117,8 @@ checks:
 rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
 remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
 compliance:
- - cis: "1.6.3"
- - cis_csc: "14.4, 14.6"
+ - cis: ["1.6.3"]
+ - cis_csc: ["14.4","14.6"]
 condition: any
 rules:
 - 'c:dpkg -s selinux -> r:install ok installed'
@@ -132,8 +132,8 @@ checks:
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
- - cis: "2.2.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.4"]
+ - cis_csc: ["9.1","9.2"]
 references:
 - 'https://www.cups.org'
 condition: none
@@ -148,8 +148,8 @@ checks:
 rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
 remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes."
 compliance:
- - cis: "4.1.1.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["4.1.1.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -162,8 +162,8 @@ checks:
 rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
 remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
 compliance:
- - cis: "4.1.1.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["4.1.1.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -178,8 +178,8 @@ checks:
 rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
 remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
 compliance:
- - cis: "4.1.1.3"
- - cis_csc: "6.3, 6.4"
+ - cis: ["4.1.1.3"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -192,8 +192,8 @@ checks:
 rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
 remediation: "Run the following command to enable auditd: # systemctl enable auditd"
 compliance:
- - cis: "4.1.2"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.1.2"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'c:systemctl is-enabled auditd -> r:^enabled'
@@ -204,8 +204,8 @@ checks:
 rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
 remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
 compliance:
- - cis: "4.1.3"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.1.3"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*'
@@ -216,8 +216,8 @@ checks:
 rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
 remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
 compliance:
- - cis: "4.1.4"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.4"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -234,8 +234,8 @@ checks:
 rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.5"
- - cis_csc: "5.4, 4.8"
+ - cis: ["4.1.5"]
+ - cis_csc: ["5.4","4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -252,8 +252,8 @@ checks:
 rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.6"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.6"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'f:/etc/audit'
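Review bot: The first rule of this check is `'f:/etc/audit'`, while every other auditd check in this file opens with `'d:/etc/audit'`; /etc/audit is a directory, so if the `f:` test only matches regular files this check fails under `condition: all` no matter what the audit rules contain, and the control is silently reported as failed. It is a context line rather than part of this change, but `- 'd:/etc/audit'` would bring it in line with the sibling checks. Any further rules of this check fall outside the hunk.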
@@ -271,8 +271,8 @@ checks:
 rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.7"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.7"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -286,8 +286,8 @@ checks:
 rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.7"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.7"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -301,8 +301,8 @@ checks:
 rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.8"
- - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13"
+ - cis: ["4.1.8"]
+ - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
 condition: all&& r:
 rules:
 - 'd:/etc/audit'
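Review bot: `condition: all&& r:` in the `@@ -301,8 +301,8 @@` hunk is not a valid condition value and would leave this login-monitoring check either rejected at load time or evaluated in an undefined way; unless it is an artifact of how the patch was captured, the line should read `condition: all` like the surrounding checks. Because it is a context line the patch applies cleanly while carrying the defect forward, so it is worth fixing within the same series.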
@@ -317,8 +317,8 @@ checks:
 rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.9"
- - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13"
+ - cis: ["4.1.9"]
+ - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -333,8 +333,8 @@ checks:
 rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.10"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.10"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -352,8 +352,8 @@ checks:
 rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.11"
- - cis_csc: "14.6, 14.9"
+ - cis: ["4.1.11"]
+ - cis_csc: ["14.6","14.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -369,8 +369,8 @@ checks:
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.13"
- - cis_csc: "13, 5.1"
+ - cis: ["4.1.13"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -384,8 +384,8 @@ checks:
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.14"
- - cis_csc: "13"
+ - cis: ["4.1.14"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -399,8 +399,8 @@ checks:
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
 remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.15"
- - cis_csc: "5.4, 4.8"
+ - cis: ["4.1.15"]
+ - cis_csc: ["5.4","4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -414,8 +414,8 @@ checks:
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.16"
- - cis_csc: "5.1, 5.5, 4.9"
+ - cis: ["4.1.16"]
+ - cis_csc: ["5.1","5.5","4.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -428,8 +428,8 @@ checks:
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.17"
- - cis_csc: "3, 5.1"
+ - cis: ["4.1.17"]
+ - cis_csc: ["3","5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -445,8 +445,8 @@ checks:
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
 remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
 compliance:
- - cis: "4.1.18"
- - cis_csc: "3, 6, 6.2, 6.3"
+ - cis: ["4.1.18"]
+ - cis_csc: ["3","6","6.2","6.3"]
 condition: all
 rules:
 - 'd:/etc/audit'
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml
index cfe4d99c9..36a02ba05 100644
--- a/sca/debian/cis_debian_linux_rcl.yml
+++ b/sca/debian/cis_debian_linux_rcl.yml
@@ -36,8 +36,8 @@ checks:
 rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
 remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.2"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.2"]
 references:
 - https://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
@@ -51,9 +51,9 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -64,8 +64,8 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.6"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.6"]
 references:
 - https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -78,8 +78,8 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.7"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.7"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -90,9 +90,9 @@ checks:
 rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.8"
- - pci_dss: "2.2.4"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.8"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
@@ -103,9 +103,9 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -116,8 +116,8 @@ checks:
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.14"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.14"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -128,8 +128,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.15"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.15"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
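Review bot: After this change both the /home nodev check (`@@ -103,9 +103,9 @@`) and the /dev/shm nodev check (`@@ -116,8 +116,8 @@`) carry `- cis: ["1.1.14"]`, so two distinct controls report against the same benchmark item and a failure of one is indistinguishable from the other in compliance output. The adjacent /dev/shm nosuid and noexec checks are numbered 1.1.15 and 1.1.16, which suggests the /dev/shm nodev entry was meant to carry its own item; I'd confirm the IDs against the benchmark version this file targets before they are relied on for reporting. The rewrite itself is faithful, but since it already rewrites each `cis` value this is the natural moment to correct the mapping.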
@@ -140,8 +140,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm."
 compliance:
- - cis_csc: "5.1"
- - cis: "1.1.16"
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.16"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -153,9 +153,9 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
 remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
 compliance:
- - cis_csc: "5.1"
- - cis: "1.7.2"
- - pci_dss: "2.2.2"
+ - cis_csc: ["5.1"]
+ - cis: ["1.7.2"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
@@ -169,9 +169,9 @@ checks:
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm"
 compliance:
- - cis_csc: "5.1"
- - cis: "2.14"
- - pci_dss: "2.2.4"
+ - cis_csc: ["5.1"]
+ - cis: ["2.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/run/shm\s && r:nodev'
@@ -182,8 +182,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm."
 compliance:
- - cis_csc: "5.1"
- - cis: "2.15"
+ - cis_csc: ["5.1"]
+ - cis: ["2.15"]
 condition: all
 rules:
 - 'c:mount -> r:\s/run/shm\s && r:nosuid'
@@ -194,8 +194,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm."
 compliance:
- - cis_csc: "5.1"
- - cis: "2.16"
+ - cis_csc: ["5.1"]
+ - cis: ["2.16"]
 condition: all
 rules:
 - 'c:mount -> r:\s/run/shm\s && r:noexec'
@@ -207,9 +207,9 @@ checks:
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
 remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.1.2"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.1.2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:dpkg -s inetutils-inetd -> r:install ok installed'
@@ -222,9 +222,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.9"
- - pci_dss: "2.2.3"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.9"]
+ - pci_dss: ["2.2.3"]
 condition: any
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:disabled'
@@ -235,9 +235,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
 remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.11"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:dpkg -s exim4 -> install ok installed'
@@ -248,9 +248,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable smbd: # systemctl disable smbd"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.12"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.12"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smb -> r:^enabled'
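Review bot: The exim4 rule `- 'c:dpkg -s exim4 -> install ok installed'` lacks the `r:` prefix that the neighbouring dpkg rule uses (`r:install ok installed` in the inetd check at `@@ -207`), so how the pattern is matched depends on the SCA parser's treatment of an unprefixed term; if it is compared as an exact line rather than a regex it may never match, and with `condition: none` the check would then pass even when the package is installed. Writing it as `- 'c:dpkg -s exim4 -> r:install ok installed'` removes the ambiguity; the same unprefixed form appears in the rsh-client (`@@ -328`) and telnet (`@@ -342`) rules. Separately, the rationale of this check talks about POP3/IMAP servers while the remediation and rule concern the exim4 MTA, and the smbd check (`@@ -248`) queries `systemctl is-enabled smb` while its remediation disables `smbd`, so one of the two unit names is presumably wrong. The `- id:`/`title:` lines of these checks are above the hunk.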
@@ -261,9 +261,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.7"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.7"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
@@ -275,9 +275,9 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable nis: # systemctl disable nis"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.17"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.17"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nis -> r:^enabled'
@@ -288,9 +288,9 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2: # systemctl disable apache2"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.10"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.10"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
@@ -301,9 +301,9 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable named: # systemctl disable bind9"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.8"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.8"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
@@ -314,9 +314,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.13"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.13"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -328,9 +328,9 @@ checks:
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
 remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
 compliance:
- - cis_csc: "2.6, 4.5"
- - cis: "2.3.2"
- - pci_dss: "2.2.2"
+ - cis_csc: ["2.6","4.5"]
+ - cis: ["2.3.2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:dpkg -s rsh-client -> install ok installed'
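Review bot: The new multi-value lists are written without a space after the comma (`["2.6","4.5"]` in the rsh check at `@@ -328`), which yamllint's default flow-sequence spacing flags and which differs from the `[a, b]` form Prettier emits; `- cis_csc: ["2.6", "4.5"]` keeps the file lint-clean. The same spacing appears in every multi-element list this commit introduces: the telnet check (`@@ -342`), the hipaa and nist_800_53 lists in the sshd and shadow/passwd checks (`@@ -416` onwards), the cis_csc lists in system_audit_pw.yml, and the pci_dss/nist_800_53 lists in web_vulnerabilities.yml. Quoting each element is correct and worth keeping, since bare values such as `4.4` or `16` would otherwise be loaded as numbers and `1.10`-style identifiers would lose their trailing zero.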
@@ -342,9 +342,9 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
 remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
 compliance:
- - cis_csc: "2.6, 4.5"
- - cis: "2.3.4"
- - pci_dss: "2.2.3"
+ - cis_csc: ["2.6","4.5"]
+ - cis: ["2.3.4"]
+ - pci_dss: ["2.2.3"]
 condition: none
 rules:
 - 'c:dpkg -s telnet -> install ok installed'
@@ -356,8 +356,8 @@ checks:
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0"
 compliance:
- - cis_csc: "5.1"
- - cis: "3.1.1"
+ - cis_csc: ["5.1"]
+ - cis: ["3.1.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'
@@ -369,8 +369,8 @@ checks:
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0"
 compliance:
- - cis_csc: "5.1"
- - cis: "3.1.1"
+ - cis_csc: ["5.1"]
+ - cis: ["3.1.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
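Review bot: The ip_forward rule `- 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'` (`@@ -356`) cannot match `sysctl` output: the pattern begins with a stray `=` before the `^` anchor and names the key `net.ipv4_forward` instead of `net.ipv4.ip_forward`, so with `condition: all` this check reports failure regardless of the actual setting. The IPv6 rule in the next hunk (`@@ -369`) has the same shape, `r:=^net.ipv6_forward.conf.all.forwarding...`, while the command queries `net.ipv6.conf.all.forwarding`. Following the accept_source_route rule in `@@ -383`, these should read `r:^net.ipv4.ip_forward\s*=\s*0$` and `r:^net.ipv6.conf.all.forwarding\s*=\s*0$`. The lines are context in this commit, but a check that always fails hides the real state of the host from whoever reads the SCA results. The `- id:`/`title:` lines of both checks are above the hunk.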
@@ -383,8 +383,8 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0"
 compliance:
- - cis_csc: "5.1"
- - cis: "3.2.1"
+ - cis_csc: ["5.1"]
+ - cis: ["3.2.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -402,8 +402,8 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1"
 compliance:
- - cis_csc: "5.1"
- - cis: "3.2.5"
+ - cis_csc: ["5.1"]
+ - cis: ["3.2.5"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
@@ -416,11 +416,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis_csc: "14.4"
- - cis: "5.2.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis_csc: ["14.4"]
+ - cis: ["5.2.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
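Review bot: The Protocol rule `- 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'` (`@@ -416`) is also satisfied by a `Protocol 2,1` line, because the regex only requires a `2` somewhere after the keyword and is not anchored at the end, so a configuration that still offers SSHv1 passes a check whose rationale is precisely to exclude it. Anchoring the value, e.g. `r:^\s*Protocol\s+2\s*$`, closes that gap; the sshd policy touched later in this same commit already does this with `Protocol\D+2\D*$` at `@@ -43`. The check's `- id:`/`title:` lines are above the hunk.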
@@ -431,11 +431,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis_csc: "9.2"
- - cis: "5.2.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis_csc: ["9.2"]
+ - cis: ["5.2.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes'
@@ -446,11 +446,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis_csc: "16.3"
- - cis: "5.2.9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis_csc: ["16.3"]
+ - cis: ["5.2.9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no'
@@ -461,11 +461,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis_csc: "4.3"
- - cis: "5.2.10"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis_csc: ["4.3"]
+ - cis: ["5.2.10"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no'
@@ -476,11 +476,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis_csc: "16.3"
- - cis: "5.2.11"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis_csc: ["16.3"]
+ - cis: ["5.2.11"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no'
@@ -492,11 +492,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
 compliance:
- - cis_csc: "4.4"
- - cis: "6.2.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis_csc: ["4.4"]
+ - cis: ["6.2.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
@@ -507,11 +507,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis_csc: "5.1"
- - cis: "6.2.5"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis_csc: ["5.1"]
+ - cis: ["6.2.5"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml
index 15b601fe5..d89930110 100644
--- a/sca/generic/system_audit_pw.yml
+++ b/sca/generic/system_audit_pw.yml
@@ -40,8 +40,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: all
@@ -55,8 +55,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
@@ -69,8 +69,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
@@ -83,8 +83,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
@@ -97,8 +97,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
@@ -111,8 +111,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: any
@@ -125,8 +125,8 @@ checks:
 rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
 remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512"
 compliance:
- - cis: "5.3.4"
- - cis_csc: "16.14"
+ - cis: ["5.3.4"]
+ - cis_csc: ["16.14"]
 condition: any
 rules:
 - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512'
@@ -150,8 +150,8 @@ checks:
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
 remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)."
 compliance:
- - cis: "5.4.1.1"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.1"]
+ - cis_csc: ["4.4","16"]
 references:
 - https://www.thegeekdiary.com/understanding-etclogin-defs-file
 condition: any
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
index ee36e376c..e57c4cb96 100644
--- a/sca/generic/system_audit_ssh.yml
+++ b/sca/generic/system_audit_ssh.yml
@@ -32,7 +32,7 @@ checks:
 rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
 remediation: "Change the Port option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'
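Review bot: The Port rule `- 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'` (`@@ -32` of system_audit_ssh.yml) matches any non-comment line that merely contains `Port`, so if a file rule is satisfied by any single matching line, as the other `f:` rules in this policy appear to assume, a `GatewayPorts no` line would satisfy it and the check would report compliance while `Port 22` is still configured. Anchoring the keyword, `r:^\s*Port\s+` combined with the existing `!r:\D22\D*$`, restricts the match to the directive itself; whether a file with no `Port` directive at all (implicit 22) should also fail is worth deciding explicitly, since the current rule cannot observe that case. The check's `- id:`/`title:` lines sit above the hunk.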
@@ -43,7 +43,7 @@ checks:
 rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses."
 remediation: "Change the Protocol option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$'
@@ -63,7 +63,7 @@ checks:
 rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password."
 remediation: "Change the PubkeyAuthentication option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes'
@@ -74,7 +74,7 @@ checks:
 rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords."
 remediation: "Change the PasswordAuthentication option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no'
@@ -85,7 +85,7 @@ checks:
 rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice."
 remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no'
@@ -96,7 +96,7 @@ checks:
 rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication."
 remediation: "Change the IgnoreRhosts option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes'
@@ -107,7 +107,7 @@ checks:
 rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate."
 remediation: "Change the LoginGraceTime option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30'
@@ -118,7 +118,7 @@ checks:
 rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
 remediation: "Change the MaxAuthTries option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4'
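Review bot: The LoginGraceTime rule `- 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30'` (`@@ -107`) only captures values written with an `s` suffix; sshd also accepts a bare number of seconds (`LoginGraceTime 20`) and minute forms such as `1m`, none of which this regex matches, so a compliant bare-seconds setting fails the check and the remediation sends an administrator to change a value that is already within policy. Making the suffix optional, `n:^\s*LoginGraceTime\s+(\d+)s* compare <= 30`, covers both seconds forms; minute values would still need separate handling and that limitation is worth stating in the description. The check's `- id:`/`title:` lines are above the hunk.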
@@ -129,9 +129,9 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml
index aa57f201f..cb26f02a6 100644
--- a/sca/generic/web_vulnerabilities.yml
+++ b/sca/generic/web_vulnerabilities.yml
@@ -55,8 +55,8 @@ checks:
 - id: 1004
 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^.yop$'
@@ -64,8 +64,8 @@ checks:
 - id: 1005
 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^id$'
@@ -73,8 +73,8 @@ checks:
 - id: 1006
 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^.ssh$'
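Review bot: The web checks in this file (`- id: 1004` through `1006` here, and the ones that follow) carry only a `title`, whereas every other policy in this commit documents `description`, `rationale` and `remediation` per check; someone triaging an SCA failure on one of these has no statement of why a `.yop`, `id` or `.ssh` entry under the web root matters or what to do about it. Adding at least a one-line `rationale` per check, e.g. for 1006 `rationale: "A .ssh directory under a web document root indicates key material that should never be web-accessible; its presence points to misconfiguration or an intrusion."`, plus a `remediation` that says to preserve the file for investigation before removing it, would bring them in line with the rest of the policies. The title of 1006 also lacks the `- Possible compromise` suffix its siblings carry.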
@@ -82,8 +82,8 @@ checks:
 - id: 1007
 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^...$'
@@ -91,8 +91,8 @@ checks:
 - id: 1008
 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^.shell$'
@@ -101,8 +101,8 @@ checks:
 - id: 1009
 title: "Web vulnerability - Outdated WordPress installation"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2'
@@ -110,8 +110,8 @@ checks:
 - id: 1010
 title: "Web vulnerability - Outdated Joomla installation"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8'
@@ -119,8 +119,8 @@ checks:
 - id: 1011
 title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-'
@@ -129,8 +129,8 @@ checks:
 - id: 1012
 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
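Review bot: The outdated-CMS checks test for a single exact release string (`r:4.4.2` for WordPress at `@@ -101`, `r:3.4.8` for Joomla at `@@ -110`), so any other out-of-date version passes silently and the title `Outdated WordPress installation` promises more than the rule detects. Either the title should name the release being matched, as the osCommerce check does with `(v2.2)`, or the rule should compare the captured version numerically where the `n:`/`compare` syntax used elsewhere in this commit allows it. A short `description` stating that the check is pinned to one release would at least make the limitation visible to whoever reads the results.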
@@ -138,8 +138,8 @@ checks:
 - id: 1013
 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
@@ -147,8 +147,8 @@ checks:
 - id: 1014
 title: "Web vulnerability - .htaccess file compromised"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 references:
 - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
 condition: none
@@ -158,8 +158,8 @@ checks:
 - id: 1015
 title: "Web vulnerability - .htaccess file compromised - auto append"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 references:
 - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
 condition: none
diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux_rcl.yml
index 89d2a03e8..3cc74ef6c 100644
--- a/sca/rhel/5/cis_rhel5_linux_rcl.yml
+++ b/sca/rhel/5/cis_rhel5_linux_rcl.yml
@@ -41,7 +41,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
 remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /tmp . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.1"
+ - cis: ["1.1.1"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 - CCE-14161-4
@@ -56,8 +56,8 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /tmp" compliance: - - cis: "1.1.2" - - pci_dss: "2.2.4" + - cis: ["1.1.2"] + - pci_dss: ["2.2.4"] references: - CCE-14412-1 condition: all @@ -71,8 +71,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)." compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" + - cis: ["1.1.3"] + - pci_dss: ["2.2.4"] references: - CCE-14940-1 condition: all @@ -86,8 +86,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). # mount -o remount,noexec /tmp" compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" + - cis: ["1.1.4"] + - pci_dss: ["2.2.4"] references: - CCE-14412-1 condition: all @@ -101,7 +101,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.5" + - cis: ["1.1.5"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14777-7 
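Review bot: The noexec-on-/tmp check (`cis: ["1.1.4"]`, hunk `@@ -86`) carries the same reference `CCE-14412-1` as the nodev-on-/tmp check (`cis: ["1.1.2"]`, hunk `@@ -56`), while the nosuid check between them has its own id; one of the two looks copy-pasted and should be verified against the CCE list before this reformat locks the values in. The `rules:` of all three checks fall outside these hunks, so I cannot confirm the mount-option patterns here.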
@@ -116,7 +116,7 @@ checks: rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" compliance: - - cis: "1.1.6" + - cis: ["1.1.6"] references: - CCE-14584-7 condition: all @@ -130,7 +130,7 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.7" + - cis: ["1.1.7"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14011-1 @@ -145,7 +145,7 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log/audit . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.8" + - cis: ["1.1.8"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14171-3 
@@ -160,7 +160,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.9" + - cis: ["1.1.9"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14559-9 @@ -175,8 +175,8 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /home" compliance: - - cis: "1.1.10" - - pci_dss: "2.2.4" + - cis: ["1.1.10"] + - pci_dss: ["2.2.4"] references: - CCE-4249-9 condition: all @@ -190,8 +190,8 @@ checks: rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm). # mount -o remount,nodev /dev/shm" compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" + - cis: ["1.1.14"] + - pci_dss: ["2.2.4"] references: - CCE-15007-8 condition: all 
@@ -205,8 +205,8 @@ checks: rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,nosuid /dev/shm" compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" + - cis: ["1.1.15"] + - pci_dss: ["2.2.4"] references: - CCE-14306-5 condition: all @@ -220,8 +220,8 @@ checks: rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm" compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" + - cis: ["1.1.16"] + - pci_dss: ["2.2.4"] references: - CCE-14927-8 condition: all @@ -238,9 +238,9 @@ checks: rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly." remediation: "Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off" compliance: - - cis: "1.2.5" - - pci_dss: "6.2" - - nist_800_53: "SI.2" + - cis: ["1.2.5"] + - pci_dss: ["6.2"] + - nist_800_53: ["SI.2"] references: - CCE-4218-4 condition: none @@ -257,8 +257,8 @@ checks: rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten." remediation: "Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf." compliance: - - cis: "1.4.1" - - pci_dss: "2.2.4" + - cis: ["1.4.1"] + - pci_dss: ["2.2.4"] references: - CCE-3977-6 condition: none 
@@ -272,8 +272,8 @@ checks: rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing" compliance: - - cis: "1.4.2" - - pci_dss: "2.2.4" + - cis: ["1.4.2"] + - pci_dss: ["2.2.4"] references: - CCE-3999-0 condition: all @@ -287,8 +287,8 @@ checks: rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted" compliance: - - cis: "1.4.3" - - pci_dss: "2.2.4" + - cis: ["1.4.3"] + - pci_dss: ["2.2.4"] references: - CCE-3624-4 condition: all @@ -302,8 +302,8 @@ checks: rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." remediation: "rpm -qa setroubleshoot" compliance: - - cis: "1.4.4" - - pci_dss: "2.2.4" + - cis: ["1.4.4"] + - pci_dss: ["2.2.4"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on' @@ -315,8 +315,8 @@ checks: rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system." remediation: "# chkconfig mctrans off" compliance: - - cis: "1.4.5" - - pci_dss: "2.2.4" + - cis: ["1.4.5"] + - pci_dss: ["2.2.4"] references: - CCE-3668-1 condition: none 
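Review bot: In the SETroubleshoot hunk (`@@ -302`) the remediation `rpm -qa setroubleshoot` is a query, not a fix, yet the rule it belongs to asserts the service is not enabled in `chkconfig --list`; the remediation should state the action that makes the check pass, e.g. `remediation: "# chkconfig setroubleshoot off (or # yum erase setroubleshoot if not required)"`. This is documentation-only, but since the commit already touches the check it is cheap to fix alongside the compliance reformat.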
@@ -333,8 +333,8 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Set a bootloader password" compliance: - - cis: "1.5.3" - - pci_dss: "2.2.4" + - cis: ["1.5.3"] + - pci_dss: ["2.2.4"] references: - CCE-3818-2 condition: all @@ -348,8 +348,8 @@ checks: rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Add the following to /etc/inittab : ~:S:wait:/sbin/sulogin" compliance: - - cis: "1.5.4" - - pci_dss: "2.2.4" + - cis: ["1.5.4"] + - pci_dss: ["2.2.4"] references: - CCE-4241-6 condition: none @@ -363,8 +363,8 @@ checks: rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings." remediation: "Set the PROMPT parameter in /etc/sysconfig/init to no ." compliance: - - cis: "1.5.5" - - pci_dss: "2.2.4" + - cis: ["1.5.5"] + - pci_dss: ["2.2.4"] references: - CCE-4245-7 condition: all @@ -381,8 +381,8 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" compliance: - - cis: "1.6.1" - - pci_dss: "2.2.4" + - cis: ["1.6.1"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' 
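Review bot: The core-dump rule in hunk `@@ -381` accepts any limit value that merely ends in 0, because `r:\s*\t*0$` allows zero whitespace before the digit, so a line such as `* hard core 10` would satisfy the check. Since this file already relies on numeric rules elsewhere (`n:^MaxAuthTries\s*\t*(\d+) compare <= 4`), the same form pins the value exactly: `- 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> n:core\s*\t*(\d+) compare == 0'`. I am assuming the `n:` capture semantics match those used in the SSH checks of this file; worth a quick run against a limits.conf containing `10` to confirm.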
@@ -396,8 +396,8 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting." remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" compliance: - - cis: "1.6.3" - - pci_dss: "2.2.4" + - cis: ["1.6.3"] + - pci_dss: ["2.2.4"] references: - CCE-4146-7 condition: all @@ -412,8 +412,8 @@ checks: rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system." remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1" compliance: - - cis: "1.6.2" - - pci_dss: "2.2.4" + - cis: ["1.6.2"] + - pci_dss: ["2.2.4"] references: - CCE-4168-1 condition: all @@ -429,7 +429,7 @@ checks: rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)." remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no" compliance: - - cis: "1.6.5" + - cis: ["1.6.5"] condition: all rules: - 'f:/etc/sysconfig/prelink -> r:^PRELINKING=no$' @@ -447,9 +447,9 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions." remediation: "# yum erase telnet-server" compliance: - - cis: "2.1.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-3390-2 - CCE-4330-7 
@@ -464,9 +464,9 @@ checks: rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "# yum erase rsh-server" compliance: - - cis: "2.1.3" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.3"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-4308-3 condition: none @@ -479,9 +479,9 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "# yum erase ypbind" compliance: - - cis: "2.1.5" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.5"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-3705-1 (disable) - CCE-4348-9 (uninstall) @@ -496,9 +496,9 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used." remediation: "# yum erase ypserv" compliance: - - cis: "2.1.6" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.6"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-3705-1 (disable) - CCE-4348-9 (uninstall) 
@@ -513,9 +513,9 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "# yum erase tftp-server" compliance: - - cis: "2.1.8" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.8"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-4273-9 (disable) - CCE-3916-4 (uninstall) @@ -530,9 +530,9 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "# yum erase talk-server" compliance: - - cis: "2.1.10" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.10"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa talk-server -> r:\.' @@ -547,7 +547,7 @@ checks: rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission." remediation: "Add the following line to the /etc/sysconfig/init file. umask 027" compliance: - - cis: "3.2" + - cis: ["3.2"] condition: all rules: - 'f:/etc/sysconfig/init -> umask 027' @@ -559,8 +559,8 @@ checks: rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." remediation: "Edit /etc/inittab set default runlevel as follows: s/:5:/:3:/ Uninstall the X Windows System: # yum groupremove 'X Window System'" compliance: - - cis: "3.3" - - pci_dss: "2.2.2" + - cis: ["3.3"] + - pci_dss: ["2.2.2"] condition: all rules: - 'f:/etc/inittab -> r:^\s*id:3:initdefault' 
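Review bot: The umask rule in hunk `@@ -547` uses a bare pattern, `'f:/etc/sysconfig/init -> umask 027'`, with no `r:` prefix, unlike every other file rule in this policy; if bare patterns are compared literally against the whole line (as the rootcheck-style matcher does), an indented `umask 027` or one written with two spaces will fail the check even though the setting is correct. A regex is the safer form and matches the file's own conventions: `- 'f:/etc/sysconfig/init -> r:^\s*umask\s*\t*027'`. Note it still only proves a `027` line exists and would not catch a later `umask 022` overriding it, which is worth a comment on the check.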
@@ -573,8 +573,8 @@ checks: rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it." remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf." compliance: - - cis: "3.1.1" - - pci_dss: "2.2.2" + - cis: ["3.1.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on' @@ -586,8 +586,8 @@ checks: rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "# chkconfig nfslock off; #chkconfig rpcgssd off; #chkconfig rpcidmapd off; # chkconfig portmap off;" compliance: - - cis: "3.8" - - pci_dss: "2.2.2" + - cis: ["3.8"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on' @@ -599,9 +599,9 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." remediation: "# yum erase vsftpd" compliance: - - cis: "3.10" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["3.10"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa vsftpd -> r:\.' 
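Review bot: The rationale on the avahi-daemon check (hunk `@@ -573`, `cis: ["3.1.1"]`) talks about printing and refers to "sub-sections 3.2.1 - 3.2.5", which describes the CUPS recommendation rather than Avahi, so the text contradicts the rule `r:avahi-daemon && r::on` beneath it. I would replace it with something that explains the actual control, e.g. `rationale: "Avahi (mDNS/zeroconf) advertises the host and its services on the local network; a server rarely needs this, so disable it to reduce the attack surface."`. The remediation line already mentions zeroconf and is consistent.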
@@ -613,8 +613,8 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "# yum erase httpd" compliance: - - cis: "3.11" - - pci_dss: "2.2.2" + - cis: ["3.11"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa httpd -> r:\.' @@ -626,8 +626,8 @@ checks: rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." remediation: "# yum erase dovecot" compliance: - - cis: "3.12" - - pci_dss: "2.2.2" + - cis: ["3.12"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa dovecot -> r:\.' @@ -639,8 +639,8 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." remediation: "# yum erase samba" compliance: - - cis: "3.13" - - pci_dss: "2.2.2" + - cis: ["3.13"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa samba -> r:\.' @@ -652,8 +652,8 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." remediation: "# yum erase squid" compliance: - - cis: "3.14" - - pci_dss: "2.2.2" + - cis: ["3.14"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa squid -> r:\.' @@ -665,8 +665,8 @@ checks: rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." remediation: "# yum erase net-snmp" compliance: - - cis: "3.15" - - pci_dss: "2.2.2" + - cis: ["3.15"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa net-snmp -> r:\.' 
@@ -684,8 +684,8 @@ checks: rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf and modify active kernel parameters to match:" compliance: - - cis: "4.1.1" - - pci_dss: "2.2.4" + - cis: ["4.1.1"] + - pci_dss: ["2.2.4"] references: - CCE-3561-8 condition: all @@ -700,8 +700,8 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf" compliance: - - cis: "4.1.2" - - pci_dss: "2.2.4" + - cis: ["4.1.2"] + - pci_dss: ["2.2.4"] references: - CCE-4151-7 - CCE-4155-8 @@ -722,8 +722,8 @@ checks: rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface." remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.1" - - pci_dss: "2.2.4" + - cis: ["4.2.1"] + - pci_dss: ["2.2.4"] references: - CCE-4236-6 - CCE-4091-5 
@@ -741,8 +741,8 @@ checks: rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.2" - - pci_dss: "2.2.4" + - cis: ["4.2.2"] + - pci_dss: ["2.2.4"] references: - CCE-4217-6 - CCE-4186-3 @@ -760,8 +760,8 @@ checks: rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.3" - - pci_dss: "2.2.4" + - cis: ["4.2.3"] + - pci_dss: ["2.2.4"] references: - CCE-3472-8 - CCE-3339-9 @@ -779,8 +779,8 @@ checks: rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.4" - - pci_dss: "2.2.4" + - cis: ["4.2.4"] + - pci_dss: ["2.2.4"] references: - CCE-4320-8 condition: all 
@@ -797,8 +797,8 @@ checks: rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.5" - - pci_dss: "2.2.4" + - cis: ["4.2.5"] + - pci_dss: ["2.2.4"] references: - CCE-3644-2 condition: all @@ -813,8 +813,8 @@ checks: rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.6" - - pci_dss: "2.2.4" + - cis: ["4.2.6"] + - pci_dss: ["2.2.4"] references: - CCE-4133-5 condition: all @@ -829,8 +829,8 @@ checks: rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.7" - - pci_dss: "2.2.4" + - cis: ["4.2.7"] + - pci_dss: ["2.2.4"] references: - CCE-4080-8 - CCE-3840-6 
@@ -848,8 +848,8 @@ checks: rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding." remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match." compliance: - - cis: "4.2.8" - - pci_dss: "2.2.4" + - cis: ["4.2.8"] + - pci_dss: ["2.2.4"] references: - CCE-4265-5 condition: all @@ -870,10 +870,10 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "6.2.1" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.1"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4245-7 - https://www.ssh.com/ssh/ @@ -888,11 +888,11 @@ checks: rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.3"] + - cis_csc: ["16"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' 
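Review bot: The LogLevel check in hunk `@@ -888` is tagged `cis: ["5.2.3"]` and carries a `cis_csc: ["16"]` entry, while the neighbouring SSH checks in this RHEL5 file use the 6.2.x numbering (`6.2.1` in hunk `@@ -870`, `6.2.6`, `6.2.7`, `6.2.8` further down) and no `cis_csc` at all; it looks copied from a newer benchmark policy, and this reformat now freezes the mismatched id. I would confirm the RHEL5 benchmark section for LogLevel and align it before merging, or note in a comment that the id intentionally follows a different benchmark edition. Separately, the Protocol 2 check in `@@ -870` lists `CCE-4245-7`, the same CCE already cited by the PROMPT/sysconfig check earlier in the file, so one of the two references is probably wrong.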
@@ -904,9 +904,9 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" + - cis: ["5.2.5"] + - cis_csc: ["16"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -918,10 +918,10 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "6.2.6" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.6"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4250-7 condition: all @@ -935,10 +935,10 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "6.2.7" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.7"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4251-5 condition: all 
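Review bot: The MaxAuthTries rule in hunk `@@ -904`, `n:^MaxAuthTries\s*\t*(\d+) compare <= 4`, anchors on `^`, so an indented `    MaxAuthTries 3` (valid for sshd) does not match and the `condition: all` check fails although the host is compliant; the other SSH rules in this file do not anchor on the directive, so `n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4` would be consistent with them. The `cis: ["5.2.5"]` id on the same check sits among 6.2.x siblings (`6.2.6`, `6.2.7` in the hunks that follow) and should be verified against the RHEL5 benchmark numbering.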
@@ -952,10 +952,10 @@ checks: rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "6.2.8" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.8"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4252-3 condition: all @@ -969,10 +969,10 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "6.2.9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4256-4 condition: all @@ -992,10 +992,10 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console." remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - - cis: "9.2.5" - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" + - cis: ["9.2.5"] + - pci_dss: ["10.2.5"] + - hipaa: ["164.312.b"] + - nist_800_53: ["IA.10","AC.7"] references: - CCE-4009-7 condition: none 
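Review bot: The PermitRootLogin rationale in hunk `@@ -952` says disallowing root logins "limits opportunity for non-repudiation", which is the opposite of what is meant; it should read `... then escalating to root via sudo or su. This provides non-repudiation and a clear audit trail in the event of a security incident.` (the sentence is also missing its final period). This is wording only, but the rationale is what an operator reads when the check fails, so it is worth correcting while the line set is being rewritten.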
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 7da6d99e2..9c1613ca0 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml @@ -41,7 +41,7 @@ checks: rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.2" + - cis: ["1.1.2"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -55,8 +55,8 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" + - cis: ["1.1.3"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' 
@@ -68,8 +68,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp ." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" + - cis: ["1.1.4"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -81,9 +81,9 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" compliance: - - cis: "1.1.5" - - cis_csc: "2" - - pci_dss: "2.2.4" + - cis: ["1.1.5"] + - cis_csc: ["2"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -95,7 +95,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.6" + - cis: ["1.1.6"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -109,7 +109,7 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.7"
+ - cis: ["1.1.7"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -121,8 +121,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -136,8 +136,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -151,7 +151,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -165,8 +165,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -178,8 +178,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -191,8 +191,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -204,9 +204,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -221,9 +221,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
 remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines."
 compliance:
- - cis: "1.6.1.1"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.1"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
@@ -235,9 +235,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
 remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
 compliance:
- - cis: "1.6.1.2"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.2"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
@@ -249,8 +249,8 @@ checks:
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
 remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
 compliance:
- - cis: "1.6.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
@@ -262,8 +262,8 @@ checks:
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
 remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
 compliance:
- - cis: "1.6.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'c:rpm -qa setroubleshoot -> r:\.'
@@ -275,8 +275,8 @@ checks:
 rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
 remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
 compliance:
- - cis: "1.6.1.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.5"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'c:rpm -qa mcstrans -> r:\.'
@@ -291,9 +291,9 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security."
 remediation: "Create an encrypted password with grub-md5-crypt, copy and paste the into the global section of /boot/grub/grub.conf."
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
@@ -305,9 +305,9 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin ': SINGLE=/sbin/sulogin"
 compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.3"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin'
@@ -319,9 +319,9 @@ checks:
 rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
 remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
 compliance:
- - cis: "1.4.4"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.4"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> r:^PROMPT=no$'
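Review bot: The boot-password check in the `@@ -291` hunk reads `f:/boot/grub/grub.cfg` while its own remediation points at `/boot/grub/grub.conf`, the GRUB legacy file this RHEL 6 policy names everywhere else; on a host that only has grub.conf this `condition: all` rule can never match, so the check would report a failure regardless of whether a boot password is set. The rule is a context line rather than part of this commit, but since the commit is already rewriting this check's compliance block it is worth aligning the path, e.g. `- 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'`. The correct path is inferred from the remediation text and the adjacent SELinux check, not from the diff, so please confirm on a RHEL 6 host before changing it.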
@@ -336,8 +336,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0; fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -351,8 +351,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -371,10 +371,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet-server && r::on'
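Review bot: The new multi-value lists in the `@@ -371` hunk are written without a space after the comma, `cis_csc: ["3.4","9.1"]`, whereas every single-value entry around them is spaced normally; YAML accepts both, but the conventional flow-sequence form (and what yamllint and Prettier produce) is `cis_csc: ["3.4", "9.1"]`. The same unspaced form appears in the `cis_csc` lists of the `@@ -597` through `@@ -745` hunks and in the `hipaa` and `nist_800_53` lists of the `@@ -766` through `@@ -882` hunks of this file. Since the purpose of the change is to give every compliance entry the same list shape, consistent `[a, b]` spacing keeps the file uniform and easier to grep.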
@@ -386,10 +386,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Disable rsh, rlogin, and rexec."
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsh|rlogin|rsh && r::on'
@@ -402,10 +402,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
 remediation: "Run the following command to uninstall ypbind : # yum remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -417,10 +417,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
 remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.4"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:ypserv && r::on'
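Review bot: The rule under the `@@ -386` hunk, `r:rsh|rlogin|rsh && r::on`, repeats `rsh` and never matches `rexec`, although the remediation two lines above says to disable rsh, rlogin and rexec; a host with only rexec switched on would pass this `condition: none` check. This looks like a copy-paste slip for `- 'c:chkconfig --list -> r:rsh|rlogin|rexec && r::on'`. The line is context rather than part of this commit, but it is the check that the rewritten compliance block is attached to, so it is worth fixing in the same pass.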
@@ -432,10 +432,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # chkconfig tftp off"
 compliance:
- - cis: "2.1.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp && r::on'
@@ -447,10 +447,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk && r::on'
@@ -466,9 +466,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -480,9 +480,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
@@ -494,9 +494,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
@@ -508,9 +508,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
 remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
@@ -522,8 +522,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable httpd: # chkconfig httpd off"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:httpd && r::on'
@@ -535,9 +535,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:dovecot && r::on'
@@ -549,9 +549,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb: # chkconfig smb off"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
@@ -563,9 +563,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # chkconfig squid off"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
@@ -577,9 +577,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
 remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
@@ -597,9 +597,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
@@ -612,9 +612,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -632,9 +632,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -649,9 +649,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -666,9 +666,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -683,9 +683,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -700,9 +700,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
@@ -715,8 +715,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1"
 compliance:
- - cis: "3.2.6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -729,8 +729,8 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
 remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
 compliance:
- - cis: "3.2.7"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -745,9 +745,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
@@ -766,11 +766,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
@@ -782,11 +782,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
@@ -798,9 +798,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -812,11 +812,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
@@ -828,11 +828,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5].2.7"
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
@@ -844,11 +844,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
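Review bot: The new `cis` value in the `@@ -828` hunk is `- cis: ["5].2.7"` — the closing bracket has slipped inside the string, so instead of the one-element list `["5.2.7"]` the parser sees a flow sequence that is never closed and whose first item is `5].2.7`. Depending on the loader this either rejects the whole policy file (so none of the RHEL 6 CIS checks run) or pulls the following `cis_csc`, `pci_dss` and `hipaa` entries into the same broken sequence. Change it to `- cis: ["5.2.7"]`. Since this is a mechanical rewrite across many policy files, running the results through a YAML loader or yamllint before merging would catch this class of slip.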
@@ -860,11 +860,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
@@ -882,11 +882,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml
index de71d7879..8dabb2eff 100644
--- a/sca/rhel/7/cis_rhel7_linux_rcl.yml
+++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml
@@ -41,7 +41,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs. Enable systemd /tmp mounting"
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -55,8 +55,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -68,8 +68,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -81,9 +81,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -95,7 +95,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -109,7 +109,7 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.7"
+ - cis: ["1.1.7"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -121,8 +121,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -136,8 +136,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -151,7 +151,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -165,8 +165,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -178,8 +178,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -191,8 +191,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -204,9 +204,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -221,9 +221,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
 remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
 compliance:
- - cis: "1.6.1.2"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.2"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sestatus -> r:^SELinux status:\s+enabled$'
@@ -238,8 +238,8 @@ checks:
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
 remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
 compliance:
- - cis: "1.6.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sestatus -> r:^Loaded policy name:\s+targeted$'
@@ -252,8 +252,8 @@ checks:
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
 remediation: "Run the following command to uninstall s etroubleshoot: # yum remove setroubleshoot"
 compliance:
- - cis: "1.6.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$'
@@ -265,8 +265,8 @@ checks:
 rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
 remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
 compliance:
- - cis: "1.6.1.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.5"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$'
@@ -281,9 +281,9 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword"
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+'
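Review bot: The boot-password rule in the third hunk, `f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+`, looks at a different file than the one the remediation on the same hunk produces: `grub2-setpassword` on RHEL 7 writes the `GRUB2_PASSWORD=` line to a separate user configuration file under /boot/grub2, not to grub.cfg, so the check would likely report a failure on a correctly remediated host — please verify on a target before relying on it. This rule is untouched context, but since the commit is already editing every check in this file it is a cheap moment to fix it. The remediation string `uninstall s etroubleshoot` in the first hunk also has a stray space. The checks' `id`/`title` lines are outside the hunks.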
@@ -298,8 +298,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and set the active kernel parameter"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -313,8 +313,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -333,10 +333,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable ypserv: # systemctl disable ypserv"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ypserv -> r:^enabled'
@@ -348,10 +348,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket "
 compliance:
- - cis: "2.2.17"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.17"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsh.socket -> r:^enabled'
@@ -365,10 +365,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # systemctl disable ntalk"
 compliance:
- - cis: "2.2.18"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.18"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ntalk -> r:^enabled'
@@ -380,10 +380,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket"
 compliance:
- - cis: "2.2.19"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.19"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled telnet.socket -> r:^enabled'
@@ -395,10 +395,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket"
 compliance:
- - cis: "2.2.20"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.20"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled tftp.socket -> r:^enabled'
@@ -410,10 +410,10 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsync: # systemctl disable rsyncd"
 compliance:
- - cis: "2.2.21"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.21"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsyncd -> r:^enabled'
@@ -425,10 +425,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'c:rpm -q ypbind -> r:^package ypbind is not installed$'
@@ -440,10 +440,10 @@ checks:
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd: # systemctl disable xinetd"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled xinetd -> r:^enabled'
@@ -455,10 +455,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*chargen-dgram:\s*\t*on'
@@ -471,8 +471,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*daytime-dgram:\s*\t*on'
@@ -485,10 +485,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*discard-dgram:\s*\t*on'
@@ -501,10 +501,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*echo-dgram:\s*\t*on'
@@ -517,10 +517,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*time-dgram:\s*\t*on'
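Review bot: The time-dgram check in the last hunk carries the same benchmark id as the echo-dgram check right before it — both now read `- cis: ["2.1.4"]` — so the rewrite preserves what looks like a copy-paste slip in the old `cis: "2.1.4"`. In the CIS RHEL 7 benchmark the chargen/daytime/discard/echo/time items are numbered consecutively, so the time check most likely wants the next id; please confirm against the benchmark and correct it while the line is being touched, since two checks reporting under one control id will skew any compliance roll-up. Note also that the daytime hunk lists only `cis` and `cis_csc`, while its siblings also carry `pci_dss` and `nist_800_53` — probably an omission rather than intent.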
@@ -533,9 +533,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+'
@@ -547,9 +547,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
@@ -561,9 +561,9 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 references:
 - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp
 condition: none
@@ -577,9 +577,9 @@ checks:
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable slapd: # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.6"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.6"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 references:
 - More detailed documentation on OpenLDAP is available at https://www.openldap.org
 condition: none
@@ -593,9 +593,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
@@ -611,9 +611,9 @@ checks:
 rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
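Review bot: The ntp and chrony checks (second and third hunks) both end up with `- cis: ["2.2.1.2"]`, so two different controls report under one benchmark id; the old strings already had this duplication and the rewrite carries it over — please verify the chrony id against the benchmark, which numbers the ntp and chrony configuration items separately. Two remediation strings in the same hunks are also wrong as guidance: the slapd check says `# systemctl disable dhcpd` (should name slapd), and the chrony remediation begins "1) Add or edit restrict lines … - 1) Add or edit server or pool lines", i.e. the ntp text was pasted and only half edited. The ntp remediation likewise repeats the `restrict -4` line twice where the benchmark has a `-4` and a `-6` variant. These are context lines, but they are what an operator reads when the check fails.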
@@ -626,9 +626,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs -> r:^enabled'
@@ -642,9 +642,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
@@ -656,8 +656,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable httpd: # systemctl disable httpd"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled httpd -> r:^enabled'
@@ -669,9 +669,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot: # systemctl disable dovecot"
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dovecot -> r:^enabled'
@@ -683,9 +683,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb: # systemctl disable smb"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smb -> r:^enabled'
@@ -697,9 +697,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -711,9 +711,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
@@ -731,9 +731,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
@@ -746,9 +746,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -766,9 +766,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -783,9 +783,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -800,9 +800,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -817,9 +817,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -834,9 +834,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
@@ -849,9 +849,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -864,9 +864,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -881,9 +881,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
@@ -902,11 +902,11 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "5.2.2" - - cis_csc: "3.4" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.2"] + - cis_csc: ["3.4"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2' @@ -918,11 +918,11 @@ checks: rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.3"] + - cis_csc: ["16"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' 
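Review bot: The Protocol rule in the first hunk, `r:Protocol\s*\t*2`, is an unanchored substring match, so a line such as `Protocol 2,1` — which still enables SSHv1 — satisfies it and the check passes. The MaxAuthTries rule later in this file already anchors with `^`, and the sysctl rules use `$`, so the engine appears to support both; I would tighten this one to `- 'f:$sshd_file -> !r:^# && r:^\s*Protocol\s*\t*2\s*$'`. The LogLevel rule in the second hunk has the same unanchored form, though the exposure there is only cosmetic.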
@@ -934,9 +934,9 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" + - cis: ["5.2.5"] + - cis_csc: ["16"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -948,11 +948,11 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "5.2.6" - - cis_csc: "9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.6"] + - cis_csc: ["9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes' @@ -964,11 +964,11 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "5.2.7" - - cis_csc: "9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.7"] + - cis_csc: ["9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no' 
@@ -980,11 +980,11 @@ checks: rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "5.2.8" - - cis_csc: "5.8" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.8"] + - cis_csc: ["5.8"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no' @@ -996,11 +996,11 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "5.2.9" - - cis_csc: "16" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.9"] + - cis_csc: ["16"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no' 
@@ -1018,11 +1018,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml
index fc38ddf3a..855948a93 100644
--- a/sca/sles/11/cis_sles11_linux_rcl.yml
+++ b/sca/sles/11/cis_sles11_linux_rcl.yml
@@ -38,7 +38,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -51,8 +51,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -63,8 +63,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" + - cis: ["1.1.4"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -76,9 +76,9 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" compliance: - - cis: "1.1.5" - - cis_csc: "2" - - pci_dss: "2.2.4" + - cis: ["1.1.5"] + - cis_csc: ["2"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -90,7 +90,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.6" + - cis: ["1.1.6"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -103,8 +103,8 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.11" - - cis_csc: "6.3" + - cis: ["1.1.11"] + - cis_csc: ["6.3"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -118,8 +118,8 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.12" - - cis_csc: "6.3" + - cis: ["1.1.12"] + - cis_csc: ["6.3"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -133,7 +133,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.13" + - cis: ["1.1.13"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -146,8 +146,8 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" + - cis: ["1.1.14"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/home\s && r:nodev' 
@@ -159,8 +159,8 @@ checks: rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm" compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" + - cis: ["1.1.15"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' @@ -172,8 +172,8 @@ checks: rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm" compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" + - cis: ["1.1.16"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' @@ -185,9 +185,9 @@ checks: rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" + - cis: ["1.1.17"] + - cis_csc: ["2"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' 
@@ -202,9 +202,9 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Create an encrypted password with grub-md5-crypt : # grub-md5-crypt. The result is an . Copy and paste the into the global section of /boot/grub/menu.lst: password --md5 Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." compliance: - - cis: "1.4.2" - - cis_csc: "5.1" - - pci_dss: "2.2.4" + - cis: ["1.4.2"] + - cis_csc: ["5.1"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:/boot/grub/menu.lst -> r:^password --md5' @@ -219,8 +219,8 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to the /etc/security/limits.conf file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0." compliance: - - cis: "1.5.1" - - cis_csc: "13" + - cis: ["1.5.1"] + - cis_csc: ["13"] condition: all rules: - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' 
@@ -234,8 +234,8 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" compliance: - - cis: "1.5.3" - - cis_csc: "8.4" + - cis: ["1.5.3"] + - cis_csc: ["8.4"] condition: all rules: - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$' @@ -254,8 +254,8 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off" compliance: - - cis: "2.1.1" - - cis_csc: "9.1" + - cis: ["2.1.1"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on' @@ -266,8 +266,8 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off" compliance: - - cis: "2.1.2" - - cis_csc: "9.1" + - cis: ["2.1.2"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on' @@ -279,8 +279,8 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off" compliance: - - cis: "2.1.3" - - cis_csc: "9.1" + - cis: ["2.1.3"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on' 
@@ -291,8 +291,8 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off" compliance: - - cis: "2.1.4" - - cis_csc: "9.1" + - cis: ["2.1.4"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on' @@ -303,8 +303,8 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off" compliance: - - cis: "2.1.5" - - cis_csc: "9.1" + - cis: ["2.1.5"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:time:|time-udp: && r::on' @@ -315,10 +315,10 @@ checks: rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" compliance: - - cis: "2.1.6" - - cis_csc: "3.4, 9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.6"] + - cis_csc: ["3.4","9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on' @@ -329,10 +329,10 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # chkconfig talk off" compliance: - - cis: "2.1.7" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.7"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:talk: && r::on' 
@@ -343,10 +343,10 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Run the following command to disable telnet: # chkconfig telnet off" compliance: - - cis: "2.1.8" - - cis_csc: "3.4, 9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.8"] + - cis_csc: ["3.4","9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:telnet: && r::on' @@ -357,10 +357,10 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # chkconfig tftp off" compliance: - - cis: "2.1.9" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.9"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:tftp: && r::on' @@ -371,8 +371,8 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off" compliance: - - cis: "2.1.10, 2.2.17" - - pci_dss: "2.2.2" + - cis: ["2.1.10","2.2.17"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:rsync: && r::on' 
@@ -386,9 +386,9 @@ checks: rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'" compliance: - - cis: "2.2.1.2" - - cis_csc: "6.1" - - pci_dss: "2.2.2" + - cis: ["2.2.1.2"] + - cis_csc: ["6.1"] + - pci_dss: ["2.2.2"] condition: any rules: - 'f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery' @@ -403,9 +403,9 @@ checks: rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*" compliance: - - cis: "2.2.2" - - cis_csc: "2" - - pci_dss: "2.2.2" + - cis: ["2.2.2"] + - cis_csc: ["2"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa xorg-x11* -> r:\.' @@ -417,9 +417,9 @@ checks: rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off" compliance: - - cis: "2.2.3" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.3"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:avahi-daemon && r::on' 
@@ -430,8 +430,8 @@ checks: rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd : # chkconfig dhcpd off" compliance: - - cis: "2.2.5" - - cis_csc: "9.1" + - cis: ["2.2.5"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:dhcpd && r::on' @@ -443,9 +443,9 @@ checks: rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Run the following commands to disable nfs and rpcbind : # chkconfig nfs off # chkconfig rpcbind off" compliance: - - cis: "2.2.7" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.7"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:nfs|rpcbind && r::on' @@ -456,9 +456,9 @@ checks: rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable named : # chkconfig named off" compliance: - - cis: "2.2.8" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.8"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:named && r::on' 
@@ -469,9 +469,9 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd : # chkconfig vsftpd off Notes: Additional FTP servers also exist and should be audited." compliance: - - cis: "2.2.9" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.9"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:vsftpd && r::on' @@ -483,8 +483,8 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface. Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited." remediation: "Run the following command to disable apache2 : # chkconfig apache2 off" compliance: - - cis: "2.2.10" - - cis_csc: "9.1" + - cis: ["2.2.10"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:apache2 && r::on' 
@@ -495,9 +495,9 @@ checks: rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cyrus : # chkconfig cyrus off Notes: Several IMAP/POP3 servers exist and can use other service names. dovecot is an example service that provides an IMAP/POP3 server. These and other services should also be audited." compliance: - - cis: "2.2.11" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.11"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list cyrus -> r:cyrus && r::on' @@ -509,9 +509,9 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb : # chkconfig smb off" compliance: - - cis: "2.2.12" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.12"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:smb && r::on' @@ -522,9 +522,9 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid : # chkconfig squid off" compliance: - - cis: "2.2.13" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.13"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:chkconfig --list -> r:squid && r::on' 
@@ -535,9 +535,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # chkconfig snmpd off Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: node
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
@@ -548,10 +548,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
 remediation: "Run the following command to disable ypserv : # chkconfig ypserv off"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:ypserv && r::on'
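Review bot: `condition: node` on the snmpd check (CIS 2.2.14, the first hunk here) is not one of the condition values used everywhere else in this file (`all`, `any`, `none`), and the rule `c:chkconfig --list -> r:snmpd && r::on` only makes sense with `none`. How the SCA engine treats an unrecognised condition is not visible here, but either the policy is rejected or the check never fails when snmpd is enabled, so the misspelling silently weakens the scan. Since this hunk already touches the compliance block of that check, I would fix `condition: none` in the same change.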
@@ -563,10 +563,10 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind" compliance: - - cis: "2.3.1" - - cis_csc: "2" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.3.1"] + - cis_csc: ["2"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa ypbind -> r:\.' @@ -584,9 +584,9 @@ checks: rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.1.1"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$' 
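Review bot: The ip_forward rule in the second hunk, `c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$`, inspects only the running kernel, whereas the 3.2.x checks further down this file (accept_source_route, accept_redirects, log_martians) inspect only /etc/sysctl.conf and /etc/sysctl.d/. A host whose live value is 0 but whose sysctl.conf sets it to 1 passes here and reverts at the next boot, and the opposite gap applies to the grep-based checks. Because the check already uses `condition: all`, a second rule covers the persisted side, e.g. `- 'c:grep -Rh ^net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'`. The send_redirects hunk on the next line has the same shape.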
@@ -599,9 +599,9 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.1.2" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.1.2"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$' 
@@ -619,9 +619,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
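Review bot: The grep pattern in this hunk, `net\.ipv4\.conf\.all\.accept_source_route` with no `^`, also selects commented-out lines, so a file containing only `# net.ipv4.conf.all.accept_source_route = 0` satisfies `r:=\s*0$` and the check passes although nothing is configured. The randomize_va_space rule (CIS 1.5.3) in this same file anchors its grep with `^`; doing the same here, `- 'c:grep -Rh ^net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'`, closes the gap, or the rule side can add `!r:^\s*#` as the sshd checks do with `!r:^#`. The accept_redirects, secure_redirects, log_martians and icmp_echo_ignore_broadcasts hunks on the following two lines share the unanchored form.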
@@ -636,9 +636,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -653,9 +653,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -669,9 +669,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -686,9 +686,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -701,9 +701,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -716,9 +716,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -733,9 +733,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -754,11 +754,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
@@ -770,11 +770,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
@@ -786,9 +786,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
@@ -800,11 +800,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes'
@@ -816,11 +816,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
@@ -832,11 +832,11 @@ checks:
 rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
@@ -848,11 +848,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no'
@@ -870,11 +870,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
@@ -885,11 +885,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.1"]
+ - cis_csc: ["16"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml
index d6416900d..8462961f4 100644
--- a/sca/sles/12/cis_sles12_linux_rcl.yml
+++ b/sca/sles/12/cis_sles12_linux_rcl.yml
@@ -36,7 +36,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab or the systemd tmp.mount service as appropriate."
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -49,8 +49,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -61,8 +61,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nousid'
@@ -74,9 +74,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -88,7 +88,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
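Review bot: The rule of the 1.1.4 check in the first hunk here, `- 'c:mount -> r:\s/tmp\s && r:nousid'`, misspells the mount option, so the check can never pass even when /tmp is mounted with nosuid and the remediation in the same hunk has been applied; it should read `- 'c:mount -> r:\s/tmp\s && r:nosuid'`, which is also the spelling the /media and /dev/shm nosuid rules later in this file use. The compliance conversion itself is fine; the typo is pre-existing but this commit touches the check and is the natural place to fix it.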
@@ -101,8 +101,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -116,8 +116,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -131,7 +131,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -145,8 +145,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -158,8 +158,8 @@ checks:
 rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
 compliance:
- - cis: "1.1.18"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.18"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/media\s && r:nodev'
@@ -171,8 +171,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
 compliance:
- - cis: "1.1.19"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.19"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/media\s && r:nosuid'
@@ -184,9 +184,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
 compliance:
- - cis: "1.1.20"
- - cis_csc: "8"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.20"]
+ - cis_csc: ["8"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/media\s && r:noexec'
@@ -198,8 +198,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -211,8 +211,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -224,9 +224,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -241,8 +241,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:sysctl fs.suid_dumpable -> r:\s0$'
@@ -256,8 +256,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$'
@@ -276,8 +276,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
@@ -288,8 +288,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime and daytime-udp: # chkconfig daytime off # chkconfig daytime-udp off"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp && r::on'
@@ -300,8 +300,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
@@ -312,8 +312,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
@@ -324,8 +324,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
 compliance:
- - cis: "2.1.5"
- - cis_csc: "9.1"
+ - cis: ["2.1.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp && r::on'
@@ -336,10 +336,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
@@ -350,10 +350,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
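Review bot: In the 2.1.5 hunk the rule `- 'c:chkconfig --list -> r:time:|time-udp && r::on'` is an unanchored substring match, so `time:` also matches an enabled `daytime:` entry and the time check reports the wrong service; the `time-udp` alternative is also missing the trailing colon that the sibling chargen/discard/echo rules carry. Presumably chkconfig indents xinetd entries, so a leading whitespace class rather than `^` is the safer anchor, as in `- 'c:chkconfig --list -> r:\stime:|\stime-udp: && r::on'`. The same missing colon appears in the 2.1.2 rule `r:daytime:|daytime-udp` in the previous group of hunks.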
@@ -364,10 +364,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
@@ -378,10 +378,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # systemctl disable atftpd"
 compliance:
- - cis: "2.1.9, 2.2.17"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9","2.2.17"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
@@ -392,8 +392,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd"
 compliance:
- - cis: "2.1.10, 2.2.18"
- - pci_dss: "2.2.2"
+ - cis: ["2.1.10","2.2.18"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsync: && r::on'
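Review bot: The 2.1.9/2.2.17 and 2.1.10/2.2.18 checks audit `chkconfig --list` for `tftp:` and `rsync:`, yet their remediation disables systemd units (`systemctl disable atftpd`, `systemctl disable rsyncd`); if those services are installed as systemd units on SLES 12 rather than xinetd entries, `chkconfig --list` is unlikely to show them and an enabled atftpd or rsyncd would go unreported. The unanchored `r:rsync:` also does not match the `rsyncd` name the remediation uses, since the `d` sits between `rsync` and the colon. The neighbouring checks already use the unit query form, so `- 'c:systemctl is-enabled rsyncd -> r:enabled'` and `- 'c:systemctl is-enabled atftpd -> r:enabled'` would make these consistent with the remediation; worth confirming the actual unit names on the target before changing.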
@@ -404,8 +404,8 @@ checks:
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd : # systemctl disable xinetd"
 compliance:
- - cis: "2.1.11"
- - cis_csc: "9.1"
+ - cis: ["2.1.11"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled xinetd -> r:enabled'
@@ -419,9 +419,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
@@ -436,9 +436,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -450,9 +450,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:enabled'
@@ -463,8 +463,8 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dhcpd -> r:enabled'
@@ -476,9 +476,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs -> r:enabled'
@@ -490,9 +490,9 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable named : # systemctl disable named"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled named -> r:enabled'
@@ -503,9 +503,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited."
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:enabled'
@@ -517,8 +517,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:enabled'
@@ -529,9 +529,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dovecot -> r:enabled'
@@ -543,9 +543,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb : # systemctl disable smb"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smb -> r:enabled'
@@ -556,9 +556,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked."
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:enabled'
@@ -569,9 +569,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:enabled'
@@ -582,10 +582,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable ypserv : # systemctl disable ypserv"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ypserv -> r:enabled'
@@ -597,10 +597,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -618,9 +618,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:\s0$'
@@ -633,9 +633,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -653,9 +653,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -670,9 +670,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -687,9 +687,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -703,9 +703,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -720,9 +720,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
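Review bot: The rule in the second hunk (`@@ -720`) queries `net.ipv4.icmp_ignore_bogus_error_responses`, while the check's rationale and remediation are about `net.ipv4.icmp_echo_ignore_broadcasts` (CIS 3.2.5); the rule looks copied from the 3.2.6 check that follows, so this check reports on the wrong parameter and a host with broadcast echo replies still enabled passes it. It should read `- 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`. The check's id and title lie above the hunk.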
@@ -735,9 +735,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -750,9 +750,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -767,9 +767,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$'
@@ -788,11 +788,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:Protocol\s*\t*2$'
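Review bot: The rule in the first hunk (`@@ -767`) anchors on `^net.tcp_syncookies`, but the command it runs is `sysctl net.ipv4.tcp_syncookies`, whose output line starts with the full key `net.ipv4.tcp_syncookies`, exactly as the sibling `net.ipv4.conf.*` rules expect; the pattern therefore never matches and the check fails on every host, compliant or not. It should read `- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'`. The check's id and title lie above the hunk.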
@@ -804,11 +804,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO'
@@ -820,9 +820,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -834,11 +834,11 @@ checks:
 rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes'
@@ -850,11 +850,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no'
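Review bot: The `rationale` in the first hunk (`@@ -834`) is a verbatim copy of the `remediation` ("Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"), so the IgnoreRhosts check carries no explanation of why the setting matters, unlike the HostbasedAuthentication check in the next hunk. A rationale such as `rationale: "Setting IgnoreRhosts to yes stops sshd from consulting per-user .rhosts and .shosts files, so host-based trust relationships cannot substitute for authentication."` would document it in the same style as its neighbours. The check's id and title lie above the hunk.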
@@ -866,11 +866,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no'
@@ -882,11 +882,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: none
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no'
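Review bot: The second hunk (`@@ -882`) keeps `condition: none` together with a positive pattern, `r:PermitEmptyPasswords\s*\t*no`, so the check passes when no uncommented `PermitEmptyPasswords no` line exists and fails on a compliant sshd_config — the reverse of what its rationale describes. The PermitRootLogin check in the hunk above uses `condition: all` with the same pattern shape, and this check should match it: `condition: all`. The check's id and title lie above the hunk.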
@@ -904,11 +904,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
@@ -919,11 +919,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.1"]
+ - cis_csc: ["16"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11_rcl.yml
index 4428214b7..b01bb5f84 100644
--- a/sca/sunos/cis_solaris11_rcl.yml
+++ b/sca/sunos/cis_solaris11_rcl.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default"
 compliance:
- - cis: "2.1"
+ - cis: ["2.1"]
 condition: none
 rules:
 - 'p:gdm'
@@ -45,7 +45,7 @@ checks:
 rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
 remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail"
 compliance:
- - cis: "2.2"
+ - cis: ["2.2"]
 condition: none
 rules:
 - 'c:netstat -an -> r:.25\s*\t* && !r:127.0.0.1.25|::1'
@@ -56,7 +56,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv"
 compliance:
- - cis: "2.3"
+ - cis: ["2.3"]
 condition: none
 rules:
 - 'p:keyserv'
@@ -67,7 +67,7 @@ checks:
 rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain"
 compliance:
- - cis: "2.4"
+ - cis: ["2.4"]
 condition: none
 rules:
 - 'p:ypserv'
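Review bot: In the sendmail hunk (`@@ -45`), the remediation states its goal as making sendmail listen on local interfaces only, yet the command it quotes sets `config/local_only=false`, which contradicts that goal; presumably `config/local_only=true` is intended — confirm the property's semantics with svccfg before changing the string. Separately, the rule's `r:.25\s*\t*` is not anchored to the port field, so any character followed by `25` matches and listeners on ports such as 2525 or 8025 would also trip the check; `r:\.25\s+` confines the match to a port that ends the address column. The check's id and title lie above the hunk.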
@@ -83,7 +83,7 @@ checks:
 rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain"
 compliance:
- - cis: "2.5"
+ - cis: ["2.5"]
 condition: none
 rules:
 - 'p:ypserv'
@@ -99,7 +99,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn"
 compliance:
- - cis: "2.6"
+ - cis: ["2.6"]
 condition: none
 rules:
 - 'p:ktkt_warnd'
@@ -110,7 +110,7 @@ checks:
 rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss"
 compliance:
- - cis: "2.7"
+ - cis: ["2.7"]
 condition: none
 rules:
 - 'p:gssd'
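Review bot: In the first hunk (`@@ -83`), the NIS client check (CIS 2.5) uses `- 'p:ypserv'`, the same process rule as the NIS server check (2.4) in the preceding hunk, so it reports on the server daemon rather than the client daemons its rationale and remediation (`svc:/network/nis/client`) describe. The NIS client daemon is normally `ypbind` — the same name the ypbind check elsewhere in this patch uses — so `- 'p:ypbind'` looks like the intended rule; confirm the process name on Solaris 11. The check's id and title lie above the hunk.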
@@ -121,7 +121,7 @@ checks:
 rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver"
 compliance:
- - cis: "2.8"
+ - cis: ["2.8"]
 condition: none
 rules:
 - 'p:smserverd'
@@ -132,7 +132,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs"
 compliance:
- - cis: "2.9"
+ - cis: ["2.9"]
 condition: none
 rules:
 - 'p:automountd'
@@ -143,7 +143,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache22"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 references:
 - http://httpd.apache.org/docs/2.0/misc/security_tips.html
 condition: none
@@ -157,7 +157,7 @@ checks:
 rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'p:rpcbind'
@@ -168,7 +168,7 @@ checks:
 rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
 remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
 compliance:
- - cis: "2.12"
+ - cis: ["2.12"]
 references:
 - ipfilter(5) man page
 condition: all
@@ -183,7 +183,7 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
 remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
 compliance:
- - cis: "2.13"
+ - cis: ["2.13"]
 condition: all
 rules:
 - 'p:telnet'
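Review bot: In the telnet hunk (`@@ -183`), `condition: all` combined with the single rule `p:telnet` makes the check pass when a telnet process is present and fail when it is absent, the inverse of the intent in its rationale and remediation. The other disable-this-service checks in this file (gdm, keyserv, ypserv, rpcbind) pair the same `p:` rule shape with `condition: none`, and this check should do the same: `condition: none`. The check's id and title lie above the hunk.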
@@ -195,7 +195,7 @@ checks:
 rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
 remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
 compliance:
- - cis: "3.1"
+ - cis: ["3.1"]
 condition: all
 rules:
 - 'f:/etc/coreadm.conf'
@@ -215,7 +215,7 @@ checks:
 rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
 remediation: "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi"
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/system'
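Review bot: The remediation in the second hunk (`@@ -215`) reads `cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi`, which is not a valid heredoc — the `END_CFG` terminator is present but the `<<END_CFG` redirection is not, so an administrator following it verbatim would get a shell error. If this is what the file holds rather than an artefact of how the patch is displayed, the string should spell the redirection out, e.g. `cat <<END_CFG >>/etc/system`. The check's id and title lie above the hunk, and its rules list may continue past the end of it.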
@@ -228,7 +228,7 @@ checks:
 rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
 remediation: "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default # awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS # mv inetinit.CIS inetinit To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp"
 compliance:
- - cis: "3.3"
+ - cis: ["3.3"]
 condition: all
 rules:
 - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2'
@@ -240,7 +240,7 @@ checks:
 rationale: "To simplify administration, a CIS specific audit class should be created."
 remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'
@@ -251,7 +251,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect"
 compliance:
- - cis: "4.2"
+ - cis: ["4.2"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*'
@@ -266,7 +266,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET"
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*'
@@ -283,7 +283,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*'
@@ -307,7 +307,7 @@ checks:
 rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
 remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: all
 rules:
 - 'c:auditconfig -getcond -> audit condition = auditing'
@@ -325,7 +325,7 @@ checks:
 rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
 remediation: "Perform the following to implement the recommended state: # svccfg -s svc:/system/environment:init setprop umask/umask = astring: \"022\""
 compliance:
- - cis: "5.1"
+ - cis: ["5.1"]
 condition: all
 rules:
 - 'c:svcprop -p umask/umask svc:/system/environment:init -> 022'
@@ -337,7 +337,7 @@ checks:
 rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/ENABLE_NOBODY_KEYS=/ { $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS # mv keyserv.CIS keyserv"
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 condition: all
 rules:
 - 'f:/etc/default/keyserv'
@@ -349,7 +349,7 @@ checks:
 rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
 remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 condition: none
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes'
@@ -360,7 +360,7 @@ checks:
 rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
 remediation: "Perform the following to implement the recommended state: # awk '/^MaxAuthTries/ { $2 = \"3\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4'
@@ -371,7 +371,7 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
 remediation: "Perform the following to implement the recommended state: # awk '/^IgnoreRhosts/ { $2 = \"yes\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed."
 compliance:
- - cis: "6.5"
+ - cis: ["6.5"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no'
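Review bot: In the @@ -371 hunk the IgnoreRhosts check keeps `condition: all` over `- 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no'`, a rule that is true when an uncommented `IgnoreRhosts no` line is present, so the check passes on the insecure value while the remediation sets `yes`. The PermitEmptyPasswords check in the next hunk pairs this rule shape with `condition: none`, which is presumably what this one needs; the remediation also notes that an absent line means Yes, which `condition: all` would report as a failure. The @@ -404 pam_rhosts_auth check (`condition: all` over a rule matching an active `rlogin ... pam_rhosts_auth.so.1` line) and the @@ -416 ftpusers check (`condition: none` over `r:^root`, passing when root is not listed) look inverted in the same way. The ids and titles of all three checks lie above their hunks.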
@@ -382,7 +382,7 @@ checks:
 rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
 remediation: "Perform the following to implement the recommended state: # awk '/^PermitRootLogin/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.6"
+ - cis: ["6.6"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no'
@@ -393,7 +393,7 @@ checks:
 rationale: "Permitting login without a password is inherently risky."
 remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
 condition: none
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
@@ -404,7 +404,7 @@ checks:
 rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
 remediation: "Perform the following to implement the recommended state: # cd /etc # cp pam.conf pam.conf.pre-CIS # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS # mv pam.conf.CIS pam.conf"
 compliance:
- - cis: "6.8"
+ - cis: ["6.8"]
 condition: all
 rules:
 - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
@@ -416,7 +416,7 @@ checks:
 rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
 remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system."
 compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
 condition: none
 rules:
 - 'f:/etc/ftpd/ftpusers -> r:^root'
@@ -446,7 +446,7 @@ checks:
 rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
 condition: all
 rules:
 - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4'
@@ -457,7 +457,7 @@ checks:
 rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)."
 remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf"
 compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
 condition: none
 rules:
 - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin'
@@ -468,7 +468,7 @@ checks:
 rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS # mv xScreenSaver.CIS xScreenSaver"
 compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
 condition: all
 rules:
 - 'f:/usr/share/X11/app-defaults/XScreensaver'
@@ -482,7 +482,7 @@ checks:
 rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
 remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow"
 compliance:
- - cis: "6.13"
+ - cis: ["6.13"]
 condition: all
 rules:
 - 'not f:/etc/cron.d/cron.deny'
@@ -498,7 +498,7 @@ checks:
 rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "6.14"
+ - cis: ["6.14"]
 condition: none
 rules:
 - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console'
@@ -509,7 +509,7 @@ checks:
 rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle"
 compliance:
- - cis: "6.15"
+ - cis: ["6.15"]
 condition: all
 rules:
 - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3'
@@ -521,7 +521,7 @@ checks:
 rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
 remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub grub> md5crypt Password: [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)] The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above] Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe lock"
 compliance:
- - cis: "6.17"
+ - cis: ["6.17"]
 condition: all
 rules:
 - 'f:/rpool/boot/grub/menu.lst'
@@ -534,7 +534,7 @@ checks:
 rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
 remediation: "Perform the following to implement the recommended state: # logins -ox | awk -F: '($1 == \"root\" || $8 == \"LK\" || $8 == \"NL\") { next } ; { $cmd = \"passwd\" } ; ($11 91) { $cmd = $cmd \" -x 91\" } ($10 < 7) { $cmd = $cmd \" -n 7\" } ($12 < 28) { $cmd = $cmd \" -w 28\" } ($cmd != \"passwd\") { print $cmd \" \" $1 }' > /etc/CISupd_accounts # /sbin/sh /etc/CISupd_accounts # rm -f /etc/CISupd_accounts # cd /etc/default # grep -v WEEKS passwd > passwd.CIS # cat <> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults # mv passwd.CIS passwd"
 compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
 condition: all
 rules:
 - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'
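Review bot: The rule `- 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'` uses `\(` where the sibling passlength and RETRIES rules use `\p(`; in this regex dialect `\(` is presumably a literal parenthesis, so the pattern looks for `maxweeks(` instead of `MAXWEEKS=` and the numeric capture never opens, making the check fail on a correctly configured file. The line should read `- 'f:/etc/default/passwd -> n:^maxweeks\p(\d+) compare <= 13'` to match the `MAXWEEKS=13` the remediation writes. The check's id and title are above the hunk.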
@@ -547,7 +547,7 @@ checks:
 rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd"
 compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
 condition: all
 rules:
 - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8'
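Review bot: `n:^passlength\p(\d) compare <= 8` captures a single digit, so a value such as PASSLENGTH=10 is compared as `1` and satisfies `<= 8` even though it is the stronger setting; the other numeric rules in this file (MaxAuthTries, SLEEPTIME, RETRIES) capture `(\d+)`. The comparison direction also looks inverted against the remediation's `PASSLENGTH=8`: a minimum length of 6 passes `<= 8` while 9 fails, so the rule presumably wants `>= 8`. Taken together the line would read `- 'f:/etc/default/passwd -> n:^passlength\p(\d+) compare >= 8'`; the check's id and title are above the hunk.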
@@ -569,7 +569,7 @@ checks:
 rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
 condition: none
 rules:
 - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077'
@@ -580,7 +580,7 @@ checks:
 rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
 remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi"
 compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
 condition: none
 rules:
 - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027'
@@ -591,7 +591,7 @@ checks:
 rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
 remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done"
 compliance:
- - cis: "7.5"
+ - cis: ["7.5"]
 condition: none
 rules:
 - 'f:/etc/.login -> !r:^mesg\s*n'
@@ -604,7 +604,7 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
 remediation: "Perform the following to implement the recommended state: # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/motd # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue"
 compliance:
- - cis: "8.1"
+ - cis: ["8.1"]
 condition: all
 rules:
 - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
@@ -615,7 +615,7 @@ checks:
 description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
 remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "8.2"
+ - cis: ["8.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
@@ -626,7 +626,7 @@ checks:
 rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
 remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue"
 compliance:
- - cis: "8.3"
+ - cis: ["8.3"]
 condition: all
 rules:
 - 'f:/etc/gdm/Init/Default'
@@ -638,7 +638,7 @@ checks:
 rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
 remediation: "Perform the following to implement the recommended state: # echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf # svcadm restart ftp"
 compliance:
- - cis: "8.4"
+ - cis: ["8.4"]
 condition: all
 rules:
 - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue'
@@ -649,7 +649,7 @@ checks:
 rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd"
 compliance:
- - cis: "8.5"
+ - cis: ["8.5"]
 condition: all
 rules:
 - 'f:/etc/default/telnetd -> r:BANNER=$'
@@ -661,7 +661,7 @@ checks:
 rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
 remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l [username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N [username]"
 compliance:
- - cis: "9.3"
+ - cis: ["9.3"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:'
@@ -699,7 +699,7 @@ checks:
 rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked."
 remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini."
 compliance:
- - cis: "9.4"
+ - cis: ["9.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
@@ -710,7 +710,7 @@ checks:
 rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
 remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
 compliance:
- - cis: "9.5"
+ - cis: ["9.5"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
@@ -721,7 +721,7 @@ checks:
 rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
 remediation: "Correct or justify any items discovered in the Audit step."
 compliance:
- - cis: "9.6"
+ - cis: ["9.6"]
 condition: none
 rules:
 - 'f:/etc/profile -> r:.'
@@ -746,7 +746,7 @@ checks:
 rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.10"
+ - cis: ["9.10"]
 condition: none
 rules:
 - 'd:/home -> ^.rhosts$'
@@ -757,7 +757,7 @@ checks:
 rationale: "All users must be assigned a home directory in passwd(4)."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.12"
+ - cis: ["9.12"]
 condition: none
 rules:
 - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*'
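Review bot: In the @@ -721 hunk, `- 'f:/etc/profile -> r:.'` under `condition: none` fails whenever any line of /etc/profile contains a literal dot — comments, file names and URLs included — so it does not test what the rationale describes, the current directory in root's PATH. The rule should be anchored to a PATH assignment that carries a `.` or empty element, something like `r:^\s*PATH=\.*:.:|^\s*PATH=.:|^\s*PATH=\.*:.$` (in this dialect `.` is a literal dot and `\.` is any character); the exact alternation should be verified against the regex engine before merging. The check's id and title are above the hunk.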
@@ -768,7 +768,7 @@ checks:
 rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.20"
+ - cis: ["9.20"]
 condition: none
 rules:
 - 'd:/home -> ^.netrc$'
@@ -779,7 +779,7 @@ checks:
 rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.21"
+ - cis: ["9.21"]
 condition: none
 rules:
 - 'd:/home -> ^.forward$'
diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016_rcl.yml
index 81b215e13..809cd2a93 100644
--- a/sca/windows/acsc_office2016_rcl.yml
+++ b/sca/windows/acsc_office2016_rcl.yml
@@ -343,7 +343,7 @@ checks:
 rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter"
 compliance:
- - cis: "2.22.1"
+ - cis: ["2.22.1"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters'
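Review bot: The registry rule `- 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters'` only checks that the value name exists, so a policy explicitly set to Disabled (value present with data 0) passes a check whose remediation requires Enabled. The same existence-only shape is used in the shownfirstrunoptin, qmenable, includescreenshot, feedback `enabled` and sendcustomerdata hunks that follow, several of which require Disabled rather than Enabled, so those checks cannot tell the two states apart either. Appending the expected data as a third element, e.g. `-> powerpoint12betafilesfromconverters -> 1` here and `-> 0` on the Disabled ones, pins the data and not just the value's presence; the expected numeric data for each policy should be confirmed against the Office ADMX templates.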
@@ -660,7 +660,7 @@ checks:
 rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run"
 compliance:
- - cis: "2.24.1.1"
+ - cis: ["2.24.1.1"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin'
@@ -672,7 +672,7 @@ checks:
 rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program"
 compliance:
- - cis: "2.24.1.2"
+ - cis: ["2.24.1.2"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable'
@@ -684,7 +684,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback"
 compliance:
- - cis: "2.24.1.3"
+ - cis: ["2.24.1.3"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
@@ -696,7 +696,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback"
 compliance:
- - cis: "2.24.1.4"
+ - cis: ["2.24.1.4"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled'
@@ -708,7 +708,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information"
 compliance:
- - cis: "2.24.1.5"
+ - cis: ["2.24.1.5"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata'
@@ -720,7 +720,7 @@ checks:
 rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
 compliance:
- - cis: "2.24.1.6"
+ - cis: ["2.24.1.6"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata'
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1_rcl.yml
index e3a41848d..ddb478690 100644
--- a/sca/windows/cis_win10_enterprise_L1_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L1_rcl.yml
@@ -33,8 +33,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -47,8 +47,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -61,8 +61,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2, 6.3"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -75,8 +75,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
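Review bot: The new flow sequence `- cis_csc: ["6.2","6.3"]` in the first hunk here (2.3.2.1) has no space after the comma, which yamllint's `commas` rule reports and which reads differently from the one-value lists around it; write it `- cis_csc: ["6.2", "6.3"]`. The same unspaced form appears in the multi-value `cis_csc` lists for 2.3.10.5, 2.3.10.6, 2.3.10.7, 2.3.10.8, 2.3.10.9, 2.3.10.10, 2.3.10.11 and 2.3.10.12 later in this file, so one pass over the file would fix them all. The check entry these lines belong to starts before the hunk, so its id and title are not visible here.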
@@ -89,8 +89,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -102,8 +102,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -116,8 +116,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -130,8 +130,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -144,8 +144,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
@@ -158,8 +158,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
@@ -172,8 +172,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "8"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -186,8 +186,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.4"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -201,8 +201,8 @@ checks:
 rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16"
+ - cis: ["2.3.7.8"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -215,8 +215,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -229,8 +229,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -243,8 +243,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -257,8 +257,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -271,8 +271,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -285,8 +285,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -299,8 +299,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -313,8 +313,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -327,8 +327,8 @@ checks:
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
 compliance:
- - cis: "2.3.9.5"
- - cis_csc: "14"
+ - cis: ["2.3.9.5"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -341,8 +341,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
 compliance:
- - cis: "2.3.10.2"
- - cis_csc: "16"
+ - cis: ["2.3.10.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -355,8 +355,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
 compliance:
- - cis: "2.3.10.3"
- - cis_csc: "16"
+ - cis: ["2.3.10.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -369,8 +369,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -383,8 +383,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -397,8 +397,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 14.2"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","14.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -411,8 +411,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -425,8 +425,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -439,8 +439,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -453,8 +453,8 @@ checks:
 rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "5.1, 9.1, 9.2"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["5.1","9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -467,8 +467,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data"
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -481,8 +481,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.12"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.12"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -495,8 +495,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -509,8 +509,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -523,8 +523,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -537,8 +537,8 @@ checks:
 rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
@@ -551,8 +551,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -565,8 +565,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
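Review bot: The check in the -565 hunk has no `condition:` key between `compliance:` and `rules:`, unlike every other check in this chunk; with two rules and no explicit condition, whether both rules or just one must match depends on the engine's default, so `condition: all` should be stated explicitly. The second rule, `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff`, appears to test only that the value exists rather than that it is set to Enabled as the remediation text requires; if the engine's `-> name` form is presence-only, a host with the value present but set to 0 would still pass, and the rule should compare the value's content in the engine's `-> name -> content` form. The enclosing check (its `id:` and `title:`) starts above the hunk, so any further rules are not visible here.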
@@ -578,8 +578,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -592,8 +592,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -606,8 +606,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -620,8 +620,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -634,7 +634,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -647,8 +647,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4, 14.6"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -661,8 +661,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -675,8 +675,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -689,8 +689,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -703,8 +703,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -717,8 +717,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
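Review bot: The context rule in the -717 hunk reads `r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while the sibling UAC checks in -703, -731 and -745 use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`; the extra `\MACHINE` segment looks like a typo that this commit leaves in place. If so, under `condition: all` the key lookup can never succeed and CIS 2.3.17.5 would be reported as failed regardless of how the setting is actually configured, so the path should be brought in line with the neighbouring rules. The enclosing check starts above the hunk and any further rules of it are outside this view.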
@@ -731,8 +731,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -745,8 +745,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -759,8 +759,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -773,7 +773,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -787,8 +787,8 @@ checks:
 rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Computer Browser"
 compliance:
- - cis: "5.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
@@ -800,8 +800,8 @@ checks:
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
 compliance:
- - cis: "5.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.6"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
@@ -813,8 +813,8 @@ checks:
 rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
 compliance:
- - cis: "5.7"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.7"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
@@ -827,8 +827,8 @@ checks:
 rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
 compliance:
- - cis: "5.8"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.8"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
@@ -841,8 +841,8 @@ checks:
 rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
 compliance:
- - cis: "5.10"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.10"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
@@ -854,8 +854,8 @@ checks:
 rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
 compliance:
- - cis: "5.11"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.11"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
@@ -867,8 +867,8 @@ checks:
 rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
 compliance:
- - cis: "5.24"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.24"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'
@@ -881,8 +881,8 @@ checks:
 rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
 compliance:
- - cis: "5.26"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.26"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'
@@ -895,8 +895,8 @@ checks:
 rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
 compliance:
- - cis: "5.28"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.28"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
@@ -908,8 +908,8 @@ checks:
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
 compliance:
- - cis: "5.30"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.30"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'
@@ -922,8 +922,8 @@ checks:
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
 compliance:
- - cis: "5.31"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.31"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'
@@ -936,8 +936,8 @@ checks:
 rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
 compliance:
- - cis: "5.32"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.32"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
@@ -949,8 +949,8 @@ checks:
 rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
 compliance:
- - cis: "5.35"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.35"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
@@ -962,8 +962,8 @@ checks:
 rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
 compliance:
- - cis: "5.36"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.36"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'
@@ -976,8 +976,8 @@ checks:
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
 compliance:
- - cis: "5.40"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.40"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
@@ -989,8 +989,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
 compliance:
- - cis: "5.41"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.41"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'
@@ -1003,8 +1003,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring"
 compliance:
- - cis: "5.42"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.42"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm'
@@ -1017,8 +1017,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
 compliance:
- - cis: "5.43"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.43"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'
@@ -1031,8 +1031,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
 compliance:
- - cis: "5.44"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.44"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'
@@ -1045,8 +1045,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
 compliance:
- - cis: "5.45"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.45"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'
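Review bot: The registry path in the last context line of the @@ -1045 hunk, `'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'`, looks like a typo: the Windows service behind "Xbox Live Networking Service" is registered as `XboxNetApiSvc`, and under `condition: all` a rule pointing at a key that never exists cannot be satisfied, so this check would report the same result whatever the service's actual state. The problem predates this commit, but since the hunk already touches this check it is worth correcting in the same change: `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc'`. The check's remaining rule(s) and its `id`/`title` lines lie outside the hunk, so whether a second rule masks the failure cannot be confirmed from here.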
@@ -1060,8 +1060,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1074,8 +1074,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1088,8 +1088,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1102,7 +1102,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1115,8 +1115,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1129,8 +1129,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1143,8 +1143,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1157,8 +1157,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1171,8 +1171,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1185,8 +1185,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1199,8 +1199,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1213,7 +1213,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1226,8 +1226,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1240,8 +1240,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1254,8 +1254,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1268,8 +1268,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1282,8 +1282,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service"
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1296,8 +1296,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1310,8 +1310,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1324,7 +1324,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1337,8 +1337,8 @@ checks:
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1351,8 +1351,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1365,8 +1365,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1379,8 +1379,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1393,8 +1393,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1407,8 +1407,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1422,7 +1422,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera"
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1435,7 +1435,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show"
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1448,8 +1448,8 @@ checks:
 rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow input personalization"
 compliance:
- - cis: "18.1.2.2"
- - cis_csc: "13"
+ - cis: ["18.1.2.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
@@ -1462,8 +1462,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
 compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
+ - cis: ["18.2.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
@@ -1476,8 +1476,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy"
 compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2, 16.10"
+ - cis: ["18.2.2"]
+ - cis_csc: ["16.2","16.10"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1490,8 +1490,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management"
 compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
+ - cis: ["18.2.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1504,8 +1504,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
 compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
+ - cis: ["18.2.4"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1518,8 +1518,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
 compliance:
- - cis: "18.2.5"
- - cis_csc: "5.7"
+ - cis: ["18.2.5"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1532,8 +1532,8 @@ checks: rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings" compliance: - - cis: "18.2.6" - - cis_csc: "16.5" + - cis: ["18.2.6"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd' @@ -1546,8 +1546,8 @@ checks: rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons" compliance: - - cis: "18.3.1" - - cis_csc: "5.8, 4.3" + - cis: ["18.3.1"] + - cis_csc: ["5.8","4.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1560,8 +1560,8 @@ checks: rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver" compliance: - - cis: "18.3.2" - - cis_csc: "9.1, 9.2" + - cis: ["18.3.2"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10' @@ -1574,8 +1574,8 @@ checks: rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server" compliance: - - cis: "18.3.3" - - cis_csc: "9.1, 9.2" + - cis: ["18.3.3"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 
@@ -1588,8 +1588,8 @@ checks: rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP)" compliance: - - cis: "18.3.4" - - cis_csc: "8.4, 8.3" + - cis: ["18.3.4"] + - cis_csc: ["8.4","8.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' @@ -1602,8 +1602,8 @@ checks: rationale: "This opt-in feature is free and could prevent malicious software from being installed." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications" compliance: - - cis: "18.3.5" - - cis_csc: "8.4, 8.3" + - cis: ["18.3.5"] + - cis_csc: ["8.4","8.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine' @@ -1616,8 +1616,8 @@ checks: rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997)" compliance: - - cis: "18.3.6" - - cis_csc: "16.14" + - cis: ["18.3.6"] + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 
@@ -1630,8 +1630,8 @@ checks: rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" compliance: - - cis: "18.4.1" - - cis_csc: "16" + - cis: ["18.4.1"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' @@ -1644,8 +1644,8 @@ checks: rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" compliance: - - cis: "18.4.2" - - cis_csc: "9" + - cis: ["18.4.2"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 
@@ -1658,8 +1658,8 @@ checks: rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" compliance: - - cis: "18.4.3" - - cis_csc: "9" + - cis: ["18.4.3"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' @@ -1672,8 +1672,8 @@ checks: rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" compliance: - - cis: "18.4.5" - - cis_csc: "9" + - cis: ["18.4.5"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
@@ -1686,8 +1686,8 @@ checks: rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" compliance: - - cis: "18.4.7" - - cis_csc: "9" + - cis: ["18.4.7"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 
@@ -1700,8 +1700,8 @@ checks: rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" compliance: - - cis: "18.4.9" - - cis_csc: "8" + - cis: ["18.4.9"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' @@ -1714,8 +1714,8 @@ checks: rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" compliance: - - cis: "18.4.10" - - cis_csc: "16.5" + - cis: ["18.4.10"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -1728,8 +1728,8 @@ checks: rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" compliance: - - cis: "18.4.13" - - cis_csc: "6.3, 6.4" + - cis: ["18.4.13"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' @@ -1742,8 +1742,8 @@ checks: rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts." remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeTyp e" compliance: - - cis: "18.5.4.1" - - cis_csc: "9" + - cis: ["18.5.4.1"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters' 
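Review bot: The remediation string for check 18.5.4.1 (second hunk) carries a broken value name, `Services\\NetBT\\Parameters:NodeTyp e`, which an operator following the text is likely to copy as written; it should read `Services\\NetBT\\Parameters:NodeType`. The line is unchanged context here, but the commit already touches this check record and could carry the fix. The hunk ends on the first rule line, so the value assertion for that key is outside the hunk.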
@@ -1756,8 +1756,8 @@ checks: rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution" compliance: - - cis: "18.5.4.2" - - cis_csc: "9" + - cis: ["18.5.4.2"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' @@ -1770,8 +1770,8 @@ checks: rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons" compliance: - - cis: "18.5.8.1" - - cis_csc: "9.1, 9.2" + - cis: ["18.5.8.1"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' 
@@ -1784,8 +1784,8 @@ checks: rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network" compliance: - - cis: "18.5.11.2" - - cis_csc: "5.1" + - cis: ["18.5.11.2"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' @@ -1798,8 +1798,8 @@ checks: rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network" compliance: - - cis: "18.5.11.3" - - cis_csc: "9.1, 9.2" + - cis: ["18.5.11.3"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 
@@ -1812,8 +1812,8 @@ checks: rationale: "Allowing regular users to set a network location increases the risk and attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location" compliance: - - cis: "18.5.11.4" - - cis_csc: "5.1" + - cis: ["18.5.11.4"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 
@@ -1826,8 +1826,8 @@ checks: rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths" compliance: - - cis: "18.5.14.1" - - cis_csc: "3" + - cis: ["18.5.14.1"] + - cis_csc: ["3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' 
@@ -1842,8 +1842,8 @@ checks: rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain" compliance: - - cis: "18.5.21.1" - - cis_csc: "12" + - cis: ["18.5.21.1"] + - cis_csc: ["12"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' @@ -1856,8 +1856,8 @@ checks: rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network" compliance: - - cis: "18.5.21.2" - - cis_csc: "12" + - cis: ["18.5.21.2"] + - cis_csc: ["12"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' 
@@ -1870,8 +1870,8 @@ checks: rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services" compliance: - - cis: "18.5.23.2.1" - - cis_csc: "15.4, 15.5" + - cis: ["18.5.23.2.1"] + - cis_csc: ["15.4","15.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config' @@ -1884,8 +1884,8 @@ checks: rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" compliance: - - cis: "18.8.3.1" - - cis_csc: "16.14" + - cis: ["18.8.3.1"] + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 
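Review bot: The check for 18.8.3.1 (second hunk) encodes guidance of Disabled for "Include command line in process creation events", and its rationale states only the exposure side; to my recollection later benchmark revisions reversed this to Enabled because command-line data in event 4688 is central to detection, so a detection team may deliberately enable it and be failed by this check. A comment on the check recording which benchmark revision these ids track would help, e.g. `# CIS guidance for this setting changed in later revisions; confirm the target revision before enforcing Disabled`. The hunk ends inside `rules:`, so the value assertion is outside the hunk.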
@@ -1898,8 +1898,8 @@ checks: rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials" compliance: - - cis: "18.8.4.2" - - cis_csc: "16" + - cis: ["18.8.4.2"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' @@ -1912,8 +1912,8 @@ checks: rationale: "This policy setting helps reduce the impact of malware that has already infected your system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy" compliance: - - cis: "18.8.14.1" - - cis_csc: "8" + - cis: ["18.8.14.1"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 
@@ -1926,8 +1926,8 @@ checks: rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing" compliance: - - cis: "18.8.21.2" - - cis_csc: "3.7, 5.4, 5.5" + - cis: ["18.8.21.2"] + - cis_csc: ["3.7","5.4","5.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' @@ -1940,8 +1940,8 @@ checks: rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing" compliance: - - cis: "18.8.21.3" - - cis_csc: "3.7, 5.4, 5.5" + - cis: ["18.8.21.3"] + - cis_csc: ["3.7","5.4","5.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' 
@@ -1954,8 +1954,8 @@ checks: rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device" compliance: - - cis: "18.8.21.4" - - cis_csc: "9.1, 9.2" + - cis: ["18.8.21.4"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -1968,8 +1968,8 @@ checks: rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy" compliance: - - cis: "18.8.21.5" - - cis_csc: "3.7, 5.4, 5.5" + - cis: ["18.8.21.5"] + - cis_csc: ["3.7","5.4","5.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1982,8 +1982,8 @@ checks: rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store" compliance: - - cis: "18.8.22.1.2" - - cis_csc: "2" + - cis: ["18.8.22.1.2"] + - cis_csc: ["2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' @@ -1996,8 +1996,8 @@ checks: rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP" compliance: - - cis: "18.8.22.1.7" - - cis_csc: "13.1" + - cis: ["18.8.22.1.7"] + - cis_csc: ["13.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 
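Review bot: The rule for check 18.8.22.1.2 "Turn off access to the Store" (first hunk) points at `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers`, the same key the next check (18.8.22.1.7, printing over HTTP) uses, which looks like a copy of that rule. To my recollection the Store policy lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer` (value `NoUseStoreOpenWith`); verify against the benchmark and correct the key, otherwise the check reports on a different setting than its title claims. The hunk ends on the first rule line, so the value-matching rules of this check are outside the hunk.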
@@ -2010,8 +2010,8 @@ checks: rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in" compliance: - - cis: "18.8.27.1" - - cis_csc: "16.5" + - cis: ["18.8.27.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2024,8 +2024,8 @@ checks: rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI" compliance: - - cis: "18.8.27.2" - - cis_csc: "5" + - cis: ["18.8.27.2"] + - cis_csc: ["5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2038,8 +2038,8 @@ checks: rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers" compliance: - - cis: "18.8.27.3" - - cis_csc: "16.9" + - cis: ["18.8.27.3"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2052,8 +2052,8 @@ checks: rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers" compliance: - - cis: "18.8.27.4" - - cis_csc: "16.9" + - cis: ["18.8.27.4"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2066,8 +2066,8 @@ checks: rationale: "App notifications might display sensitive business or personal data" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen" compliance: - - cis: "18.8.27.5" - - cis_csc: "16.5" + - cis: ["18.8.27.5"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2080,8 +2080,8 @@ checks: rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in" compliance: - - cis: "18.8.27.6" - - cis_csc: "16.5" + - cis: ["18.8.27.6"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2094,8 +2094,8 @@ checks: rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in" compliance: - - cis: "18.8.27.7" - - cis_csc: "16.5" + - cis: ["18.8.27.7"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2108,8 +2108,8 @@ checks: rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery)" compliance: - - cis: "18.8.33.6.1" - - cis_csc: "9" + - cis: ["18.8.33.6.1"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' @@ -2122,8 +2122,8 @@ checks: rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in)" compliance: - - cis: "18.8.33.6.2" - - cis_csc: "9" + - cis: ["18.8.33.6.2"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' 
@@ -2136,8 +2136,8 @@ checks:
 rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)"
 compliance:
- - cis: "18.8.33.6.5"
- - cis_csc: "13.2, 13.6"
+ - cis: ["18.8.33.6.5"]
+ - cis_csc: ["13.2","13.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -2150,8 +2150,8 @@ checks:
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in)"
 compliance:
- - cis: "18.8.33.6.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
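Review bot: The multi-value lists introduced in this hunk, `- cis_csc: ["13.2","13.6"]`, omit the space after the comma that yamllint's default `commas` rule (min-spaces-after: 1) and Prettier both expect for flow sequences; `- cis_csc: ["13.2", "13.6"]` would pass both. The same spacing appears in every other multi-entry cis_csc list in this patch (18.8.35.1, 18.8.36.1, 18.8.36.2, 18.9.8.1 through 18.9.8.3, 18.9.14.1, 18.9.17.1, the 18.9.26.* event-log checks, 18.9.30.2 through 18.9.30.4, 18.9.35.1, 18.9.58.3.11.1, 18.9.58.3.11.2, 18.9.60.3, 18.9.60.6, 18.9.68.3 and 18.9.68.4), so one search-and-replace pass over `","` covers them. A few of those lists are also not in numeric order (`["4.5","3.4","3.5"]`, `["8.4","8.3"]`); sorting them is cosmetic but makes the mapping easier to compare against the CIS control list.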
@@ -2164,8 +2164,8 @@ checks:
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance"
 compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2178,8 +2178,8 @@ checks:
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance"
 compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2192,8 +2192,8 @@ checks:
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication"
 compliance:
- - cis: "18.8.36.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.36.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2206,8 +2206,8 @@ checks:
 rationale: "Unauthenticated RPC communication can create a security vulnerability."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
 compliance:
- - cis: "18.8.36.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.36.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2220,8 +2220,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional"
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2234,8 +2234,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices"
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2248,8 +2248,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun"
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2262,8 +2262,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay"
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
@@ -2275,8 +2275,8 @@ checks:
 rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing"
 compliance:
- - cis: "18.9.10.1.1"
- - cis_csc: "16"
+ - cis: ["18.9.10.1.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
@@ -2289,8 +2289,8 @@ checks:
 rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences"
 compliance:
- - cis: "18.9.13.1"
- - cis_csc: "13"
+ - cis: ["18.9.13.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
@@ -2303,8 +2303,8 @@ checks:
 rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing"
 compliance:
- - cis: "18.9.14.1"
- - cis_csc: "15.8, 15.9"
+ - cis: ["18.9.14.1"]
+ - cis_csc: ["15.8","15.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
@@ -2317,8 +2317,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button"
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -2331,8 +2331,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation"
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -2345,8 +2345,8 @@ checks:
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry"
 compliance:
- - cis: "18.9.16.1"
- - cis_csc: "13"
+ - cis: ["18.9.16.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -2359,8 +2359,8 @@ checks:
 rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications"
 compliance:
- - cis: "18.9.16.3"
- - cis_csc: "13"
+ - cis: ["18.9.16.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -2373,8 +2373,8 @@ checks:
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds"
 compliance:
- - cis: "18.9.16.4"
- - cis_csc: "3"
+ - cis: ["18.9.16.4"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
@@ -2387,8 +2387,8 @@ checks:
 rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
 remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode"
 compliance:
- - cis: "18.9.17.1"
- - cis_csc: "4.5, 3.4, 3.5"
+ - cis: ["18.9.17.1"]
+ - cis_csc: ["4.5","3.4","3.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
@@ -2401,8 +2401,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2415,8 +2415,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2429,8 +2429,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2443,8 +2443,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2457,8 +2457,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -2471,8 +2471,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -2485,8 +2485,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -2499,8 +2499,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -2513,8 +2513,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer"
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2527,8 +2527,8 @@ checks:
 rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption"
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2541,8 +2541,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode"
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2555,8 +2555,8 @@ checks:
 rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup"
 compliance:
- - cis: "18.9.35.1"
- - cis_csc: "14.1, 14.2"
+ - cis: ["18.9.35.1"]
+ - cis_csc: ["14.1","14.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
@@ -2569,8 +2569,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication"
 compliance:
- - cis: "18.9.44.1"
- - cis_csc: "16"
+ - cis: ["18.9.44.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
@@ -2583,8 +2583,8 @@ checks:
 rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block only 3rd-party cookies (or, if applicable for your environment, Enabled: Block all cookies): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure cookies"
 compliance:
- - cis: "18.9.45.4"
- - cis_csc: "13"
+ - cis: ["18.9.45.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -2597,8 +2597,8 @@ checks:
 rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Password Manager"
 compliance:
- - cis: "18.9.45.5"
- - cis_csc: "16"
+ - cis: ["18.9.45.5"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -2611,8 +2611,8 @@ checks:
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Adobe Flash Click-to-Run setting"
 compliance:
- - cis: "18.9.45.8"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.8"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security'
@@ -2625,8 +2625,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -2639,8 +2639,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved"
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2653,8 +2653,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection"
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2667,8 +2667,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection"
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2681,8 +2681,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication"
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2695,8 +2695,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level"
 compliance:
- - cis: "18.9.58.3.9.5"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.5"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2709,8 +2709,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit"
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2723,8 +2723,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session"
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2737,8 +2737,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures"
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2751,8 +2751,8 @@ checks:
 rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana"
 compliance:
- - cis: "18.9.60.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2765,8 +2765,8 @@ checks:
 rationale: "Access to any computer resource should not be allowed when the device is locked."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen"
 compliance:
- - cis: "18.9.60.4"
- - cis_csc: "16.5"
+ - cis: ["18.9.60.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2779,8 +2779,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files"
 compliance:
- - cis: "18.9.60.5"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.5"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2793,8 +2793,8 @@ checks:
 rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location"
 compliance:
- - cis: "18.9.60.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.6"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2807,8 +2807,8 @@ checks:
 rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates"
 compliance:
- - cis: "18.9.68.3"
- - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
+ - cis: ["18.9.68.3"]
+ - cis_csc: ["3.1","3.4","3.5","4.5","5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
@@ -2821,8 +2821,8 @@ checks:
 rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows"
 compliance:
- - cis: "18.9.68.4"
- - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
+ - cis: ["18.9.68.4"]
+ - cis_csc: ["3.1","3.4","3.5","4.5","5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
@@ -2835,8 +2835,8 @@ checks:
 rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS"
 compliance:
- - cis: "18.9.76.3.1"
- - cis_csc: "8"
+ - cis: ["18.9.76.3.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -2849,8 +2849,8 @@ checks:
 rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring"
 compliance:
- - cis: "18.9.76.7.1"
- - cis_csc: "8.1, 8.6"
+ - cis: ["18.9.76.7.1"]
+ - cis_csc: ["8.1","8.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
@@ -2863,8 +2863,8 @@ checks:
 rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives"
 compliance:
- - cis: "18.9.76.10.1"
- - cis_csc: "13"
+ - cis: ["18.9.76.10.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
@@ -2877,8 +2877,8 @@ checks:
 rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning"
 compliance:
- - cis: "18.9.76.10.2"
- - cis_csc: "13"
+ - cis: ["18.9.76.10.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
@@ -2891,8 +2891,8 @@ checks:
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules"
 compliance:
- - cis: "18.9.76.13.1.1"
- - cis_csc: "8.4"
+ - cis: ["18.9.76.13.1.1"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
@@ -2905,8 +2905,8 @@ checks:
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
 remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
 compliance:
- - cis: "18.9.76.13.1.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.76.13.1.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
@@ -2939,8 +2939,8 @@ checks:
 rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites"
 compliance:
- - cis: "18.9.76.13.3.1"
- - cis_csc: "7"
+ - cis: ["18.9.76.13.3.1"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
@@ -2953,8 +2953,8 @@ checks:
 rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus"
 compliance:
- - cis: "18.9.76.14"
- - cis_csc: "8.1, 8.6"
+ - cis: ["18.9.76.14"]
+ - cis_csc: ["8.1","8.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
@@ -2967,8 +2967,8 @@ checks:
 rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Security Center\\App and browser protection\\Prevent users from modifying settings"
 compliance:
- - cis: "18.9.79.2.1"
- - cis_csc: "8.4"
+ - cis: ["18.9.79.2.1"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
@@ -2981,8 +2981,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen"
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2997,8 +2997,8 @@ checks:
 rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen"
 compliance:
- - cis: "18.9.80.2.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.2.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3011,8 +3011,8 @@ checks:
 rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: In the Windows 10 Release 1703 Administrative Templates the setting was in the following location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files In the Windows 10 Release 1709 Administrative Templates the setting was removed from the new location above and left in the old location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files"
 compliance:
- - cis: "18.9.80.2.2"
- - cis_csc: "7"
+ - cis: ["18.9.80.2.2"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3025,8 +3025,8 @@ checks:
 rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites"
 compliance:
- - cis: "18.9.80.2.3"
- - cis_csc: "7"
+ - cis: ["18.9.80.2.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3039,8 +3039,8 @@ checks:
 rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting"
 compliance:
- - cis: "18.9.82.1"
- - cis_csc: "13"
+ - cis: ["18.9.82.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
@@ -3053,8 +3053,8 @@ checks:
 rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace"
 compliance:
- - cis: "18.9.84.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.84.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
@@ -3067,8 +3067,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs"
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -3081,8 +3081,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges"
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -3095,8 +3095,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart"
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -3109,8 +3109,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging"
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -3123,8 +3123,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription"
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
@@ -3137,8 +3137,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication"
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13, 16.5"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13","16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3151,8 +3151,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic"
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3165,8 +3165,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication"
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3179,8 +3179,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication"
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3193,8 +3193,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM"
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3207,8 +3207,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic"
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3221,8 +3221,8 @@ checks:
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Manage preview builds"
 compliance:
- - cis: "18.9.101.1.1"
- - cis_csc: "3"
+ - cis: ["18.9.101.1.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3237,8 +3237,8 @@ checks:
 rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received"
 compliance:
- - cis: "18.9.101.1.2"
- - cis_csc: "3"
+ - cis: ["18.9.101.1.2"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3255,8 +3255,8 @@ checks:
 rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received"
 compliance:
- - cis: "18.9.101.1.3"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.1.3"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3271,8 +3271,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3285,8 +3285,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day"
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3299,8 +3299,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations"
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2_rcl.yml
index 480c9e920..44419721e 100644
--- a/sca/windows/cis_win10_enterprise_L2_rcl.yml
+++ b/sca/windows/cis_win10_enterprise_L2_rcl.yml
@@ -33,8 +33,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -47,8 +47,8 @@ checks:
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
 compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -61,8 +61,8 @@ checks:
 rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer"
 compliance:
- - cis: "2.3.14.1"
- - cis_csc: "16.14"
+ - cis: ["2.3.14.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
@@ -76,8 +76,8 @@ checks:
 rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
 compliance:
- - cis: "5.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
@@ -90,8 +90,8 @@ checks:
 rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
 compliance:
- - cis: "5.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'
@@ -104,8 +104,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
 compliance:
- - cis: "5.5"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.5"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'
@@ -118,8 +118,8 @@ checks:
 rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
 compliance:
- - cis: "5.9"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.9"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'
@@ -132,8 +132,8 @@ checks:
 rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
 compliance:
- - cis: "5.12"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.12"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI'
@@ -146,8 +146,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
 compliance:
- - cis: "5.15"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.15"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'
@@ -160,8 +160,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
 compliance:
- - cis: "5.16"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.16"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'
@@ -174,8 +174,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
 compliance:
- - cis: "5.17"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.17"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc'
@@ -188,8 +188,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
 compliance:
- - cis: "5.18"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.18"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'
@@ -202,8 +202,8 @@ checks:
 rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
 compliance:
- - cis: "5.19"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.19"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'
@@ -216,8 +216,8 @@ checks:
 rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
 compliance:
- - cis: "5.20"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.20"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'
@@ -230,8 +230,8 @@ checks:
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
 compliance:
- - cis: "5.21"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.21"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'
@@ -244,8 +244,8 @@ checks:
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
 compliance:
- - cis: "5.22"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.22"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'
@@ -258,8 +258,8 @@ checks:
 rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
 compliance:
- - cis: "5.23"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.23"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'
@@ -272,8 +272,8 @@ checks:
 rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
 compliance:
- - cis: "5.25"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.25"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
@@ -286,8 +286,8 @@ checks:
 rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
 compliance:
- - cis: "5.27"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.27"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'
@@ -300,8 +300,8 @@ checks:
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
 compliance:
- - cis: "5.29"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.29"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
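Review bot: The remediation in the hunk at line 300 explicitly accepts "Disabled or ensure the service is not installed", but the visible rule is a plain match on `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP` under `condition: all`; on a host where the SNMP feature was never installed that key does not exist, so the check will presumably be scored as failed (or not applicable) even though the host meets the benchmark. It is worth confirming how the SCA engine treats a missing registry key under `condition: all`, and if it counts as a failure, restructuring the check so an absent service key also passes (for example `condition: any` with a `not r:…\Services\SNMP` rule next to the Start-value match). The rules that compare the `Start` value belong to this check but lie outside the hunk.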
@@ -314,8 +314,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
 compliance:
- - cis: "5.33"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.33"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'
@@ -328,8 +328,8 @@ checks:
 rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
 compliance:
- - cis: "5.34"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.34"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'
@@ -342,8 +342,8 @@ checks:
 rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
 compliance:
- - cis: "5.37"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.37"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'
@@ -356,8 +356,8 @@ checks:
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
 compliance:
- - cis: "5.38"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.38"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'
@@ -370,8 +370,8 @@ checks:
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
 compliance:
- - cis: "5.39"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.39"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM'
@@ -385,8 +385,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.3"
- - cis_csc: "9.1"
+ - cis: ["18.1.3"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -400,8 +400,8 @@ checks:
 rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -416,8 +416,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -432,8 +432,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "9"
+ - cis: ["18.4.8"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -448,8 +448,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
+ - cis: ["18.4.11"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -464,8 +464,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "9"
+ - cis: ["18.4.12"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -481,8 +481,8 @@ checks:
 rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.5.1"
- - cis_csc: "3, 13"
+ - cis: ["18.5.5.1"]
+ - cis_csc: ["3","13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -495,8 +495,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -515,8 +515,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -535,8 +535,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -549,8 +549,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
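Review bot: The remediation string in the hunk at line 549 carries the broken value name `Parameters:Disabl edComponents`; the registry value an operator has to set is `DisabledComponents`, and someone pasting the name from this message will create a value that Windows ignores. Suggest `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents`. The same string also says "set to 0xff (255)", which is the CIS recommendation, while the rules that actually compare the value sit outside this hunk, so this is a documentation-only correction.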
@@ -563,8 +563,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4","15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -585,8 +585,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4","15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -600,8 +600,8 @@ checks:
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -614,8 +614,8 @@ checks:
 rationale: "Users might download drivers that include malicious code."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP"
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "7"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -628,8 +628,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -642,8 +642,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -656,8 +656,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.5"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -670,7 +670,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.8"
+ - cis: ["18.8.22.1.8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
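Review bot: The rule `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control` in the hunk at line 670 is missing the `SOFTWARE\` segment that every other policy-key rule in this patch carries, and the CIS 18.8.22.1.8 setting is (to my knowledge) stored under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control`; as written the key will presumably never be found, so the check fails on a correctly configured host. Suggest `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`. This is also the only check in the patch whose `compliance` block has no `cis_csc` entry, which is worth confirming as intentional rather than a dropped line. The value-matching rules of this check continue outside the hunk.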
@@ -683,8 +683,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -697,8 +697,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -711,8 +711,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -725,8 +725,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.12"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -739,8 +739,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -753,8 +753,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.14"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.14"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -770,8 +770,8 @@ checks:
 rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.25.1"
- - cis_csc: "1.6"
+ - cis: ["18.8.25.1"]
+ - cis_csc: ["1.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
@@ -786,8 +786,8 @@ checks:
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.26.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -800,8 +800,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -814,8 +814,8 @@ checks:
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.11.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -828,8 +828,8 @@ checks:
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
+ - cis: ["18.8.46.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -842,8 +842,8 @@ checks:
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
+ - cis: ["18.8.49.1.1"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -856,8 +856,8 @@ checks:
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.49.1.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -871,8 +871,8 @@ checks:
 rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.4.1"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.4.1"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
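Review bot: The multi-element flow sequences introduced here, `cis_csc: ["9.1","9.2"]` and `cis_csc: ["14.4","14.6"]`, drop the space after the comma, which is the one place in this migration where the new style diverges from conventional YAML flow formatting (`["9.1", "9.2"]`) and from what yamllint and Prettier emit. The parser reads both forms identically, so this is style only, but since the commit is rewriting every compliance entry in the file it is the cheapest moment to settle on one spelling; the same pattern recurs in the later hunks that carry two or three tags. Quoting every tag as a string is the right call here: an unquoted `13` or `1.6` would be read as an int or float and `9.1, 9.2` would not survive as two identifiers, so please keep the quotes if the lists are ever regenerated.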
@@ -885,8 +885,8 @@ checks:
 rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.12.1"
- - cis_csc: "13"
+ - cis: ["18.9.12.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
@@ -899,8 +899,8 @@ checks:
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.16.2"
- - cis_csc: "13"
+ - cis: ["18.9.16.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -913,8 +913,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
+ - cis: ["18.9.39.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -927,8 +927,8 @@ checks:
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.43.1"
- - cis_csc: "9.1, 9.2, 13"
+ - cis: ["18.9.43.1"]
+ - cis_csc: ["9.1","9.2","13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
@@ -941,8 +941,8 @@ checks:
 rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.1"
- - cis_csc: "13"
+ - cis: ["18.9.45.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI'
@@ -955,8 +955,8 @@ checks:
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.2"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.2"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
@@ -969,8 +969,8 @@ checks:
 rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.3"
- - cis_csc: "7"
+ - cis: ["18.9.45.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -983,8 +983,8 @@ checks:
 rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.6"
- - cis_csc: "7"
+ - cis: ["18.9.45.6"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -997,8 +997,8 @@ checks:
 rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.7"
- - cis_csc: "13"
+ - cis: ["18.9.45.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes'
@@ -1011,8 +1011,8 @@ checks:
 rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.9"
- - cis_csc: "3"
+ - cis: ["18.9.45.9"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -1025,8 +1025,8 @@ checks:
 rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.10"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.10"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -1039,8 +1039,8 @@ checks:
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.57.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.57.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
@@ -1053,7 +1053,7 @@ checks:
 rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.2.1"
+ - cis: ["18.9.58.3.2.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1066,8 +1066,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1080,8 +1080,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1094,8 +1094,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1108,8 +1108,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.1"]
+ - cis_csc: ["16.5"]
 references:
 - https://workbench.cisecurity.org/benchmarks/766
 condition: all
@@ -1124,8 +1124,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1138,8 +1138,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -1152,7 +1152,7 @@ checks:
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.65.1"
+ - cis: ["18.9.65.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
@@ -1165,8 +1165,8 @@ checks:
 rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.68.5"
- - cis_csc: "2"
+ - cis: ["18.9.68.5"]
+ - cis_csc: ["2"]
 references:
 - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
 - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
@@ -1182,7 +1182,7 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.3.2"
+ - cis: ["18.9.76.3.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -1195,8 +1195,8 @@ checks:
 rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.9.1"
- - cis_csc: "13"
+ - cis: ["18.9.76.9.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
@@ -1209,8 +1209,8 @@ checks:
 rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.84.1"
- - cis_csc: "13"
+ - cis: ["18.9.84.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
@@ -1223,8 +1223,8 @@ checks:
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
+ - cis: ["18.9.85.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -1237,8 +1237,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -1251,8 +1251,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
+ - cis: ["18.9.98.1"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1_rcl.yml
index a5824a6c5..54cae54b9 100644
--- a/sca/windows/cis_win2012r2_domainL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL1_rcl.yml
@@ -35,8 +35,8 @@ checks:
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
 compliance:
- - cis: "1.1.2"
- - cis_csc: "16.5"
+ - cis: ["1.1.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -51,8 +51,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -65,8 +65,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -79,8 +79,8 @@ checks:
 rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -93,8 +93,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -107,8 +107,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -121,8 +121,8 @@ checks:
 rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks"
 compliance:
- - cis: "2.3.5.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.5.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -135,8 +135,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements"
 compliance:
- - cis: "2.3.5.2"
- - cis_csc: "3"
+ - cis: ["2.3.5.2"]
+ - cis_csc: ["3"]
 references:
 - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
 condition: all
@@ -151,8 +151,8 @@ checks:
 rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes"
 compliance:
- - cis: "2.3.5.3"
- - cis_csc: "16"
+ - cis: ["2.3.5.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -165,8 +165,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -179,8 +179,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -193,8 +193,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -207,8 +207,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -221,8 +221,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -235,8 +235,8 @@ checks:
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -249,8 +249,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
+ - cis: ["2.3.7.2"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -263,8 +263,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.3"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.3"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -278,8 +278,8 @@ checks:
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -292,8 +292,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -306,8 +306,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -320,8 +320,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -334,8 +334,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -348,8 +348,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -363,8 +363,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -377,8 +377,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -391,8 +391,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -406,8 +406,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -420,8 +420,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -434,8 +434,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 16"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
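Review bot: The multi-element flow sequences added here, `- cis_csc: ["14","16"]` in the first hunk and `- cis_csc: ["14.1","16"]` in the second, omit the space after the comma that yamllint and Prettier expect for flow collections; `- cis_csc: ["14", "16"]` is the conventional form. The same spacing appears in the later hunks at -448, -462, -476, -490, -504 and -518, so it is worth fixing in one pass. It is purely a style point: the values parse identically either way.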
@@ -448,8 +448,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -462,8 +462,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
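Review bot: The `remediation` text in this hunk's context lines, which the commit leaves untouched, appears to have its `|` separators misplaced: `Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows` cuts through the `Windows NT` key, while `Services\\Eventlog Software\\Microsoft\\OLAP Server` and `Print Software\\Microsoft\\Windows` run two paths together with no separator, and the closing GP UI path is split across three `|` segments. Since this string is what an operator will copy into the "Remotely accessible registry paths and sub-paths" setting, it is worth re-checking the list against the benchmark text and separating every path with ` | ` consistently. The enclosing check begins before this hunk, so its id and title are not visible here.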
@@ -476,8 +476,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -490,8 +490,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -504,8 +504,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -518,8 +518,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -532,8 +532,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -546,8 +546,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -560,8 +560,8 @@ checks:
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
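Review bot: The `rationale` of the Kerberos encryption-types check in the second hunk (-560) opens with `he strength of each encryption algorithm`, which reads as a truncated `The strength`; since this text is shown to the operator in scan results, it is worth correcting while the compliance lines of the same check are being touched: `rationale: "The strength of each encryption algorithm varies from one to the next, ..."`. The check's id and title lie before the hunk, so they are not visible here.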
@@ -574,8 +574,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -588,8 +588,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -602,8 +602,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -616,8 +616,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -630,8 +630,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -644,8 +644,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -660,8 +660,8 @@ checks:
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
 compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.13.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -674,7 +674,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -687,8 +687,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -701,8 +701,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -715,8 +715,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -729,8 +729,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -743,8 +743,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -757,8 +757,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
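Review bot: The registry rule on the last context line of the second hunk (-757), `r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, carries an extra `\MACHINE` segment that none of the neighbouring UAC checks have; they all use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. If that key does not exist, this `condition: all` check can never observe the value it is meant to verify and the "Detect application installations" setting would be reported as non-compliant regardless of the host's real state, so the line presumably should read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`. The remaining rules of this check lie past the end of the hunk, so I cannot see whether a second rule compensates.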
@@ -771,8 +771,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -785,8 +785,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -799,8 +799,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -813,7 +813,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -827,8 +827,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -841,8 +841,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -855,8 +855,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -869,7 +869,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -882,8 +882,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -896,8 +896,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -910,8 +910,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -924,8 +924,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -939,8 +939,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -953,8 +953,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -967,8 +967,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -981,7 +981,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -994,8 +994,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1008,8 +1008,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1022,8 +1022,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1036,8 +1036,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1051,8 +1051,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1065,8 +1065,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1079,8 +1079,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1093,7 +1093,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1107,8 +1107,8 @@ checks:
 rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1121,8 +1121,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
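Review bot: The rationale of check 9.3.5 still carries the typo `iWhen in the Public profile` on the first context line of this hunk; the commit rewrites the compliance block of this very check, so it is the natural place to also change it to `When in the Public profile`. This is a documentation-only fix on a line the commit does not touch, so it needs its own hunk rather than an edit to the `cis`/`cis_csc` lines. Both checks in this hunk continue past the last context line, so the registry-value rules that actually enforce the setting are not visible here.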
@@ -1135,8 +1135,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1149,8 +1149,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1163,8 +1163,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1177,8 +1177,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1192,7 +1192,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1205,7 +1205,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1219,8 +1219,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
+ - cis: ["18.3.5"]
+ - cis_csc: ["16.14"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
@@ -1238,8 +1238,8 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
@@ -1255,8 +1255,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1271,8 +1271,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1287,8 +1287,8 @@ checks:
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1303,8 +1303,8 @@ checks:
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1319,8 +1319,8 @@ checks:
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
+ - cis: ["18.4.8"]
+ - cis_csc: ["8"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1335,8 +1335,8 @@ checks:
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
+ - cis: ["18.4.9"]
+ - cis_csc: ["16.5"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1351,8 +1351,8 @@ checks:
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
+ - cis: ["18.4.12"]
+ - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1368,8 +1368,8 @@ checks:
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1382,8 +1382,8 @@ checks:
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.11.3"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1396,8 +1396,8 @@ checks:
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1411,8 +1411,8 @@ checks:
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1425,8 +1425,8 @@ checks:
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
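Review bot: The rationale and remediation of check 18.8.3.1 present "Include command line in process creation events = Disabled" purely as a secrets-exposure control, without the operational caveat a detection team would want: this same setting is what puts the process command line into the 4688 process-creation event, and turning it off removes one of the most-used data points for host-based detection. The trade-off deserves one sentence in the rationale, e.g. `Note that disabling this also removes command-line arguments from process creation (4688) events; environments that rely on them for detection should weigh this against the exposure risk and restrict read access to the Security log instead.` I believe later CIS benchmark revisions reversed this recommendation to Enabled, but that should be confirmed against the benchmark version this policy targets before changing the expected value. The value rule that actually checks the `Audit` key is outside this hunk, so only the key-existence rule is visible here.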
@@ -1439,8 +1439,8 @@ checks:
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1453,8 +1453,8 @@ checks:
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1467,8 +1467,8 @@ checks:
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1482,8 +1482,8 @@ checks:
 rationale: "Users might download drivers that include malicious code."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1496,8 +1496,8 @@ checks:
 rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "7"
+ - cis: ["18.8.22.1.5"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1510,8 +1510,8 @@ checks:
 rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "13.1"
+ - cis: ["18.8.22.1.6"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1524,8 +1524,8 @@ checks:
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1538,8 +1538,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1552,8 +1552,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1566,8 +1566,8 @@ checks:
 rationale: "App notifications might display sensitive business or personal data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1580,8 +1580,8 @@ checks:
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
 compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1594,8 +1594,8 @@ checks:
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.33.6.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -1608,8 +1608,8 @@ checks:
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.33.6.2"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -1622,8 +1622,8 @@ checks:
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
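Review bot: The rationale string of the 18.8.33.6.2 check (first hunk on this line) carries a trailing space inside the quotes (`...access the system. "`), which presumably ends up verbatim in the reported finding text; trim it to `rationale: "...before they can access the system."`. The rationale strings of the 18.9.26.3.2 and 18.9.26.4.2 checks further down have the opposite blemish, ending on `malicious users"` without the terminating period that the otherwise identical sentence has in the neighbouring Event Log checks. These are pre-existing context lines rather than something this commit introduced, but since the commit already rewrites every compliance block it is a cheap cleanup to fold in.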
@@ -1636,8 +1636,8 @@ checks:
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1651,8 +1651,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1665,8 +1665,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1679,8 +1679,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1693,8 +1693,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1707,8 +1707,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -1721,8 +1721,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -1735,8 +1735,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1749,8 +1749,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1763,8 +1763,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1777,8 +1777,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1791,8 +1791,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1805,8 +1805,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1819,8 +1819,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1833,8 +1833,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1847,8 +1847,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1861,8 +1861,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1875,8 +1875,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
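Review bot: The rationale and remediation strings of the 18.9.30.3 check (first hunk on this line) are byte-for-byte the same as those of the 18.9.30.4 check in the next hunk — both describe "Turn off shell protocol protected mode" — while the two checks read different registry keys, which strongly suggests one of them was copy-pasted from the other. In the CIS Windows benchmark numbering used here, 18.9.30.3 is the neighbouring File Explorer control about heap termination on corruption, so its rationale and remediation text should describe that setting instead; please verify against the benchmark the policy targets, and compare the two checks' title and description lines as well, since they sit outside this hunk. The commit itself only rewraps the compliance ids into lists, so this is a pre-existing inconsistency, but a finding that names one control and explains another will mislead whoever triages it.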
@@ -1889,8 +1889,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -1903,8 +1903,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1917,8 +1917,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1931,8 +1931,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1945,8 +1945,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1959,8 +1959,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1973,8 +1973,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1987,8 +1987,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2001,8 +2001,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2015,8 +2015,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2029,8 +2029,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2043,8 +2043,8 @@ checks:
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
+ - cis: ["18.9.81.2.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
@@ -2057,8 +2057,8 @@ checks:
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
+ - cis: ["18.9.81.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -2071,8 +2071,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2085,8 +2085,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2099,8 +2099,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2113,8 +2113,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -2127,8 +2127,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
@@ -2141,8 +2141,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2155,8 +2155,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2169,8 +2169,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2183,8 +2183,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2197,8 +2197,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2211,8 +2211,8 @@ checks:
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2225,8 +2225,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2239,8 +2239,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2253,8 +2253,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2_rcl.yml
index efe34aa3b..edb211c9f 100644
--- a/sca/windows/cis_win2012r2_domainL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_domainL2_rcl.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -49,8 +49,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -65,8 +65,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -81,8 +81,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.10"
- - cis_csc: "9"
+ - cis: ["18.4.10"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -97,8 +97,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
+ - cis: ["18.4.11"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -114,8 +114,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -134,8 +134,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -154,8 +154,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -168,8 +168,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -182,8 +182,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -204,8 +204,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -218,8 +218,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -232,8 +232,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -246,8 +246,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -260,7 +260,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.7"
+ - cis: ["18.8.22.1.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
@@ -273,8 +273,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.8"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -287,8 +287,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -301,8 +301,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -315,8 +315,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -329,8 +329,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.12"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -343,8 +343,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -357,8 +357,8 @@ checks:
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.26.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -371,8 +371,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -385,8 +385,8 @@ checks:
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.11.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -399,8 +399,8 @@ checks:
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
+ - cis: ["18.8.46.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -413,8 +413,8 @@ checks:
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
+ - cis: ["18.8.49.1.1"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -428,8 +428,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
+ - cis: ["18.9.39.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -442,7 +442,7 @@ checks:
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.2.1"
+ - cis: ["18.9.58.3.2.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -455,8 +455,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -469,8 +469,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.3"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -483,8 +483,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.4"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -497,8 +497,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.1"]
+ - cis_csc: ["16.5"]
 references:
 - https://workbench.cisecurity.org/benchmarks/766
 condition: all
@@ -513,8 +513,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -527,8 +527,8 @@ checks:
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.60.3"
- - cis_csc: "13"
+ - cis: ["18.9.60.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -541,7 +541,7 @@ checks:
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.65.1"
+ - cis: ["18.9.65.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
@@ -554,7 +554,7 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.3.2"
+ - cis: ["18.9.76.3.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -567,8 +567,8 @@ checks:
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
+ - cis: ["18.9.85.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -581,8 +581,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -595,8 +595,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
+ - cis: ["18.9.98.1"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1_rcl.yml
index a35b0ff62..f9122bdfe 100644
--- a/sca/windows/cis_win2012r2_memberL1_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL1_rcl.yml
@@ -36,8 +36,8 @@ checks:
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
 compliance:
- - cis: "1.1.2"
- - cis_csc: "16.5"
+ - cis: ["1.1.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -52,8 +52,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -66,8 +66,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -80,8 +80,8 @@ checks:
 rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -95,8 +95,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 default_value: "Disabled."
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -109,8 +109,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
@@ -122,8 +122,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -136,8 +136,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -150,8 +150,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -164,8 +164,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -178,8 +178,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -192,8 +192,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -206,8 +206,8 @@ checks:
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -220,8 +220,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
+ - cis: ["2.3.7.2"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -234,8 +234,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.3"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.3"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
@@ -248,8 +248,8 @@ checks:
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
@@ -262,8 +262,8 @@ checks:
 rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
 remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
 compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16.9"
+ - cis: ["2.3.7.8"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -276,8 +276,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -290,8 +290,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -304,8 +304,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -318,8 +318,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -332,8 +332,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -347,8 +347,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -361,8 +361,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -375,8 +375,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -389,8 +389,8 @@ checks:
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
 compliance:
- - cis: "2.3.9.5"
- - cis_csc: "14"
+ - cis: ["2.3.9.5"]
+ - cis_csc: ["14"]
 references:
 - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
 condition: all
@@ -405,8 +405,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
 compliance:
- - cis: "2.3.10.2"
- - cis_csc: "16"
+ - cis: ["2.3.10.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -419,8 +419,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
 compliance:
- - cis: "2.3.10.3"
- - cis_csc: "16"
+ - cis: ["2.3.10.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -433,8 +433,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -447,8 +447,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 16"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
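Review bot: The added `cis_csc: ["14","16"]` line has no space after the comma inside the flow sequence, which yamllint's `commas` rule flags and Prettier rewrites; `- cis_csc: ["14", "16"]` is the conventional form and matches the spacing of the single-element entries elsewhere in this commit. The same unspaced form recurs in the 2.3.10.6 hunk on this line and in the 2.3.10.7, 2.3.10.8, 2.3.10.9, 2.3.10.10, 2.3.10.11 and 2.3.11.1 hunks. Splitting the former "14, 16" string into two quoted elements is otherwise the right call: each element stays a string, so a generic YAML parser cannot turn "16" or "14.1" into a number, and consumers no longer have to parse a comma-separated list themselves.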
@@ -461,8 +461,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -475,8 +475,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -489,8 +489,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -503,8 +503,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -517,8 +517,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -531,8 +531,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -545,8 +545,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -559,8 +559,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -573,8 +573,8 @@ checks:
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
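Review bot: The rationale carried as context in the -573 hunk still begins with `he strength of each encryption algorithm`, a truncation of `The strength`; the commit only rewrites the compliance keys of this check, but the rationale is user-facing text reported alongside the check result, so it is worth correcting while the block is being touched.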
@@ -587,8 +587,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -601,8 +601,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -615,8 +615,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -628,8 +628,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -642,8 +642,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -656,8 +656,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -672,8 +672,8 @@ checks:
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
 compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.13.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -686,7 +686,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -699,8 +699,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -713,8 +713,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -727,8 +727,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -741,8 +741,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -755,8 +755,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -769,8 +769,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
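Review bot: The registry rule left as context at the end of the -769 hunk reads `r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while the sibling UAC checks in the surrounding hunks all use `HKEY_LOCAL_MACHINE\Software\...`; the extra `\MACHINE` component looks like a copy error. If it is, this check ("Detect application installations and prompt for elevation") evaluates against a key that does not exist and can never reflect the real setting, so the scanner would report it as failing regardless of the host's configuration. `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'` is probably what was intended; please confirm against the registry path in the referenced CIS benchmark. The commit does not touch this line.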
@@ -783,8 +783,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -797,8 +797,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -811,8 +811,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -825,7 +825,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -839,8 +839,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -853,8 +853,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -867,8 +867,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -881,7 +881,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -894,8 +894,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -908,8 +908,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -922,8 +922,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -936,8 +936,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -951,8 +951,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -965,8 +965,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -979,8 +979,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -993,7 +993,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1006,8 +1006,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1020,8 +1020,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1034,8 +1034,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1048,8 +1048,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1063,8 +1063,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1077,8 +1077,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1091,8 +1091,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1105,7 +1105,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1118,8 +1118,8 @@ checks:
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1132,8 +1132,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1146,8 +1146,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1160,8 +1160,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1174,8 +1174,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1188,8 +1188,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1203,7 +1203,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1216,7 +1216,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1230,8 +1230,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
 compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
+ - cis: ["18.2.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
@@ -1243,8 +1243,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2"
+ - cis: ["18.2.2"]
+ - cis_csc: ["16.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1257,8 +1257,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
+ - cis: ["18.2.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1271,8 +1271,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
+ - cis: ["18.2.4"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1285,8 +1285,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.5"
- - cis_csc: "5.7"
+ - cis: ["18.2.5"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1299,8 +1299,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.6"
- - cis_csc: "16.5"
+ - cis: ["18.2.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1314,8 +1314,8 @@ checks:
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.1"
- - cis_csc: "5.8"
+ - cis: ["18.3.1"]
+ - cis_csc: ["5.8"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
@@ -1332,8 +1332,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
+ - cis: ["18.3.5"]
+ - cis_csc: ["16.14"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
@@ -1351,8 +1351,8 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
@@ -1368,8 +1368,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1384,8 +1384,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1400,8 +1400,8 @@ checks:
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1416,8 +1416,8 @@ checks:
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1432,8 +1432,8 @@ checks:
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
+ - cis: ["18.4.8"]
+ - cis_csc: ["8"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1448,8 +1448,8 @@ checks:
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
+ - cis: ["18.4.9"]
+ - cis_csc: ["16.5"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1464,8 +1464,8 @@ checks:
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
+ - cis: ["18.4.12"]
+ - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1481,8 +1481,8 @@ checks:
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1495,8 +1495,8 @@ checks:
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.11.3"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1509,8 +1509,8 @@ checks:
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1524,8 +1524,8 @@ checks:
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1538,8 +1538,8 @@ checks:
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
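Review bot: The rationale line of the 18.8.3.1 check (first hunk on this line) documents only the disclosure side of the setting; the remediation sets "Include command line in process creation events" to Disabled, which also withholds the command-line arguments from process creation audit events that detection and incident-response work commonly depends on. A reader applying this policy should see that trade-off stated where the check is documented, since the rationale already notes the data is visible to anyone with read access to the security events. Consider extending the rationale with a sentence such as `Disabling this setting also removes command-line arguments from process creation audit events, which reduces their value for detection and incident response; weigh this against who has read access to the Security log.` The check's id and title lines are outside this hunk.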
@@ -1552,8 +1552,8 @@ checks:
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1566,8 +1566,8 @@ checks:
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1580,8 +1580,8 @@ checks:
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1594,8 +1594,8 @@ checks:
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1608,8 +1608,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1622,8 +1622,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1636,8 +1636,8 @@ checks:
 rationale: "App notifications might display sensitive business or personal data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1650,8 +1650,8 @@ checks:
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
 compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1664,8 +1664,8 @@ checks:
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1678,8 +1678,8 @@ checks:
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1692,8 +1692,8 @@ checks:
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.36.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.36.1"]
+ - cis_csc: ["9.1"]
 references:
 - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
 condition: all
@@ -1709,8 +1709,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1723,8 +1723,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1737,8 +1737,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1751,8 +1751,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1765,8 +1765,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -1779,8 +1779,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -1793,8 +1793,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1807,8 +1807,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1821,8 +1821,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1835,8 +1835,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1849,8 +1849,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1863,8 +1863,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1877,8 +1877,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1891,8 +1891,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1905,8 +1905,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1919,8 +1919,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1933,8 +1933,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
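Review bot: The check tagged `cis: ["18.9.30.4"]` in the second hunk carries a rationale and remediation that are word-for-word the same as the `18.9.30.3` check in the hunk above it (both say "Turn off shell protocol protected mode"), while its rule points at a different registry key (`...\CurrentVersion\Policies\Explorer` rather than `...\Policies\Microsoft\Windows\Explorer`). That looks like copied description fields rather than two deliberately identical benchmark items, and since the `cis` tag being reshaped here is what ties a check to the benchmark, it is worth confirming the text for 18.9.30.4 against the benchmark before this lands. Both checks' `rules:` continue outside the hunk, so I cannot see whether the value conditions also coincide.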
@@ -1947,8 +1947,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -1961,8 +1961,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
 compliance:
- - cis: "18.9.52.2"
- - cis_csc: "13"
+ - cis: ["18.9.52.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive'
@@ -1975,8 +1975,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1989,8 +1989,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2003,8 +2003,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2017,8 +2017,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2031,8 +2031,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2045,8 +2045,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2059,8 +2059,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2073,8 +2073,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2087,8 +2087,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2101,8 +2101,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2115,8 +2115,8 @@ checks:
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
+ - cis: ["18.9.81.2.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
@@ -2129,8 +2129,8 @@ checks:
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
+ - cis: ["18.9.81.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -2143,8 +2143,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2157,8 +2157,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2171,8 +2171,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2185,8 +2185,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -2199,8 +2199,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
@@ -2213,8 +2213,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2227,8 +2227,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2241,8 +2241,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2255,8 +2255,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2269,8 +2269,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2283,8 +2283,8 @@ checks:
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2297,8 +2297,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2311,8 +2311,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2325,8 +2325,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml
index 1c448538c..f70cd8fb9 100644
--- a/sca/windows/cis_win2012r2_memberL2_rcl.yml
+++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml
@@ -32,8 +32,8 @@ checks:
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
 compliance:
- - cis: "2.3.7.6"
- - cis_csc: "16"
+ - cis: ["2.3.7.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -47,8 +47,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -62,8 +62,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds"
 compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -76,8 +76,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)"
 compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -90,8 +90,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remedtiation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted"
 compliance:
- - cis: "18.4.10"
- - cis_csc: "5"
+ - cis: ["18.4.10"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -104,8 +104,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "5"
+ - cis: ["18.4.11"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
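Review bot: The key on the remediation line of the TcpMaxDataRetransmissions IPv6 check (hunk `@@ -90,8 +90,8 @@`) is misspelled `remedtiation:`, and the commit leaves that context line untouched, so the loader presumably never finds a remediation for this check while the neighbouring checks carry one. Change the key to `remediation:` so it matches the sibling checks in the surrounding hunks. The rest of this check's definition lies outside the hunk.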
@@ -119,8 +119,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver"
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -139,8 +139,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver"
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -160,8 +160,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services"
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -174,8 +174,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents"
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -189,8 +189,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now"
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -211,8 +211,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards"
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
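Review bot: The remediation string in the `@@ -211,8 +211,8 @@` hunk contains `Administrative Templates\Network\Network\\Windows Connect Now`, where the two single backslashes sit inside a double-quoted YAML scalar; `\N` is a YAML escape (U+0085), so those segments do not render as path separators, and the `Network` segment is also duplicated. The same single-backslash form, `Templates\Network\\Windows Connection Manager`, appears in the `@@ -226,8 +226,8 @@` hunk on the next line. Both should use the doubled form the rest of the file uses, e.g. `Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards`.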
@@ -226,8 +226,8 @@ checks:
 rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network"
 compliance:
- - cis: "18.5.21.2"
- - cis_csc: "12"
+ - cis: ["18.5.21.2"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -241,8 +241,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing"
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -255,8 +255,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting"
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -269,8 +269,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com"
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -283,7 +283,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com"
 compliance:
- - cis: "18.8.22.1.7"
+ - cis: ["18.8.22.1.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
@@ -296,8 +296,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates"
 compliance:
- - cis: "18.8.22.1.8"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
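Review bot: The registry rule in the @@ -283 hunk, `'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'`, is the only `r:` rule in this file section whose path lacks the `SOFTWARE\` segment, so the key is presumably never found and the check never passes regardless of the actual policy state; the commit rewrites the `cis` line directly above it without touching the path. Confirm against the CIS 18.8.22.1.7 benchmark text and, if it agrees, change the line to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`.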
@@ -311,7 +311,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task"
 compliance:
 - cis: 18.8.22.1.9"
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -324,8 +324,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders"
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -338,8 +338,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program"
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
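Review bot: The `cis: 18.8.22.1.9"` context line in the @@ -311 hunk is missing its opening quote, so it loads as the plain-scalar string `18.8.22.1.9"` (with the stray quote inside the value), and it is left in the old scalar form while the commit converts `cis_csc` on the very next line to the list form used everywhere else in this file. Since the hunk already rewrites the neighbouring line, it should fix this one too: `- cis: ["18.8.22.1.9"]`. Any consumer that matches compliance ids exactly will otherwise never file this check under 18.8.22.1.9.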
@@ -352,8 +352,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program"
 compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.12"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -366,8 +366,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting"
 compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -384,8 +384,8 @@ checks:
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in"
 compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.26.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -399,8 +399,8 @@ checks:
 rationale: "Unauthenticated RPC communication can create a security vulnerability."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
 compliance:
- - cis: "18.8.36.2"
- - cis_csc: "9.1"
+ - cis: ["18.8.36.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -414,8 +414,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider"
 compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -429,8 +429,8 @@ checks:
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack"
 compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.11.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -444,8 +444,8 @@ checks:
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID"
 compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
+ - cis: ["18.8.46.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -459,8 +459,8 @@ checks:
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client"
 compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
+ - cis: ["18.8.49.1.1"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -473,8 +473,8 @@ checks:
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server"
 compliance:
- - cis: "18.8.49.1.2"
- - cis_csc: "9.1"
+ - cis: ["18.8.49.1.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -488,7 +488,7 @@ checks:
 rationale: "This setting affects the Windows Location Provider feature (e.g. GPS or other location tracking)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider"
 compliance:
- - cis: "18.9.39.1.1"
+ - cis: ["18.9.39.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -501,8 +501,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location"
 compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
+ - cis: ["18.9.39.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -516,7 +516,7 @@ checks:
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session"
 compliance:
- - cis: "18.9.58.3.2.1"
+ - cis: ["18.9.58.3.2.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -530,8 +530,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection"
 compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -544,8 +544,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection"
 compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.3"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -558,8 +558,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection"
 compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.4"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -573,8 +573,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions"
 compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -587,8 +587,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions"
 compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -602,8 +602,8 @@ checks:
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search"
 compliance:
- - cis: "18.9.60.3"
- - cis_csc: "13"
+ - cis: ["18.9.60.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -617,7 +617,7 @@ checks:
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation"
 compliance:
- - cis: "18.9.65.1"
+ - cis: ["18.9.65.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
@@ -631,8 +631,8 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS"
 compliance:
- - cis: "18.9.76.3.2"
- - cis_csc: "8"
+ - cis: ["18.9.76.3.2"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -646,8 +646,8 @@ checks:
 rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events"
 compliance:
- - cis: "18.9.76.9.1"
- - cis_csc: "13"
+ - cis: ["18.9.76.9.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
@@ -661,8 +661,8 @@ checks:
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts"
 compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
+ - cis: ["18.9.85.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -676,8 +676,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM"
 compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -691,8 +691,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access"
 compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
+ - cis: ["18.9.98.1"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml
index 1d175a546..c36628c92 100644
--- a/sca/windows/win_audit_rcl.yml
+++ b/sca/windows/win_audit_rcl.yml
@@ -25,9 +25,9 @@ checks:
 - id: 2500
 title: "Ensure Registry tools set is enabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: all
 rules:
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -38,9 +38,9 @@ checks:
 title: "Ensure DCOM is enabled"
 description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 references:
 - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows
 condition: all
@@ -52,9 +52,9 @@ checks:
 - id: 2502
 title: "LM authentication not allowed (disable weak passwords)"
 compliance:
- - pci_dss: "10.6.1, 11.4"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6, IA.10"
+ - pci_dss: ["10.6.1","11.4"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6","IA.10"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA'
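Review bot: The multi-valued flow sequences introduced in the @@ -52 hunk, `["10.6.1","11.4"]` and `["AU.6","IA.10"]`, omit the space after the comma that yamllint and Prettier emit for flow collections; the same shape recurs in the @@ -85 hunk on the next line (`pci_dss`, `hipaa`, `nist_800_53`). Suggest `- pci_dss: ["10.6.1", "11.4"]` and `- nist_800_53: ["AU.6", "IA.10"]` here and the matching spacing at @@ -85, so a later formatter pass does not produce a noisy diff over these files. The values parse identically either way; this is purely a style point.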
@@ -66,9 +66,9 @@ checks:
 - id: 2503
 title: "Ensure Firewall/Anti Virus notifications are enabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
@@ -85,9 +85,9 @@ checks:
 - id: 2504
 title: "Ensure Microsoft Firewall is enabled"
 compliance:
- - pci_dss: "10.6.1, 1.4"
- - hipaa: "164.312.b, 164.312.a.1"
- - nist_800_53: "AU.6, SC.7"
+ - pci_dss: ["10.6.1","1.4"]
+ - hipaa: ["164.312.b","164.312.a.1"]
+ - nist_800_53: ["AU.6","SC.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile'
@@ -97,8 +97,8 @@ checks:
 - id: 2505
 title: "Ensure Null sessions are not allowed"
 compliance:
- - pci_dss: "11.4"
- - nist_800_53: "IA.10"
+ - pci_dss: ["11.4"]
+ - nist_800_53: ["IA.10"]
 condition: all
 rules:
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa'
@@ -108,9 +108,9 @@ checks:
 - id: 2506
 title: "Ensure Turn off Windows Error reporting is enabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 references:
 - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
 condition: all
@@ -125,9 +125,9 @@ checks:
 - id: 2507
 title: "Ensure Automatic Logon is disabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: any
 rules:
 - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
@@ -137,9 +137,9 @@ checks: - id: 2508 title: "Ensure Winpcap packet filter driver is not present" compliance: - - pci_dss: "10.6.1" - - hipaa: "164.312.b" - - nist_800_53: "AU.6" + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] condition: none rules: - 'f:%WINDIR%\System32\drivers\npf.sys' From 5f72c2910e9be7da97f796154663ca8d7ac30636 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Fri, 28 Jun 2019 06:11:04 -0700 Subject: [PATCH 152/247] Updated Debian 7 L1 --- sca/debian/cis_debian7_L1.yml | 75 ++++++++++------------------------- 1 file changed, 21 insertions(+), 54 deletions(-) diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml index 05bb456a5..6709dd1bf 100644 --- a/sca/debian/cis_debian7_L1.yml +++ b/sca/debian/cis_debian7_L1.yml 
@@ -861,19 +861,17 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
-# ToDo
-
 - id: 10571
 title: "Set Password Creation Requirement Parameters Using pam_cracklib"
- description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options.  retry=3 - Allow 3 tries before sending back a failure.  minlen=14 - password must be 14 characters or more  dcredit=-1 - provide at least one digit  ucredit=-1 - provide at least one uppercase character  ocredit=-1 - provide at least one special character  lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
+ description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. # retry=3 - Allow 3 tries before sending back a failure. # minlen=14 - password must be 14 characters or more # dcredit=-1 - provide at least one digit # ucredit=-1 - provide at least one uppercase character # ocredit=-1 - provide at least one special character # lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Install the libpam-cracklib package: # apt-get install libpam-cracklib Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
+ remediation: "1) Install the libpam-cracklib package: # apt-get install libpam-cracklib 2) Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 compliance:
 - cis: "9.2.1"
 condition: all
 rules:
 - 'c:dpkg -s libpam-cracklib -> install ok installed'
- - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so\s*\t*retry=\d\s*\t*minlen=\d\d+\s*\t*dcredit=-\d+\s*\t*ucredit=-\d+\s*\t*ocredit=-\d+\s*\t*lcredit=-\d+'
+ - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so && r:retry=\d && n:minlen=(\d+) compare >= 14 && r:dcredit=-\d+ && r:ucredit=-\d+ && r:ocredit=-\d+ && r:lcredit=-\d+'
 - id: 10572
 title: "Set Lockout for Failed Password Attempts"
@@ -884,7 +882,7 @@ checks:
 - cis: "9.2.2"
 condition: all
 rules:
- - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d\s*\t*unlock_time=\d\d\d+'
+ - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny=\d && r:unlock_time=\d\d\d+'
 - id: 10573
 title: "Limit Password Reuse"
@@ -895,7 +893,7 @@ checks:
 - cis: "9.2.3"
 condition: all
 rules:
- - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*[success=1 default=ignore]\s*\t*pam_unix.so\s*\t*obscure\s*\t*sha512\s*\t*remember=\d'
+ - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
 - id: 10574
 title: "Set SSH Protocol to 2"
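Review bot: The rewritten description in the @@ -861 hunk uses ` # ` as a bullet before each pam_cracklib option (`options. # retry=3 - Allow 3 tries…`), which reads like a root-shell prompt — the remediation directly below uses `# apt-get install libpam-cracklib` in exactly that sense, so a reader may take `# retry=3` for a command. Numbering the options the way the new remediation numbers its steps (`1) retry=3 - Allow 3 tries before sending back a failure. 2) minlen=14 - …`) keeps the two fields consistent. On the rule side, `n:minlen=(\d+) compare >= 14` is a clear improvement over the old `\d\d+`, but `r:retry=\d` still accepts any single digit; if a second `n:` term is allowed in one rule, `n:retry=(\d+) compare <= 3` would match the stated policy. This hunk starts on the previous line.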
@@ -906,7 +904,7 @@ checks:
 - cis: "9.3.1"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
 - id: 10575
 title: "Set LogLevel to INFO"
@@ -966,7 +964,7 @@ checks:
 - id: 10580
 title: "Disable SSH Root Login"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
- rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
 - cis: "9.3.8"
@@ -977,7 +975,7 @@ checks:
 - id: 10581
 title: "Set SSH PermitEmptyPasswords to No"
 description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
- rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
 - cis: "9.3.9"
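Review bot: The new rule in the @@ -906 hunk, `r:Protocol\s*\t*2`, still passes on `Protocol 2,1`, which keeps SSH protocol 1 enabled — the very setting CIS 9.3.1 exists to rule out; the old anchored form had the same gap, so this is a missed opportunity rather than a regression. Because every `&&` term is evaluated against the same line (the `!r:^#` guard already relies on that), a negative term closes it: `- 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2 && !r:,'`. Dropping the `^\s*\t*` anchor is harmless given the comment guard, though `Protocol` is now also matched mid-line.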
@@ -1017,7 +1015,7 @@ checks:
 - cis: "9.3.13"
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|^AllowGroups\s+\w+|^DenyUsers\s+\w+|^DenyGroups\s+\w+'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
 - id: 10585
 title: "Set SSH Banner"
@@ -1034,15 +1032,16 @@ checks:
 title: "Restrict Access to the su Command"
 description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
- remediation: "Add the following line to the /etc/pam.d/su file. auth required pam_wheel.so use_uid Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file."
+ remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid 2) Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file."
 compliance:
 - cis: "9.5"
 condition: all
 rules:
- - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so\s*\t*use_uid'
- - 'f:/etc/group -> !r:^# && r:wheel'
+ - 'f:/etc/pam.d/su -> !r:^# && r:auth && r:required && r:pam_wheel.so && r:use_uid'
+ - 'f:/etc/group -> !r:^# && r:wheel:'
 # 10 User Accounts and Environment
+
 - id: 10587
 title: "Set Password Expiration Days"
 description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days."
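Review bot: `r:wheel:` in the new `/etc/group` rule still passes on a `wheel:x:10:` line with no members, although step 2 of the rewritten remediation says the group must list the users allowed to run `su`; it is also unanchored, so any group whose name ends in `wheel` satisfies it. Modelled on the `^\w+:\w+:0:` pattern this file already uses, `- 'f:/etc/group -> !r:^# && r:^wheel:\w+:\d+:\w'` would require the line to start with `wheel` and carry at least one member, which is as close to step 2 as a single-line rule gets. Splitting the pam rule into `r:auth && r:required && r:pam_wheel.so && r:use_uid` drops the old token-order constraint; that is fine for this check, and `!r:^#` still excludes a commented-out line.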
@@ -1063,7 +1062,7 @@ checks:
 - cis: "10.1.2"
 condition: all
 rules:
- - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare <= 7'
+ - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
 - id: 10589
 title: "Set Password Expiring Warning Days"
@@ -1074,7 +1073,7 @@ checks:
 - cis: "10.1.3"
 condition: all
 rules:
- - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare <= 7'
+ - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
 - id: 10590
 title: "Set Default Group for root Account"
@@ -1096,8 +1095,8 @@ checks:
 - cis: "10.4"
 condition: all
 rules:
- - 'c:grep -R ^umask 077 /etc/profile.d/'
- - 'f:/etc/bash.bashrc -> !r:^# && r:umask 077'
+ - 'c:grep -Rh ^umask[[:space:]][[:space:]]*077 /etc/profile.d/ -> !r:^# && r:umask\s*\t*077'
+ - 'f:/etc/bash.bashrc -> !r:^# && r:umask\s*\t*077'
 - id: 10592
 title: "Lock Inactive User Accounts"
@@ -1141,6 +1140,7 @@ checks:
 - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue.net'
 # 13 Review User and Group Settings
+
 - id: 10595
 title: "Ensure Password Fields are Not Empty"
 description: "An account with an empty password field means that anybody may log in as that user without providing a password."
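Review bot: The umask rules in the @@ -1096 hunk only accept the literal `077`, so the equally common four-digit form `umask 0077` fails both the grep pattern and the `r:umask\s*\t*077` term, and the check reports a compliant host as failing. Allowing leading zeros in both places fixes that: `- 'c:grep -Rh ^umask[[:space:]][[:space:]]*0*77 /etc/profile.d/ -> !r:^# && r:umask\s*\t*0*77'` and `- 'f:/etc/bash.bashrc -> !r:^# && r:umask\s*\t*0*77'`. Neither the old nor the new pattern is anchored at the end, so `umask 0770` would still pass; a trailing `$` would close that if the regex engine honours it, as the `r:^.rhosts$` rule elsewhere in this file suggests. The `<=` to `>=` flips for PASS_MIN_DAYS and PASS_WARN_AGE in the two hunks above are correct for CIS 10.1.2 and 10.1.3.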
@@ -1193,45 +1193,12 @@ checks:
 - cis: "13.5"
 condition: none
 rules:
- - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
-
- - id: 10600
- title: "Check for Presence of User .rhosts Files"
- description: "While no .rhosts files are shipped by default, users can easily create them."
- rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
- remediation: "If any users have .rhosts files determine why they have them."
- compliance:
- - cis: "13.10"
- condition: none
- rules:
- - 'd:/home -> r:^.rhosts$'
-
- - id: 10601
- title: "Check for Presence of User .netrc Files"
- description: "The .netrc file contains data for logging into a remote host for file transfers via FTP."
- rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems."
- remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy."
- compliance:
- - cis: "13.18"
- condition: none
- rules:
- - 'd:/home -> r:^.netrc$'
-
- - id: 10602
- title: "Check for Presence of User .forward Files"
- description: "The .forward file specifies an email address to forward the user's mail to."
- rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization.
The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions."
- remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy."
- compliance:
- - cis: "13.19"
- condition: none
- rules:
- - 'd:/home -> r:^.forward$'
+ - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
 
 - id: 10603
 title: "Ensure shadow group is empty"
- description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
- rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
+ description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
+ rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
 remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
 compliance:
 - cis: "13.20"
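Review bot: The rewritten UID-0 rule `r:^\w+:\w+:0:` requires a word character in the password field, so an extra UID-0 account whose second field is `*`, `!` or, worst of all, empty (`toor::0:0:...`) never matches; under `condition: none` a non-matching line is a pass, so the most dangerous form of this finding is exactly the one that slips through. Matching the field loosely or using the CIS audit command avoids parsing it at all: `- "c:awk -F: '($3 == 0) { print $1 }' /etc/passwd -> !r:^root$"` (quoting inside the `c:` rule may need to follow however this policy's other command rules are written). Separately, this hunk removes the .rhosts/.netrc/.forward checks (CIS 13.10, 13.18, 13.19) without any replacement; if that is because `d:/home` does not descend into user directories, the lost coverage deserves a comment in the policy or the commit message so it is not mistaken for a pass. The check's `- id:` line lies before the hunk.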
From 306b3a807fc098a462c634a733a15594693bedf6 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Fri, 28 Jun 2019 15:22:32 +0200 Subject: [PATCH 153/247] Fix Debian 8 check IDs, add L2 check for SSH X11 forwarding and fix expiration warning days --- sca/debian/cis_debian8_L1.yml | 150 +++++++++++++++++----------------- sca/debian/cis_debian8_L2.yml | 12 +++ 2 files changed, 87 insertions(+), 75 deletions(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 90d0a009b..421216a0d 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -391,7 +391,7 @@ checks: - 'f:/etc/ntp.conf -> r:^server\s\.+' - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' - - id: 11027 + - id: 11028 title: "Ensure chrony is configured" description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server." rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system." 
@@ -403,7 +403,7 @@ checks: rules: - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' - - id: 11028 + - id: 11029 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface." @@ -415,7 +415,7 @@ checks: rules: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' - - id: 11029 + - id: 11030 title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." @@ -429,7 +429,7 @@ checks: rules: - 'c:systemctl is-enabled cups -> r:^enabled' - - id: 11030 + - id: 11031 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." 
@@ -444,7 +444,7 @@ checks: - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled' - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled' - - id: 11031 + - id: 11032 title: "Ensure LDAP server is not enabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." @@ -458,7 +458,7 @@ checks: rules: - 'c:systemctl is-enabled slapd -> r:^enabled' - - id: 11032 + - id: 11033 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." @@ -471,7 +471,7 @@ checks: - 'c:systemctl is-enabled nfs-server -> r:^enabled' - 'c:systemctl is-enabled rpcbind -> r:^enabled' - - id: 11033 + - id: 11034 title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." 
@@ -483,7 +483,7 @@ checks: rules: - 'c:systemctl is-enabled bind9 -> r:^enabled' - - id: 11034 + - id: 11035 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." @@ -495,7 +495,7 @@ checks: rules: - 'c:systemctl is-enabled vsftpd -> r:^enabled' - - id: 11035 + - id: 11036 title: "Ensure HTTP Server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." @@ -507,7 +507,7 @@ checks: rules: - 'c:systemctl is-enabled apache2 -> r:^enabled' - - id: 11036 + - id: 11037 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." 
@@ -519,7 +519,7 @@ checks: rules: - 'c:systemctl is-enabled smbd -> r:^enabled' - - id: 11037 + - id: 11038 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." @@ -531,7 +531,7 @@ checks: rules: - 'c:systemctl is-enabled squid -> r:^enabled' - - id: 11038 + - id: 11039 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." @@ -543,7 +543,7 @@ checks: rules: - 'c:systemctl is-enabled snmpd -> r:^enabled' - - id: 11039 + - id: 11040 title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." 
@@ -555,7 +555,7 @@ checks: rules: - 'c:systemctl is-enabled rsync -> r:^enabled' - - id: 11040 + - id: 11041 title: "Ensure NIS Client is not installed" description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." @@ -567,7 +567,7 @@ checks: rules: - 'c:dpkg -s nis -> r:install ok installed' - - id: 11041 + - id: 11042 title: "Ensure rsh client is not installed" description: "The rshpackage contains the client commands for the rsh services." rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin." @@ -580,7 +580,7 @@ checks: - 'c:dpkg -s rsh-client -> r:install ok installed' - 'c:dpkg -s rsh-redone-client -> r:install ok installed' - - id: 11042 + - id: 11043 title: "Ensure talk client is not installed" description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
@@ -592,7 +592,7 @@ checks: rules: - 'c:dpkg -s talk -> r:install ok installed' - - id: 11043 + - id: 11044 title: "Ensure telnet client is not installed" description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." @@ -605,7 +605,7 @@ checks: - 'c:dpkg -s telnet -> r:install ok installed' # 3 Network Configuration - - id: 11044 + - id: 11045 title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not." rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." @@ -620,7 +620,7 @@ checks: - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$' - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$' - - id: 11045 + - id: 11046 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
@@ -635,7 +635,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' - - id: 11046 + - id: 11047 title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
@@ -654,7 +654,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - - id: 11047 + - id: 11048 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." @@ -673,7 +673,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$' - - id: 11048 + - id: 11049 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
@@ -688,7 +688,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' - - id: 11049 + - id: 11050 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." @@ -703,7 +703,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' - - id: 11050 + - id: 11051 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." 
@@ -716,7 +716,7 @@ checks: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - - id: 11051 + - id: 11052 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -729,7 +729,7 @@ checks: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' - - id: 11052 + - id: 11053 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. 
@@ -744,7 +744,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - - id: 11053 + - id: 11054 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." 
@@ -757,7 +757,7 @@ checks: - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' - - id: 11054 + - id: 11055 title: "Ensure IPv6 router advertisements are not accepted" description: "This setting disables the systems ability to accept router advertisements" rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." @@ -772,7 +772,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$' - - id: 11055 + - id: 11056 title: "Ensure /etc/hosts.allow is configured" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system." @@ -784,7 +784,7 @@ checks: rules: - 'f:/etc/hosts.allow' - - id: 11056 + - id: 11057 title: "Ensure /etc/hosts.deny is configured" description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." 
@@ -797,7 +797,7 @@ checks: - 'f:/etc/hosts.deny' - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' - - id: 11057 + - id: 11058 title: "Ensure DCCP is disabled" description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery." rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." @@ -810,7 +810,7 @@ checks: - 'not c:modprobe -n -v dccp -> r:install /bin/true' - 'c:lsmod -> r:dccp' - - id: 11058 + - id: 11059 title: "Ensure SCTP is disabled" description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -823,7 +823,7 @@ checks: - 'not c:modprobe -n -v sctp -> r:install /bin/true' - 'c:lsmod -> r:sctp' - - id: 11059 + - id: 11060 title: "Ensure RDS is disabled" description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." 
@@ -836,7 +836,7 @@ checks: - 'not c:modprobe -n -v rds -> r:install /bin/true' - 'c:lsmod -> r:rds' - - id: 11060 + - id: 11061 title: "Ensure TIPC is disabled" description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -851,7 +851,7 @@ checks: # 3.5 Firewall configuration - - id: 11061 + - id: 11062 title: "Ensure default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." @@ -865,8 +865,8 @@ checks: - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP' - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 11062 - title: " Ensure IPv6 default deny firewall policy" + - id: 11063 + title: "Ensure IPv6 default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." 
@@ -879,7 +879,7 @@ checks: - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP' - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 11063 + - id: 11064 title: "Ensure iptables is installed" description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables." rationale: "iptables is required for firewall management and configuration." @@ -892,7 +892,7 @@ checks: - 'c:dpkg -s iptables -> r:install ok installed' # 4 Logging and Auditing - - id: 11064 + - id: 11065 title: "Ensure rsyslog Service is enabled" description: "Once the rsyslog package is installed it needs to be activated." rationale: "If the rsyslog service is not activated the system will not have a syslog service running." @@ -904,7 +904,7 @@ checks: rules: - 'c:systemctl is-enabled rsyslog -> r:^enabled' - - id: 11065 + - id: 11066 title: "Ensure rsyslog is configured to send logs to a remote log host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system." 
@@ -918,7 +918,7 @@ checks: rules: - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+' - - id: 11066 + - id: 11067 title: "Ensure remote rsyslog messages are only accepted on designated log hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." @@ -934,7 +934,7 @@ checks: - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514' # 5 Access, Authentication and Authorization - - id: 11067 + - id: 11068 title: "Ensure cron daemon is enabled" description: "The cron daemon is used to execute batch jobs on the system." rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them." 
@@ -946,7 +946,7 @@ checks: rules: - 'c:systemctl is-enabled cron -> r:^enabled$' - - id: 11068 + - id: 11069 title: "Ensure at/cron is restricted to authorized users" description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." @@ -963,7 +963,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600' - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600' - - id: 11069 + - id: 11070 title: "Ensure permissions on /etc/ssh/sshd_config are configured" description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root." rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users." 
@@ -975,7 +975,7 @@ checks: rules: - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600' - - id: 11070 + - id: 11071 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." @@ -987,13 +987,13 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' - - id: 11071 + - id: 11072 title: "Ensure SSH LogLevel is appropriate" description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments." rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel VERBOSE or LogLevel INFO" references: - - https://www.ssh.com/ssh/sshd_config/ + - https://www.ssh.com/ssh/sshd_config/ compliance: - cis: "5.2.5" - cis_csc: "16, 6.2, 6.3" 
@@ -1001,7 +1001,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE' - - id: 11072 + - id: 11073 title: "Ensure SSH X11 forwarding is disabled" description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." @@ -1013,7 +1013,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' - - id: 11073 + - id: 11074 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." @@ -1025,7 +1025,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' - - id: 11074 + - id: 11075 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
@@ -1037,7 +1037,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' - - id: 11075 + - id: 11076 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." @@ -1049,7 +1049,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - - id: 11076 + - id: 11077 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." @@ -1063,7 +1063,7 @@ checks: # 5.2 SSH Server Configuration - - id: 11077 + - id: 11078 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" 
@@ -1075,7 +1075,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' - - id: 11078 + - id: 11079 title: "Ensure SSH PermitUserEnvironment is disabled" description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" @@ -1087,7 +1087,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' - - id: 11079 + - id: 11080 title: "Ensure SSH Idle Timeout Interval is configured" description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." 
@@ -1100,7 +1100,7 @@ checks: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0' - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3' - - id: 11080 + - id: 11081 title: "Ensure SSH access is limited" description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." @@ -1112,7 +1112,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' - - id: 11081 + - id: 11082 title: "Ensure SSH warning banner is configured" description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system." 
@@ -1126,7 +1126,7 @@ checks: # 5.3 Configure PAM - - id: 11082 + - id: 11083 title: "Ensure password creation requirements are configured" description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)" rationale: "Strong passwords protect systems from being hacked through brute force methods." @@ -1144,7 +1144,7 @@ checks: - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit' - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit' - - id: 11083 + - id: 11084 title: "Ensure lockout for failed password attempts is configured" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." 
@@ -1156,7 +1156,7 @@ checks: rules: - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+' - - id: 11084 + - id: 11085 title: "Ensure password reuse is limited" description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." @@ -1170,7 +1170,7 @@ checks: # 5.4 User Accounts and Environment - - id: 11085 + - id: 11086 title: "Ensure password expiration is 365 days or less" description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." 
@@ -1182,7 +1182,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365' - - id: 11086 + - id: 11087 title: "Ensure minimum days between password changes is 7 or more" description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." @@ -1192,9 +1192,9 @@ checks: - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' - - id: 11087 + - id: 11088 title: "Ensure password expiration warning days is 7 or more" description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." 
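Review bot: The operator flip to `compare >= 7` makes the PASS_MIN_DAYS rule agree with its title "Ensure minimum days between password changes is 7 or more"; the old `<= 7` passed exactly the non-compliant values. The same fix is applied to PASS_WARN_AGE in the next hunk (L5832) and to both rules again in cis_debian9_L1.yml (L5844), so all four should be kept in sync. One gap worth confirming: `n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+)` only matches when the directive is present, so an absent or commented-out PASS_MIN_DAYS matches nothing; I believe SCA then reports the check as failed, which is the desired outcome for an unset value, but that is inferred rather than visible in this hunk.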
@@ -1204,9 +1204,9 @@ checks: - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7' - - id: 11088 + - id: 11089 title: "Ensure inactive password lock is 30 days or less" description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled." rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." @@ -1218,7 +1218,7 @@ checks: rules: - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30' - - id: 11089 + - id: 11090 title: "Ensure default group for the root account is GID 0" description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." 
@@ -1230,7 +1230,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - - id: 11090 + - id: 11091 title: "Ensure access to the su command is restricted" description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su." rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." @@ -1245,7 +1245,7 @@ checks: # 6.2 User and Group Settings - - id: 11091 + - id: 11092 title: "Ensure password fields are not empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password." rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." @@ -1257,7 +1257,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 11092 + - id: 11093 title: "Ensure no legacy \"+\" entries exist in /etc/passwd" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." 
@@ -1269,7 +1269,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:^+:' - - id: 11093 + - id: 11094 title: "Ensure no legacy \"+\" entries exist in /etc/shadow" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1281,8 +1281,8 @@ checks: rules: - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 11094 - title: "Verify no legacy \"+\" entries exist in /etc/group" + - id: 11095 + title: "Ensure no legacy \"+\" entries exist in /etc/group" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/group if they exist." @@ -1293,7 +1293,7 @@ checks: rules: - 'f:/etc/group -> !r:^# && r:^+:' - - id: 11095 + - id: 11096 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." 
@@ -1305,7 +1305,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' - - id: 11096 + - id: 11097 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index cda0d786e..2ad28688c 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -452,3 +452,15 @@ checks: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^\s*\t*-e 2$' + + - id: 10528 + title: "Ensure SSH X11 forwarding is disabled" + description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." + rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." + remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no" + compliance: + - cis: "5.2.6" + - cis_csc: "16, 9.2" + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' \ No newline at end of file From c2a3ab0ae2514a37abc07e10036dc2cc11fa37ab Mon Sep 17 00:00:00 2001 
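Review bot: In the new check 10528 the rule `r:X11Forwarding\s+no` passes as soon as any non-comment line contains that text, so a file with `X11Forwarding yes` before `X11Forwarding no`, or with the `no` only inside a `Match` block, satisfies the check even though sshd uses the first value it reads for a keyword. Anchoring the directive, `- 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*X11Forwarding\s+no'`, would at least stop an indented `  #X11Forwarding no` — which `!r:^#` does not exclude — from passing it; the ordering and Match cases cannot be expressed in one regex and deserve a comment above the rule. The remediation string reads `sshd_configfile`, missing a space before "file". The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), and whether id 10528 is unused elsewhere in cis_debian8_L2.yml is not visible from here.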
From: Cristina Maria Garrido Lopez Date: Fri, 28 Jun 2019 15:31:29 +0200 Subject: [PATCH 154/247] Fix some expiration days rules and replaced some remediation fields --- sca/debian/cis_debian9_L1.yml | 30 +++++++++++++++--------------- sca/debian/cis_debian9_L2.yml | 24 +++++++++++------------- 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml index ca5b4fbe0..e101d0948 100644 --- a/sca/debian/cis_debian9_L1.yml +++ b/sca/debian/cis_debian9_L1.yml @@ -173,7 +173,7 @@ checks: title: "Ensure nodev option set on /home partition" description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices." rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - cis: "1.1.14" - cis_csc: "5.1" 
@@ -209,7 +209,7 @@ checks: title: "Ensure noexec option set on /dev/shm partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm" + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm" compliance: - cis: "1.1.17" - cis_csc: "2.6, 8" @@ -221,7 +221,7 @@ checks: title: "Disable Automounting" description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." - remediation: "Disable autofs: # update-rc.d autofs disable" + remediation: "Run the following command to disable autofs: # systemctl disable autofs" compliance: - cis: "1.1.21" - cis_csc: "8.4, 8.5" 
@@ -246,7 +246,7 @@ checks: title: "Ensure filesystem integrity is regularly checked" description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem." rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion." - remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy." + remediation: "Run the following command to install AIDE: # apt-get install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit" compliance: - cis: "1.3.2" - cis_csc: "14.9" 
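Review bot: The new remediation for "Ensure filesystem integrity is regularly checked" (cis 1.3.2) describes installing and initializing AIDE (`apt-get install aide aide-common`, `aideinit`), which is the fix for AIDE not being installed, not for the periodic check this title and description are about; the removed text (a root crontab entry running `/usr/sbin/aide --check`) matched the check. Unless the rules for this check, which lie outside the hunk, were changed to test installation, an operator following the new text will fix a different finding. Suggest restoring the scheduling step, e.g. `remediation: "Run the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check"`.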
@@ -259,7 +259,7 @@ checks: title: "Ensure bootloader password is set" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." - remediation: "1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" 3) Run the following to update the grub configuration: # update-grub" + remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2 Create a custom /etc/grub.d configuration file: If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following command to update the grub2 configuration: # update-grub" compliance: - cis: "1.4.2" - cis_csc: "5.1" 
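Review bot: The rewritten bootloader remediation says "Create a custom /etc/grub.d configuration file:" and then moves on to the --unrestricted step, so the contents of that file (the `set superusers=` and `password_pbkdf2` lines) are missing and the instruction cannot be completed. The removed text was garbled at the same spot (`cat <\" password_pbkdf2 EOF`), which suggests the angle-bracket placeholders and heredoc were lost when the benchmark text was imported; the rewrite carries the gap forward. Spelling the file contents out with plain placeholders, e.g. `... configuration file containing: set superusers=\"USERNAME\" password_pbkdf2 USERNAME PBKDF2_HASH ...`, keeps them intact in YAML and in any HTML rendering.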
@@ -285,7 +285,7 @@ checks: title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." - remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0 and set the active kernel parameter." + remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0" compliance: - cis: "1.5.1" - cis_csc: "13" 
@@ -299,7 +299,7 @@ checks: title: "Ensure address space layout randomization (ASLR) is enabled" description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." - remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" compliance: - cis: "1.5.3" - cis_csc: "8.3" 
@@ -313,7 +313,7 @@ checks: title: "Ensure local login warning banner is configured properly" description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version" rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in." - remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue" + remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue" compliance: - cis: "1.7.1.2" - cis_csc: "5.1" 
@@ -326,7 +326,7 @@ checks: title: "Ensure xinetd is not installed" description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled." - remediation: "Run the following command to disable xinetd: # apt-get remove xinetd" + remediation: "Run the following commands to remove xinetd: # apt-get remove xinetd # apt-get purge xinetd" compliance: - cis: "2.1.1" - cis_csc: "9.2" @@ -338,7 +338,7 @@ checks: title: "Ensure openbsd-inetd is not installed" description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no inetd services required, it is recommended that the daemon be removed." - remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd" + remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd" compliance: - cis: "2.1.2" - cis_csc: "9.2" 
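Review bot: In the openbsd-inetd hunk the command lost its prompt prefix (`apt-get remove openbsd-inetd`), whereas every other remediation in this file writes commands as `# apt-get ...`; for consistency it should read `remediation: "Run the following command to uninstall openbsd-inetd: # apt-get remove openbsd-inetd"`. The new text also drops inetutils-inetd, while the check's rules are outside the hunk, so whether the rule still tests for that package should be confirmed before the remediation stops mentioning it.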
@@ -351,7 +351,7 @@ checks: title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." - remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." + remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp" compliance: - cis: "2.2.1.2" - cis_csc: "6.1" @@ -1166,7 +1166,7 @@ checks: - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' - id: 16086 title: "Ensure password expiration warning days is 7 or more" @@ -1178,7 +1178,7 @@ checks: - cis_csc: "4.4, 16" condition: all rules: - - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare <= 7' + - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7' - id: 16087 title: "Ensure inactive password lock is 30 days or less" 
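Review bot: The ntp remediation says "Add or edit server or pool lines to /etc/ntp.conf as appropriate: server" and stops — the server argument is missing, most likely an angle-bracket placeholder dropped on import, since the removed text shows the same gap ("server Note: is the IP address or hostname…"). Writing the placeholder without angle brackets, `server REMOTE_SERVER`, keeps it intact in YAML and in rendered output. The PASS_MIN_DAYS and PASS_WARN_AGE operator fixes further down this line repeat the ones already noted at L5831 for the other policy file.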
@@ -1208,7 +1208,7 @@ checks:
 title: "Ensure access to the su command is restricted"
 description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
- remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root, Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default."
+ remediation: "Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root,"
 compliance:
 - cis: "5.6"
 - cis_csc: "5.1"
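Review bot: The new su remediation ends with `sudo:x:10:root,` — the trailing comma is followed by nothing because the user-list placeholder was lost, so the example /etc/group line is malformed and gives no hint that user names belong after `root,`. Suggest `... in the /etc/group file: sudo:x:10:root,<user list>` (placeholder to be replaced by the site's administrators) or drop the trailing comma. Losing the note about use_uid being a no-op on Debian is harmless, but the example should remain usable as written.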
@@ -1256,7 +1256,7 @@ checks:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
 - id: 16093
- title: "Verify no legacy \"+\" entries exist in /etc/group"
+ title: "Ensure no legacy \"+\" entries exist in /etc/group"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/group if they exist."
diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml
index 3a41f7124..a8a2a2772 100644
--- a/sca/debian/cis_debian9_L2.yml
+++ b/sca/debian/cis_debian9_L2.yml
@@ -1,5 +1,3 @@
-Ensure SSH X11 forwarding is disabled
-
 # Security Configuration assessment
 # Level 2 CIS Checks for Debian Linux 9
 # Copyright (C) 2015-2019, Wazuh Inc.
@@ -34,7 +32,7 @@ checks:
 title: "Ensure separate partition exists for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
 - cis: "1.1.6"
 - cis_csc: "5.1"
@@ -60,7 +58,7 @@ checks:
 title: "Ensure separate partition exists for /var/log"
 description: "The /var/log directory is used by system services to store log data."
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
 - cis: "1.1.11"
 - cis_csc: "6.4"
@@ -74,7 +72,7 @@ checks:
 title: "Ensure separate partition exists for /var/log/audit"
 description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
 - cis: "1.1.12"
 - cis_csc: "6.4"
@@ -88,7 +86,7 @@ checks:
 title: "Ensure separate partition exists for /home"
 description: "The /home directory is used to support disk storage needs of local users."
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
- remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
 - cis: "1.1.13"
 - cis_csc: "5.1"
@@ -102,7 +100,7 @@ checks:
 title: "Disable Automounting"
 description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
- remediation: "Disable autofs: # update-rc.d autofs disable"
+ remediation: "Run the following command to disable autofs: # systemctl disable autofs"
 compliance:
 - cis: "1.1.22"
 - cis_csc: "8.3, 8.5"
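Review bot: In the autofs hunk, `systemctl disable autofs` only takes the unit out of the boot sequence; an autofs instance that is already running keeps serving mounts until the next reboot, so the remediation as written leaves the host non-compliant for the rest of its uptime. Consider `# systemctl --now disable autofs`, or a second sentence telling the operator to stop the service as well. The removed `update-rc.d` form had the same gap, so this is a pre-existing limitation rather than a regression.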
@@ -202,7 +200,7 @@ checks:
 title: "Ensure auditing for processes that start prior to auditd is enabled"
 description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
 rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
- remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
+ remediation: "Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
 compliance:
 - cis: "4.1.3"
 - cis_csc: "6.2, 6.3"
@@ -303,7 +301,7 @@ checks:
 compliance:
 - cis: "4.1.8"
 - cis_csc: "4.9, 16.11, 16.13"
- condition: all&& r:
+ condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
@@ -367,7 +365,7 @@ checks:
 title: "Ensure successful file system mounts are collected"
 description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
- remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
+ remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: "4.1.13"
 - cis_csc: "13"
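Review bot: The rewritten mount remediation (and the matching text in the delete and modules hunks at -382 and -426 that follow) still directs the operator to edit /etc/audit/audit.rules directly; on a Debian 9 auditd install that file is normally regenerated from the /etc/audit/rules.d/ drop-ins by augenrules, so lines added to audit.rules can be overwritten on the next service restart — worth confirming against the packaged auditd before relying on the text. Naming a rules.d drop-in as the place to add the lines, or at least saying that audit.rules may be generated, would make the instruction durable. The `|` separators between the two `-a` lines in the 64-bit variant are carried over from the old text; a sentence break would read more clearly. The check's own `rules:` entries that verify these lines are outside the hunk.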
@@ -382,7 +380,7 @@ checks:
 title: "Ensure file deletion events by users are collected"
 description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
- remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
+ remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. 
Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: "4.1.14"
 - cis_csc: "6.2, 13"
@@ -426,7 +424,7 @@ checks:
 title: "Ensure kernel module loading and unloading is collected"
 description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
- remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
+ remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. 
Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: "4.1.17"
 - cis_csc: "5.1"
@@ -457,7 +455,7 @@ checks:
 title: "Ensure SSH X11 forwarding is disabled"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
- remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
+ remediation: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
 compliance:
 - cis: "5.2.6"
 - cis_csc: "9.2"
From f73ff6cc5d5a3819fc79f00c2f96d78dc518484f Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Fri, 28 Jun 2019 06:54:08 -0700
Subject: [PATCH 155/247] Adjust Debian 7 L1 IDs
---
 sca/debian/cis_debian7_L1.yml | 68 +++++++++++++++++------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index 6709dd1bf..4232e9a63 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
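Review bot: The new X11Forwarding remediation is a verbatim copy of the rationale line directly above it and no longer tells the operator what to change, so a failing check now comes with no fix attached. Restore the configuration step, correcting the old typo in the file name at the same time: `remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"`. The check's `rules:` that verify the setting are outside the hunk.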
@@ -804,7 +804,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *rsyslog* -> r:S\.'
- - id: 10566
+ - id: 10565
 title: "Configure rsyslog to Send Logs to a Remote Log Host"
 description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
@@ -817,7 +817,7 @@ checks:
 rules:
 - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
- - id: 10567
+ - id: 10566
 title: "Accept Remote rsyslog Messages Only on Designated Log Hosts"
 description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
@@ -833,7 +833,7 @@ checks:
 # 9 System Access, Authentication and Authorization
- - id: 10569
+ - id: 10567
 title: "Enable cron Daemon"
 description: "The cron daemon is used to execute batch jobs on the system."
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
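Review bot: `id: 10566` becomes `10565` in the first hunk, but the check that precedes it sits outside the hunk, so it is not visible here that 10565 was free; the same downward shift by one and then two continues through the hunks on the following lines up to 10594 → 10592. Because SCA addresses checks by id, please confirm that no entry in cis_debian7_L1.yml, and no other policy loaded on the same agent, still uses an id in the new range before merging — a collision would be silent in the YAML itself. The renumbering otherwise looks mechanical and consistent across the hunks.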
@@ -845,7 +845,7 @@ checks:
 - 'c:find /etc/rc* -name *cron* -> r:S\.'
 - 'c:find /etc/rc* -name *anacron* -> r:S\.'
- - id: 10570
+ - id: 10568
 title: "Restrict at/cron to Authorized Users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
@@ -861,7 +861,7 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
- - id: 10571
+ - id: 10569
 title: "Set Password Creation Requirement Parameters Using pam_cracklib"
 description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. # retry=3 - Allow 3 tries before sending back a failure. # minlen=14 - password must be 14 characters or more # dcredit=-1 - provide at least one digit # ucredit=-1 - provide at least one uppercase character # ocredit=-1 - provide at least one special character # lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -873,7 +873,7 @@ checks:
 - 'c:dpkg -s libpam-cracklib -> install ok installed'
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so && r:retry=\d && n:minlen=(\d+) compare >= 14 && r:dcredit=-\d+ && r:ucredit=-\d+ && r:ocredit=-\d+ && r:lcredit=-\d+'
- - id: 10572
+ - id: 10570
 title: "Set Lockout for Failed Password Attempts"
 description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
 rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
@@ -884,7 +884,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny=\d && r:unlock_time=\d\d\d+'
- - id: 10573
+ - id: 10571
 title: "Limit Password Reuse"
 description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
@@ -895,7 +895,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
- - id: 10574
+ - id: 10572
 title: "Set SSH Protocol to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -906,7 +906,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
- - id: 10575
+ - id: 10573
 title: "Set LogLevel to INFO"
 description: "The INFO parameter specifices that record login and logout activity will be logged."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
@@ -917,7 +917,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO'
- - id: 10576
+ - id: 10574
 title: "Disable SSH X11 Forwarding"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
@@ -928,7 +928,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no'
- - id: 10577
+ - id: 10575
 title: "Set SSH MaxAuthTries to 4 or Less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy."
@@ -939,7 +939,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
- - id: 10578
+ - id: 10576
 title: "Set SSH IgnoreRhosts to Yes"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -950,7 +950,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
- - id: 10579
+ - id: 10577
 title: "Set SSH HostbasedAuthentication to No"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -961,7 +961,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
- - id: 10580
+ - id: 10578
 title: "Disable SSH Root Login"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
@@ -972,7 +972,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
- - id: 10581
+ - id: 10579
 title: "Set SSH PermitEmptyPasswords to No"
 description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
@@ -983,7 +983,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
- - id: 10582
+ - id: 10580
 title: "Do Not Allow Users to Set Environment Options"
 description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
@@ -994,7 +994,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
- - id: 10583
+ - id: 10581
 title: "Set Idle Timeout Interval for User Login"
 description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
@@ -1006,7 +1006,7 @@ checks:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300'
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0'
- - id: 10584
+ - id: 10582
 title: "Limit Access via SSH"
 description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
@@ -1017,7 +1017,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
- - id: 10585
+ - id: 10583
 title: "Set SSH Banner"
 description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site."
@@ -1028,7 +1028,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue'
- - id: 10586
+ - id: 10584
 title: "Restrict Access to the su Command"
 description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
@@ -1042,7 +1042,7 @@ checks:
 # 10 User Accounts and Environment
- - id: 10587
+ - id: 10585
 title: "Set Password Expiration Days"
 description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days."
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
@@ -1053,7 +1053,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90'
- - id: 10588
+ - id: 10586
 title: "Set Password Change Minimum Number of Days"
 description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
@@ -1064,7 +1064,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
- - id: 10589
+ - id: 10587
 title: "Set Password Expiring Warning Days"
 description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
@@ -1075,7 +1075,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
- - id: 10590
+ - id: 10588
 title: "Set Default Group for root Account"
 description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
 rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
@@ -1086,7 +1086,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - - id: 10591 + - id: 10589 title: "Set Default umask for Users" description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories." rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." @@ -1098,7 +1098,7 @@ checks: - 'c:grep -Rh ^umask[[:space:]][[:space:]]*077 /etc/profile.d/ -> !r:^# && r:umask\s*\t*077' - 'f:/etc/bash.bashrc -> !r:^# && r:umask\s*\t*077' - - id: 10592 + - id: 10590 title: "Lock Inactive User Accounts" description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." 
@@ -1110,7 +1110,7 @@ checks: - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' # 11 Warning Banners - - id: 10593 + - id: 10591 title: "Set Warning Banner for Standard Login Services" description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed." rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." @@ -1126,7 +1126,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/issue -> 0-0-644' - 'c:stat -c%u-%g-%a /etc/issue.net -> 0-0-644' - - id: 10594 + - id: 10592 title: "Remove OS Information from Login Warning Banners" description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." 
@@ -1141,7 +1141,7 @@ checks: # 13 Review User and Group Settings - - id: 10595 + - id: 10593 title: "Ensure Password Fields are Not Empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password." rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." @@ -1152,7 +1152,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 10596 + - id: 10594 title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1163,7 +1163,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:^+:' - - id: 10597 + - id: 10595 title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." 
@@ -1173,7 +1173,7 @@ checks: condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 10598 + - id: 10596 title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1184,7 +1184,7 @@ checks: rules: - 'f:/etc/group -> !r:^# && r:^+:' - - id: 10599 + - id: 10597 title: "Verify No UID 0 Accounts Exist Other Than root" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." @@ -1195,7 +1195,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' - - id: 10603 + - id: 10598 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." From c01b4a336deac1f32b3aba472b8b80960716db30 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Mon, 1 Jul 2019 10:39:25 +0200 Subject: [PATCH 156/247] Fix incorrect variable --- sca/debian/cis_debian8_L1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 421216a0d..052f57687 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -616,7 +616,7 @@ checks: condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' - - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ipv4_forward\s*=\s*0$' - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$' - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$' From 89ab4d882fb63f6f6322665e87aac252ad3bbffd Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 1 Jul 2019 10:55:20 +0200 Subject: [PATCH 157/247] Fix password requirements rule --- sca/debian/cis_debian8_L1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 052f57687..d9ca19231 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -1136,7 +1136,7 @@ checks: - cis_csc: "5.7, 16.12, 4.4" condition: all rules: - - 'c:dpkg -s libpam-cracklib -> install ok installed' + - 'c:dpkg -s libpam-pwquality -> r:install ok installed' - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d' - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14' - 'f:/etc/security/pwquality.conf -> !r:^# && r:dcredit' From 5e32c616188a43a10ed799be93a4fc11b864fa5c Mon Sep 17 00:00:00 2001 
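Review bot: The replacement regex in the `net.ipv4.ip_forward` grep rule of the `@@ -616,7 +616,7 @@` hunk is still wrong: the sysctl key is `net.ipv4.ip_forward`, but the new pattern expects `^net.ipv4.ipv4_forward`, which no line of `/etc/sysctl.conf` or `/etc/sysctl.d` will contain, so under `condition: all` the check fails on every host regardless of its configuration. The grep side already searches for the right key, so only the `r:` side needs correcting: `- 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'`. The same rule is corrected properly for SLES 12 later in this series (the `@@ -624,7 +585,7 @@` hunk of `cis_sles12_linux_rcl.yml`), which this one should mirror.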
From: Cristina Maria Garrido Lopez Date: Mon, 1 Jul 2019 13:35:16 +0200 Subject: [PATCH 158/247] Fix rules about aide and warning banner --- sca/debian/cis_debian8_L1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index d9ca19231..efc1323e1 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -278,7 +278,7 @@ checks: - cis_csc: "3.5, 14.9" condition: all rules: - - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check' + - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+' # 1.4 Secure Boot Settings - id: 11020 @@ -345,7 +345,7 @@ checks: - cis_csc: "13, 5.1" condition: none rules: - - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' + - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' # 2 Services - id: 11025 From 4cd8e40c0e7360b50d4af483cd545667ebf12bfd Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 1 Jul 2019 13:38:50 +0200 Subject: [PATCH 159/247] Fix local warning banner rules --- sca/debian/cis_debian7_L1.yml | 6 +++--- sca/debian/cis_debian9_L1.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml index 4232e9a63..d154a67e1 100644 --- a/sca/debian/cis_debian7_L1.yml +++ b/sca/debian/cis_debian7_L1.yml @@ -1135,9 +1135,9 @@ checks: - cis: "11.2" condition: none rules: - - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' - - 'c:grep (\\v|\\r|\\m|\\s) /etc/motd' - - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue.net' + - 'f:/etc/issue -> r:\v|\r|\m|\s' + - 'f:/etc/motd -> r:\v|\r|\m|\s' + - 'f:/etc/issue.net -> r:\v|\r|\m|\s' # 13 Review User and Group Settings diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml index e101d0948..6117db536 100644 --- a/sca/debian/cis_debian9_L1.yml +++ b/sca/debian/cis_debian9_L1.yml 
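Review bot: The new aide rule in the `@@ -278,7 +278,7 @@` hunk only asserts that `grep -Rh aide` over the cron locations returns some line (`r:\.+`), so a commented-out entry such as `#0 5 * * * /usr/bin/aide --check` or any unrelated line containing the substring passes the check, where the removed `f:/etc/crontab` rule at least required `--check`. Filtering comments and matching the binary path keeps the wider search while retaining the intent: `- 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> !r:^# && r:/usr/bin/aide|/usr/sbin/aide'`. On Debian the aide package's own `/etc/cron.daily` script would presumably still match, which looks like the intended pass case.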
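Review bot: In the `f:/etc/issue -> r:\v|\r|\m|\s|Debian` rule of the `@@ -345,7 +345,7 @@` hunk the pattern is meant to catch the literal agetty escape sequences, but in this rule dialect `\s` is the whitespace class (the file's other rules rely on that, e.g. `\s*\t*`), so with `condition: none` any banner containing a space fails the check; the removed `grep (\\v|\\r|\\m|\\s)` form doubled the backslash. How `\v`, `\r` and `\m` are interpreted is not visible here — confirm whether the dialect passes unknown escapes through or rejects the expression, and either way escape the backslash so the rule matches the two-character sequences in the file, e.g. `r:\\v|\\r|\\m|\\s|Debian` if `\\` is supported. The same construct is introduced in the `cis_debian7_L1.yml` hunk of the next commit (three `f:` rules) and in its `cis_debian9_L1.yml` hunk, and would need the same treatment.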
@@ -319,7 +319,7 @@ checks: - cis_csc: "5.1" condition: none rules: - - 'c:grep (\\v|\\r|\\m|\\s) /etc/issue' + - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' # 2 Services - id: 16023 From e3325cf17d1e4a642b54b60009b4d2a4f7b5dc72 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 1 Jul 2019 14:58:13 +0200 Subject: [PATCH 160/247] Fix rules --- sca/sles/11/cis_sles11_linux_rcl.yml | 4 +- sca/sles/12/cis_sles12_linux_rcl.yml | 65 ++++++---------------------- 2 files changed, 15 insertions(+), 54 deletions(-) diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux_rcl.yml index fc38ddf3a..278ee9518 100644 --- a/sca/sles/11/cis_sles11_linux_rcl.yml +++ b/sca/sles/11/cis_sles11_linux_rcl.yml @@ -266,7 +266,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off" compliance: - - cis: "2.1.2" + - cis: "2.1.2,3.1" - cis_csc: "9.1" condition: none rules: @@ -394,7 +394,7 @@ checks: - 'f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery' - 'f:/etc/ntp.conf -> r:restrict -6 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery' - 'f:/etc/ntp.conf -> r:^server|^pool' - - 'f:/etc/sysconfig/ntpd -> r:NTPD_OPTIONS="-u ntp:ntp"' + - 'f:/etc/sysconfig/ntp -> r:NTPD_OPTIONS= && r:-u && r:ntp:ntp' # 2.2.2 Remove X Windows (Scored) - id: 7029 diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux_rcl.yml index d6416900d..8b25bae97 100644 --- a/sca/sles/12/cis_sles12_linux_rcl.yml +++ b/sca/sles/12/cis_sles12_linux_rcl.yml @@ -65,7 +65,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:mount -> r:\s/tmp\s && r:nousid' + - 'c:mount -> r:\s/tmp\s && r:nosuid' # 1.1.5 /tmp: noexec - id: 7503 
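Review bot: The rewritten `f:/etc/sysconfig/ntp` rule in the `@@ -394,7 +394,7 @@` hunk of `cis_sles11_linux_rcl.yml` splits the option into three independent substring terms (`r:NTPD_OPTIONS=`, `r:-u`, `r:ntp:ntp`) with no comment guard, so a commented-out default such as `#NTPD_OPTIONS="-u ntp:ntp"`, or a `-u` appearing elsewhere on the line, satisfies all three. Anchoring at line start and keeping the flag and its argument together is closer to what is being verified: `- 'f:/etc/sysconfig/ntp -> !r:^# && r:^NTPD_OPTIONS=\.*-u\s*ntp:ntp'`. The path change from `/etc/sysconfig/ntpd` to `/etc/sysconfig/ntp` itself looks right for SLES. The identical rewrite appears in the `@@ -424,10 +385,10 @@` hunk of `cis_sles12_linux_rcl.yml` below and would take the same fix.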
@@ -151,46 +151,6 @@ checks: rules: - 'c:mount -> r:\s/home\s && r:nodev' -# 1.1.18 nodev on removable media partitions (not scored) - - id: 7512 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.18" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/media\s && r:nodev' - -# 1.1.19 nosuid on removable media partitions (not scored) - - id: 7513 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.19" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/media\s && r:nosuid' - -# 1.1.20 noexec on removable media partitions (not scored) - - id: 7514 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
- rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: "1.1.20" - - cis_csc: "8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/media\s && r:noexec' - # 1.1.15 /dev/shm: nodev - id: 7509 title: "Ensure nodev option set on /dev/shm partition" @@ -245,9 +205,9 @@ checks: - cis_csc: "13" condition: all rules: + - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' - 'c:sysctl fs.suid_dumpable -> r:\s0$' - - 'c:ulimit -Hc -> 0' - - 'c:grep -Rh ^\*\s\+hard\s\+core\s\+ /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$' + - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - id: 7517 @@ -260,8 +220,9 @@ checks: - cis_csc: "8.4" condition: all rules: + - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$' - 'c:sysctl kernel.randomize_va_space -> r:\s2$|\t2$' - - 'c:grep -Rh ^\s*kernel\.randomize_va_space\s\+ /etc/sysctl.conf /etc/sysctl.d -> r:\s2$|\t2$' + ############################################### # 2 OS Services 
@@ -424,10 +385,10 @@ checks: - pci_dss: "2.2.2" condition: all rules: - - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' - - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' + - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery' + - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery' - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$' - - 'f:/etc/sysconfig/ntpd -> r:"NTPD_OPTIONS="-u ntp:ntp"' + - 'f:/etc/sysconfig/ntp -> r:NTPD_OPTIONS= && r:-u && r:ntp:ntp' # 2.2.2 Remove X Windows (Scored) - id: 7530 @@ -624,7 +585,7 @@ checks: condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:\s0$' - - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - id: 7545 @@ -757,7 +718,7 @@ checks: rules: - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:sysctl net.ipv4.conf.default.rp_filter -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s$*1$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' # 3.2.8 Enable TCP SYN Cookies (Scored) 
@@ -772,9 +733,9 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.tcp_syncookies\s*=\s*1$' - - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.tcp_syncookies\s*=\s*1$' - + - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' + - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' + ############################################### # 5 System Access, Authentication and Authorization ############################################### From 3027855e1cf1531ed4b79aa15a3d318eac337997 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 1 Jul 2019 15:30:43 +0200 Subject: [PATCH 161/247] Fix some rules for Debian 8 and 9 L2 --- sca/debian/cis_debian8_L2.yml | 10 +++++----- sca/debian/cis_debian9_L2.yml | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 2ad28688c..87e1be37f 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -121,7 +121,7 @@ checks: - cis_csc: "14.4, 14.6" condition: any rules: - - 'c:dpkg -s selinux -> r:install ok installed' + - 'c:dpkg -s selinux-basics -> r:install ok installed' - 'c:dpkg -s apparmor -> r:install ok installed' # 2 Services 
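Review bot: The new `tcp_syncookies` rule invokes `c:/sbin/sysctl` by absolute path while every other sysctl rule of this file visible in the series (`net.ipv4.ip_forward`, the two `rp_filter` rules) uses bare `c:sysctl`; on a host where the binary is elsewhere the check could fail for reasons unrelated to the kernel setting, and the mix makes the policy harder to audit. Use `- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'` to match its siblings. The hunk also replaces an empty line with a whitespace-only `+ ` line before the section banner, as does the `randomize_va_space` hunk earlier in this file; both should be trimmed.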
@@ -224,7 +224,7 @@ checks: - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S clock_settime && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change' @@ -256,14 +256,14 @@ checks: - cis_csc: "3.6, 5.5" condition: all rules: - - 'f:/etc/audit' + - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S sethostname && r:-S setdomainname && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale' - id: 10516 title: "Ensure events that modify the system's Mandatory Access Controls are collected (SELinux)" 
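Review bot: Replacing `/etc/network` with `/etc/sysconfig/network` in the `system-locale` watch rule of the `@@ -256,14 +256,14 @@` hunk looks like a RHEL path being applied to a Debian policy: on Debian the interface configuration lives under `/etc/network`, which is what the removed rule watched, so an administrator auditing the Debian layout would fail this check. If the benchmark text for this release literally lists `/etc/sysconfig/network`, the rule can accept either form rather than only the non-Debian one: `- 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/network|/etc/sysconfig/network && r:-p wa && r:-k system-locale'`. The `f:/etc/audit` → `d:/etc/audit` correction in the same hunk is right. The same replacement is made in the `@@ -254,14 +254,14 @@` hunk of `cis_debian9_L2.yml` below.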
@@ -303,7 +303,7 @@ checks: compliance: - cis: "4.1.8" - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13" - condition: all&& r: + condition: all rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml index a8a2a2772..f5687bee2 100644 --- a/sca/debian/cis_debian9_L2.yml +++ b/sca/debian/cis_debian9_L2.yml @@ -119,7 +119,7 @@ checks: - cis_csc: "14.6" condition: any rules: - - 'c:dpkg -s selinux -> r:install ok installed' + - 'c:dpkg -s selinux-basics -> r:install ok installed' - 'c:dpkg -s apparmor -> r:install ok installed' # 2 Services @@ -222,7 +222,7 @@ checks: - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S clock_settime && r:-k time-change' - - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-S stime && r:-k time-change' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S adjtimex && r:-S settimeofday && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S clock_settime && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change' 
@@ -254,14 +254,14 @@ checks: - cis_csc: "5.5" condition: all rules: - - 'f:/etc/audit' + - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b32 && r:-S sethostname && r:-S setdomainname && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-a && r:exit,always|always,exit && r:-F arch=b64 && r:-S sethostname && r:-S setdomainname && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue && r:-p wa && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/issue.net && r:-p wa && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale' - - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/network && r:-p wa && r:-k system-locale' + - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale' - id: 16516 title: "Ensure events that modify the system's Mandatory Access Controls are collected (SELinux)" From 75da5db0b1569863c78631cad4df43ecd0719b67 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Mon, 1 Jul 2019 18:26:53 +0200 Subject: [PATCH 162/247] Add support for Amazon Linux 2 --- sca/rhel/7/cis_rhel7_linux_rcl.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux_rcl.yml index de71d7879..13b87856d 100644 --- a/sca/rhel/7/cis_rhel7_linux_rcl.yml +++ b/sca/rhel/7/cis_rhel7_linux_rcl.yml @@ -19,7 +19,7 @@ policy: - https://www.cisecurity.org/cis-benchmarks/ requirements: - title: "Check RHEL7 version" + title: "Check RHEL7 family platform" description: "Requirements for running the policy against RHEL 7 family." condition: any rules: 
@@ -29,6 +29,7 @@ requirements: - 'f:/etc/redhat-release -> r:^Oracle && r:release 7' - 'f:/etc/redhat-release -> r:^Better && r:release 7' - 'f:/etc/redhat-release -> r:^OpenVZ && r:release 7' + - 'f:/etc/system-release -> r:^Amazon && r:release 2' variables: $sshd_file: /etc/ssh/sshd_config From 5a8a8da7ebf7eb4177decc00f12790f9d7bae575 Mon Sep 17 00:00:00 2001 
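Review bot: The new requirement rule `f:/etc/system-release -> r:^Amazon && r:release 2` is an unanchored substring match, so it is also satisfied by first-generation Amazon Linux, whose `/etc/system-release` reads along the lines of `Amazon Linux AMI release 2018.03` (`release 2` matches `release 2018.03`), and that platform would then be scanned with a RHEL 7 policy it does not fit. Anchoring the version keeps the rule to Amazon Linux 2: `- 'f:/etc/system-release -> r:^Amazon Linux release 2$|^Amazon Linux release 2\s'`. The enclosing `requirements` block starts outside the hunk.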
From: JuantAldea Date: Tue, 2 Jul 2019 10:49:04 +0200 Subject: [PATCH 163/247] Remove _rcl from filenames --- sca/applications/{cis_apache2224_rcl.yml => cis_apache2224.yml} | 0 ...{cis_mysql5-6_community_rcl.yml => cis_mysql5-6_community.yml} | 0 ...is_mysql5-6_enterprise_rcl.yml => cis_mysql5-6_enterprise.yml} | 0 sca/debian/{cis_debian_linux_rcl.yml => cis_debian_linux.yml} | 0 sca/rhel/5/{cis_rhel5_linux_rcl.yml => cis_rhel5_linux.yml} | 0 sca/rhel/6/{cis_rhel6_linux_rcl.yml => cis_rhel6_linux.yml} | 0 sca/rhel/7/{cis_rhel7_linux_rcl.yml => cis_rhel7_linux.yml} | 0 sca/sles/11/{cis_sles11_linux_rcl.yml => cis_sles11_linux.yml} | 0 sca/sles/12/{cis_sles12_linux_rcl.yml => cis_sles12_linux.yml} | 0 sca/sunos/{cis_solaris11_rcl.yml => cis_solaris11.yml} | 0 sca/windows/{acsc_office2016_rcl.yml => acsc_office2016.yml} | 0 ...is_win10_enterprise_L1_rcl.yml => cis_win10_enterprise_L1.yml} | 0 ...is_win10_enterprise_L2_rcl.yml => cis_win10_enterprise_L2.yml} | 0 ...{cis_win2012r2_domainL1_rcl.yml => cis_win2012r2_domainL1.yml} | 0 ...{cis_win2012r2_domainL2_rcl.yml => cis_win2012r2_domainL2.yml} | 0 ...{cis_win2012r2_memberL1_rcl.yml => cis_win2012r2_memberL1.yml} | 0 ...{cis_win2012r2_memberL2_rcl.yml => cis_win2012r2_memberL2.yml} | 0 sca/windows/{win_audit_rcl.yml => win_audit.yml} | 0 18 files changed, 0 insertions(+), 0 deletions(-) rename sca/applications/{cis_apache2224_rcl.yml => cis_apache2224.yml} (100%) rename sca/applications/{cis_mysql5-6_community_rcl.yml => cis_mysql5-6_community.yml} (100%) rename sca/applications/{cis_mysql5-6_enterprise_rcl.yml => cis_mysql5-6_enterprise.yml} (100%) rename sca/debian/{cis_debian_linux_rcl.yml => cis_debian_linux.yml} (100%) rename sca/rhel/5/{cis_rhel5_linux_rcl.yml => cis_rhel5_linux.yml} (100%) rename sca/rhel/6/{cis_rhel6_linux_rcl.yml => cis_rhel6_linux.yml} (100%) rename sca/rhel/7/{cis_rhel7_linux_rcl.yml => cis_rhel7_linux.yml} (100%) rename sca/sles/11/{cis_sles11_linux_rcl.yml => cis_sles11_linux.yml} (100%) 
rename sca/sles/12/{cis_sles12_linux_rcl.yml => cis_sles12_linux.yml} (100%) rename sca/sunos/{cis_solaris11_rcl.yml => cis_solaris11.yml} (100%) rename sca/windows/{acsc_office2016_rcl.yml => acsc_office2016.yml} (100%) rename sca/windows/{cis_win10_enterprise_L1_rcl.yml => cis_win10_enterprise_L1.yml} (100%) rename sca/windows/{cis_win10_enterprise_L2_rcl.yml => cis_win10_enterprise_L2.yml} (100%) rename sca/windows/{cis_win2012r2_domainL1_rcl.yml => cis_win2012r2_domainL1.yml} (100%) rename sca/windows/{cis_win2012r2_domainL2_rcl.yml => cis_win2012r2_domainL2.yml} (100%) rename sca/windows/{cis_win2012r2_memberL1_rcl.yml => cis_win2012r2_memberL1.yml} (100%) rename sca/windows/{cis_win2012r2_memberL2_rcl.yml => cis_win2012r2_memberL2.yml} (100%) rename sca/windows/{win_audit_rcl.yml => win_audit.yml} (100%) diff --git a/sca/applications/cis_apache2224_rcl.yml b/sca/applications/cis_apache2224.yml similarity index 100% rename from sca/applications/cis_apache2224_rcl.yml rename to sca/applications/cis_apache2224.yml diff --git a/sca/applications/cis_mysql5-6_community_rcl.yml b/sca/applications/cis_mysql5-6_community.yml similarity index 100% rename from sca/applications/cis_mysql5-6_community_rcl.yml rename to sca/applications/cis_mysql5-6_community.yml diff --git a/sca/applications/cis_mysql5-6_enterprise_rcl.yml b/sca/applications/cis_mysql5-6_enterprise.yml similarity index 100% rename from sca/applications/cis_mysql5-6_enterprise_rcl.yml rename to sca/applications/cis_mysql5-6_enterprise.yml diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux.yml similarity index 100% rename from sca/debian/cis_debian_linux_rcl.yml rename to sca/debian/cis_debian_linux.yml diff --git a/sca/rhel/5/cis_rhel5_linux_rcl.yml b/sca/rhel/5/cis_rhel5_linux.yml similarity index 100% rename from sca/rhel/5/cis_rhel5_linux_rcl.yml rename to sca/rhel/5/cis_rhel5_linux.yml 
diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux.yml
similarity index 100%
rename from sca/rhel/6/cis_rhel6_linux_rcl.yml
rename to sca/rhel/6/cis_rhel6_linux.yml
diff --git a/sca/rhel/7/cis_rhel7_linux_rcl.yml b/sca/rhel/7/cis_rhel7_linux.yml
similarity index 100%
rename from sca/rhel/7/cis_rhel7_linux_rcl.yml
rename to sca/rhel/7/cis_rhel7_linux.yml
diff --git a/sca/sles/11/cis_sles11_linux_rcl.yml b/sca/sles/11/cis_sles11_linux.yml
similarity index 100%
rename from sca/sles/11/cis_sles11_linux_rcl.yml
rename to sca/sles/11/cis_sles11_linux.yml
diff --git a/sca/sles/12/cis_sles12_linux_rcl.yml b/sca/sles/12/cis_sles12_linux.yml
similarity index 100%
rename from sca/sles/12/cis_sles12_linux_rcl.yml
rename to sca/sles/12/cis_sles12_linux.yml
diff --git a/sca/sunos/cis_solaris11_rcl.yml b/sca/sunos/cis_solaris11.yml
similarity index 100%
rename from sca/sunos/cis_solaris11_rcl.yml
rename to sca/sunos/cis_solaris11.yml
diff --git a/sca/windows/acsc_office2016_rcl.yml b/sca/windows/acsc_office2016.yml
similarity index 100%
rename from sca/windows/acsc_office2016_rcl.yml
rename to sca/windows/acsc_office2016.yml
diff --git a/sca/windows/cis_win10_enterprise_L1_rcl.yml b/sca/windows/cis_win10_enterprise_L1.yml
similarity index 100%
rename from sca/windows/cis_win10_enterprise_L1_rcl.yml
rename to sca/windows/cis_win10_enterprise_L1.yml
diff --git a/sca/windows/cis_win10_enterprise_L2_rcl.yml b/sca/windows/cis_win10_enterprise_L2.yml
similarity index 100%
rename from sca/windows/cis_win10_enterprise_L2_rcl.yml
rename to sca/windows/cis_win10_enterprise_L2.yml
diff --git a/sca/windows/cis_win2012r2_domainL1_rcl.yml b/sca/windows/cis_win2012r2_domainL1.yml
similarity index 100%
rename from sca/windows/cis_win2012r2_domainL1_rcl.yml
rename to sca/windows/cis_win2012r2_domainL1.yml
diff --git a/sca/windows/cis_win2012r2_domainL2_rcl.yml b/sca/windows/cis_win2012r2_domainL2.yml
similarity index 100%
rename from sca/windows/cis_win2012r2_domainL2_rcl.yml
rename to sca/windows/cis_win2012r2_domainL2.yml
diff --git a/sca/windows/cis_win2012r2_memberL1_rcl.yml b/sca/windows/cis_win2012r2_memberL1.yml
similarity index 100%
rename from sca/windows/cis_win2012r2_memberL1_rcl.yml
rename to sca/windows/cis_win2012r2_memberL1.yml
diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2.yml
similarity index 100%
rename from sca/windows/cis_win2012r2_memberL2_rcl.yml
rename to sca/windows/cis_win2012r2_memberL2.yml
diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit.yml
similarity index 100%
rename from sca/windows/win_audit_rcl.yml
rename to sca/windows/win_audit.yml
From b6f83776adae42ca511d9f1735a3fcd87b0f55a2 Mon Sep 17 00:00:00 2001
From: JuantAldea Date: Tue, 2 Jul 2019 10:53:25 +0200 Subject: [PATCH 164/247] Correct case on titles --- sca/applications/cis_apache2224.yml | 2 +- sca/applications/cis_mysql5-6_community.yml | 2 +- sca/applications/cis_mysql5-6_enterprise.yml | 2 +- sca/darwin/15/cis_apple_macOS_10.11.yml | 2 +- sca/darwin/16/cis_apple_macOS_10.12.yml | 2 +- sca/darwin/17/cis_apple_macOS_10.13.yml | 2 +- sca/darwin/web_vulnerabilities.yml | 2 +- sca/debian/cis_debian7_L1.yml | 2 +- sca/debian/cis_debian7_L2.yml | 2 +- sca/debian/cis_debian8_L1.yml | 2 +- sca/debian/cis_debian8_L2.yml | 2 +- sca/debian/cis_debian9_L1.yml | 2 +- sca/debian/cis_debian9_L2.yml | 2 +- sca/debian/cis_debian_linux.yml | 2 +- sca/generic/system_audit_pw.yml | 2 +- sca/generic/system_audit_ssh.yml | 2 +- sca/generic/web_vulnerabilities.yml | 2 +- sca/rhel/5/cis_rhel5_linux.yml | 2 +- sca/rhel/6/cis_rhel6_linux.yml | 2 +- sca/rhel/7/cis_rhel7_linux.yml | 2 +- sca/sles/11/cis_sles11_linux.yml | 2 +- sca/sles/12/cis_sles12_linux.yml | 2 +- sca/sunos/cis_solaris11.yml | 2 +- sca/windows/acsc_office2016.yml | 2 +- sca/windows/cis_win10_enterprise_L1.yml | 2 +- sca/windows/cis_win10_enterprise_L2.yml | 2 +- sca/windows/cis_win2012r2_domainL1.yml | 2 +- sca/windows/cis_win2012r2_domainL2.yml | 2 +- sca/windows/cis_win2012r2_memberL1.yml | 2 +- sca/windows/cis_win2012r2_memberL2.yml | 2 +- sca/windows/win_audit.yml | 2 +- 31 files changed, 31 insertions(+), 31 deletions(-) diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index b8d4c57a2..c6054d8e8 100644 --- a/sca/applications/cis_apache2224.yml +++ b/sca/applications/cis_apache2224.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for Apache # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml index 483bfcb98..cae172d81 100644 --- a/sca/applications/cis_mysql5-6_community.yml 
+++ b/sca/applications/cis_mysql5-6_community.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for Oracle MySQL Community Edition 5.6 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml index d045e1d8b..2e73e139d 100644 --- a/sca/applications/cis_mysql5-6_enterprise.yml +++ b/sca/applications/cis_mysql5-6_enterprise.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for Oracle MySQL Entreprise Edition 5.6 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index e5cd8b3ab..93ab41f4e 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for MacOS 10.11 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index 4900134d0..dbd8f9e4a 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for MacOS 10.12 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index 4b4cb7e4e..c98b175f8 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for MacOS 10.13 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml index 488455e07..8ee1825c7 100644 --- a/sca/darwin/web_vulnerabilities.yml +++ b/sca/darwin/web_vulnerabilities.yml 
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Checks for auditing Mac systems
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index d154a67e1..faff7db87 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Level 1 CIS Checks for Debian Linux 7
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml
index 887b14e21..40872af96 100644
--- a/sca/debian/cis_debian7_L2.yml
+++ b/sca/debian/cis_debian7_L2.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Level 2 CIS Checks for Debian Linux 7
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index efc1323e1..39c6a4f8d 100644
--- a/sca/debian/cis_debian8_L1.yml
+++ b/sca/debian/cis_debian8_L1.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Level 1 CIS Checks for Debian Linux 8
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml
index 87e1be37f..6e2fd9789 100644
--- a/sca/debian/cis_debian8_L2.yml
+++ b/sca/debian/cis_debian8_L2.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Level 2 CIS Checks for Debian Linux 8
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index 6117db536..18ee27a8e 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Level 1 CIS Checks for Debian Linux 9
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml
index f5687bee2..9501b731b 100644
--- a/sca/debian/cis_debian9_L2.yml
+++ b/sca/debian/cis_debian9_L2.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Level 2 CIS Checks for Debian Linux 9
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/debian/cis_debian_linux.yml b/sca/debian/cis_debian_linux.yml
index cfe4d99c9..17d5a2713 100644
--- a/sca/debian/cis_debian_linux.yml
+++ b/sca/debian/cis_debian_linux.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for Debian/Ubuntu
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml
index 15b601fe5..589383e99 100644
--- a/sca/generic/system_audit_pw.yml
+++ b/sca/generic/system_audit_pw.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Checks for Password Security on Linux Systems
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
index ee36e376c..5024bbe57 100644
--- a/sca/generic/system_audit_ssh.yml
+++ b/sca/generic/system_audit_ssh.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Checks for SSH hardening
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/generic/web_vulnerabilities.yml b/sca/generic/web_vulnerabilities.yml
index aa57f201f..156801d8d 100644
--- a/sca/generic/web_vulnerabilities.yml
+++ b/sca/generic/web_vulnerabilities.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Checks for auditing Linux systems
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml
index 89d2a03e8..45d3ebe6a 100644
--- a/sca/rhel/5/cis_rhel5_linux.yml
+++ b/sca/rhel/5/cis_rhel5_linux.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for RHEL 5
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml
index 7da6d99e2..1779764a0 100644
--- a/sca/rhel/6/cis_rhel6_linux.yml
+++ b/sca/rhel/6/cis_rhel6_linux.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for RHEL 6
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml
index 13b87856d..f4eab81df 100644
--- a/sca/rhel/7/cis_rhel7_linux.yml
+++ b/sca/rhel/7/cis_rhel7_linux.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for RHEL 7
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml
index 278ee9518..43ae4141b 100644
--- a/sca/sles/11/cis_sles11_linux.yml
+++ b/sca/sles/11/cis_sles11_linux.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for SUSE SLES 11
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml
index 8b25bae97..4a585f649 100644
--- a/sca/sles/12/cis_sles12_linux.yml
+++ b/sca/sles/12/cis_sles12_linux.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for SUSE SLES 12
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 4428214b7..a88dfac6b 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for Oracle Solaris 11
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml
index 81b215e13..468506db3 100644
--- a/sca/windows/acsc_office2016.yml
+++ b/sca/windows/acsc_office2016.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # Checks for Microsoft Office 2016
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index e3a41848d..53ec511fd 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for Windows 10 Enterprise L1
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index 480c9e920..b48df4fea 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for Windows 10 Enterprise L2
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index a5824a6c5..0ba1eddac 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for Windows 2012 R2 Domain Controller L1
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index efe34aa3b..70682e0a0 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -1,4 +1,4 @@
-# Security Configuration assessment
+# Security Configuration Assessment
 # CIS Checks for Windows Server 2012 R2 Domain Controller L2
 # Copyright (C) 2015-2019, Wazuh Inc.
 #
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index a35b0ff62..f62ac2f95 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for Windows 2012 R2 Member Server L1 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml index 1c448538c..5057ea7e7 100644 --- a/sca/windows/cis_win2012r2_memberL2.yml +++ b/sca/windows/cis_win2012r2_memberL2.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # CIS Checks for Windows 2012 R2 Member Server L2 # Copyright (C) 2015-2019, Wazuh Inc. # diff --git a/sca/windows/win_audit.yml b/sca/windows/win_audit.yml index 1d175a546..b0b6fe584 100644 --- a/sca/windows/win_audit.yml +++ b/sca/windows/win_audit.yml @@ -1,4 +1,4 @@ -# Security Configuration assessment +# Security Configuration Assessment # Checks for Windows audit # Copyright (C) 2015-2019, Wazuh Inc. # From e5d9efd7b5c0457a3ab24c2846d466dde6b16a94 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 2 Jul 2019 10:54:51 +0200 Subject: [PATCH 165/247] Remove _rcl from files --- sca/applications/cis_apache2224.yml | 2 +- sca/applications/cis_mysql5-6_enterprise.yml | 2 +- sca/debian/cis_debian_linux.yml | 2 +- sca/rhel/5/cis_rhel5_linux.yml | 2 +- sca/rhel/6/cis_rhel6_linux.yml | 2 +- sca/rhel/7/cis_rhel7_linux.yml | 2 +- sca/sles/11/cis_sles11_linux.yml | 2 +- sca/sles/12/cis_sles12_linux.yml | 2 +- sca/sunos/cis_solaris11.yml | 2 +- sca/windows/acsc_office2016.yml | 2 +- sca/windows/cis_win10_enterprise_L1.yml | 2 +- sca/windows/cis_win10_enterprise_L2.yml | 2 +- sca/windows/cis_win2012r2_domainL1.yml | 2 +- sca/windows/cis_win2012r2_domainL2.yml | 2 +- sca/windows/cis_win2012r2_memberL1.yml | 2 +- sca/windows/cis_win2012r2_memberL2.yml | 2 +- sca/windows/win_audit.yml | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) 
diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index c6054d8e8..7f9107681 100644 --- a/sca/applications/cis_apache2224.yml +++ b/sca/applications/cis_apache2224.yml @@ -13,7 +13,7 @@ policy: id: "cis_apache" - file: "cis_apache2224_rcl.yml" + file: "cis_apache2224.yml" name: "CIS Apache HTTP Server 2.2/2.4 Benchmark" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.2 and 2.4 running on Linux." references: diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml index 2e73e139d..e3bf9be80 100644 --- a/sca/applications/cis_mysql5-6_enterprise.yml +++ b/sca/applications/cis_mysql5-6_enterprise.yml @@ -12,7 +12,7 @@ policy: id: "cis_mysql_enterprise" - file: "cis_mysql5-6_enterprise_rcl.yml" + file: "cis_mysql5-6_enterprise.yml" name: "CIS benchmark for Oracle MySQL Enterprise 5.6" description: "This document, CIS Oracle MySQL Enterprise Edition 5.6 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MySQL Enterprise Edition 5.6. The tests were carried out against MySQL Enterprise Edition 5.6 running on Ubuntu Linux 14.04, but applies to other linux distributions as well." references: diff --git a/sca/debian/cis_debian_linux.yml b/sca/debian/cis_debian_linux.yml index 17d5a2713..408409b2f 100644 --- a/sca/debian/cis_debian_linux.yml +++ b/sca/debian/cis_debian_linux.yml 
@@ -14,7 +14,7 @@ policy: id: "cis_debian" - file: "cis_debian_linux_rcl.yml" + file: "cis_debian_linux.yml" name: "CIS benchmark for Debian/Linux" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux systems running on x86 and x64 platforms. Many lists are included including filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions and additional similar items may exist which should be considered in addition to those explicitly mentioned." references: diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml index 45d3ebe6a..9745a648f 100644 --- a/sca/rhel/5/cis_rhel5_linux.yml +++ b/sca/rhel/5/cis_rhel5_linux.yml @@ -12,7 +12,7 @@ policy: id: "cis_rhel5" - file: "cis_rhel5_linux_rcl.yml" + file: "cis_rhel5_linux.yml" name: "CIS Benchmark for Red Hat Enterprise Linux 5" description: "This document, Security Configuration Benchmark for Red Hat Enterprise Linux 5 provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux (RHEL) versions 5.0 - 5.11 running on x86 platforms." references: diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index 1779764a0..93bc78557 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -12,7 +12,7 @@ policy: id: "cis_rhel6" - file: "cis_rhel6_linux_rcl.yml" + file: "cis_rhel6_linux.yml" name: "CIS Benchmark for Red Hat Enterprise Linux 6" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 6 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 6.9." references: diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml index f4eab81df..82eebedaa 100644 --- a/sca/rhel/7/cis_rhel7_linux.yml +++ b/sca/rhel/7/cis_rhel7_linux.yml 
@@ -12,7 +12,7 @@ policy: id: "cis_rhel7" - file: "cis_rhel7_linux_rcl.yml" + file: "cis_rhel7_linux.yml" name: "CIS Benchmark for Red Hat Enterprise Linux 7" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Red Hat Enterprise Linux 7 systems running on x86 and x64 platforms. This document was tested against Red Hat Enterprise Linux 7.4." references: diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml index 43ae4141b..4359ad8e4 100644 --- a/sca/sles/11/cis_sles11_linux.yml +++ b/sca/sles/11/cis_sles11_linux.yml @@ -12,7 +12,7 @@ policy: id: "cis_sles11_linux" - file: "cis_sles11_linux_rcl.yml" + file: "cis_sles11_linux.yml" name: "CIS SUSE Linux Enterprise 11 Benchmark" description: "This document provides prescriptive guidance for establishing a secure configuration posture for SUSE Linux Enterprise 11 systems running on x86 and x64 platforms. This document was tested against SUSE Linux Enterprise Server 11 SP4." references: diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml index 4a585f649..20156b0af 100644 --- a/sca/sles/12/cis_sles12_linux.yml +++ b/sca/sles/12/cis_sles12_linux.yml @@ -12,7 +12,7 @@ policy: id: "cis_sles12_linux" - file: "cis_sles12_linux_rcl.yml" + file: "cis_sles12_linux.yml" name: "CIS SUSE Linux Enterprise 12 Benchmark" description: "This document provides prescriptive guidance for establishing a secure configuration posture for SUSE Linux Enterprise 12 systems running on x86 and x64 platforms. This document was tested against SUSE Linux Enterprise Server 12 SP3." references: diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index a88dfac6b..89161716a 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml 
@@ -12,7 +12,7 @@ policy: id: "cis_solaris11" - file: "cis_solaris11_rcl.yml" + file: "cis_solaris11.yml" name: "CIS benchmark for Oracle Solaris 11" description: "This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates." references: diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml index 468506db3..a8fc522f6 100644 --- a/sca/windows/acsc_office2016.yml +++ b/sca/windows/acsc_office2016.yml @@ -13,7 +13,7 @@ policy: id: "acsc_office2016" - file: "acsc_office2016_rcl.yml" + file: "acsc_office2016.yml" name: "System audit for Office 2016 vulnerabilities" description: "Guidance for establishing a secure configuration for Office 2016 vulnerabilities." references: diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index 53ec511fd..8584b3741 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml @@ -12,7 +12,7 @@ policy: id: "cis_win10_enterprise_L1" - file: "cis_win10_enterprise_L1_rcl.yml" + file: "cis_win10_enterprise_L1.yml" name: "CIS benchmark for Windows 10 Enterprise (Release 1803)" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows (L1)." references: diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml index b48df4fea..64e91932f 100644 --- a/sca/windows/cis_win10_enterprise_L2.yml +++ b/sca/windows/cis_win10_enterprise_L2.yml 
@@ -12,7 +12,7 @@ policy: id: "cis_win10_enterprise_L2" - file: "cis_win10_enterprise_L2_rcl.yml" + file: "cis_win10_enterprise_L2.yml" name: "CIS benchmark for Windows 10 Enterprise (Release 1803)" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows (L2)." references: diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml index 0ba1eddac..f0f08703f 100644 --- a/sca/windows/cis_win2012r2_domainL1.yml +++ b/sca/windows/cis_win2012r2_domainL1.yml @@ -14,7 +14,7 @@ policy: id: "cis_win2012r2_domainL1" - file: "cis_win2012r2_domainL1_rcl.yml" + file: "cis_win2012r2_domainL1.yml" name: "CIS benchmark for Windows 2012 R2 Domain Controller L1" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2012 R2." references: diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml index 70682e0a0..6f4565287 100644 --- a/sca/windows/cis_win2012r2_domainL2.yml +++ b/sca/windows/cis_win2012r2_domainL2.yml @@ -14,7 +14,7 @@ policy: id: "cis_win2012r2_domainL2" - file: "cis_win2012r2_domainL2_rcl.yml" + file: "cis_win2012r2_domainL2.yml" name: "CIS benchmark for Windows 2012 R2 Domain Controller L2" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2012 R2." references: diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index f62ac2f95..0a510094d 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml 
@@ -14,7 +14,7 @@ policy: id: "cis_win2012r2_memberL1" - file: "cis_win2012r2_memberL1_rcl.yml" + file: "cis_win2012r2_memberL1.yml" name: "CIS benchmark for Windows 2012 R2 Member Server L1" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2012 R2." references: diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml index 5057ea7e7..b1a7d4e94 100644 --- a/sca/windows/cis_win2012r2_memberL2.yml +++ b/sca/windows/cis_win2012r2_memberL2.yml @@ -11,7 +11,7 @@ policy: id: "cis_win2012r2_memberL2" - file: "cis_win2012r2_memberL2_rcl.yml" + file: "cis_win2012r2_memberL2.yml" name: "CIS benchmark for Windows 2012 R2 Member Server L2" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows Server 2012 R2." references: diff --git a/sca/windows/win_audit.yml b/sca/windows/win_audit.yml index b0b6fe584..c0d802f2d 100644 --- a/sca/windows/win_audit.yml +++ b/sca/windows/win_audit.yml @@ -10,7 +10,7 @@ policy: id: "win_audit" - file: "win_audit_rcl.yml" + file: "win_audit.yml" name: "Benchmark for Windows audit" description: "This document provides a way of ensuring the security of the Windows systems." From 85ff277c9419173e7933a35ed7e026d95124d570 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 2 Jul 2019 11:02:41 +0200 Subject: [PATCH 166/247] Remove darwin/web_vulnerabilities.yml --- sca/darwin/web_vulnerabilities.yml | 145 ----------------------------- 1 file changed, 145 deletions(-) delete mode 100644 sca/darwin/web_vulnerabilities.yml diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml deleted file mode 100644 index 8ee1825c7..000000000 --- a/sca/darwin/web_vulnerabilities.yml +++ /dev/null 
@@ -1,145 +0,0 @@ -# Security Configuration Assessment -# Checks for auditing Mac systems -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation - -policy: - id: "web_vulnerabilities_mac" - file: "web_vulnerabilities.yml" - name: "System audit for web-related vulnerabilities" - description: "Guidance for establishing a secure configuration for web-related vulnerabilities." - -variables: - $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini - $web_dirs: /Library/WebServer/Documents,/usr/htdocs,/usr/local/var/htdocs,/usr/local/var/www - - -# PHP checks -checks: - - id: 2000 - title: "PHP - Register globals are enabled" - condition: any - rules: - - 'f:$php.ini -> r:^register_globals = On' - - id: 2001 - title: "PHP - Expose PHP is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^expose_php = On' - - id: 2002 - title: "PHP - Allow URL fopen is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^allow_url_fopen = On' - - id: 2003 - title: "PHP - Displaying of errors is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^display_errors = On' -# WEB checks - - id: 2004 - title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^.yop$' - - id: 2005 - title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^id$' - - id: 2006 - title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^.ssh$' - - id: 2007 - title: "Web 
exploits: '...' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^...$' - - id: 2008 - title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^.shell$' -# Outdated Web applications - - id: 2009 - title: "Web vulnerability - Outdated WordPress installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2''' - - id: 2010 - title: "Web vulnerability - Outdated Joomla installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8''' - - id: 2011 - title: "Web vulnerability - Outdated osCommerce (v2.2) installation" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;" -# Known backdoors - - id: 2012 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' - - id: 2013 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - condition: any - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' - - id: 2014 - title: "Web vulnerability - .htaccess file compromised" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - references: - - 
https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' - - id: 2015 - title: "Web vulnerability - .htaccess file compromised - auto append" - compliance: - - pci_dss: "6.5, 6.6, 11.4" - - nist_800_53: "SA.11, IA.10" - references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file' From 0fec9c9e1b853c8f0ab99715e2c76c04b4c14413 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 2 Jul 2019 11:05:07 +0200 Subject: [PATCH 167/247] Move web_vulnerabilities.yml to applications --- sca/{generic => applications}/web_vulnerabilities.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename sca/{generic => applications}/web_vulnerabilities.yml (100%) diff --git a/sca/generic/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml similarity index 100% rename from sca/generic/web_vulnerabilities.yml rename to sca/applications/web_vulnerabilities.yml From 76f8ea7c2295695b761d062a33dd0f9e1ec3bf09 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Tue, 2 Jul 2019 12:05:54 +0200 Subject: [PATCH 168/247] Add support for Amazon Linux 1 (AMI) --- sca/rhel/6/cis_rhel6_linux.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index 93bc78557..c58a45bb0 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -28,6 +28,7 @@ requirements: - 'f:/etc/redhat-release -> r:^Cloud && r:release 6' - 'f:/etc/redhat-release -> r:^Oracle && r:release 6' - 'f:/etc/redhat-release -> r:^Better && r:release 6' + - 'f:/etc/system-release -> r:^Amazon Linux AMI' variables: $sshd_file: /etc/ssh/sshd_config From 0a0bd21f73543a1204157877a8dfb5f513361dd7 Mon Sep 17 00:00:00 2001 
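Review bot: The new requirement rule `- 'f:/etc/system-release -> r:^Amazon Linux AMI'` pins no release number, whereas every neighbouring /etc/redhat-release rule in the same list requires `release 6`, so any future /etc/system-release string beginning with that prefix would select this RHEL 6 policy. If that is deliberate because Amazon Linux 1 (AMI) releases are all meant to be evaluated against these RHEL 6 checks, a comment above the rule would save the next reader from wondering, e.g. `# Amazon Linux 1 (AMI) is evaluated with the RHEL 6 checks; any AMI release string is accepted on purpose`. The `condition` that combines these requirement rules sits outside the hunk, so whether one matching rule is enough to enable the policy cannot be confirmed from here.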
From: Cristina Maria Garrido Lopez Date: Tue, 2 Jul 2019 12:24:05 +0200 Subject: [PATCH 169/247] Remove cis_debian_linux policy --- sca/debian/cis_debian8_L1.yml | 187 +++++++----- sca/debian/cis_debian9_L1.yml | 189 +++++++----- sca/debian/cis_debian_linux.yml | 517 -------------------------------- 3 files changed, 229 insertions(+), 664 deletions(-) delete mode 100644 sca/debian/cis_debian_linux.yml diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 39c6a4f8d..bad2e62a3 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml 
@@ -347,8 +347,23 @@ checks: rules: - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' + - id: 11025 + title: "Ensure GDM login banner is configured" + description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." + remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'" + compliance: + - cis_csc: "5.1" + - cis: "1.7.2" + - pci_dss: "2.2.2" + condition: all + rules: + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' + # 2 Services - - id: 11025 + - id: 11026 title: "Ensure xinetd is not installed" description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled." @@ -360,7 +375,7 @@ checks: rules: - 'c:dpkg -s xinetd -> r:install ok installed' - - id: 11026 + - id: 11027 title: "Ensure inetd is not installed" description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no inetd services required, it is recommended that the daemon be removed." 
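Review bot: Inserting the GDM banner check as id 11025 shifts every subsequent check id by one (11025→11026 here, and on through 11036→11037 in the later hunks of this file), so any stored results, dashboards or alert rules keyed on the numeric check id would now point at a different control; appending the new check under a fresh id at the end of the file would avoid that, if id stability matters to consumers of this policy. The first rule, `r:^[org/gnome/login-screen]`, also relies on `[` and `]` being literal in the SCA regex dialect — in a PCRE-style engine it would be a character class matching any line that starts with one of those characters — so it is worth confirming against the engine and recording the assumption with a comment such as `# [ and ] are literal here (no character classes in the SCA regex syntax) — confirm`. The renumbering hunks that follow make the same id change and need no separate note.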
@@ -373,7 +388,7 @@ checks: - 'c:dpkg -s openbsd-inetd -> r:install ok installed' - 'c:dpkg -s inetutils-inetd -> r:install ok installed' - - id: 11027 + - id: 11028 title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." @@ -391,7 +406,7 @@ checks: - 'f:/etc/ntp.conf -> r:^server\s\.+' - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' - - id: 11028 + - id: 11029 title: "Ensure chrony is configured" description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server." rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system." 
@@ -403,7 +418,7 @@ checks: rules: - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' - - id: 11029 + - id: 11030 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface." @@ -415,7 +430,7 @@ checks: rules: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' - - id: 11030 + - id: 11031 title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." @@ -429,7 +444,7 @@ checks: rules: - 'c:systemctl is-enabled cups -> r:^enabled' - - id: 11031 + - id: 11032 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." 
@@ -444,7 +459,7 @@ checks:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
 - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled'
 
- - id: 11032
+ - id: 11033
 title: "Ensure LDAP server is not enabled"
 description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
@@ -458,7 +473,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled slapd -> r:^enabled'
 
- - id: 11033
+ - id: 11034
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -471,7 +486,7 @@ checks:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
 - 'c:systemctl is-enabled rpcbind -> r:^enabled'
 
- - id: 11034
+ - id: 11035
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -483,7 +498,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
 
- - id: 11035
+ - id: 11036
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -495,7 +510,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
 
- - id: 11036
+ - id: 11037
 title: "Ensure HTTP Server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -507,7 +522,20 @@ checks:
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
 
- - id: 11037
+ - id: 11038
+ title: "Ensure IMAP and POP3 server is not enabled"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.11"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'c:dpkg -s exim4 -> install ok installed'
+
+ - id: 11039
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -519,7 +547,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
 
- - id: 11038
+ - id: 11040
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
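Review bot: The rule added for check 11038, `- 'c:dpkg -s exim4 -> install ok installed'`, is missing the `r:` prefix that every other package rule in this file carries (`'c:dpkg -s nis -> r:install ok installed'`, `'c:dpkg -s openbsd-inetd -> r:install ok installed'`); if the engine does not treat a bare expression as a match, the rule never fires and, under `condition: none`, the check passes whether or not exim4 is installed — it should read `- 'c:dpkg -s exim4 -> r:install ok installed'`. The title and description also do not fit the package being tested: exim4 is a mail transfer agent (SMTP), not an IMAP/POP3 server, so either the text should describe what is actually checked or the rule should target the IMAP/POP3 daemon that the cited CIS 2.2.11 control covers (typically dovecot on Debian-derived systems) — worth confirming against the benchmark. Inserting 11038 mid-sequence also renumbers every later check in this file (the remaining hunks here); any consumer that keys stored results or exceptions on check id will now see them pointing at different controls, which appending new ids at the end of the range would avoid.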
@@ -531,7 +559,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
 
- - id: 11039
+ - id: 11041
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
@@ -543,7 +571,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
 
- - id: 11040
+ - id: 11042
 title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -555,7 +583,20 @@ checks:
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
 
- - id: 11041
+ - id: 11043
+ title: "Ensure NIS Server is not enabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable nis: # systemctl disable nis"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.17"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled nis -> r:^enabled'
+
+ - id: 11044
 title: "Ensure NIS Client is not installed"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
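Review bot: The description and rationale added for check 11043 carry wording defects that the sibling 11044 text already avoids: `(formally known as Yellow Pages)` should be `(formerly known as Yellow Pages)`, `NIS generally been replaced` should be `NIS generally has been replaced`, and the rationale ends without a period unlike the neighbouring ones. Since 11043 tests `systemctl is-enabled nis` while 11044 tests `dpkg -s nis`, the two checks refer to the same `nis` name from two angles (service enablement versus package presence); a short sentence in 11043's description saying it covers the server unit rather than the package would keep readers from reporting the pair as duplicates. Check 11044's remaining fields lie outside this hunk.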
@@ -567,7 +608,7 @@ checks:
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
 
- - id: 11042
+ - id: 11045
 title: "Ensure rsh client is not installed"
 description: "The rshpackage contains the client commands for the rsh services."
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
@@ -580,7 +621,7 @@ checks:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
 - 'c:dpkg -s rsh-redone-client -> r:install ok installed'
 
- - id: 11043
+ - id: 11046
 title: "Ensure talk client is not installed"
 description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -592,7 +633,7 @@ checks:
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
 
- - id: 11044
+ - id: 11047
 title: "Ensure telnet client is not installed"
 description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
@@ -605,7 +646,7 @@ checks: - 'c:dpkg -s telnet -> r:install ok installed' # 3 Network Configuration - - id: 11045 + - id: 11048 title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not." rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -620,7 +661,7 @@ checks:
 - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
 
- - id: 11046
+ - id: 11049
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -635,7 +676,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
 
- - id: 11047
+ - id: 11050
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -654,7 +695,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
 
- - id: 11048
+ - id: 11051
 title: "Ensure ICMP redirects are not accepted"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -673,7 +714,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
 
- - id: 11049
+ - id: 11052
 title: "Ensure secure ICMP redirects are not accepted"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -688,7 +729,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
 
- - id: 11050
+ - id: 11053
 title: "Ensure suspicious packets are logged"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -703,7 +744,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
 
- - id: 11051
+ - id: 11054
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -716,7 +757,7 @@ checks:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
 
- - id: 11052
+ - id: 11055
 title: "Ensure bogus ICMP responses are ignored"
 description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -729,7 +770,7 @@ checks:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 
- - id: 11053
+ - id: 11056
 title: "Ensure Reverse Path Filtering is enabled"
 description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
 rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
@@ -744,7 +785,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 
- - id: 11054
+ - id: 11057
 title: "Ensure TCP SYN Cookies is enabled"
 description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -757,7 +798,7 @@ checks:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
 
- - id: 11055
+ - id: 11058
 title: "Ensure IPv6 router advertisements are not accepted"
 description: "This setting disables the systems ability to accept router advertisements"
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
@@ -772,7 +813,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
 
- - id: 11056
+ - id: 11059
 title: "Ensure /etc/hosts.allow is configured"
 description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
@@ -784,7 +825,7 @@ checks:
 rules:
 - 'f:/etc/hosts.allow'
 
- - id: 11057
+ - id: 11060
 title: "Ensure /etc/hosts.deny is configured"
 description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
@@ -797,7 +838,7 @@ checks:
 - 'f:/etc/hosts.deny'
 - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
 
- - id: 11058
+ - id: 11061
 title: "Ensure DCCP is disabled"
 description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
@@ -810,7 +851,7 @@ checks:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
 - 'c:lsmod -> r:dccp'
 
- - id: 11059
+ - id: 11062
 title: "Ensure SCTP is disabled"
 description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -823,7 +864,7 @@ checks:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
 - 'c:lsmod -> r:sctp'
 
- - id: 11060
+ - id: 11063
 title: "Ensure RDS is disabled"
 description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -836,7 +877,7 @@ checks:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
 - 'c:lsmod -> r:rds'
 
- - id: 11061
+ - id: 11064
 title: "Ensure TIPC is disabled"
 description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -851,7 +892,7 @@ checks: # 3.5 Firewall configuration - - id: 11062 + - id: 11065 title: "Ensure default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
@@ -865,7 +906,7 @@ checks:
 - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP'
 - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP'
 
- - id: 11063
+ - id: 11066
 title: "Ensure IPv6 default deny firewall policy"
 description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
@@ -879,7 +920,7 @@ checks:
 - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP'
 - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP'
 
- - id: 11064
+ - id: 11067
 title: "Ensure iptables is installed"
 description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables."
 rationale: "iptables is required for firewall management and configuration."
@@ -892,7 +933,7 @@ checks: - 'c:dpkg -s iptables -> r:install ok installed' # 4 Logging and Auditing - - id: 11065 + - id: 11068 title: "Ensure rsyslog Service is enabled" description: "Once the rsyslog package is installed it needs to be activated." rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
@@ -904,7 +945,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled rsyslog -> r:^enabled'
 
- - id: 11066
+ - id: 11069
 title: "Ensure rsyslog is configured to send logs to a remote log host"
 description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
@@ -918,7 +959,7 @@ checks:
 rules:
 - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
 
- - id: 11067
+ - id: 11070
 title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
 description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
@@ -934,7 +975,7 @@ checks: - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514' # 5 Access, Authentication and Authorization - - id: 11068 + - id: 11071 title: "Ensure cron daemon is enabled" description: "The cron daemon is used to execute batch jobs on the system." rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
@@ -946,7 +987,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled cron -> r:^enabled$'
 
- - id: 11069
+ - id: 11072
 title: "Ensure at/cron is restricted to authorized users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
@@ -963,7 +1004,7 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
 
- - id: 11070
+ - id: 11073
 title: "Ensure permissions on /etc/ssh/sshd_config are configured"
 description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
 rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
@@ -975,7 +1016,7 @@ checks:
 rules:
 - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
 
- - id: 11071
+ - id: 11074
 title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -987,7 +1028,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
 
- - id: 11072
+ - id: 11075
 title: "Ensure SSH LogLevel is appropriate"
 description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
@@ -1001,7 +1042,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
 
- - id: 11073
+ - id: 11076
 title: "Ensure SSH X11 forwarding is disabled"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
@@ -1013,7 +1054,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
 
- - id: 11074
+ - id: 11077
 title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -1025,7 +1066,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 
- - id: 11075
+ - id: 11078
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -1037,7 +1078,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
 
- - id: 11076
+ - id: 11079
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -1049,7 +1090,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
 
- - id: 11077
+ - id: 11080
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
@@ -1063,7 +1104,7 @@ checks: # 5.2 SSH Server Configuration - - id: 11078 + - id: 11081 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -1075,7 +1116,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
- - id: 11079
+ - id: 11082
 title: "Ensure SSH PermitUserEnvironment is disabled"
 description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
@@ -1087,7 +1128,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
- - id: 11080
+ - id: 11083
 title: "Ensure SSH Idle Timeout Interval is configured"
 description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
@@ -1100,7 +1141,7 @@ checks:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
- - id: 11081
+ - id: 11084
 title: "Ensure SSH access is limited"
 description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
@@ -1112,7 +1153,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
- - id: 11082
+ - id: 11085
 title: "Ensure SSH warning banner is configured"
 description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
@@ -1126,7 +1167,7 @@ checks:
 # 5.3 Configure PAM
- - id: 11083
+ - id: 11086
 title: "Ensure password creation requirements are configured"
 description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -1144,7 +1185,7 @@ checks:
 - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit'
 - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit'
- - id: 11084
+ - id: 11087
 title: "Ensure lockout for failed password attempts is configured"
 description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
 rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
@@ -1156,7 +1197,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
- - id: 11085
+ - id: 11088
 title: "Ensure password reuse is limited"
 description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
@@ -1170,7 +1211,7 @@ checks:
 # 5.4 User Accounts and Environment
- - id: 11086
+ - id: 11089
 title: "Ensure password expiration is 365 days or less"
 description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
@@ -1182,7 +1223,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
- - id: 11087
+ - id: 11090
 title: "Ensure minimum days between password changes is 7 or more"
 description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
@@ -1194,7 +1235,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
- - id: 11088
+ - id: 11091
 title: "Ensure password expiration warning days is 7 or more"
 description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
@@ -1206,7 +1247,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
- - id: 11089
+ - id: 11092
 title: "Ensure inactive password lock is 30 days or less"
 description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
 rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
@@ -1218,7 +1259,7 @@ checks:
 rules:
 - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
- - id: 11090
+ - id: 11093
 title: "Ensure default group for the root account is GID 0"
 description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
 rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
@@ -1230,7 +1271,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
- - id: 11091
+ - id: 11094
 title: "Ensure access to the su command is restricted"
 description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
@@ -1245,7 +1286,7 @@ checks:
 # 6.2 User and Group Settings
- - id: 11092
+ - id: 11095
 title: "Ensure password fields are not empty"
 description: "An account with an empty password field means that anybody may log in as that user without providing a password."
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
@@ -1257,7 +1298,7 @@ checks:
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
- - id: 11093
+ - id: 11096
 title: "Ensure no legacy \"+\" entries exist in /etc/passwd"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1269,7 +1310,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && r:^+:'
- - id: 11094
+ - id: 11097
 title: "Ensure no legacy \"+\" entries exist in /etc/shadow"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1281,7 +1322,7 @@ checks:
 rules:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
- - id: 11095
+ - id: 11098
 title: "Ensure no legacy \"+\" entries exist in /etc/group"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1293,7 +1334,7 @@ checks:
 rules:
 - 'f:/etc/group -> !r:^# && r:^+:'
- - id: 11096
+ - id: 11099
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
@@ -1305,7 +1346,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
- - id: 11097
+ - id: 11100
 title: "Ensure shadow group is empty"
 description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
 rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index 18ee27a8e..e42221a94 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
@@ -321,8 +321,23 @@ checks:
 rules:
 - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian'
+ - id: 16023
+ title: "Ensure GDM login banner is configured"
+ description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+ remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+ compliance:
+ - cis_csc: "5.1"
+ - cis: "1.7.2"
+ - pci_dss: "2.2.2"
+ condition: all
+ rules:
+ - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
+ - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true'
+ - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
+ # 2 Services
- - id: 16023
+ - id: 16024
 title: "Ensure xinetd is not installed"
 description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
 rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
@@ -334,7 +349,7 @@ checks:
 rules:
 - 'c:dpkg -s xinetd -> r:install ok installed'
- - id: 16024
+ - id: 16025
 title: "Ensure openbsd-inetd is not installed"
 description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
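Review bot: The first rule of the new id 16023 check, `r:^[org/gnome/login-screen]`, leaves the square brackets unescaped; in most regex dialects `[...]` is a character class, so the rule would accept any line that merely starts with one of those characters instead of the literal dconf section header. Unless the SCA regex engine treats `[` and `]` literally, escape them: `- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^\[org/gnome/login-screen\]'`. The third rule, `banner-message-text=\.+`, passes on any non-empty value, which matches the benchmark's intent but is worth a short comment above the rule noting that the banner content itself is not validated.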
@@ -347,7 +362,7 @@ checks:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
 - 'c:dpkg -s inetutils-inetd -> r:install ok installed'
- - id: 16025
+ - id: 16026
 title: "Ensure ntp is configured"
 description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
@@ -365,7 +380,7 @@ checks:
 - 'f:/etc/ntp.conf -> r:^server\s\.+'
 - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
- - id: 16026
+ - id: 16027
 title: "Ensure chrony is configured"
 description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
 rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
@@ -377,7 +392,7 @@ checks:
 rules:
 - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
- - id: 16027
+ - id: 16028
 title: "Ensure Avahi Server is not enabled"
 description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
@@ -389,7 +404,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
- - id: 16028
+ - id: 16029
 title: "Ensure CUPS is not enabled"
 description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -403,7 +418,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled cups -> r:^enabled'
- - id: 16029
+ - id: 16030
 title: "Ensure DHCP Server is not enabled"
 description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
@@ -418,7 +433,7 @@ checks:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
 - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled'
- - id: 16030
+ - id: 16031
 title: "Ensure LDAP server is not enabled"
 description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
@@ -432,7 +447,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled slapd -> r:^enabled'
- - id: 16031
+ - id: 16032
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -445,7 +460,7 @@ checks:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
 - 'c:systemctl is-enabled rpcbind -> r:^enabled'
- - id: 16032
+ - id: 16033
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -457,7 +472,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
- - id: 16033
+ - id: 16034
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -469,7 +484,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
- - id: 16034
+ - id: 16035
 title: "Ensure HTTP Server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -481,7 +496,20 @@ checks:
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
- - id: 16035
+ - id: 16036
+ title: "Ensure IMAP and POP3 server is not enabled"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.11"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'c:dpkg -s exim4 -> install ok installed'
+
+ - id: 16037
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -493,7 +521,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
- - id: 16036
+ - id: 16038
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
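Review bot: The only rule of the new id 16036 check, `c:dpkg -s exim4 -> install ok installed`, is missing the `r:` prefix after `->` that every other dpkg rule in this file carries (for example `c:dpkg -s xinetd -> r:install ok installed`), so it is unlikely to be evaluated as the intended regex match; change it to `- 'c:dpkg -s exim4 -> r:install ok installed'`. The title says "not enabled" and the neighbouring service checks test `systemctl is-enabled`, whereas this rule tests whether the package is installed and the remediation removes it, so title, rule and remediation should be aligned one way or the other. The description presenting exim as an IMAP and POP3 server appears to be carried over from the benchmark text; exim4 is conventionally a mail transfer agent, so the wording is worth confirming before it ships.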
@@ -505,7 +533,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
- - id: 16037
+ - id: 16039
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
@@ -517,7 +545,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
- - id: 16038
+ - id: 16040
 title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -529,7 +557,20 @@ checks:
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
- - id: 16039
+ - id: 16041
+ title: "Ensure NIS Server is not enabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable nis: # systemctl disable nis"
+ compliance:
+ - cis_csc: "9.2"
+ - cis: "2.2.17"
+ - pci_dss: "2.2.2"
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled nis -> r:^enabled'
+
+ - id: 16042
 title: "Ensure NIS Client is not installed"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
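Review bot: The rationale of the new id 16041 check reads `NIS generally been replaced by such protocols as ...` and ends without a period, while the adjacent id 16042 client check in the same hunk already has the corrected wording `NIS generally has been replaced ...`; align the new text with it: `NIS has generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used.` The description also says `(formally known as Yellow Pages)` where the client check says `formerly known as`, which is the intended word.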
@@ -541,7 +582,7 @@ checks:
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
- - id: 16040
+ - id: 16043
 title: "Ensure rsh client is not installed"
 description: "The rshpackage contains the client commands for the rsh services."
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
@@ -554,7 +595,7 @@ checks:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
 - 'c:dpkg -s rsh-redone-client -> r:install ok installed'
- - id: 16041
+ - id: 16044
 title: "Ensure talk client is not installed"
 description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -566,7 +607,7 @@ checks:
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
- - id: 16042
+ - id: 16045
 title: "Ensure telnet client is not installed"
 description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
@@ -579,7 +620,7 @@ checks:
 - 'c:dpkg -s telnet -> r:install ok installed'
 # 3 Network Configuration
- - id: 16043
+ - id: 16046
 title: "Ensure IP forwarding is disabled"
 description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -594,7 +635,7 @@ checks:
 - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
- - id: 16044
+ - id: 16047
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -609,7 +650,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
- - id: 16045
+ - id: 16048
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -628,7 +669,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
- - id: 16046
+ - id: 16049
 title: "Ensure ICMP redirects are not accepted"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -647,7 +688,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
- - id: 16047
+ - id: 16050
 title: "Ensure secure ICMP redirects are not accepted"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -662,7 +703,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- - id: 16048
+ - id: 16051
 title: "Ensure suspicious packets are logged"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -677,7 +718,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
- - id: 16049
+ - id: 16052
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -690,7 +731,7 @@ checks: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - - id: 16050 + - id: 16053 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -703,7 +744,7 @@ checks: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' - - id: 16051 + - id: 16054 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. 
@@ -718,7 +759,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - - id: 16052 + - id: 16055 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." 
@@ -731,7 +772,7 @@ checks: - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' - - id: 16053 + - id: 16056 title: "Ensure IPv6 router advertisements are not accepted" description: "This setting disables the systems ability to accept router advertisements" rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." @@ -746,7 +787,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$' - - id: 16054 + - id: 16057 title: "Ensure /etc/hosts.allow is configured" description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system." @@ -758,7 +799,7 @@ checks: rules: - 'f:/etc/hosts.allow' - - id: 16055 + - id: 16058 title: "Ensure /etc/hosts.deny is configured" description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." 
@@ -771,7 +812,7 @@ checks: - 'f:/etc/hosts.deny' - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL' - - id: 16056 + - id: 16059 title: "Ensure DCCP is disabled" description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery." rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." @@ -784,7 +825,7 @@ checks: - 'not c:modprobe -n -v dccp -> r:install /bin/true' - 'c:lsmod -> r:dccp' - - id: 16057 + - id: 16060 title: "Ensure SCTP is disabled" description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -797,7 +838,7 @@ checks: - 'not c:modprobe -n -v sctp -> r:install /bin/true' - 'c:lsmod -> r:sctp' - - id: 16058 + - id: 16061 title: "Ensure RDS is disabled" description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." 
@@ -810,7 +851,7 @@ checks: - 'not c:modprobe -n -v rds -> r:install /bin/true' - 'c:lsmod -> r:rds' - - id: 16059 + - id: 16062 title: "Ensure TIPC is disabled" description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." @@ -825,7 +866,7 @@ checks: # 3.5 Firewall configuration - - id: 16060 + - id: 16063 title: "Ensure default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." @@ -839,7 +880,7 @@ checks: - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP' - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 16061 + - id: 16064 title: "Ensure IPv6 default deny firewall policy" description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected." rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." @@ -853,7 +894,7 @@ checks: - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP' - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP' - - id: 16062 + - id: 16065 title: "Ensure iptables is installed" description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables." rationale: "iptables is required for firewall management and configuration." 
@@ -866,7 +907,7 @@ checks: - 'c:dpkg -s iptables -> r:install ok installed' # 4 Logging and Auditing - - id: 16063 + - id: 16066 title: "Ensure rsyslog Service is enabled" description: "Once the rsyslog package is installed it needs to be activated." rationale: "If the rsyslog service is not activated the system will not have a syslog service running." @@ -878,7 +919,7 @@ checks: rules: - 'c:systemctl is-enabled rsyslog -> r:^enabled' - - id: 16064 + - id: 16067 title: "Ensure rsyslog is configured to send logs to a remote log host" description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system." @@ -892,7 +933,7 @@ checks: rules: - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+' - - id: 16065 + - id: 16068 title: "Ensure remote rsyslog messages are only accepted on designated log hosts" description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." 
@@ -908,7 +949,7 @@ checks: - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514' # 5 Access, Authentication and Authorization - - id: 16066 + - id: 16069 title: "Ensure cron daemon is enabled" description: "The cron daemon is used to execute batch jobs on the system." rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them." @@ -920,7 +961,7 @@ checks: rules: - 'c:systemctl is-enabled cron -> r:^enabled$' - - id: 16067 + - id: 16070 title: "Ensure at/cron is restricted to authorized users" description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs." rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." 
@@ -937,7 +978,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600' - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600' - - id: 16068 + - id: 16071 title: "Ensure permissions on /etc/ssh/sshd_config are configured" description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root." rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users." @@ -949,7 +990,7 @@ checks: rules: - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600' - - id: 16069 + - id: 16072 title: "Ensure SSH Protocol is set to 2" description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." @@ -961,7 +1002,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' - - id: 16070 + - id: 16073 title: "Ensure SSH LogLevel is appropriate" description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments." rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." 
@@ -975,7 +1016,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE' - - id: 16071 + - id: 16074 title: "Ensure SSH X11 forwarding is disabled" description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." @@ -987,7 +1028,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' - - id: 16072 + - id: 16075 title: "Ensure SSH MaxAuthTries is set to 4 or less" description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure." rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." @@ -999,7 +1040,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' - - id: 16073 + - id: 16076 title: "Ensure SSH IgnoreRhosts is enabled" description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication." rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
@@ -1011,7 +1052,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' - - id: 16074 + - id: 16077 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." @@ -1023,7 +1064,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - - id: 16075 + - id: 16078 title: "Ensure SSH root login is disabled" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." @@ -1037,7 +1078,7 @@ checks: # 5.2 SSH Server Configuration - - id: 16076 + - id: 16079 title: "Ensure SSH PermitEmptyPasswords is disabled" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" 
@@ -1049,7 +1090,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' - - id: 16077 + - id: 16080 title: "Ensure SSH PermitUserEnvironment is disabled" description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" @@ -1061,7 +1102,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' - - id: 16078 + - id: 16081 title: "Ensure SSH Idle Timeout Interval is configured" description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." 
@@ -1074,7 +1115,7 @@ checks: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0' - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3' - - id: 16079 + - id: 16082 title: "Ensure SSH access is limited" description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." @@ -1086,7 +1127,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' - - id: 16080 + - id: 16083 title: "Ensure SSH warning banner is configured" description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system." 
@@ -1100,7 +1141,7 @@ checks: # 5.3 Configure PAM - - id: 16081 + - id: 16084 title: "Ensure password creation requirements are configured" description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)" rationale: "Strong passwords protect systems from being hacked through brute force methods." @@ -1110,7 +1151,7 @@ checks: - cis_csc: "4.4" condition: all rules: - - 'c:dpkg -s libpam-cracklib -> install ok installed' + - 'c:dpkg -s libpam-pwquality -> install ok installed' - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*requisite\s*\t*pam_pwquality.so\s*\t*retry=\d' - 'f:/etc/security/pwquality.conf -> !r:^# && n:minlen\s*\t*=\s*\t*(\d+) compare >= 14' - 'f:/etc/security/pwquality.conf -> !r:^# && r:dcredit' 
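Review bot: The new package rule `'c:dpkg -s libpam-pwquality -> install ok installed'` uses a bare pattern after `->`, whereas the sibling dpkg rule in this same policy (`'c:dpkg -s iptables -> r:install ok installed'`, hunk `@@ -866,7 +907,7 @@`) uses the `r:` prefix; writing it as `- 'c:dpkg -s libpam-pwquality -> r:install ok installed'` keeps the rule style consistent across the file. Since the check's `condition: all` now depends on this package name, a one-line comment above the rule noting that the module moved from cracklib to pwquality (the reason for the rename) would help the next maintainer understand why the two differ.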
@@ -1118,7 +1159,7 @@ checks: - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit' - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit' - - id: 16082 + - id: 16085 title: "Ensure lockout for failed password attempts is configured" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site." rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." @@ -1130,7 +1171,7 @@ checks: rules: - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+' - - id: 16083 + - id: 16086 title: "Ensure password reuse is limited" description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords." rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." 
@@ -1144,7 +1185,7 @@ checks: # 5.4 User Accounts and Environment - - id: 16084 + - id: 16087 title: "Ensure password expiration is 365 days or less" description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." @@ -1156,7 +1197,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365' - - id: 16085 + - id: 16088 title: "Ensure minimum days between password changes is 7 or more" description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." 
@@ -1168,7 +1209,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' - - id: 16086 + - id: 16089 title: "Ensure password expiration warning days is 7 or more" description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." @@ -1180,7 +1221,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7' - - id: 16087 + - id: 16090 title: "Ensure inactive password lock is 30 days or less" description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled." rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." @@ -1192,7 +1233,7 @@ checks: rules: - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30' - - id: 16088 + - id: 16091 title: "Ensure default group for the root account is GID 0" description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." 
@@ -1204,7 +1245,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - - id: 16089 + - id: 16092 title: "Ensure access to the su command is restricted" description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su." rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." @@ -1219,7 +1260,7 @@ checks: # 6.2 User and Group Settings - - id: 16090 + - id: 16093 title: "Ensure password fields are not empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password." rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." @@ -1231,7 +1272,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 16091 + - id: 16094 title: "Ensure no legacy \"+\" entries exist in /etc/passwd" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." 
@@ -1243,7 +1284,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:^+:' - - id: 16092 + - id: 16095 title: "Ensure no legacy \"+\" entries exist in /etc/shadow" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1255,7 +1296,7 @@ checks: rules: - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 16093 + - id: 16096 title: "Ensure no legacy \"+\" entries exist in /etc/group" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1267,7 +1308,7 @@ checks: rules: - 'f:/etc/group -> !r:^# && r:^+:' - - id: 16094 + - id: 16097 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." 
@@ -1279,7 +1320,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' - - id: 16095 + - id: 16098 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." diff --git a/sca/debian/cis_debian_linux.yml b/sca/debian/cis_debian_linux.yml deleted file mode 100644 index 408409b2f..000000000 --- a/sca/debian/cis_debian_linux.yml +++ /dev/null 
@@ -1,517 +0,0 @@ -# Security Configuration Assessment -# CIS Checks for Debian/Ubuntu -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation -# -# Based on: -# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 -# Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018 -# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015 - -policy: - id: "cis_debian" - file: "cis_debian_linux.yml" - name: "CIS benchmark for Debian/Linux" - description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux systems running on x86 and x64 platforms. Many lists are included including filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions and additional similar items may exist which should be considered in addition to those explicitly mentioned." - references: - - https://www.cisecurity.org/cis-benchmarks/ - -requirements: - title: "Check Debian version" - description: "Requirements for running the SCA scan against Debian/Ubuntu." - condition: all - rules: - - 'f:/etc/debian_version' - - 'f:/proc/sys/kernel/ostype -> Linux' - -checks: -# Section 1.1 - Filesystem Configuration - - id: 5000 - title: "Ensure /tmp is configured" - description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. 
Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." - remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." - compliance: - - cis_csc: "5.1" - - cis: "1.1.2" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ - condition: all - rules: - - 'c:mount -> r:\s/tmp\s' - - - id: 5001 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ." - remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting." - compliance: - - cis_csc: "5.1" - - cis: "1.1.3" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/tmp\s && r:nodev' - - - id: 5002 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.6" - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'c:mount -> r:\s/var\s' - - - id: 5003 - title: "Ensure separate partition exists for /var/tmp" - description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: "5.1" - - cis: "1.1.7" - condition: all - rules: - - 'c:mount -> r:\s/var/tmp\s' - - - id: 5004 - title: "Ensure nodev option set on /var/tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ." 
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" - compliance: - - cis_csc: "5.1" - - cis: "1.1.8" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/var/tmp\s && r:nodev' - - - id: 5005 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" - compliance: - - cis_csc: "5.1" - - cis: "1.1.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/home\s && r:nodev' - - - id: 5006 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.14" - condition: all - rules: - - 'c:mount -> r:\s/dev/shm\s && r:nodev' - - - id: 5007 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." 
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.15" - condition: all - rules: - - 'c:mount -> r:\s/dev/shm\s && r:nosuid' - - - id: 5008 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm." - compliance: - - cis_csc: "5.1" - - cis: "1.1.16" - condition: all - rules: - - 'c:mount -> r:\s/dev/shm\s && r:noexec' - -# Section 1.7 - Warning banners - - id: 5009 - title: "Ensure GDM login banner is configured" - description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." - remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. 
All activity may be monitored and reported.'" - compliance: - - cis_csc: "5.1" - - cis: "1.7.2" - - pci_dss: "2.2.2" - condition: all - rules: - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' - -# Section 2 - Filesystem Configuration - Debian 7 - - id: 5010 - title: "Add nodev option to /run/shm Partition" - description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" - compliance: - - cis_csc: "5.1" - - cis: "2.14" - - pci_dss: "2.2.4" - condition: all - rules: - - 'c:mount -> r:\s/run/shm\s && r:nodev' - - - id: 5011 - title: "Add nosuid option to /run/shm Partition" - description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm." 
- compliance: - - cis_csc: "5.1" - - cis: "2.15" - condition: all - rules: - - 'c:mount -> r:\s/run/shm\s && r:nosuid' - - - id: 5012 - title: "Add noexec option to /run/shm Partition" - description: "Set noexec on the shared memory partition to prevent programs from executing from there." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm." - compliance: - - cis_csc: "5.1" - - cis: "2.16" - condition: all - rules: - - 'c:mount -> r:\s/run/shm\s && r:noexec' - -# Section 2.1 - Inetd services - - id: 5013 - title: "Ensure inetd is not installed" - description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." - rationale: "If there are no inetd services required, it is recommended that the daemon be removed." - remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd" - compliance: - - cis_csc: "9.2" - - cis: "2.1.2" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:dpkg -s inetutils-inetd -> r:install ok installed' - - 'c:dpkg -s openbsd-inetd -> r:install ok installed' - -# Section 2.2 - Special purpose services - - id: 5014 - title: "Ensure FTP Server is not enabled" - description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." - rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. 
Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" - compliance: - - cis_csc: "9.2" - - cis: "2.2.9" - - pci_dss: "2.2.3" - condition: any - rules: - - 'c:systemctl is-enabled vsftpd -> r:disabled' - - - id: 5015 - title: "Ensure IMAP and POP3 server is not enabled" - description: "exim is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." - remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" - compliance: - - cis_csc: "9.2" - - cis: "2.2.11" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:dpkg -s exim4 -> install ok installed' - - - id: 5017 - title: "Ensure Samba is not enabled" - description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." - rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." 
- remediation: "Run the following command to disable smbd: # systemctl disable smbd" - compliance: - - cis_csc: "9.2" - - cis: "2.2.12" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:systemctl is-enabled smb -> r:^enabled' - - - id: 5018 - title: "Ensure NFS and RPC are not enabled" - description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." - rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." - remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind" - compliance: - - cis_csc: "9.2" - - cis: "2.2.7" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:systemctl is-enabled nfs-server -> r:^enabled' - - 'c:systemctl is-enabled rpcbind -> r:^enabled' - - - id: 5019 - title: "Ensure NIS Server is not enabled" - description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). 
It is recommended that the service be disabled and other, more secure services be used" - remediation: "Run the following command to disable nis: # systemctl disable nis" - compliance: - - cis_csc: "9.2" - - cis: "2.2.17" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:systemctl is-enabled nis -> r:^enabled' - - - id: 5020 - title: "Ensure HTTP server is not enabled" - description: "HTTP or web servers provide the ability to host web site content." - rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable apache2: # systemctl disable apache2" - compliance: - - cis_csc: "9.2" - - cis: "2.2.10" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:systemctl is-enabled apache2 -> r:^enabled' - - - id: 5021 - title: "Ensure DNS Server is not enabled" - description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." - rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable named: # systemctl disable bind9" - compliance: - - cis_csc: "9.2" - - cis: "2.2.8" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:systemctl is-enabled bind9 -> r:^enabled' - - - id: 5022 - title: "Ensure HTTP Proxy Server is not enabled" - description: "Squid is a standard proxy server used in many distributions and environments." - rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
- remediation: "Run the following command to disable squid: # systemctl disable squid" - compliance: - - cis_csc: "9.2" - - cis: "2.2.13" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:systemctl is-enabled squid -> r:^enabled' - -# Section 2.3 - Service clients - - id: 5023 - title: "Ensure rsh client is not installed" - description: "The rsh package contains the client commands for the rsh services." - rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ." - remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client" - compliance: - - cis_csc: "2.6, 4.5" - - cis: "2.3.2" - - pci_dss: "2.2.2" - condition: none - rules: - - 'c:dpkg -s rsh-client -> install ok installed' - - 'c:dpkg -s rsh-redone-client -> install ok installed' - - - id: 5024 - title: "Ensure telnet client is not installed" - description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." 
- remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" - compliance: - - cis_csc: "2.6, 4.5" - - cis: "2.3.4" - - pci_dss: "2.2.3" - condition: none - rules: - - 'c:dpkg -s telnet -> install ok installed' - -# Section 3.1 - Network Parameters (Host Only) - - id: 5025 - title: "Ensure IPv4 forwarding is disabled" - description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not." - rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0" - compliance: - - cis_csc: "5.1" - - cis: "3.1.1" - condition: all - rules: - - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$' - - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' - - - id: 5026 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not." - rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." 
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0" - compliance: - - cis_csc: "5.1" - - cis: "3.1.1" - condition: all - rules: - - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' - - 'c:grep -Rh net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' - -# Section 3.2 - Network Parameters (Host and Router) - - id: 5027 - title: "Ensure source routed packets are not accepted" - description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." - rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0" - compliance: - - cis_csc: "5.1" - - cis: "3.2.1" - condition: all - rules: - - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' - - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' - - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' - - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - - - id: 5028 - title: "Ensure broadcast ICMP requests are ignored" - description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." - rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. 
All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1" - compliance: - - cis_csc: "5.1" - - cis: "3.2.5" - condition: all - rules: - - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1' - -# Section 5.2 - SSH Server Configuration - - id: 5029 - title: "Ensure SSH Protocol is set to 2" - description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." - rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" - compliance: - - cis_csc: "14.4" - - cis: "5.2.4" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' - - - id: 5030 - title: "Ensure SSH IgnoreRhosts is enabled" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ." - rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - compliance: - - cis_csc: "9.2" - - cis: "5.2.8" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes' - - - id: 5031 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - cis_csc: "16.3" - - cis: "5.2.9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no' - - - id: 5032 - title: "Ensure SSH root login is disabled" - description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." - rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" - compliance: - - cis_csc: "4.3" - - cis: "5.2.10" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no' - - - id: 5033 - title: "Ensure SSH PermitEmptyPasswords is disabled" - description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." - rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" - compliance: - - cis_csc: "16.3" - - cis: "5.2.11" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no' - -# Section 6.2 - User and Group Settings - - id: 5034 - title: "Ensure password fields are not empty" - description: "An account with an empty password field means that anybody may log in as that user without providing a password." - rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." 
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l " - compliance: - - cis_csc: "4.4" - - cis: "6.2.1" - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" - condition: none - rules: - - 'f:/etc/shadow -> r:^\w+::' - - - id: 5035 - title: "Ensure root is the only UID 0 account" - description: "Any account with UID 0 has superuser privileges on the system." - rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." - remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." - compliance: - - cis_csc: "5.1" - - cis: "6.2.5" - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" - condition: none - rules: - - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' From df55e27d520ce891ee2062e17347ad69fb0bf93d Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 2 Jul 2019 15:32:46 +0200 Subject: [PATCH 170/247] Add UNIX generic policy --- sca/generic/unix_audit.yml | 280 +++++++++++++++++++++++++++++++++++++ 1 file changed, 280 insertions(+) create mode 100644 sca/generic/unix_audit.yml diff --git a/sca/generic/unix_audit.yml b/sca/generic/unix_audit.yml new file mode 100644 index 000000000..93b574a30 --- /dev/null +++ b/sca/generic/unix_audit.yml 
@@ -0,0 +1,280 @@ +# Security Configuration Assessment +# Audit for UNIX systems +# Copyright (C) 2015-2019, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation +# +# Mostly based on +# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 +# Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017 +# Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017 +# OSSEC v3.2.0 + +policy: + id: "unix_audit" + file: "unix_audit.yml" + name: "System audit for Unix based systems" + description: "Guidance for establishing a secure configuration for SSH service vulnerabilities and secure passwords." + references: + - https://www.ssh.com/ssh/ + +requirements: + title: "Check that the SSH service is installed on the system and password-related files are present on the system" + description: "Requirements for running the SCA scan against the Unix policy." + condition: all + rules: + - 'f:/etc/ssh/sshd_config' + - 'f:/etc/passwd' + - 'f:/etc/shadow' + +checks: + - id: 1500 + title: "SSH Hardening - 1: Port should not be 22" + description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." + rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." + remediation: "Change the Port option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$' + + - id: 1501 + title: "SSH Hardening - 2: Protocol should be set to 2" + description: "The SSH protocol should not be 1." + rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. 
Version 1 of the SSH protocol has weaknesses." + remediation: "Change the Protocol option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$' + + - id: 1502 + title: "SSH Hardening - 3: Root account should not be able to log in" + description: "The option PermitRootLogin should be set to no." + rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses." + remediation: "Change the PermitRootLogin option value in the sshd_config file." + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no' + + - id: 1503 + title: "SSH Hardening - 4: No Public Key authentication" + description: "The option PubkeyAuthentication should be set yes." + rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password." + remediation: "Change the PubkeyAuthentication option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes' + + - id: 1504 + title: "SSH Hardening - 5: Password Authentication should be disabled" + description: "The option PasswordAuthentication should be set to no." + rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." + remediation: "Change the PasswordAuthentication option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no' + + - id: 1505 + title: "SSH Hardening - 6: Empty passwords should not be allowed" + description: "The option PermitEmptyPasswords should be set to no." 
+ rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." + remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no' + + - id: 1506 + title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" + description: "The option IgnoreRhosts should be set to yes." + rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." + remediation: "Change the IgnoreRhosts option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes' + + - id: 1507 + title: "SSH Hardening - 8: Grace Time should be one minute or less." + description: "The option LoginGraceTime should be set to 60 or less." + rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." + remediation: "Change the LoginGraceTime option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 60' + + - id: 1508 + title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" + description: "The option MaxAuthTries should be set to 4 or less." + rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4." 
+ remediation: "Change the MaxAuthTries option value in the sshd_config file." + compliance: + - pci_dss: "2.2.4" + condition: all + rules: + - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4' + + - id: 1509 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - pci_dss: "4.1" + - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" + - nist_800_53: "SC.8" + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' + + - id: 1510 + title: "Ensure password creation requirements are configured" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' + - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' + + - id: 1511 + title: "Ensure passwords are longer than 14 characters" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14' + + - id: 1512 + title: "Ensure passwords contain at least one digit" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1' + + - id: 1513 + title: "Ensure passwords contain at least one lowercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." 
+ rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1' + + - id: 1514 + title: "Ensure passwords contain at least one uppercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1' + + - id: 1515 + title: "Ensure passwords contain at least one special character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. 
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: "5.3.1" + - cis_csc: "4.4, 5.7, 16.12" + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1' + + - id: 1516 + title: "Ensure lockout for failed password attempts is configured" + description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users." + rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." + remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: #auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" + compliance: + - cis: "5.3.2" + condition: all + rules: + - 'f:/etc/pam.d/common-auth -> r:^auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d+\s*\t*unlock_time=\d+$' + + - id: 1517 + title: "Ensure password hashing algorithm is SHA-512" + description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). 
All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm." + rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system." + remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512" + compliance: + - cis: "5.3.4" + - cis_csc: "16.14" + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512' + + - id: 1518 + title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" + description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5." + rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." + remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256." + references: + - https://linux-audit.com/password-security-with-linux-etc-shadow-file/ + - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$' + +# 5.4 User accounts and Environment + - id: 1519 + title: "Ensure password expiration is 365 days or less" + description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." 
+ rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." + remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." + compliance: + - cis: "5.4.1.1" + - cis_csc: "4.4, 16" + references: + - https://www.thegeekdiary.com/understanding-etclogin-defs-file + condition: any + rules: + - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' + - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365' + + \ No newline at end of file From 041d0eec53c92be127354a5e3ae1675c84cd913b Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 2 Jul 2019 15:44:45 +0200 Subject: [PATCH 171/247] Add variables to Unix policy --- sca/generic/unix_audit.yml | 44 ++++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/sca/generic/unix_audit.yml b/sca/generic/unix_audit.yml index 93b574a30..247a0e528 100644 --- a/sca/generic/unix_audit.yml +++ b/sca/generic/unix_audit.yml @@ -9,9 +9,6 @@ # # Mostly based on # Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 -# Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017 -# Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017 -# OSSEC v3.2.0 policy: id: "unix_audit" @@ -30,6 +27,11 @@ requirements: - 'f:/etc/passwd' - 'f:/etc/shadow' + +variables: + $sshd_file: /etc/ssh/sshd_config + $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd + checks: - id: 1500 title: "SSH Hardening - 1: Port should not be 22" 
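Review bot: Checks 1500 through 1509 reference `$sshd_file`, but this new file declares no `variables:` section, so the variable is undefined as of this commit and the `f:$sshd_file` rules have no path to open; either add `variables:` with `$sshd_file: /etc/ssh/sshd_config` alongside `requirements:`, or write the path literally as the requirements block already does. Separately, rule 1500 uses an unanchored `r:Port`, so a non-comment line such as `GatewayPorts no` satisfies the rule while `Port 22` is still configured; anchoring it as `r:^\s*Port\s` limits the match to the directive itself. Rule 1518 also lists the `^\w+:\$md5\$` alternative twice, which is harmless but looks like a leftover from a copy-edit.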
@@ -40,7 +42,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$' + - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22\s\t*$' - id: 1501 title: "SSH Hardening - 2: Protocol should be set to 2" @@ -51,7 +53,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$' + - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*\t*$' - id: 1502 title: "SSH Hardening - 3: Root account should not be able to log in" @@ -60,7 +62,7 @@ checks: remediation: "Change the PermitRootLogin option value in the sshd_config file." condition: all rules: - - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no' + - 'f:$sshd_file -> r:^\s*PermitRootLogin\s*\t*no' - id: 1503 title: "SSH Hardening - 4: No Public Key authentication" @@ -71,7 +73,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes' + - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\s*\t*yes' - id: 1504 title: "SSH Hardening - 5: Password Authentication should be disabled" @@ -82,7 +84,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no' + - 'f:$sshd_file -> r:^\s*PasswordAuthentication\s*\t*no' - id: 1505 title: "SSH Hardening - 6: Empty passwords should not be allowed" @@ -93,7 +95,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no' + - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\s*\t*no' - id: 1506 title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" @@ -104,7 +106,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes' + - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\s*\t*yes' - id: 1507 title: "SSH Hardening - 8: Grace Time should be one minute or less." 
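Review bot: The rewritten negation in rule 1500, `!r:\s*\t*22\s\t*$`, requires one whitespace character after `22`, so the usual `Port 22` line with nothing after the number no longer matches the negated pattern, the negation evaluates true, and the check passes on exactly the configuration it is meant to flag; the previous `\D22\D*$` did not have this gap. Using zero-or-more whitespace, `!r:\s*\t*22\s*\t*$`, keeps the intent. The unanchored `r:Port` is also carried over, so any `GatewayPorts` line can still satisfy the rule independently of the `Port` directive.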
@@ -115,7 +117,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 60' + - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60' - id: 1508 title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" @@ -126,7 +128,7 @@ checks: - pci_dss: "2.2.4" condition: all rules: - - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4' + - 'f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4' - id: 1509 title: "Ensure SSH HostbasedAuthentication is disabled" @@ -139,7 +141,7 @@ checks: - nist_800_53: "SC.8" condition: all rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\s*\t*no' - id: 1510 title: "Ensure password creation requirements are configured" 
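Review bot: Rule 1507 still ends its capture with a literal `s`, `(\d+)s compare <= 60`, so the plain numeric form `LoginGraceTime 60` (and suffixed values like `2m`) never match and the check fails on compliant hosts; only `\s` with a backslash is whitespace here, the bare `s` is the character. Dropping it, `n:^\s*LoginGraceTime\s*\t*(\d+)\s*\t*$ compare <= 60`, matches the numeric form; time-suffixed values would still need separate handling if the policy wants to accept them.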
@@ -153,8 +155,8 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' - - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' + - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' + - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' - id: 1511 title: "Ensure passwords are longer than 14 characters" @@ -168,7 +170,7 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14' + - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14' - id: 1512 title: "Ensure passwords contain at least one digit" 
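Review bot: The second rule of check 1510 keeps `n:retry=(\d+) compare < 3`, which fails a configuration with `retry=3`; as far as I recall CIS 5.3.1, which the compliance tag cites, recommends a retry value of 3 or less, so the comparison should presumably be `compare <= 3`. The check title and description do not state the intended threshold, so a short comment above the rule naming it would help the next editor.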
@@ -182,7 +184,7 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1' + - 'f:$pam_d_files-> r:pam_cracklib.so && r:dcredit=-1' - id: 1513 title: "Ensure passwords contain at least one lowercase character" @@ -196,7 +198,7 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=-1' - id: 1514 title: "Ensure passwords contain at least one uppercase character" @@ -210,7 +212,7 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=-1' - id: 1515 title: "Ensure passwords contain at least one special character" @@ -224,7 +226,7 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=-1' - id: 1516 title: "Ensure lockout for failed password attempts is configured" @@ -247,7 +249,7 @@ checks: - cis_csc: "16.14" condition: all rules: - - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512' + - 'f:$pam_d_files -> r:^password\.+pam_unix.so\.+sha512' - id: 1518 title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" From 654e26e9efd0cbf51ba495af79f4a51b4aa8b97f Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Tue, 2 Jul 2019 16:35:57 +0200 Subject: [PATCH 172/247] Add more generic checks to the win_audit_rcl policy --- sca/windows/win_audit.yml | 847 +++++++++++++++++++++++++++++++++++++- 1 file changed, 839 insertions(+), 8 deletions(-) 
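Review bot: Rule 1512 drops the space before the arrow, `f:$pam_d_files-> r:pam_cracklib.so && r:dcredit=-1`, unlike every other rule rewritten in this commit; depending on how the rule parser tokenizes the file reference, the variable may be read as `$pam_d_files->` and never resolve, leaving the check silently unable to match. Restore it as `f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=-1` to match checks 1513 through 1515 on this same page.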
diff --git a/sca/windows/win_audit.yml b/sca/windows/win_audit.yml index c0d802f2d..8148c3a00 100644 --- a/sca/windows/win_audit.yml +++ b/sca/windows/win_audit.yml 
@@ -23,6 +23,456 @@ requirements: checks: - id: 2500 + title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled." + rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" + compliance: + - cis: "2.3.2.2" + - cis_csc: "6" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' + + - id: 2501 + title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" + description: "This policy setting determines who is allowed to format and eject removable NTFS media. 
You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." + rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." + remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" + compliance: + - cis: "2.3.4.1" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' + + - id: 2502 + title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. 
Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" + compliance: + - cis: "2.3.6.1" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' + + - id: 2503 + title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. 
The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" + compliance: + - cis: "2.3.6.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' + + - id: 2504 + title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" + description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
+ compliance:
+ - cis: "2.3.6.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
+
+ - id: 2505
+ title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
+ description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+ rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+ compliance:
+ - cis: "2.3.6.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+ - id: 2506
+ title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
+ description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+ rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+ compliance:
+ - cis: "2.3.6.4"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
+
+ - id: 2507
+ title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
+ description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+ rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit.
The data can be modified to hide or change the sender, or be redirected.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
+ compliance:
+ - cis: "2.3.6.6"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
+
+ - id: 2508
+ title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
+ description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+ rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
+ compliance:
+ - cis: "2.3.7.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
+
+ - id: 2509
+ title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
+ description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+ rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
+ compliance:
+ - cis: "2.3.7.2"
+ - cis_csc: "8"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
+
+ - id: 2510
+ title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
+ description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+ rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
+ compliance:
+ - cis: "2.3.7.7"
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
+
+ - id: 2511
+ title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
+ description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+ rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
+ compliance:
+ - cis: "2.3.7.9"
+ - cis_csc: "16.5"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
+
+ - id: 2512
+ title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions.
Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
+ compliance:
+ - cis: "2.3.8.1"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
+
+ - id: 2513
+ title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
+ description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions.
Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
+ compliance:
+ - cis: "2.3.8.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
+
+ - id: 2514
+ title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
+ description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+ rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk.
These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+ compliance:
+ - cis: "2.3.8.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
+
+ - id: 2515
+ title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
+ description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+ rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+ compliance:
+ - cis: "2.3.9.1"
+ - cis_csc: "3"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
+
+ - id: 2516
+ title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
+ description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data.
If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
+ compliance:
+ - cis: "2.3.9.2"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
+
+ - id: 2517
+ title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
+ description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems.
It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
+ compliance:
+ - cis: "2.3.9.3"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
+
+ - id: 2518
+ title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
+ description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+ rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ compliance:
+ - cis: "2.3.10.4"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
+
+ - id: 2519
+ title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
+ description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+ rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+ compliance:
+ - cis: "2.3.10.5"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
+
+ - id: 2520
+ title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
+ description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+ rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+ compliance:
+ - cis: "2.3.10.9"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
+
+ - id: 2521
+ title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
+ description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
+ rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+ compliance:
+ - cis: "2.3.10.10"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
+ - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
+
+ - id: 2522
+ title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
+ description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+ rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+ compliance:
+ - cis: "2.3.10.11"
+ - cis_csc: "14, 16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
+
+ - id: 2523
+ title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
+ description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+ rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+ compliance:
+ - cis: "2.3.11.5"
+ - cis_csc: "16.14"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
+
+ - id: 2524
+ title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
+ description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. 
This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+ rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. 
Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+ compliance:
+ - cis: "2.3.11.7"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
+
+ - id: 2525
+ title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
+ description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+ rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+ compliance:
+ - cis: "2.3.11.8"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'
+
+ - id: 2526
+ title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ compliance:
+ - cis: "2.3.11.9"
+ - cis_csc: "13"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
+
+ - id: 2527
+ title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ compliance:
+ - cis: "2.3.11.10"
+ - cis_csc: "13"
+ references:
+ - https://workbench.cisecurity.org/benchmarks/288
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
+
+ - id: 2528
+ title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
+ description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+ rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. 
Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
+ compliance:
+ - cis: "2.3.15.1"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
+
+ - id: 2529
+ title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+ compliance:
+ - cis: "2.3.15.2"
+ - cis_csc: "14.4"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
+ - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
+
+ - id: 2530
+ title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ compliance:
+ - cis: "9.2.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
+
+ - id: 2531
+ title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+ compliance:
+ - cis: "9.3.1"
+ - cis_csc: "9.2"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
+
+ - id: 2532
 title: "Ensure Registry tools set is enabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -34,7 +484,7 @@ checks:
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'

- - id: 2501
+ - id: 2533
 title: "Ensure DCOM is enabled"
 description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
 compliance:
@@ -49,7 +499,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'

- - id: 2502
+ - id: 2534
 title: "LM authentication not allowed (disable weak passwords)"
 compliance:
 - pci_dss: "10.6.1, 11.4"
@@ -63,7 +513,7 @@ checks:
 # Disabled by some Malwares (sometimes by McAfee and Symantec
 # security center too).

- - id: 2503
+ - id: 2535
 title: "Ensure Firewall/Anti Virus notifications are enabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -82,7 +532,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
 # Checking for the microsoft firewall.

- - id: 2504
+ - id: 2536
 title: "Ensure Microsoft Firewall is enabled"
 compliance:
 - pci_dss: "10.6.1, 1.4"
@@ -94,7 +544,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'

- - id: 2505
+ - id: 2537
 title: "Ensure Null sessions are not allowed"
 compliance:
 - pci_dss: "11.4"
@@ -105,7 +555,7 @@ checks:
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'

- - id: 2506
+ - id: 2538
 title: "Ensure Turn off Windows Error reporting is enabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -122,7 +572,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'

- - id: 2507
+ - id: 2539
 title: "Ensure Automatic Logon is disabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -134,7 +584,7 @@ checks:
 - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'

- - id: 2508
+ - id: 2540
 title: "Ensure Winpcap packet filter driver is not present"
 compliance:
 - pci_dss: "10.6.1"
@@ -144,3 +594,384 @@ checks:
 rules:
 - 'f:%WINDIR%\System32\drivers\npf.sys'
 - 'f:%WINDIR%\Sysnative\drivers\npf.sys'
+
+ - id: 2541
+ title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
+ description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
+ rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.1"
+ - cis_csc: "16"
+ references:
+ - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+ - id: 2542
+ title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+ description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+ rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.2"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
+
+ - id: 2543
+ title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
+ description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+ rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.3"
+ - cis_csc: "9"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
+
+ - id: 2544
+ title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
+ description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+ rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.8"
+ - cis_csc: "8"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
+
+ - id: 2545
+ title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
+ description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+ rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. 
An entry to the registry can be made to adjust the length of the grace period."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.9"
+ - cis_csc: "16.5"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
+
+ - id: 2546
+ title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
+ description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
+ rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. 
If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ compliance:
+ - cis: "18.4.12"
+ - cis_csc: "6.3"
+ references:
+ - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
+
+ - id: 2547
+ title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+ description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
+ rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ compliance:
+ - cis: "18.8.21.2"
+ - cis_csc: "3.7"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
+
+ - id: 2548
+ title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+ rationale: "Users might download drivers that include malicious code."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ compliance: + - cis: "18.8.22.1.1" + - cis_csc: "2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' + + - id: 2549 + title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" + description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." + rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.8.22.1.5" + - cis_csc: "7" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' + + - id: 2550 + title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" + description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." + rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.6" + - cis_csc: "13.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' + + - id: 2551 + title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" + description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. 
Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" + rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.35.1" + - cis_csc: "9.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' + + - id: 2552 + title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" + description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." + rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + compliance: + - cis: "18.8.35.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' + + - id: 2553 + title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" + description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." + rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.8.3" + - cis_csc: "8.3" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' + + - id: 2554 + title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" + description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." + rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.58.2.2" + - cis_csc: "16.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' + + - id: 2555 + title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" + description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." + rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.3.2" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' + + - id: 2556 + title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." + rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." + compliance: + - cis: "18.9.58.3.9.1" + - cis_csc: "16.14" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' + + - id: 2557 + title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." + rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.58.3.9.3" + - cis_csc: "3.4" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' + + - id: 2558 + title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" + description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." + rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.9.85.2" + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' + + - id: 2559 + title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" + description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. 
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." + rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.9.101.2" + - cis_csc: "4.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' + + - id: 2560 + title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." 
+ rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." + compliance: + - cis: "18.9.101.4" + - cis_csc: "4.5" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0' + + - id: 2561 + title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. 
The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." + rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + compliance: + - cis: "18.4.10" + - cis_csc: "9" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' + + - id: 2562 + title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." 
+ rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + compliance: + - cis: "18.4.11" + - cis_csc: "9" + references: + - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' + + - id: 2563 + title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" + description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." + rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.8" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' + + - id: 2564 + title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" + description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." + rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.8.22.1.10" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' + + - id: 2565 + title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" + description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." + rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ compliance: + - cis: "18.8.22.1.11" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' + + - id: 2566 + title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" + description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." + rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + compliance: + - cis: "18.8.22.1.13" + - cis_csc: "13" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' \ No newline at end of file From 93a171104d25be5d2675ab5d0b3761a45fe57ce3 Mon Sep 17 00:00:00 2001 
From: Skeptor Date: Tue, 2 Jul 2019 16:41:02 +0200 Subject: [PATCH 173/247] Change compliance format and add check --- sca/generic/unix_audit.yml | 83 +++++++++++++++++++++++++------------- 1 file changed, 54 insertions(+), 29 deletions(-) diff --git a/sca/generic/unix_audit.yml b/sca/generic/unix_audit.yml index 247a0e528..75d33a081 100644 --- a/sca/generic/unix_audit.yml +++ b/sca/generic/unix_audit.yml @@ -39,7 +39,7 @@ checks: rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." remediation: "Change the Port option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22\s\t*$' @@ -50,7 +50,7 @@ checks: rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses." remediation: "Change the Protocol option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*\t*$' @@ -70,7 +70,7 @@ checks: rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password." remediation: "Change the PubkeyAuthentication option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\s*\t*yes' 
@@ -81,7 +81,7 @@ checks: rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." remediation: "Change the PasswordAuthentication option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> r:^\s*PasswordAuthentication\s*\t*no' @@ -92,7 +92,7 @@ checks: rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\s*\t*no' @@ -103,7 +103,7 @@ checks: rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." remediation: "Change the IgnoreRhosts option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\s*\t*yes' @@ -114,7 +114,7 @@ checks: rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." remediation: "Change the LoginGraceTime option value in the sshd_config file." compliance: - - pci_dss: "2.2.4" + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60' 
@@ -125,7 +125,7 @@ checks:
 rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
 remediation: "Change the MaxAuthTries option value in the sshd_config file."
 compliance:
- - pci_dss: "2.2.4"
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -136,9 +136,9 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\s*\t*no'
@@ -149,8 +149,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4, 5.7, 16.12"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
 condition: all
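Review bot: The new flow-style compliance lists are written with no space after the comma (`["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]` in the @@ -136 hunk, `["4.4","5.7","16.12"]` in the @@ -149 hunk), which yamllint's default `commas` rule and Prettier both flag. Write them as `["4.4", "5.7", "16.12"]` so the file passes the project's linters without exceptions. The same spelling recurs in the @@ -164, -178, -192, -206, -220, -245, -270 and -279 hunks of this patch, so it is worth fixing once across the file rather than per check.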
@@ -164,8 +164,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -178,8 +178,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -192,8 +192,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all 
@@ -206,8 +206,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -220,8 +220,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -234,7 +234,7 @@ checks: rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: #auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" compliance: - - cis: "5.3.2" + - cis: ["5.3.2"] condition: all rules: - 'f:/etc/pam.d/common-auth -> r:^auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d+\s*\t*unlock_time=\d+$' 
@@ -245,8 +245,8 @@ checks: rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system." remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512" compliance: - - cis: "5.3.4" - - cis_csc: "16.14" + - cis: ["5.3.4"] + - cis_csc: ["16.14"] condition: all rules: - 'f:$pam_d_files -> r:^password\.+pam_unix.so\.+sha512' @@ -270,8 +270,8 @@ checks: rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." compliance: - - cis: "5.4.1.1" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.1"] + - cis_csc: ["4.4","16"] references: - https://www.thegeekdiary.com/understanding-etclogin-defs-file condition: any 
@@ -279,4 +279,29 @@ checks: - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365' - \ No newline at end of file + - id: 1520 + title: "Ensure SELinux or AppArmor are installed" + description: "SELinux and AppArmor provide Mandatory Access Controls." + rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." + remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" + compliance: + - cis: ["1.6.3"] + - cis_csc: ["14.4","14.6"] + condition: any + rules: + - 'c:dpkg -s selinux-basics -> r:install ok installed' + - 'c:dpkg -s apparmor -> r:install ok installed' + + - id: 10507 + title: "Ensure CUPS is not enabled" + description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." + rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." + remediation: "Run the following command to disable cups: # systemctl disable cups" + compliance: + - cis: ["2.2.4"] + - cis_csc: ["9.1","9.2"] + references: + - 'https://www.cups.org' + condition: none + rules: + - 'c:systemctl is-enabled cups -> r:^enabled' From 40ca279c86c645f44929ae701a61140c8fe1adaa Mon Sep 17 00:00:00 2001 
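Review bot: Check 1520 decides whether a MAC framework is installed solely through `c:dpkg -s ...`, so on any host without dpkg (RPM-based or other Unix systems this generic policy targets) neither rule can match and the check is reported as failed even when SELinux is installed. Either add alternatives under the same `condition: any` (an `rpm -q` rule, or a file test such as `f:/etc/selinux/config`) or state the Debian scope in the description. Check 10507 has the opposite exposure: under `condition: none` a host without `systemctl` cannot produce output matching `r:^enabled`, so the check presumably passes regardless of whether CUPS is running; a rule confirming the init system is present, or a note in the description, would make that assumption explicit.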
From: Skeptor Date: Tue, 2 Jul 2019 17:10:54 +0200 Subject: [PATCH 174/247] Remove old generic policies --- sca/generic/system_audit_pw.yml | 160 ------------------------------- sca/generic/system_audit_ssh.yml | 137 -------------------------- sca/generic/unix_audit.yml | 35 +++---- 3 files changed, 15 insertions(+), 317 deletions(-) delete mode 100644 sca/generic/system_audit_pw.yml delete mode 100644 sca/generic/system_audit_ssh.yml diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml deleted file mode 100644 index 589383e99..000000000 --- a/sca/generic/system_audit_pw.yml +++ /dev/null 
@@ -1,160 +0,0 @@ -# Security Configuration Assessment -# Checks for Password Security on Linux Systems -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation -# -# Mostly based on -# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 -# Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017 -# Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017 -# OSSEC v3.2.0 - -policy: - id: "system_audit_pw" - file: "system_audit_pw.yml" - name: "System audit for password-related vulnerabilities" - description: "Guidance for establishing a secure configuration for password vulnerabilities." - references: - - https://www.cisecurity.org/cis-benchmarks/ - -requirements: - title: "Check that password-related files are present on the system" - description: "Requirements for running the SCA scan against the password-related policy." - condition: any - rules: - - 'f:/etc/passwd' - - 'f:/etc/shadow' - -variables: - $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd - -checks: -# 5.3 Configure PAM - - id: 13000 - title: "Ensure password creation requirements are configured" - description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." - rationale: "Strong passwords protect systems from being hacked through brute force methods." 
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: all - rules: - - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' - - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' - - - id: 13001 - title: "Ensure passwords are longer than 13 characters" - description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." - rationale: "Strong passwords protect systems from being hacked through brute force methods." 
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any - rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14' - - - id: 13002 - title: "Ensure passwords contain at least one digit" - description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." - rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any - rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1' - - - id: 13003 - title: "Ensure passwords contain at least one lowercase character" - description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." 
- rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any - rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1' - - - id: 13004 - title: "Ensure passwords contain at least one uppercase character" - description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." - rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any - rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1' - - - id: 13005 - title: "Ensure passwords contain at least one special character" - description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. 
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." - rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" - compliance: - - cis: "5.3.1" - - cis_csc: "4.4, 5.7, 16.12" - references: - - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ - condition: any - rules: - - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1' - - - id: 13006 - title: "Ensure password hashing algorithm is SHA-512" - description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm." - rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system." - remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512" - compliance: - - cis: "5.3.4" - - cis_csc: "16.14" - condition: any - rules: - - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512' - - - id: 13007 - title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" - description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5." 
- rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." - remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256." - references: - - https://linux-audit.com/password-security-with-linux-etc-shadow-file/ - - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html - condition: none - rules: - - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$' - -# 5.4 User accounts and Environment - - id: 13008 - title: "Ensure password expiration is 365 days or less" - description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." - rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." - remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." - compliance: - - cis: "5.4.1.1" - - cis_csc: "4.4, 16" - references: - - https://www.thegeekdiary.com/understanding-etclogin-defs-file - condition: any - rules: - - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' - - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365' diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml deleted file mode 100644 index 5024bbe57..000000000 --- a/sca/generic/system_audit_ssh.yml +++ /dev/null 
@@ -1,137 +0,0 @@ -# Security Configuration Assessment -# Checks for SSH hardening -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation - -policy: - id: "system_audit_ssh" - file: "system_audit_ssh.yml" - name: "System audit for SSH hardening" - description: "Guidance for establishing a secure configuration for SSH service vulnerabilities." - references: - - https://www.ssh.com/ssh/ - -requirements: - title: "Check that the SSH service is installed on the system" - description: "Requirements for running the SCA scan against the SSH policy." - condition: all - rules: - - 'f:/etc/ssh/sshd_config' - -variables: - $sshd_file: /etc/ssh/sshd_config - -checks: - - id: 1500 - title: "SSH Hardening - 1: Port should not be 22" - description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." - rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." - remediation: "Change the Port option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$' - - - id: 1501 - title: "SSH Hardening - 2: Protocol should not be 1" - description: "The SSH protocol should not be 1." - rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses." - remediation: "Change the Protocol option value in the sshd_config file." 
- compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$' - - - id: 1502 - title: "SSH Hardening - 3: Root account should not be able to log in" - description: "The option PermitRootLogin should be set to no." - rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses." - remediation: "Change the PermitRootLogin option value in the sshd_config file." - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no' - - - id: 1503 - title: "SSH Hardening - 4: No Public Key authentication" - description: "The option PubkeyAuthentication should be set yes." - rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password." - remediation: "Change the PubkeyAuthentication option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes' - - - id: 1504 - title: "SSH Hardening - 5: Password Authentication should be disabled" - description: "The option PasswordAuthentication should be set to no." - rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." - remediation: "Change the PasswordAuthentication option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no' - - - id: 1505 - title: "SSH Hardening - 6: Empty passwords should not be allowed" - description: "The option PermitEmptyPasswords should be set to no." - rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." 
- remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no' - - - id: 1506 - title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" - description: "The option IgnoreRhosts should be set to yes." - rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." - remediation: "Change the IgnoreRhosts option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes' - - - id: 1507 - title: "SSH Hardening - 8: Grace Time should be 30 or less." - description: "The option LoginGraceTime should be set to 30 or less." - rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." - remediation: "Change the LoginGraceTime option value in the sshd_config file." - compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30' - - - id: 1508 - title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" - description: "The option MaxAuthTries should be set to 4 or less." - rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4." - remediation: "Change the MaxAuthTries option value in the sshd_config file." 
- compliance: - - pci_dss: "2.2.4" - condition: all - rules: - - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4' - - - id: 1509 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" - condition: all - rules: - - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' diff --git a/sca/generic/unix_audit.yml b/sca/generic/unix_audit.yml index 75d33a081..f6eabbd98 100644 --- a/sca/generic/unix_audit.yml +++ b/sca/generic/unix_audit.yml 
@@ -6,22 +6,19 @@
 # and/or modify it under the terms of the GNU General Public
 # License (version 2) as published by the FSF - Free Software
 # Foundation
-#
-# Mostly based on
-# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
 
 policy:
 id: "unix_audit"
 file: "unix_audit.yml"
 name: "System audit for Unix based systems"
- description: "Guidance for establishing a secure configuration for SSH service vulnerabilities and secure passwords."
+ description: "Guidance for establishing a secure configuration for Unix based systems."
 references:
 - https://www.ssh.com/ssh/
 
 requirements:
 title: "Check that the SSH service is installed on the system and password-related files are present on the system"
- description: "Requirements for running the SCA scan against the Unix policy."
- condition: all
+ description: "Requirements for running the SCA scan against the Unix based systems policy."
+ condition: any
 rules:
 - 'f:/etc/ssh/sshd_config'
 - 'f:/etc/passwd'
@@ -149,7 +146,6 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: ["5.3.1"]
 - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
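Review bot: Relaxing the requirements block to `condition: any` lets the policy run on hosts that have `/etc/passwd` but no `/etc/ssh/sshd_config`, yet the `f:$sshd_file` checks shown in the earlier hunks of this series still read that file, so those hosts will presumably report every SSH check as failed rather than not applicable. If SSH-less systems are meant to be in scope, the sshd checks need their own guard; otherwise keep `condition: all`, or add a comment above `condition: any` explaining why the false failures are acceptable. Separately, the `policy.references` list still names only `https://www.ssh.com/ssh/` after the description was broadened to Unix systems generally, and dropping the CIS attribution comment leaves the CIS-derived texts and the remaining `cis_csc` mappings without a cited source; keep a one-line provenance comment or add the benchmark to `references`.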
@@ -164,7 +160,6 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: ["5.3.1"] - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ @@ -178,7 +173,6 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: ["5.3.1"] - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ @@ -192,7 +186,6 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis: ["5.3.1"] - cis_csc: ["4.4","5.7","16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ 
@@ -206,7 +199,6 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: ["5.3.1"]
 - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
@@ -220,7 +212,6 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
 compliance:
- - cis: ["5.3.1"]
 - cis_csc: ["4.4","5.7","16.12"]
 references:
 - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
@@ -233,8 +224,6 @@ checks:
 description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users."
 rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
 remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: #auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900"
- compliance:
- - cis: ["5.3.2"]
 condition: all
 rules:
 - 'f:/etc/pam.d/common-auth -> r:^auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d+\s*\t*unlock_time=\d+$'
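Review bot: The @@ -233 hunk deletes the entire `compliance:` block from the lockout check, leaving it as the only check in this file with no compliance mapping, whereas the sibling hunks keep their `cis_csc` entry after the `cis` line is dropped. If a `cis_csc` control applies to account lockout, keep the block with that entry; if none does, a comment such as `# no cis_csc mapping applies to this control` records that the omission is deliberate rather than an oversight. The enclosing check starts outside the hunk.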
@@ -245,7 +234,6 @@ checks: rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system." remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512" compliance: - - cis: ["5.3.4"] - cis_csc: ["16.14"] condition: all rules: @@ -263,14 +251,12 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$' -# 5.4 User accounts and Environment - id: 1519 title: "Ensure password expiration is 365 days or less" description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." compliance: - - cis: ["5.4.1.1"] - cis_csc: ["4.4","16"] references: - https://www.thegeekdiary.com/understanding-etclogin-defs-file 
@@ -285,23 +271,32 @@ checks: rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" compliance: - - cis: ["1.6.3"] - cis_csc: ["14.4","14.6"] condition: any rules: - 'c:dpkg -s selinux-basics -> r:install ok installed' - 'c:dpkg -s apparmor -> r:install ok installed' - - id: 10507 + - id: 1521 title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis: ["2.2.4"] - cis_csc: ["9.1","9.2"] references: - 'https://www.cups.org' condition: none rules: - 'c:systemctl is-enabled cups -> r:^enabled' + + - id: 1522 + title: "Ensure auditd service is enabled" + description: "Turn on the auditd daemon to record system events." + rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." + remediation: "Run the following command to enable auditd: # systemctl enable auditd" + compliance: + - cis_csc: ["6.2","6.3"] + condition: all + rules: + - 'c:systemctl is-enabled auditd -> r:^enabled' From 63856070d3c44d12f00b0b267049b52b73e40565 Mon Sep 17 00:00:00 2001 
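Review bot: The new auditd check (id 1522) only requires `c:systemctl is-enabled auditd -> r:^enabled`, which shows the unit is wired to start at boot, not that the daemon is currently recording events; a host where auditd has been stopped or has crashed still passes. Because the check already uses `condition: all`, adding `- 'c:systemctl is-active auditd -> r:^active'` to `rules` makes both boot-time enablement and the running state mandatory. The remediation would then also want `systemctl enable --now auditd` (or an explicit `start`), since `enable` alone leaves the service down until the next reboot. The checks list continues past this hunk, so I cannot tell whether a separate is-active check exists elsewhere in the policy.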
From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 10:29:07 +0200 Subject: [PATCH 175/247] Fix typo --- sca/windows/cis_win10_enterprise_L1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index 8584b3741..8da5a2c1b 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml @@ -2659,7 +2659,7 @@ checks: rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdma -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' - id: 12189 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" From ad5ab624ee91569fbf76f032c26441c37d5639fc Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 10:29:30 +0200 Subject: [PATCH 176/247] Add new checks for generic Windows policy --- sca/windows/win_audit.yml | 269 +++++++++++++++++++------------------- 1 file changed, 131 insertions(+), 138 deletions(-) diff --git a/sca/windows/win_audit.yml b/sca/windows/win_audit.yml index 8148c3a00..94e37cc8b 100644 --- a/sca/windows/win_audit.yml +++ b/sca/windows/win_audit.yml 
@@ -23,12 +23,24 @@ requirements: checks: - id: 2500 + title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled." + rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" + compliance: + - cis_csc: "16" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' + + - id: 2501 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled." rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" compliance: - - cis: "2.3.2.2" - cis_csc: "6" condition: all rules: @@ -36,13 +48,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' - - id: 2501 + - id: 2502 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" compliance: - - cis: "2.3.4.1" - cis_csc: "5.1" condition: all rules: 
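Review bot: The rationale of new check 2500 contains `domainbased`, which should read `domain-based`; SCA surfaces this string verbatim to operators, so the typo is worth fixing before the text is reused by other generic policies (it is presumably lifted from the CIS wording, where it is hyphenated). The three-rule shape (key present, value present, value equals 1) matches the existing checks in win_audit.yml, though with `condition: all` the third rule alone already implies the first two, so those two are redundant rather than wrong. This hunk ends inside check 2501's `rules`, so that check's remaining rules are outside my view.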
@@ -50,13 +61,25 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - - id: 2502 + - id: 2503 + title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." + rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" + compliance: + - cis_csc: "5.1" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' + - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' + + - id: 2504 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" compliance: - - cis: "2.3.6.1" - cis_csc: "13" condition: all rules: 
@@ -64,13 +87,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' - - id: 2503 + - id: 2505 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" compliance: - - cis: "2.3.6.2" - cis_csc: "13" condition: all rules: 
@@ -78,13 +100,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - - id: 2504 + - id: 2506 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" compliance: - - cis: "2.3.6.3" - cis_csc: "13" condition: all rules: 
@@ -92,27 +113,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' - - id: 2505 - title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" - description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." - rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" - compliance: - - cis: "2.3.6.4" - - cis_csc: "16" - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - - - id: 2506 + - id: 2507 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" compliance: - - cis: "2.3.6.4" - cis_csc: "16" condition: all rules: 
@@ -120,13 +126,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - - id: 2507 + - id: 2508 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" compliance: - - cis: "2.3.6.6" - cis_csc: "13" condition: all rules: 
@@ -134,13 +139,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' - - id: 2508 + - id: 2509 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name" compliance: - - cis: "2.3.7.1" - cis_csc: "13" condition: all rules: 
@@ -148,13 +152,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' - - id: 2509 + - id: 2510 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" compliance: - - cis: "2.3.7.2" - cis_csc: "8" condition: all rules: 
@@ -162,13 +165,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - - id: 2510 + - id: 2511 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" compliance: - - cis: "2.3.7.7" - cis_csc: "16" condition: all rules: 
@@ -176,13 +178,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' - - id: 2511 + - id: 2512 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" compliance: - - cis: "2.3.7.9" - cis_csc: "16.5" condition: all rules: 
@@ -190,13 +191,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - - id: 2512 + - id: 2513 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" compliance: - - cis: "2.3.8.1" - cis_csc: "13" condition: all rules: 
@@ -204,13 +204,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - - id: 2513 + - id: 2514 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" compliance: - - cis: "2.3.8.2" - cis_csc: "13" condition: all rules: 
@@ -218,13 +217,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - id: 2514 + - id: 2515 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" compliance: - - cis: "2.3.8.3" - cis_csc: "13" condition: all rules: 
@@ -232,28 +230,25 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
- - id: 2515
+ - id: 2516
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
 - cis_csc: "3"
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
- - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
- - id: 2516
+ - id: 2517
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
 - cis_csc: "13"
 condition: all
 rules:
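Review bot: Removing the `not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0` rule from check 2516 (the AutoDisconnect check at the top of this hunk) makes a value of 0 pass, because the remaining `n:^(\d+) compare <= 15` rule accepts 0, while the title and description still require "15 or fewer minute(s), but not 0" and the description says 0 appears to let sessions persist indefinitely. Either keep the removed line or add a second numeric rule so `condition: all` still rejects 0, e.g. `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare >= 1'`. The `not r:` form is still used unchanged for NullSessionShares later in this diff, so it does not look like the syntax itself was dropped; if the new rule engine cannot combine a `not` with a numeric compare, the `compare >= 1` form is the safer replacement.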
@@ -261,13 +256,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
- - id: 2517
+ - id: 2518
 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
 - cis_csc: "13"
 condition: all
 rules:
@@ -275,13 +269,25 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
- - id: 2518
+ - id: 2519
+ title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
+ description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
+ rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
+ compliance:
+ - cis_csc: "16"
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
+
+ - id: 2520
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
 - cis_csc: "16.14"
 condition: all
 rules:
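Review bot: The three rules of the new check 2519 spell the key as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`, while every other Lsa rule in this diff (DisableDomainCreds, EveryoneIncludesAnonymous, ForceGuest, NoLMHash, LmCompatibilityLevel) uses `HKEY_LOCAL_MACHINE\System\...`. Registry key names are matched case-insensitively, so this should be a style point rather than a functional one, but writing `\System\` keeps the new rules consistent and greppable with their siblings. The check's `compliance` also records only `cis_csc: "16"`, whereas the neighbouring credential-storage check uses the dotted sub-control `"16.14"`; if a sub-control applies here it is worth recording at the same granularity.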
@@ -289,13 +295,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
- - id: 2519
+ - id: 2521
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
 - cis_csc: "14, 16"
 condition: all
 rules:
@@ -303,13 +308,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
- - id: 2520
+ - id: 2522
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
 description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
 - cis_csc: "14, 16"
 condition: all
 rules:
@@ -317,13 +321,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
- - id: 2521
+ - id: 2523
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.10"
 - cis_csc: "14, 16"
 condition: all
 rules:
@@ -331,13 +334,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
- - id: 2522
+ - id: 2524
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.11"
 - cis_csc: "14, 16"
 condition: all
 rules:
@@ -345,13 +347,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
- - id: 2523
+ - id: 2525
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
 description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
 - cis_csc: "16.14"
 condition: all
 rules:
@@ -359,13 +360,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
- - id: 2524
+ - id: 2526
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
 description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
 - cis_csc: "13"
 condition: all
 rules:
@@ -373,13 +373,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
- - id: 2525
+ - id: 2527
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
 - cis_csc: "13"
 condition: all
 rules:
@@ -387,13 +386,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'
- - id: 2526
+ - id: 2528
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
 - cis_csc: "13"
 condition: all
 rules:
@@ -401,13 +399,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
- - id: 2527
+ - id: 2529
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
 - cis_csc: "13"
 references:
 - https://workbench.cisecurity.org/benchmarks/288
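Review bot: The `cis: "2.3.11.10"` mapping is removed from this check (as from the other hunks in this file), yet the retained `references:` entry still points at the CIS workbench benchmark and the descriptions here and in the preceding client-side check still cite "(Rule 2.3.11.7)", a CIS rule number that no longer resolves to anything in the policy. If the intent is to drop CIS identifiers from this policy altogether, those leftovers should be reconciled in the same change; if the intent is only to move the mapping elsewhere, a one-line comment above `compliance:` saying where the CIS numbers now live would save the next reader from guessing. This is inferred from the visible hunks; the commit message is not in view.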
@@ -417,26 +414,24 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
- - id: 2528
+ - id: 2530
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
- - id: 2529
+ - id: 2531
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
 description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
 - cis_csc: "14.4"
 condition: all
 rules:
@@ -444,13 +439,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
- - id: 2530
+ - id: 2532
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
 - cis_csc: "9.2"
 condition: all
 rules:
@@ -458,13 +452,12 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
- - id: 2531
+ - id: 2533
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
 - cis_csc: "9.2"
 condition: all
 rules:
@@ -472,7 +465,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
- - id: 2532
+ - id: 2534
 title: "Ensure Registry tools set is enabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -484,7 +477,7 @@ checks:
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'
- - id: 2533
+ - id: 2535
 title: "Ensure DCOM is enabled"
 description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
 compliance:
@@ -499,7 +492,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
- - id: 2534
+ - id: 2536
 title: "LM authentication not allowed (disable weak passwords)"
 compliance:
 - pci_dss: "10.6.1, 11.4"
@@ -513,7 +506,7 @@ checks:
 # Disabled by some Malwares (sometimes by McAfee and Symantec
 # security center too).
- - id: 2535
+ - id: 2537
 title: "Ensure Firewall/Anti Virus notifications are enabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -532,7 +525,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
 # Checking for the microsoft firewall.
- - id: 2536
+ - id: 2538
 title: "Ensure Microsoft Firewall is enabled"
 compliance:
 - pci_dss: "10.6.1, 1.4"
@@ -544,7 +537,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'
- - id: 2537
+ - id: 2539
 title: "Ensure Null sessions are not allowed"
 compliance:
 - pci_dss: "11.4"
@@ -555,7 +548,7 @@ checks:
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
- - id: 2538
+ - id: 2540
 title: "Ensure Turn off Windows Error reporting is enabled"
 compliance:
 - pci_dss: "10.6.1"
@@ -572,7 +565,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0' - - id: 2539 + - id: 2541 title: "Ensure Automatic Logon is disabled" compliance: - pci_dss: "10.6.1" @@ -584,7 +577,7 @@ checks: - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' - - id: 2540 + - id: 2542 title: "Ensure Winpcap packet filter driver is not present" compliance: - pci_dss: "10.6.1" 
@@ -595,13 +588,12 @@ checks: - 'f:%WINDIR%\System32\drivers\npf.sys' - 'f:%WINDIR%\Sysnative\drivers\npf.sys' - - id: 2541 + - id: 2543 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis: "18.4.1" - cis_csc: "16" references: - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows @@ -612,13 +604,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' - - id: 2542 + - id: 2544 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis: "18.4.2" - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -628,13 +619,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' - - id: 2543 + - id: 2545 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis: "18.4.3" - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -644,13 +634,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2' - - id: 2544 + - id: 2546 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis: "18.4.8" - cis_csc: "8" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -660,13 +649,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1' - - id: 2545 + - id: 2547 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis: "18.4.9" - cis_csc: "16.5" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -676,13 +664,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5' - - id: 2546 + - id: 2548 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis: "18.4.12" - cis_csc: "6.3" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -692,13 +679,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90' - - id: 2547 + - id: 2549 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis: "18.8.21.2" - cis_csc: "3.7" condition: all rules: 
@@ -706,13 +692,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0' - - id: 2548 + - id: 2550 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." rationale: "Users might download drivers that include malicious code." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.1" - cis_csc: "2" condition: all rules: 
@@ -720,13 +705,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1' - - id: 2549 + - id: 2551 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.5" - cis_csc: "7" condition: all rules: 
@@ -734,13 +718,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1' - - id: 2550 + - id: 2552 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.6" - cis_csc: "13.1" condition: all rules: 
@@ -748,13 +731,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1' - - id: 2551 + - id: 2553 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis: "18.8.35.1" - cis_csc: "9.1" condition: all rules: 
@@ -762,13 +744,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0' - - id: 2552 + - id: 2554 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis: "18.8.35.2" - cis_csc: "5.1" condition: all rules: 
@@ -776,13 +757,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' - - id: 2553 + - id: 2555 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.8.3" - cis_csc: "8.3" condition: all rules: 
@@ -790,13 +770,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' - - id: 2554 + - id: 2556 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.2.2" - cis_csc: "16.4" condition: all rules: 
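Review bot: The two leading context lines of this hunk (the rules of the preceding Autoplay check, renumbered 2555 in this patch) read `...\Policies\Explorer-> NoDriveTypeAutoRun` with no space before `->`, unlike every other registry rule in this chunk, which uses ` -> `. If the rule parser splits on the spaced arrow, the key path would be taken as `...\Explorer->` and the check could never match, so Autoplay would report as failed regardless of the registry value — worth verifying against a host with `NoDriveTypeAutoRun` set to 255. Since the block is being touched anyway, both lines should become `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'`.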
@@ -804,13 +783,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - - id: 2555 + - id: 2557 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.3.3.2" - cis_csc: "13" condition: all rules: 
@@ -818,13 +796,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' - - id: 2556 + - id: 2558 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." 
compliance: - - cis: "18.9.58.3.9.1" - cis_csc: "16.14" condition: all rules: @@ -832,13 +809,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - - id: 2557 + - id: 2559 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.3.9.3" - cis_csc: "3.4" condition: all rules: 
@@ -846,13 +822,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' - - id: 2558 + - id: 2560 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.85.2" - cis_csc: "5.1" condition: all rules: 
@@ -860,13 +835,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - - id: 2559 + - id: 2561 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.101.2" - cis_csc: "4.5" condition: all rules: 
@@ -874,13 +848,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - - id: 2560 + - id: 2562 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." 
compliance: - - cis: "18.9.101.4" - cis_csc: "4.5" condition: all rules: @@ -888,13 +861,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0' - - id: 2561 + - id: 2563 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - - cis: "18.4.10" - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -904,13 +876,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' - - id: 2562 + - id: 2564 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - - cis: "18.4.11" - cis_csc: "9" references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
@@ -920,13 +891,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' - - id: 2563 + - id: 2565 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.8" - cis_csc: "13" condition: all rules: 
@@ -934,13 +904,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' - - id: 2564 + - id: 2566 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.10" - cis_csc: "13" condition: all rules: 
@@ -948,13 +917,12 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' - - id: 2565 + - id: 2567 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.11" - cis_csc: "13" condition: all rules: 
@@ -962,16 +930,41 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' - - id: 2566 + - id: 2568 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - - cis: "18.8.22.1.13" - cis_csc: "13" condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' \ No newline at end of file + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' + + - id: 2569 + title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" + description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers." + rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication" + compliance: + - cis_csc: "9.1, 9.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1' + + - id: 2570 + title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" + description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. 
-- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'" + rationale: "Unauthenticated RPC communication can create a security vulnerability." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" + compliance: + - cis_csc: "9.1, 9.2" + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' \ No newline at end of file From 042132fc92f80949ce4b637cf4db38289c7f095b Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 10:33:38 +0200 Subject: [PATCH 177/247] Change name for generic policies --- sca/generic/{unix_audit.yml => sca_unix_audit.yml} | 0 sca/windows/{win_audit.yml => sca_win_audit.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename sca/generic/{unix_audit.yml => sca_unix_audit.yml} (100%) rename sca/windows/{win_audit.yml => sca_win_audit.yml} (100%) diff --git a/sca/generic/unix_audit.yml b/sca/generic/sca_unix_audit.yml similarity index 100% rename from sca/generic/unix_audit.yml rename to sca/generic/sca_unix_audit.yml diff --git a/sca/windows/win_audit.yml b/sca/windows/sca_win_audit.yml similarity index 100% rename from sca/windows/win_audit.yml rename to sca/windows/sca_win_audit.yml From 0a530f29156852530f4aaa103688aaed308bb450 Mon Sep 17 00:00:00 2001 
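Review bot: The new description for check 2570 ends with a stray single quote before the closing double quote (`is not recommended.'"`), so the literal `'` becomes the last character of the description value; drop it. Both new checks carry `- cis_csc: "9.1, 9.2"` as one comma-joined string, while the other checks visible in this diff hold one reference per entry — split it into `- cis_csc: "9.1"` and `- cis_csc: "9.2"` so consumers do not have to parse the value. Both descriptions say the setting must not be applied to Domain Controllers, yet the policy carries no such scoping; a comment on each check, or a note in the policy's requirements (outside this hunk), would keep that deployment caveat in front of whoever rolls the policy out. The file also still ends without a trailing newline after the last added rule.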
From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 11:15:38 +0200 Subject: [PATCH 178/247] Fix some typos --- sca/rhel/6/cis_rhel6_linux_rcl.yml | 2 +- sca/windows/cis_win2012r2_memberL2_rcl.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/rhel/6/cis_rhel6_linux_rcl.yml b/sca/rhel/6/cis_rhel6_linux_rcl.yml index 9c1613ca0..0382135e2 100644 --- a/sca/rhel/6/cis_rhel6_linux_rcl.yml +++ b/sca/rhel/6/cis_rhel6_linux_rcl.yml @@ -828,7 +828,7 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: ["5].2.7" + - cis: ["5.2.7"] - cis_csc: ["9"] - pci_dss: ["4.1"] - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] diff --git a/sca/windows/cis_win2012r2_memberL2_rcl.yml b/sca/windows/cis_win2012r2_memberL2_rcl.yml index f70cd8fb9..7279a5cc6 100644 --- a/sca/windows/cis_win2012r2_memberL2_rcl.yml +++ b/sca/windows/cis_win2012r2_memberL2_rcl.yml @@ -310,7 +310,7 @@ checks: rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task" compliance: - - cis: 18.8.22.1.9" + - cis: ["18.8.22.1.9"] - cis_csc: ["13"] condition: all rules: From 5c1548d5bb2f54aeaa976cad185c2846c301ae7e Mon Sep 17 00:00:00 2001 
From: Skeptor Date: Fri, 28 Jun 2019 12:25:19 +0200 Subject: [PATCH 179/247] Change compliance format --- sca/applications/cis_apache2224.yml | 144 +-- sca/applications/cis_mysql5-6_community.yml | 38 +- sca/applications/cis_mysql5-6_enterprise.yml | 52 +- sca/applications/web_vulnerabilities.yml | 48 +- sca/darwin/15/cis_apple_macOS_10.11.yml | 66 +- sca/darwin/16/cis_apple_macOS_10.12.yml | 60 +- sca/darwin/17/cis_apple_macOS_10.13.yml | 60 +- sca/darwin/web_vulnerabilities.yml | 145 +++ sca/debian/cis_debian7_L1.yml | 235 +++-- sca/debian/cis_debian7_L2.yml | 58 +- sca/debian/cis_debian8_L1.yml | 392 ++++---- sca/debian/cis_debian8_L2.yml | 112 +-- sca/debian/cis_debian_linux_rcl.yml | 517 +++++++++++ sca/generic/system_audit_pw.yml | 160 ++++ sca/generic/system_audit_ssh.yml | 137 +++ sca/rhel/5/cis_rhel5_linux.yml | 272 +++--- sca/rhel/6/cis_rhel6_linux.yml | 330 +++---- sca/rhel/7/cis_rhel7_linux.yml | 392 ++++---- sca/sles/11/cis_sles11_linux.yml | 346 +++---- sca/sles/12/cis_sles12_linux.yml | 384 ++++---- sca/sunos/cis_solaris11.yml | 110 +-- sca/windows/acsc_office2016.yml | 14 +- sca/windows/cis_win10_enterprise_L1.yml | 918 +++++++++---------- sca/windows/cis_win10_enterprise_L2.yml | 332 +++---- sca/windows/cis_win2012r2_domainL1.yml | 614 ++++++------- sca/windows/cis_win2012r2_domainL2.yml | 148 +-- sca/windows/cis_win2012r2_memberL1.yml | 634 ++++++------- sca/windows/cis_win2012r2_memberL2.yml | 170 ++-- sca/windows/win_audit_rcl.yml | 146 +++ 29 files changed, 4106 insertions(+), 2928 deletions(-) create mode 100644 sca/darwin/web_vulnerabilities.yml create mode 100644 sca/debian/cis_debian_linux_rcl.yml create mode 100644 sca/generic/system_audit_pw.yml create mode 100644 sca/generic/system_audit_ssh.yml create mode 100644 sca/windows/win_audit_rcl.yml diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index 7f9107681..261513ed5 100644 --- a/sca/applications/cis_apache2224.yml 
+++ b/sca/applications/cis_apache2224.yml @@ -51,8 +51,8 @@ checks: rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls." remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file." compliance: - - cis: "2.3" - - cis_csc: "9.1" + - cis: ["2.3"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_dav.html - https://httpd.apache.org/docs/2.4/mod/mod_dav.html @@ -67,8 +67,8 @@ checks: rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files." remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file." compliance: - - cis: "2.4" - - cis_csc: "9.1" + - cis: ["2.4"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_status.html - https://httpd.apache.org/docs/2.4/mod/mod_status.html 
@@ -83,8 +83,8 @@ checks: rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed." remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file." compliance: - - cis: "2.5" - - cis_csc: "18" + - cis: ["2.5"] + - cis_csc: ["18"] references: - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html @@ -99,8 +99,8 @@ checks: rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended." remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file." compliance: - - cis: "2.6" - - cis_csc: "9.1" + - cis: ["2.6"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html 
@@ -115,8 +115,8 @@ checks: rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network." remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file." compliance: - - cis: "2.7" - - cis_csc: "18" + - cis: ["2.7"] + - cis_csc: ["18"] references: - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html @@ -131,8 +131,8 @@ checks: rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules." remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file." compliance: - - cis: "2.8" - - cis_csc: "9.1" + - cis: ["2.8"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_info.html - https://httpd.apache.org/docs/2.4/mod/mod_info.html @@ -147,8 +147,8 @@ checks: rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system." remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" compliance: - - cis: "3.2" - - cis_csc: "16" + - cis: ["3.2"] + - cis_csc: ["16"] condition: none rules: - 'f:/etc/passwd -> r:apache' 
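Review bot: In the `@@ -147` hunk the rule `f:/etc/passwd -> r:apache` under `condition: none` fails the check whenever any passwd line mentions apache, regardless of the shell field, so an account already set to /sbin/nologin is still reported as non-compliant. The title and rationale are about the login shell, so the pattern should anchor on the account and exclude the valid non-login shells, e.g. `- 'f:/etc/passwd -> r:^apache: && !r:/sbin/nologin$|/dev/null$|/bin/false$'` (confirm the anchoring and alternation against the SCA regex dialect). The check's rules list may continue past the end of the hunk, but a further rule cannot repair this one, since under `none` a single matching rule already fails the check.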
@@ -160,8 +160,8 @@ checks: rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password." remediation: "Use the passwd command to lock the apache account: # passwd -l apache" compliance: - - cis: "3.3" - - cis_csc: "16" + - cis: ["3.3"] + - cis_csc: ["16"] condition: all rules: - 'c:passwd -S apache -> r:Password locked' @@ -173,8 +173,8 @@ checks: rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." compliance: - - cis: "4.4" - - cis_csc: "14.4" + - cis: ["4.4"] + - cis_csc: ["14.4"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride 
@@ -193,8 +193,8 @@ checks: rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes." remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." compliance: - - cis: "5.3" - - cis_csc: "18" + - cis: ["5.3"] + - cis_csc: ["18"] references: - https://httpd.apache.org/docs/2.2/mod/mod_include.html - https://httpd.apache.org/docs/2.2/mod/core.html#options @@ -212,8 +212,8 @@ checks: rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." compliance: - - cis: "5.4" - - cis_csc: "18.9" + - cis: ["5.4"] + - cis_csc: ["18.9"] condition: none rules: - 'd:/var/www -> index.html' 
@@ -226,8 +226,8 @@ checks: rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." compliance: - - cis: "5.4" - - cis_csc: "18.9" + - cis: ["5.4"] + - cis_csc: ["18.9"] condition: none rules: - 'd:$confdirs -> r:manual.conf|apache2-doc.conf' @@ -239,8 +239,8 @@ checks: rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." compliance: - - cis: "5.4" - - cis_csc: "18.9" + - cis: ["5.4"] + - cis_csc: ["18.9"] condition: none rules: - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler' 
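Review bot: The two 5.4 checks in this line refer to the configuration-directory variable under two spellings, `d:$confdirs -> r:manual.conf|apache2-doc.conf` in the `@@ -226` hunk and `d:$conf-dirs -> conf -> !r:^# && r:/wsethandler` in the `@@ -239` hunk; only one can match the name declared in the policy's variables block (outside this view), so the other rule evaluates against an unresolved path and the check silently passes or fails for the wrong reason. Use the declared spelling in both rules. The pattern `r:/wsethandler` also looks like a damaged `SetHandler` match; worth confirming against the directive the check is meant to detect before the compliance-format change lands on top of it.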
@@ -253,8 +253,8 @@ checks:
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
 remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed."
 compliance:
- - cis: "5.5"
- - cis_csc: "18"
+ - cis: ["5.5"]
+ - cis_csc: ["18"]
 condition: none
 rules:
 - 'd:/var/www/cgi-bin -> printenv'
@@ -267,8 +267,8 @@ checks:
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
 remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. Remove the test-cgi default CGI in the cgi-bin directory if it is installed."
 compliance:
- - cis: "5.6"
- - cis_csc: "18.9"
+ - cis: ["5.6"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:/var/www/cgi-bin -> test-cgi'
@@ -281,8 +281,8 @@ checks:
 rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
 remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory."
 compliance:
- - cis: "5.7"
- - cis_csc: "9.1"
+ - cis: ["5.7"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
 - https://www.ietf.org/rfc/rfc2616.txt
@@ -299,8 +299,8 @@ checks:
 rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
 remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like or ."
 compliance:
- - cis: "5.8"
- - cis_csc: "9.1"
+ - cis: ["5.8"]
+ - cis_csc: ["9.1"]
 references:
 - https://www.ietf.org/rfc/rfc2616.txt
 - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
@@ -316,8 +316,8 @@ checks:
 rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
 remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port."
 compliance:
- - cis: "5.13"
- - cis_csc: "9.1"
+ - cis: ["5.13"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
 - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
@@ -337,8 +337,8 @@ checks:
 rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
 remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN"
 compliance:
- - cis: "5.14"
- - cis_csc: "18"
+ - cis: ["5.14"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
 - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
@@ -355,8 +355,8 @@ checks:
 rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
 remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site."
 compliance:
- - cis: "6.1"
- - cis_csc: "6.2"
+ - cis: ["6.1"]
+ - cis_csc: ["6.2"]
 references:
 - https://httpd.apache.org/docs/2.2/logs.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
@@ -376,8 +376,8 @@ checks:
 rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
 remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary."
 compliance:
- - cis: "6.2"
- - cis_csc: "6.6"
+ - cis: ["6.2"]
+ - cis_csc: ["6.6"]
 references:
 - https://httpd.apache.org/docs/2.2/logs.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
@@ -396,8 +396,8 @@ checks:
 rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation."
 remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, no action is required: SSLInsecureRenegotiation off"
 compliance:
- - cis: "7.6"
- - cis_csc: "14.2"
+ - cis: ["7.6"]
+ - cis_csc: ["14.2"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
 - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
@@ -414,8 +414,8 @@ checks:
 rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator."
 remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off."
 compliance:
- - cis: "7.7"
- - cis_csc: "14.2"
+ - cis: ["7.7"]
+ - cis_csc: ["14.2"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
 - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
@@ -432,8 +432,8 @@ checks:
 rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically."
 remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
 compliance:
- - cis: "8.1"
- - cis_csc: "18.9"
+ - cis: ["8.1"]
+ - cis_csc: ["18.9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
 condition: any
@@ -448,8 +448,8 @@ checks:
 rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information."
 remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
 compliance:
- - cis: "8.2"
- - cis_csc: "18"
+ - cis: ["8.2"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
 - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
@@ -465,8 +465,8 @@ checks:
 rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
 remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out."
 compliance:
- - cis: "8.4"
- - cis_csc: "18.9"
+ - cis: ["8.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf'
@@ -479,8 +479,8 @@ checks:
 rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
 remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less."
 compliance:
- - cis: "9.1"
- - cis_csc: "9"
+ - cis: ["9.1"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#timeout
 - https://httpd.apache.org/docs/2.4/mod/core.html#timeout
@@ -495,8 +495,8 @@ checks:
 rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
 remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On."
 compliance:
- - cis: "9.2"
- - cis_csc: "9"
+ - cis: ["9.2"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
 - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
@@ -511,8 +511,8 @@ checks:
 rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks."
 remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more."
 compliance:
- - cis: "9.3"
- - cis_csc: "9"
+ - cis: ["9.3"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests
 - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
@@ -527,8 +527,8 @@ checks:
 rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks."
 remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less."
 compliance:
- - cis: "9.4"
- - cis_csc: "9"
+ - cis: ["9.4"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout
 - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
@@ -543,8 +543,8 @@ checks:
 rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies."
 remediation: "Load the mod_requesttimeout module in the Apache configuration. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less."
 compliance:
- - cis: "9.5"
- - cis_csc: "9"
+ - cis: ["9.5"]
+ - cis_csc: ["9"]
 references:
 - https://ha.ckers.org/slowloris/
 - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
@@ -562,8 +562,8 @@ checks:
 rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks."
 remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less."
 compliance:
- - cis: "9.6"
- - cis_csc: "9"
+ - cis: ["9.6"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
 - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
@@ -579,8 +579,8 @@ checks:
 rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less."
 compliance:
- - cis: "10.1"
- - cis_csc: "9"
+ - cis: ["10.1"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
@@ -595,8 +595,8 @@ checks:
 rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100."
 compliance:
- - cis: "10.2"
- - cis_csc: "9"
+ - cis: ["10.2"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
@@ -611,8 +611,8 @@ checks:
 rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less."
 compliance:
- - cis: "10.3"
- - cis_csc: "9"
+ - cis: ["10.3"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
@@ -627,8 +627,8 @@ checks:
 rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server."
 compliance:
- - cis: "10.4"
- - cis_csc: "9"
+ - cis: ["10.4"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml
index cae172d81..459a7e5e9 100644
--- a/sca/applications/cis_mysql5-6_community.yml
+++ b/sca/applications/cis_mysql5-6_community.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
 remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
 - https://bugs.mysql.com/bug.php?id=72158
@@ -47,7 +47,7 @@ checks:
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
 remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: none
 rules:
 - 'c:getent passwd mysql -> r:^\s$'
@@ -58,7 +58,7 @@ checks:
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
 remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
 compliance:
- - cis: "1.6"
+ - cis: ["1.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
 condition: none
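Review bot: The CIS 1.5 rule `c:getent passwd mysql -> r:^\s$` in the second hunk can never match real output — it matches only a line consisting of a single whitespace character, whereas `getent passwd mysql` prints a colon-separated passwd entry — so with `condition: none` the check passes no matter what login shell the mysql account has. The rule should instead flag an entry whose shell is not one of the non-interactive shells the remediation names, e.g. `- 'c:getent passwd mysql -> !r:/bin/false$|/sbin/nologin$|/usr/sbin/nologin$'`, keeping `condition: none` so any other shell fails the check. Exact regex syntax follows the agent's rule engine, which is not visible here; please confirm the alternation and anchor behave as intended.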
@@ -72,7 +72,7 @@ checks:
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
 remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
@@ -86,7 +86,7 @@ checks:
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
 remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
@@ -100,7 +100,7 @@ checks:
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
 remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
 condition: all
@@ -113,7 +113,7 @@ checks:
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
 remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
@@ -127,7 +127,7 @@ checks:
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
 remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.8"
+ - cis: ["4.8"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
 condition: all
@@ -140,7 +140,7 @@ checks:
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
 remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
 compliance:
- - cis: "4.9"
+ - cis: ["4.9"]
 condition: all
 rules:
 - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
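Review bot: The CIS 4.9 rule in the last hunk runs `grep -Rh strict_all_tables` without `-i`, but `grep` is case-sensitive and sql_mode values are written in upper case (the remediation text itself says `STRICT_ALL_TABLES`), so on a correctly hardened host the command returns nothing and the `condition: all` check fails; conversely a commented-out `#sql_mode=STRICT_ALL_TABLES` would satisfy it, because unlike the 7.4 rule later in this file there is no `!r:^\s*#` guard. Suggested rule: `- 'c:grep -Rhi strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:strict_all_tables'`. Whether the agent's `r:` matcher is itself case-insensitive does not help here, since the filtering happens in `grep` before the regex sees any output.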
@@ -152,7 +152,7 @@ checks:
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
 remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
 compliance:
- - cis: "6.1"
+ - cis: ["6.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
 condition: all
@@ -165,7 +165,7 @@ checks:
 rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
 remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
@@ -179,7 +179,7 @@ checks:
 rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
 remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
 condition: all
@@ -192,7 +192,7 @@ checks:
 rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
 remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
@@ -207,7 +207,7 @@ checks:
 rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
 remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
 compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
 - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
@@ -224,7 +224,7 @@ checks:
 rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
 remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
 compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
 condition: all
@@ -237,7 +237,7 @@ checks:
 rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
 remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
 compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
 condition: none
@@ -250,7 +250,7 @@ checks:
 rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
 remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
 compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
 condition: all
 rules:
 - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
@@ -261,7 +261,7 @@ checks:
 rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
 remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
 compliance:
- - cis: "7.6"
+ - cis: ["7.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
 condition: all
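Review bot: The CIS 7.4 rule in the first hunk has two problems that make it fail on compliant hosts: `grep -Rh no_auto_create_user` is case-sensitive while the value is written `NO_AUTO_CREATE_USER` (as the remediation itself shows), and the regex `r:\s*no_auto_create_user\s*$` is anchored to end of line, so a typical `sql_mode=NO_AUTO_CREATE_USER,STRICT_ALL_TABLES` line does not match even if grep did find it. Suggested rule: `- 'c:grep -Rhi no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:no_auto_create_user'`. The comment-exclusion guard already present here is the right pattern; the 4.9 rule earlier in the file should be brought in line with it.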
@@ -281,7 +281,7 @@ checks:
 rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
 remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
 compliance:
- - cis: "9.2"
+ - cis: ["9.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
 condition: all
diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml
index e3bf9be80..f87edcff1 100644
--- a/sca/applications/cis_mysql5-6_enterprise.yml
+++ b/sca/applications/cis_mysql5-6_enterprise.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
 remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
 - https://bugs.mysql.com/bug.php?id=72158
@@ -47,7 +47,7 @@ checks:
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
 remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: none
 rules:
 - 'c:getent passwd mysql -> r:^\s$'
@@ -58,7 +58,7 @@ checks:
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
 remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
 compliance:
- - cis: "1.6"
+ - cis: ["1.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
 condition: none
@@ -72,7 +72,7 @@ checks:
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
 remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
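Review bot: The enterprise copy of CIS 1.5 in the first hunk carries the same inert rule as the community policy: `r:^\s$` cannot match a passwd entry, so under `condition: none` the check passes regardless of the mysql account's shell. Replace it with a rule that flags any shell other than the ones named in the remediation, e.g. `- 'c:getent passwd mysql -> !r:/bin/false$|/sbin/nologin$|/usr/sbin/nologin$'`, and keep the two policy files in sync since they appear to be maintained as duplicates.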
@@ -86,7 +86,7 @@ checks:
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
 remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
@@ -100,7 +100,7 @@ checks:
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
 remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
 condition: all
@@ -113,7 +113,7 @@ checks:
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
 remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
@@ -127,7 +127,7 @@ checks:
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
 remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.8"
+ - cis: ["4.8"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
 condition: all
@@ -140,7 +140,7 @@ checks:
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
 remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
 compliance:
- - cis: "4.9"
+ - cis: ["4.9"]
 condition: all
 rules:
 - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
@@ -152,7 +152,7 @@ checks:
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
 remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
 compliance:
- - cis: "6.1"
+ - cis: ["6.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
 condition: all
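Review bot: The enterprise CIS 4.9 rule in the middle hunk has the same case-sensitivity defect as the community file: `grep -Rh strict_all_tables` will not find the upper-case `STRICT_ALL_TABLES` the remediation asks for, so the `condition: all` check fails on hardened hosts, and commented-out lines are not excluded. Use `grep -Rhi` and add a comment guard, e.g. `-> !r:^\s*\t*# && r:strict_all_tables`, mirroring the 7.4 rule that already does this.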
@@ -165,7 +165,7 @@ checks:
rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
@@ -179,7 +179,7 @@ checks:
rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
condition: all
@@ -192,7 +192,7 @@ checks:
rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
@@ -207,7 +207,7 @@ checks:
rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
- https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
@@ -224,7 +224,7 @@ checks:
rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
condition: all
@@ -237,7 +237,7 @@ checks:
rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
condition: none
@@ -250,7 +250,7 @@ checks:
rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
condition: all
rules:
- 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
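Review bot: The 7.4 rule's `r:\s*no_auto_create_user\s*$` only matches when the token ends the line, so a combined mode list such as `sql_mode=NO_AUTO_CREATE_USER,STRICT_ALL_TABLES` (what 4.9 in this same file asks for) fails the check even though the mode is set. The `grep -Rh no_auto_create_user` is also case-sensitive while the remediation adds the upper-case `NO_AUTO_CREATE_USER`, so a correctly configured server yields no grep output. Suggest `grep -Rhi` and dropping the end anchor: `-> !r:^\s*\t*# && r:no_auto_create_user|NO_AUTO_CREATE_USER`.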
@@ -261,7 +261,7 @@ checks:
rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
compliance:
- - cis: "7.6"
+ - cis: ["7.6"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
condition: all
@@ -281,7 +281,7 @@ checks:
rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
compliance:
- - cis: "9.2"
+ - cis: ["9.2"]
references:
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
condition: all
@@ -295,7 +295,7 @@ checks:
rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation."
remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file."
compliance:
- - cis: "6.5"
+ - cis: ["6.5"]
condition: none
rules:
- 'c:grep -Rh audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE'
@@ -306,7 +306,7 @@ checks:
rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable."
remediation: "Set audit_log_exclude_accounts=NULL in my.cnf."
compliance:
- - cis: "6.6"
+ - cis: ["6.6"]
condition: all
rules:
- 'c:grep -Rh audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$'
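Review bot: With `condition: none`, the 6.5 check passes when `audit_log_connection_policy` is not set at all or is only present in a commented line, yet the rationale's last sentence argues that the value must be set explicitly so that `audit_log_policy` cannot override it. If that is the intent, the check should be `condition: all` with a positive match on the accepted values, e.g. `-> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s*ERRORS|audit_log_connection_policy\s*=\s*ALL` (plus lower-case variants as the other rules do). As written, a missing option is reported as compliant.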
@@ -317,7 +317,7 @@ checks:
rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
remediation: "Set audit_log_include_accounts=NULL in my.cnf."
compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
condition: all
rules:
- 'c:grep -Rh audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
@@ -328,7 +328,7 @@ checks:
rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';"
compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
condition: all
rules:
- 'c:grep -Rh audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
@@ -339,7 +339,7 @@ checks:
rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log."
remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server."
compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
condition: all
rules:
- 'c:grep -Rh audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
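Review bot: The 6.9 rule `r:ALL|LOGINS|all|logins` accepts `audit_log_policy=LOGINS` as compliant, but LOGINS records only connection events, which is precisely the partial logging the rationale and the `audit_log_policy='ALL'` remediation reject. The alternation should be reduced to the value the control requires, `r:ALL|all`, and since `ALL` also appears inside other words it is safer to tie it to the assignment, e.g. `r:=\s*ALL|=\s*'ALL'|=\s*all|=\s*'all'`.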
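Review bot: The 6.10 rule ends with `r:all$|ALL$`, so the quoted form the remediation itself prescribes, `audit_log_statement_policy='ALL'`, never matches because the line ends with a quote, and a server fixed exactly as instructed fails the check. The rule is also the only one in this group without the `!r:^\s*\t*#` guard, so a commented-out `# audit_log_statement_policy=ALL` satisfies it. Suggested tail: `-> !r:^\s*\t*# && r:audit_log_statement_policy\s*=\s* && r:=\s*ALL|=\s*'ALL'|=\s*all|=\s*'all'`.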
@@ -350,7 +350,7 @@ checks:
rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead."
remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)."
compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
condition: all
rules:
- 'c:grep -Rh audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
@@ -361,7 +361,7 @@ checks:
rationale: "This makes disables unloading on the plugin."
remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)."
compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
condition: all
rules:
- 'c:grep -Rh force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT'
diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml
index 156801d8d..25cd7902b 100644
--- a/sca/applications/web_vulnerabilities.yml
+++ b/sca/applications/web_vulnerabilities.yml
@@ -55,8 +55,8 @@ checks:
- id: 1004
title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^.yop$'
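Review bot: The 6.11 pattern `r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS` is unanchored and `SYNCHRONOUS` is a suffix of `ASYNCHRONOUS`, so the least durable setting, `audit_log_strategy=ASYNCHRONOUS`, passes this check. Anchor the alternatives to the assignment, e.g. `r:=\s*SYNCHRONOUS|=\s*'SYNCHRONOUS|=\s*SEMISYNCHRONOUS|=\s*'SEMISYNCHRONOUS` (lower-case variants likewise), and add the `!r:^\s*\t*#` guard the 6.5–6.7 rules use so a commented line cannot satisfy it.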
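Review bot: The 6.12 rule cannot pass on a server configured as its own remediation prescribes: `grep -Rh force_plus_permanent` is case-sensitive, so the upper-case `FORCE_PLUS_PERMANENT` line never reaches the regex (making the `FORCE_PLUS_PERMANENT` alternative dead), and the regex `^audit_log\s*=\s*force_plus_permanent` requires an unindented key and an unquoted value, whereas the remediation writes `audit_log = 'FORCE_PLUS_PERMANENT'` with quotes. Suggest `grep -Rhi force_plus_permanent` with the tail `-> !r:^\s*\t*# && r:^\s*audit_log\s*=\s*'*force_plus_permanent|^\s*audit_log\s*=\s*'*FORCE_PLUS_PERMANENT`. The rationale "This makes disables unloading on the plugin." also needs rewording, e.g. "This prevents the audit plugin from being unloaded at runtime."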
@@ -64,8 +64,8 @@ checks:
- id: 1005
title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^id$'
@@ -73,8 +73,8 @@ checks:
- id: 1006
title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^.ssh$'
@@ -82,8 +82,8 @@ checks:
- id: 1007
title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^...$'
@@ -91,8 +91,8 @@ checks:
- id: 1008
title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^.shell$'
@@ -101,8 +101,8 @@ checks:
- id: 1009
title: "Web vulnerability - Outdated WordPress installation"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2'
@@ -110,8 +110,8 @@ checks:
- id: 1010
title: "Web vulnerability - Outdated Joomla installation"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2'
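Review bot: Check 1009's rule `r:^\.wp_version && r:4.4.2` matches exactly one literal release string, so every other outdated WordPress version passes and the title "Outdated WordPress installation" promises far more than is checked; the same holds for 1010's `r:3.4.8`. Either the titles should name the single release they detect (e.g. "WordPress 4.4.2 detected (known vulnerable)") or the rules need a version comparison if the SCA rule grammar offers one for file content. As written, this is a signature for one release, not an "outdated installation" check.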
@@ -119,8 +119,8 @@ checks:
- id: 1011
title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-'
@@ -129,8 +129,8 @@ checks:
- id: 1012
title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
@@ -138,8 +138,8 @@ checks:
- id: 1013
title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
condition: none
rules:
- 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
@@ -147,8 +147,8 @@ checks:
- id: 1014
title: "Web vulnerability - .htaccess file compromised"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
references:
- https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
condition: none
@@ -158,8 +158,8 @@ checks:
- id: 1015
title: "Web vulnerability - .htaccess file compromised - auto append"
compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
references:
- https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
condition: none
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index 93ab41f4e..0ba3fc8ab 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -35,7 +35,7 @@ checks:
rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
compliance:
- - cis: "1.1"
+ - cis: ["1.1"]
condition: all
rules:
- 'c:softwareupdate -l -> r:No new software available'
@@ -47,7 +47,7 @@ checks:
rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
compliance:
- - cis: "1.2"
+ - cis: ["1.2"]
references:
- https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
- https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
@@ -62,7 +62,7 @@ checks:
rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
@@ -74,7 +74,7 @@ checks:
rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
compliance:
- - cis: "1.4"
+ - cis: ["1.4"]
references:
- https://www.thesafemac.com/tag/xprotect/
- https://support.apple.com/en-us/HT202491
@@ -90,7 +90,7 @@ checks:
rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
@@ -102,7 +102,7 @@ checks:
rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
compliance:
- - cis: "2.2.1"
+ - cis: ["2.2.1"]
condition: all
rules:
- 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
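Review bot: The 2.2.1 remediation `sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on` has lost the time-server argument, so read literally it passes the word `sudo` to `-setnetworktimeserver` and the second command is never run as a separate step. It should read `sudo systemsetup -setnetworktimeserver <time.example.org>` followed by `sudo systemsetup -setusingnetworktime on`, with the placeholder clearly marked so an administrator does not paste it verbatim.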
@@ -114,7 +114,7 @@ checks:
rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network."
remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo"
compliance:
- - cis: "2.2.3"
+ - cis: ["2.2.3"]
condition: all
rules:
- 'f:/etc/ntp-restrict.conf -> r:restrict lo'
@@ -126,7 +126,7 @@ checks:
rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
compliance:
- - cis: "2.4.1"
+ - cis: ["2.4.1"]
condition: all
rules:
- 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
@@ -138,7 +138,7 @@ checks:
rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
compliance:
- - cis: "2.4.4"
+ - cis: ["2.4.4"]
condition: none
rules:
- 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
@@ -150,7 +150,7 @@ checks:
rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers."
remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
compliance:
- - cis: "2.4.5"
+ - cis: ["2.4.5"]
condition: all
rules:
- 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
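Review bot: The 2.2.3 rule `f:/etc/ntp-restrict.conf -> r:restrict lo` has no commented-line guard and matches as a substring, so a commented-out `#restrict lo` satisfies it, while the two other lines the remediation requires (`interface ignore wildcard`, `interface listen lo`) are never checked at all. Suggest `f:/etc/ntp-restrict.conf -> !r:^\s*# && r:^restrict lo\s*$` plus a second rule `f:/etc/ntp-restrict.conf -> !r:^\s*# && r:^interface ignore wildcard` under the existing `condition: all`.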
@@ -162,7 +162,7 @@ checks:
rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
compliance:
- - cis: "2.4.8"
+ - cis: ["2.4.8"]
condition: none
rules:
- 'c:launchctl list -> r:AppleFileServer'
@@ -175,7 +175,7 @@ checks:
rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
compliance:
- - cis: "2.5.1"
+ - cis: ["2.5.1"]
condition: none
rules:
- 'c:pmset -c -g -> r:womp && !r:\s0$'
@@ -188,7 +188,7 @@ checks:
rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
compliance:
- - cis: "2.6.1"
+ - cis: ["2.6.1"]
condition: all
rules:
- 'c:diskutil cs list -> r:^Encryption Status && r:Unlocked'
@@ -201,7 +201,7 @@ checks:
rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
remediation: "Run the following command in Terminal: sudo spctl --master-enable"
compliance:
- - cis: "2.6.2"
+ - cis: ["2.6.2"]
condition: all
rules:
- 'c:spctl --status -> r:^assessments\s*\t*enabled$'
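Review bot: The 2.5.1 remediation runs `sudo pmset -a womp 0` but the note that follows explains the `-c` flag ("wall power"), and the rule queries `pmset -c -g`, so the text and the check disagree about which power source is meant. Since `-a` applies to all sources it still satisfies the `-c` query, so the check is not wrong, only the explanation; either change the command to `sudo pmset -c womp 0` to match the note and the rule, or drop the note.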
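Review bot: The 2.6.1 rule `c:diskutil cs list -> r:^Encryption Status && r:Unlocked` tests CoreStorage volume state rather than FileVault itself, and `diskutil cs list` prints those per-volume lines indented under a tree, so the `^` anchor looks like it can never match and the check would always fail (assumption from typical output — please verify on a 10.11 host). `c:fdesetup status -> r:FileVault is On` asks the question directly and does not depend on volume layout, so I would replace the rule with that.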
@@ -213,7 +213,7 @@ checks:
rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
compliance:
- - cis: "2.6.3"
+ - cis: ["2.6.3"]
references:
- https://support.apple.com/en-us/HT201642
condition: all
@@ -227,7 +227,7 @@ checks:
rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
compliance:
- - cis: "2.6.4"
+ - cis: ["2.6.4"]
references:
- https://support.apple.com/en-us/HT201642
condition: all
@@ -241,7 +241,7 @@ checks:
rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
condition: all
rules:
- 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
@@ -253,7 +253,7 @@ checks:
rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used."
compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
condition: none
rules:
- 'c:java -version -> r:1.6.0'
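Review bot: The 2.6.3 remediation `defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = ... - 2 = ...` has lost its placeholder and the `sudo`: the angle-bracketed value was stripped, leaving `- int` and "Where is:" without a subject, and the file under /Library/Preferences is not writable by an ordinary user. It should read `sudo defaults write /Library/Preferences/com.apple.alf globalstate -int <value>` followed by "where <value> is 1 (on for specific services) or 2 (on for essential services)". The rules for this check are below the hunk.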
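Review bot: `java -version` writes its version banner to stderr, so if the `c:` runner captures only stdout the 2.11 pattern `r:1.6.0` can never match and this `condition: none` check passes unconditionally, Java 6 or not — please verify what the runner captures. If commands are passed through a shell, `c:java -version 2>&1 -> r:1.6.0` fixes it; otherwise a file-based rule such as `d:/Library/Java/JavaVirtualMachines -> 1.6` would be more reliable.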
@@ -265,7 +265,7 @@ checks:
rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
condition: all
rules:
- 'c:launchctl list -> r:com.apple.auditd'
@@ -277,7 +277,7 @@ checks:
rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
compliance:
- - cis: "3.3"
+ - cis: ["3.3"]
condition: all
rules:
- 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
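Review bot: The 3.3 rule matches each audit class as an unanchored substring, so `r:ad` is satisfied by `-ad` and `r:lo` by `-lo`; a `flags:` line that explicitly negates the required classes (e.g. `flags:lo,-ad,fd,fm,-all`) therefore passes the check. Add negative terms for the negated forms: `-> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all && !r:-lo && !r:-ad && !r:-fd && !r:-fm`.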
@@ -289,7 +289,7 @@ checks:
rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed."
remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
condition: any
rules:
- 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
@@ -301,7 +301,7 @@ checks:
rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
condition: none
rules:
- 'p:httpd'
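Review bot: The 4.1 remediation `defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements` is missing the value and the `sudo`; `defaults write` with no value errors out, and /Library/Preferences is not writable by a normal user. It should read `sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true`, which `defaults read` reports as the `1` the rule expects.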
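Review bot: The 4.4 rule `p:httpd` only detects a running process, so the second half of the remediation — the web server must not be set to start at boot — is never verified, and a host where Apache is loaded at boot but currently stopped passes. A second rule under the existing `condition: none`, `c:launchctl list -> r:org.apache.httpd`, covers the boot-time state the same way the FTP check 4.5 in this file does with `c:launchctl list -> r:com.apple.ftpd`.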
@@ -314,7 +314,7 @@ checks:
rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
condition: none
rules:
- 'c:launchctl list -> r:com.apple.ftpd'
@@ -326,7 +326,7 @@ checks:
rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
condition: none
rules:
- 'p:nfsd'
@@ -340,7 +340,7 @@ checks:
rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
compliance:
- - cis: "5.7"
+ - cis: ["5.7"]
condition: all
rules:
- 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
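Review bot: The 4.6 remediation's `rm /etc/export` names the wrong file — nfsd reads its share list from `/etc/exports` (plural; verify against the nfsd man page on the target release) — so an administrator following it removes nothing and the exports come back with the next `nfsd enable`. The rule `p:nfsd` likewise only catches a running daemon; adding `f:/etc/exports` as a second rule under the existing `condition: none` would flag the lingering export list the remediation is about.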
@@ -352,7 +352,7 @@ checks:
rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
compliance:
- - cis: "5.8"
+ - cis: ["5.8"]
condition: none
rules:
- 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
@@ -364,7 +364,7 @@ checks:
rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
compliance:
- - cis: "5.9"
+ - cis: ["5.9"]
condition: all
rules:
- 'c:defaults read com.apple.screensaver askForPassword -> 1'
@@ -376,7 +376,7 @@ checks:
rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save"
compliance:
- - cis: "5.11"
+ - cis: ["5.11"]
condition: none
rules:
- 'f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe'
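Review bot: The 5.9 rule `c:defaults read com.apple.screensaver askForPassword` reads the calling user's preference domain, and the agent presumably runs as root, so it reports root's setting rather than the console user's and cannot see the state this control is about (assumption — depends on how the SCA command runner is invoked; the same applies to the per-user domains used by 2.10, 6.2 and 6.3 in this file). Either iterate each account's `~/Library/Preferences/com.apple.screensaver.plist` or state the limitation in the description. The remediation also contains "The current user will need to log off and on for changes to take effect." twice, once misplaced inside step 1; keep only the second occurrence.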
@@ -388,7 +388,7 @@ checks:
rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
compliance:
- - cis: "5.18"
+ - cis: ["5.18"]
condition: all
rules:
- 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
@@ -400,7 +400,7 @@ checks:
rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
compliance:
- - cis: "6.1.3"
+ - cis: ["6.1.3"]
condition: all
rules:
- 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
@@ -412,7 +412,7 @@ checks:
rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
compliance:
- - cis: "6.1.5"
+ - cis: ["6.1.5"]
condition: none
rules:
- 'd:/Users/Guest'
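Review bot: The 6.1.3 remediation `sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO` has a stray space in the type flag, so pasted as-is `defaults` rejects `-` as the value and never writes the key; it should be `-bool NO` (or `-bool false`). With `condition: all` and a single rule, a machine where the key is simply absent also fails this check rather than passing, which is worth saying in the description since that is the out-of-box state on some installs (assumption — confirm the default).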
@@ -424,7 +424,7 @@ checks: rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: all rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' @@ -436,7 +436,7 @@ checks: rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: any rules: - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index dbd8f9e4a..bcf991d9a 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml 
@@ -35,7 +35,7 @@ checks: rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" compliance: - - cis: "1.1" + - cis: ["1.1"] condition: all rules: - 'c:softwareupdate -l -> r:No new software available' @@ -47,7 +47,7 @@ checks: rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" compliance: - - cis: "1.2" + - cis: ["1.2"] references: - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ @@ -62,7 +62,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." compliance: - - cis: "1.3" + - cis: ["1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1' 
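Review bot: The 1.1 rule `c:softwareupdate -l -> r:No new software available` makes every SCA scan run a software-update catalogue query, which presumably contacts Apple's (or the configured) update server; on a host that is offline or behind a proxy the command prints an error rather than the expected string, so the check fails for reasons unrelated to patch state. I'd add a caveat to the description, e.g. `description: "... Note: this check queries the software update server and is reported as failed when the host cannot reach it."`, and check how long the agent waits on the command, which I can't tell from the hunk.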
@@ -74,7 +74,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" compliance: - - cis: "1.4" + - cis: ["1.4"] references: - https://www.thesafemac.com/tag/xprotect/ - https://support.apple.com/en-us/HT202491 @@ -90,7 +90,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" compliance: - - cis: "1.5" + - cis: ["1.5"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1' @@ -102,7 +102,7 @@ checks: rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" compliance: - - cis: "2.2.1" + - cis: ["2.2.1"] condition: all rules: - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' 
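Review bot: The 2.2.1 remediation string `sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on` has lost the time-server argument (presumably a `<server>` placeholder stripped as markup), so as written the first command takes the literal word `sudo` as the server name and the second command never runs. It should read something like `sudo systemsetup -setnetworktimeserver <time.server>; sudo systemsetup -setusingnetworktime on`. The rule `c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On` verifies only that network time is enabled, not which server is used, which is fine for the benchmark but worth saying in the description.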
@@ -114,7 +114,7 @@ checks: rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" compliance: - - cis: "2.4.1" + - cis: ["2.4.1"] condition: all rules: - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' @@ -126,7 +126,7 @@ checks: rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" compliance: - - cis: "2.4.4" + - cis: ["2.4.4"] condition: none rules: - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' @@ -138,7 +138,7 @@ checks: rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers." remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" compliance: - - cis: "2.4.5" + - cis: ["2.4.5"] condition: all rules: - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' @@ -150,7 +150,7 @@ checks: rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" compliance: - - cis: "2.4.8" + - cis: ["2.4.8"] condition: none rules: - 'c:launchctl list -> r:AppleFileServer' 
@@ -163,7 +163,7 @@ checks: rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources." compliance: - - cis: "2.5.1" + - cis: ["2.5.1"] condition: none rules: - 'c:pmset -g -> r:womp && !r:\s0$' @@ -175,7 +175,7 @@ checks: rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" compliance: - - cis: "2.6.1.1" + - cis: ["2.6.1.1"] condition: all rules: - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$' @@ -187,7 +187,7 @@ checks: rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." remediation: "Run the following command in Terminal: sudo spctl --master-enable" compliance: - - cis: "2.6.2" + - cis: ["2.6.2"] condition: all rules: - 'c:spctl --status -> r:^assessments\s*\t*enabled$' @@ -199,7 +199,7 @@ checks: rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services" compliance: - - cis: "2.6.3" + - cis: ["2.6.3"] references: - https://support.apple.com/en-us/HT201642 condition: all 
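Review bot: The 2.5.1 rule `c:pmset -g -> r:womp && !r:\s0$` inspects only the settings `pmset -g` reports for the power source in use at scan time, while the remediation sets `womp 0` with `-a` for every source; a laptop scanned on AC with wake-on-LAN still enabled in its battery profile (or the reverse) would therefore pass. If that matters, `pmset -g custom` lists each profile and could be used with the same regex, though the output format should be verified on the target versions. The remediation note also says `The -c flag means \"wall power.\"` although the command given uses `-a`; either use `-c` in the command or drop the note so readers aren't pointed at a flag that isn't there.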
@@ -213,7 +213,7 @@ checks: rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" compliance: - - cis: "2.6.4" + - cis: ["2.6.4"] references: - https://support.apple.com/en-us/HT201642 condition: all @@ -227,7 +227,7 @@ checks: rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" compliance: - - cis: "2.10" + - cis: ["2.10"] condition: all rules: - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1' @@ -239,7 +239,7 @@ checks: rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path." remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable." compliance: - - cis: "2.11" + - cis: ["2.11"] condition: none rules: - 'c:java -version -> r:1.6.0' 
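Review bot: The 2.11 rule `c:java -version -> r:1.6.0` depends on output that the JVM writes to stderr rather than stdout; if the SCA command runner captures only stdout (I can't tell from the hunk), the regex never matches and the `condition: none` check passes regardless of which Java is installed. On a Mac with no JRE at all, invoking `/usr/bin/java` prints `No Java runtime present, requesting install.` and can trigger an interactive install prompt, which is undesirable from an agent running on every scan. A filesystem probe avoids both problems, e.g. `- 'd:/System/Library/Java/JavaVirtualMachines/1.6.0.jdk'` under the same `condition: none` — that is where Apple's Java 6 package installed as far as I recall, so verify the path before switching.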
@@ -251,7 +251,7 @@ checks: rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" compliance: - - cis: "3.1" + - cis: ["3.1"] condition: all rules: - 'c:launchctl list -> r:com.apple.auditd' @@ -263,7 +263,7 @@ checks: rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." compliance: - - cis: "3.2" + - cis: ["3.2"] condition: all rules: - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' @@ -275,7 +275,7 @@ checks: rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - - cis: "4.1" + - cis: ["4.1"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1' 
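Review bot: In the 3.2 rule `f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all`, each `r:` term is an unanchored substring match on the flags line, so an entry that explicitly negates a class (`-lo`, `-ad`, ...) still satisfies the corresponding positive term and the check passes while login auditing is actually switched off. Adding negative terms for the `-` prefix form, e.g. `&& !r:-lo && !r:-ad && !r:-fd && !r:-fm`, closes the obvious case; the `^`-prefixed forms would still slip through, which I'd at least mention in the description. Note too that `r:-all` only proves `-all` appears somewhere on the line, not that it is the trailing entry as the remediation prescribes.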
@@ -287,7 +287,7 @@ checks: rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true" compliance: - - cis: "4.4" + - cis: ["4.4"] condition: none rules: - 'p:httpd' @@ -300,7 +300,7 @@ checks: rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist" compliance: - - cis: "4.5" + - cis: ["4.5"] condition: none rules: - 'c:launchctl list -> r:com.apple.ftpd' @@ -312,7 +312,7 @@ checks: rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export" compliance: - - cis: "4.6" + - cis: ["4.6"] condition: none rules: - 'p:nfsd' 
@@ -326,7 +326,7 @@ checks: rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - - cis: "5.8" + - cis: ["5.8"] condition: all rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority' @@ -338,7 +338,7 @@ checks: rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - - cis: "5.9" + - cis: ["5.9"] condition: none rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' 
@@ -351,7 +351,7 @@ checks: rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - - cis: "5.20" + - cis: ["5.20"] condition: all rules: - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled' @@ -363,7 +363,7 @@ checks: rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - - cis: "6.1.3" + - cis: ["6.1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0' @@ -375,7 +375,7 @@ checks: rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - - cis: "6.1.5" + - cis: ["6.1.5"] condition: none rules: - 'd:/Users/Guest' 
@@ -387,7 +387,7 @@ checks: rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: all rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' @@ -399,7 +399,7 @@ checks: rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: any rules: - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index c98b175f8..b3560768f 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml 
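Review bot: The 6.3 check here uses `condition: any` (as does the 10.11 policy above), while the otherwise identical 6.3 check in the 10.13 policy later in this patch uses `condition: all`; with a single rule the two are equivalent, but every other check in these files uses `all` or `none`, so I'd change this one to `condition: all` so the three macOS policies read the same and a second rule added later doesn't silently weaken the check.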
@@ -35,7 +35,7 @@ checks: rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities." remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename" compliance: - - cis: "1.1" + - cis: ["1.1"] condition: all rules: - 'c:softwareupdate -l -> r:No new software available' @@ -47,7 +47,7 @@ checks: rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities." remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1" compliance: - - cis: "1.2" + - cis: ["1.2"] references: - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/ - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/ @@ -62,7 +62,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that." compliance: - - cis: "1.3" + - cis: ["1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1' 
@@ -74,7 +74,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true" compliance: - - cis: "1.4" + - cis: ["1.4"] references: - https://www.thesafemac.com/tag/xprotect/ - https://support.apple.com/en-us/HT202491 @@ -90,7 +90,7 @@ checks: rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited" remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE" compliance: - - cis: "1.5" + - cis: ["1.5"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1' @@ -103,7 +103,7 @@ checks: rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features." remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on" compliance: - - cis: "2.2.1" + - cis: ["2.2.1"] condition: all rules: - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On' 
@@ -115,7 +115,7 @@ checks: rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system." remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off" compliance: - - cis: "2.4.1" + - cis: ["2.4.1"] condition: all rules: - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off' @@ -127,7 +127,7 @@ checks: rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system." remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing" compliance: - - cis: "2.4.4" + - cis: ["2.4.4"] condition: none rules: - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes' @@ -139,7 +139,7 @@ checks: rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers." remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off" compliance: - - cis: "2.4.5" + - cis: ["2.4.5"] condition: all rules: - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off' @@ -151,7 +151,7 @@ checks: rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced." remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" compliance: - - cis: "2.4.8" + - cis: ["2.4.8"] condition: none rules: - 'c:launchctl list -> r:AppleFileServer' 
@@ -164,7 +164,7 @@ checks: rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access." remediation: "Run the following command in Terminal: sudo pmset -a womp 0" compliance: - - cis: "2.5.1" + - cis: ["2.5.1"] condition: none rules: - 'c:pmset -g -> r:womp && !r:\s0$' @@ -176,7 +176,7 @@ checks: rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it." remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault" compliance: - - cis: "2.6.1.1" + - cis: ["2.6.1.1"] condition: all rules: - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$' @@ -188,7 +188,7 @@ checks: rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system." remediation: "Run the following command in Terminal: sudo spctl --master-enable" compliance: - - cis: "2.6.2" + - cis: ["2.6.2"] condition: all rules: - 'c:spctl --status -> r:^assessments\s*\t*enabled$' @@ -200,7 +200,7 @@ checks: rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services " compliance: - - cis: "2.6.3" + - cis: ["2.6.3"] references: - https://support.apple.com/en-us/HT201642 condition: all @@ -214,7 +214,7 @@ checks: rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet." remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on" compliance: - - cis: "2.6.4" + - cis: ["2.6.4"] references: - https://support.apple.com/en-us/HT201642 condition: all 
@@ -228,7 +228,7 @@ checks: rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal." remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry" compliance: - - cis: "2.10" + - cis: ["2.10"] condition: all rules: - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1' @@ -240,7 +240,7 @@ checks: rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path." remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable." compliance: - - cis: "2.11" + - cis: ["2.11"] condition: none rules: - 'c:java -version -> r:1.6.0' @@ -252,7 +252,7 @@ checks: rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either." remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended." compliance: - - cis: "2.13" + - cis: ["2.13"] condition: all rules: - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes' 
@@ -265,7 +265,7 @@ checks: rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor." remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist" compliance: - - cis: "3.1" + - cis: ["3.1"] condition: all rules: - 'c:launchctl list -> r:com.apple.auditd' @@ -277,7 +277,7 @@ checks: rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised." remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file." compliance: - - cis: "3.2" + - cis: ["3.2"] condition: all rules: - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all' @@ -289,7 +289,7 @@ checks: rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers." remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements" compliance: - - cis: "4.1" + - cis: ["4.1"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1' 
@@ -301,7 +301,7 @@ checks: rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer." remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true" compliance: - - cis: "4.4" + - cis: ["4.4"] condition: none rules: - 'p:httpd' @@ -314,7 +314,7 @@ checks: rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer." remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export" compliance: - - cis: "4.5" + - cis: ["4.5"] condition: none rules: - 'p:nfsd' @@ -328,7 +328,7 @@ checks: rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)." remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User." compliance: - - cis: "5.11" + - cis: ["5.11"] condition: all rules: - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority' 
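Review bot: The 4.4 check's only rule `p:httpd` reports whether an httpd process is running at scan time, whereas its remediation also requires that the web server not auto-start at boot; a host where apache was stopped by hand but is still loaded in launchd passes. Consider a second rule under the same `condition: none`, e.g. `- 'c:launchctl list -> r:org.apache.httpd'`, so a loaded launchd job is caught as well (verify the job label on the target versions). The remediation string also has a stray colon and a broken flag in `sudo: defaults write ... Disabled - bool true`; it should read `sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true`.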
@@ -340,7 +340,7 @@ checks: rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - - cis: "5.12" + - cis: ["5.12"] condition: none rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' @@ -352,7 +352,7 @@ checks: rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - - cis: "5.23" + - cis: ["5.23"] condition: all rules: - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled' @@ -364,7 +364,7 @@ checks: rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - - cis: "6.1.3" + - cis: ["6.1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0' 
@@ -376,7 +376,7 @@ checks: rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - - cis: "6.1.5" + - cis: ["6.1.5"] condition: none rules: - 'd:/Users/Guest' @@ -388,7 +388,7 @@ checks: rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: all rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' @@ -400,7 +400,7 @@ checks: rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: all rules: - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml new file mode 100644 index 000000000..ff23ba5d7 
--- /dev/null
+++ b/sca/darwin/web_vulnerabilities.yml
@@ -0,0 +1,145 @@
+# Security Configuration assessment
+# Checks for auditing Mac systems
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+ id: "web_vulnerabilities_mac"
+ file: "web_vulnerabilities.yml"
+ name: "System audit for web-related vulnerabilities"
+ description: "Guidance for establishing a secure configuration for web-related vulnerabilities."
+
+variables:
+ $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini
+ $web_dirs: /Library/WebServer/Documents,/usr/htdocs,/usr/local/var/htdocs,/usr/local/var/www
+
+
+# PHP checks
+checks:
+ - id: 2000
+ title: "PHP - Register globals are enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^register_globals = On'
+ - id: 2001
+ title: "PHP - Expose PHP is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^expose_php = On'
+ - id: 2002
+ title: "PHP - Allow URL fopen is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^allow_url_fopen = On'
+ - id: 2003
+ title: "PHP - Displaying of errors is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^display_errors = On'
+# WEB checks
+ - id: 2004
+ title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.yop$'
+ - id: 2005
+ title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^id$'
+ - id: 2006
+ title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.ssh$'
+ - 
id: 2007
+ title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^...$'
+ - id: 2008
+ title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.shell$'
+# Outdated Web applications
+ - id: 2009
+ title: "Web vulnerability - Outdated WordPress installation"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2'''
+ - id: 2010
+ title: "Web vulnerability - Outdated Joomla installation"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8'''
+ - id: 2011
+ title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;"
+# Known backdoors
+ - id: 2012
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
+ - id: 2013
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
+ - id: 2014
+ title: "Web vulnerability - .htaccess file compromised"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - 
nist_800_53: ["SA.11","IA.10"]
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google'
+ - id: 2015
+ title: "Web vulnerability - .htaccess file compromised - auto append"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file'
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index faff7db87..020b0f3e3 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -36,7 +36,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis: "2.1"
+ - cis: ["2.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
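Review bot: Checks 2009–2011 in the new web_vulnerabilities.yml still use the legacy rootcheck rule syntax (`IN r:`, `>:$wp_version = ''4.4.2''`, and a trailing `;` in the osCommerce rule) that this commit series is removing from the other SCA policies, and even if the engine accepted it, each rule only matches one exact version string (WordPress 4.4.2, Joomla 3.4.8), so every other outdated release passes silently while the title claims a generic "outdated installation" detection; either retitle them as exact-version detections or rewrite them as version comparisons in the new rule syntax. Check 2014's regex demands the literal text `HTTP_REFERERS ` followed by a space, whereas the Sucuri write-up it references describes `RewriteCond %{HTTP_REFERER} ...`, so unless `HTTP_REFERERS` is an intentional variant this rule will not match the injected pattern it documents; `r:RewriteCond \S*HTTP_REFERER\S* \S*google` would. The PHP checks 2000–2003 carry no description, rationale or remediation, unlike every other check in this patch; a one-line rationale and remediation per check (e.g. `remediation: "Set register_globals = Off in php.ini and restart the web server."`) would make the findings actionable. The variable name `$php.ini` contains a dot, which is worth confirming against the SCA variable-name rules before relying on it in the `f:` rules.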
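Review bot: The remediation text carried in this hunk tells the operator to run `systemctl umask tmp.mount`; the systemd verb is `unmask`, so the quoted command fails as written and the commit leaves the typo in place (it also misspells "appropriate"). Suggested wording: `remediation: "Configure /etc/fstab as appropriate or run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."`. The rules list of this check lies outside the hunk, so the audit logic itself was not reviewed here.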
@@ -49,7 +49,7 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - - cis: "2.2" + - cis: ["2.2"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -61,7 +61,7 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - - cis: "2.3" + - cis: ["2.3"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -73,7 +73,7 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" compliance: - - cis: "2.4" + - cis: ["2.4"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -85,7 +85,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.5" + - cis: ["2.5"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -98,7 +98,7 @@ checks: rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" compliance: - - cis: "2.6" + - cis: ["2.6"] condition: all rules: - 'c:findmnt -> r:/var/tmp && r:[/tmp]' @@ -110,7 +110,7 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.7" + - cis: ["2.7"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -123,7 +123,7 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.8" + - cis: ["2.8"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -136,7 +136,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.9" + - cis: ["2.9"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -149,7 +149,7 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - - cis: "2.10" + - cis: ["2.10"] condition: all rules: - 'not c:mount -> r:\s/home\s' @@ -161,7 +161,7 @@ checks: rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" compliance: - - cis: "2.14" + - cis: ["2.14"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' 
@@ -173,7 +173,7 @@ checks: rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm" compliance: - - cis: "2.15" + - cis: ["2.15"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' @@ -185,7 +185,7 @@ checks: rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm" compliance: - - cis: "2.16" + - cis: ["2.16"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' @@ -197,7 +197,7 @@ checks: rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - - cis: "2.25" + - cis: ["2.25"] condition: none rules: - 'c:find /etc/rc* -name *autofsc* -> r:S\.' 
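Review bot: The autofs check's rule `c:find /etc/rc* -name *autofsc* -> r:S\.` looks for rc links whose name contains `autofsc`, which the Debian `S??autofs` links do not, so with `condition: none` the check passes on every host whether or not autofs is enabled; unless a service really is named autofsc, the glob should be `- 'c:find /etc/rc* -name *autofs* -> r:S\.'`. The same `*name*` pattern is used for xinetd, avahi-daemon and the other services further down the file, so this looks like a one-off typo that the commit carries over unchanged. The rules list may continue past the hunk; if a second rule already covers the plain `autofs` name this note does not apply.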
@@ -210,7 +210,7 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub" compliance: - - cis: "3.3" + - cis: ["3.3"] condition: all rules: - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' @@ -222,7 +222,7 @@ checks: rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" compliance: - - cis: "3.4" + - cis: ["3.4"] condition: none rules: - 'f:/etc/shadow -> r:^root:*:|^root:!:' @@ -234,7 +234,7 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" compliance: - - cis: "4.1" + - cis: ["4.1"] condition: all rules: - 'c:sysctl fs.suid_dumpable -> r:=\s*0$' 
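Review bot: In the single-user-mode check the rule `r:^root:*:|^root:!:` uses a bare `*` where the literal locked-password marker is meant; if `*` is the zero-or-more modifier here, as it is in `\s*0$` a few lines below, `^root:*:` reduces to "line starts with `root:`", which matches every /etc/shadow root entry and, under `condition: none`, fails the check on every host even when root has a password. A form that matches only the empty and locked cases is `- 'f:/etc/shadow -> r:^root::|^root:!:|^root:\p:'`, using the `\p` punctuation class this file already relies on in the exim rule. Worth confirming against the SCA regex reference before changing, since the rule is carried over unchanged by this commit.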
@@ -246,7 +246,7 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" compliance: - - cis: "4.3" + - cis: ["4.3"] condition: all rules: - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' @@ -259,7 +259,7 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "Uninstall the nis package: # apt-get purge nis" compliance: - - cis: "5.1.1" + - cis: ["5.1.1"] condition: none rules: - 'c:dpkg -s nis -> r:install ok installed' @@ -270,7 +270,7 @@ checks: rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd" compliance: - - cis: "5.1.2" + - cis: ["5.1.2"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:^shell|^login|^exec' @@ -281,7 +281,7 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd" compliance: - - cis: "5.1.4" + - cis: ["5.1.4"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:^talk|^ntalk' 
@@ -292,7 +292,7 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" compliance: - - cis: "5.1.6" + - cis: ["5.1.6"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:telnet' @@ -303,7 +303,7 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal" compliance: - - cis: "5.1.7" + - cis: ["5.1.7"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:tftp' @@ -314,7 +314,7 @@ checks: rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Disable xinetd: # update-rc.d xinetd disable" compliance: - - cis: "5.1.8" + - cis: ["5.1.8"] condition: none rules: - 'c:find /etc/rc* -name *xinetd* -> r:S\.' @@ -325,7 +325,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal" compliance: - - cis: "5.2" + - cis: ["5.2"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:chargen' 
@@ -336,7 +336,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal" compliance: - - cis: "5.3" + - cis: ["5.3"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:daytime' @@ -347,7 +347,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal" compliance: - - cis: "5.4" + - cis: ["5.4"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:echo' @@ -358,7 +358,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal" compliance: - - cis: "5.5" + - cis: ["5.5"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:discard' @@ -369,7 +369,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal" compliance: - - cis: "5.6" + - cis: ["5.6"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:time' @@ -382,7 +382,7 @@ checks: rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface." remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: none rules: - 'c:find /etc/rc* -name *avahi-daemon* -> r:S\.' 
@@ -393,7 +393,7 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Disable cups: # update-rc.d cups disable" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: none rules: - 'c:find /etc/rc* -name *cups* -> r:S\.' @@ -406,7 +406,7 @@ checks: references: - "https://www.isc.org/dhcp/" compliance: - - cis: "6.4" + - cis: ["6.4"] condition: none rules: - 'c:find /etc/rc* -name *isc-dhcp-server* -> r:S\.' @@ -417,7 +417,7 @@ checks: rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." remediation: "Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." compliance: - - cis: "6.5" + - cis: ["6.5"] references: - http://www.ntp.org/ condition: all @@ -434,7 +434,7 @@ checks: rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface." remediation: "Uninstall the slapd package: # apt-get purge slapd" compliance: - - cis: "6.6" + - cis: ["6.6"] references: - http://www.openldap.org condition: none 
@@ -447,7 +447,7 @@ checks: rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable" compliance: - - cis: "6.7" + - cis: ["6.7"] condition: none rules: - 'c:find /etc/rc* -name *rpcbind* -> r:S\.' @@ -459,7 +459,7 @@ checks: rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable bind9: # update-rc.d bind9 disable" compliance: - - cis: "6.8" + - cis: ["6.8"] condition: none rules: - 'c:find /etc/rc* -name *bind9* -> r:S\.' @@ -470,7 +470,7 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable vsftpd: # update-rc.d vsftpd disable" compliance: - - cis: "6.9" + - cis: ["6.9"] condition: none rules: - 'c:find /etc/rc* -name *vsftpd* -> r:S\.' @@ -481,7 +481,7 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable apache2: # update-rc.d apache2 disable" compliance: - - cis: "6.10" + - cis: ["6.10"] condition: none rules: - 'c:find /etc/rc* -name *apache2* -> r:S\.' 
@@ -492,7 +492,7 @@ checks: rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." remediation: "Disable dovecot: # update-rc.d dovecot disable" compliance: - - cis: "6.11" + - cis: ["6.11"] condition: none rules: - 'c:find /etc/rc* -name *dovecot* -> r:S\.' @@ -503,7 +503,7 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." remediation: "Disable samba: # update-rc.d samba disable" compliance: - - cis: "6.12" + - cis: ["6.12"] condition: none rules: - 'c:find /etc/rc* -name *smb* -> r:S\.' @@ -514,7 +514,7 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." remediation: "Disable squid3: # update-rc.d squid3 disable" compliance: - - cis: "6.13" + - cis: ["6.13"] condition: none rules: - 'c:find /etc/rc* -name *squid3* -> r:S\.' @@ -525,7 +525,7 @@ checks: rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." remediation: "Disable snmpd: # update-rc.d snmpd disable" compliance: - - cis: "6.14" + - cis: ["6.14"] condition: none rules: - 'c:find /etc/rc* -name *snmpd* -> r:S\.' 
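Review bot: The samba check's visible rule `c:find /etc/rc* -name *smb* -> r:S\.` will not find the init links of the service the remediation itself names (`update-rc.d samba disable`), because the string `samba` does not contain `smb`; with `condition: none` the check therefore passes on a Debian 7 host where samba is enabled at boot. Matching the remediation would be `- 'c:find /etc/rc* -name *samba* -> r:S\.'`, or keep `*smb*` as a second rule if the smbd/nmbd script names are also expected. The rules list may continue past the hunk; if a `*samba*` rule already follows, this note does not apply.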
@@ -536,7 +536,7 @@ checks: rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state." remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload" compliance: - - cis: "6.15" + - cis: ["6.15"] condition: all rules: - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:\p127.0.0.1\s*\p\s*::1\p$|\p::1\s*\p\s*127.0.0.1\p$|\p127.0.0.1\p$|\p::1\p$' @@ -547,7 +547,7 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false" compliance: - - cis: "6.16" + - cis: ["6.16"] condition: none rules: - 'c:dpkg -s rsync -> install ok installed' 
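Review bot: The rsync check's visible rule, `c:dpkg -s rsync -> install ok installed` under `condition: none`, fails whenever the rsync package is installed, but the rationale and remediation talk about the rsyncd service and tell the operator to set `RSYNC_ENABLE=false` in /etc/default/rsync — following that remediation does not make the check pass, since the package stays installed. If the intent is the CIS item (rsyncd not enabled), the rule should inspect the daemon switch, e.g. `- 'f:/etc/default/rsync -> r:^RSYNC_ENABLE\s*=\s*true'` with the same `condition: none`; otherwise the remediation should say to purge the package. The rules list may continue past the hunk, so this may already be handled by a following rule.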
@@ -561,7 +561,7 @@ checks: rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.1.1" + - cis: ["7.1.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' @@ -572,7 +572,7 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.1.2" + - cis: ["7.1.2"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' 
@@ -584,7 +584,7 @@ checks: rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.1" + - cis: ["7.2.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' 
@@ -596,7 +596,7 @@ checks: rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.2" + - cis: ["7.2.2"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' @@ -608,7 +608,7 @@ checks: rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.3" + - cis: ["7.2.3"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' 
@@ -620,7 +620,7 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
 remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.4"
+ - cis: ["7.2.4"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
@@ -632,7 +632,7 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.5"
+ - cis: ["7.2.5"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
@@ -643,7 +643,7 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.6"
+ - cis: ["7.2.6"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
@@ -654,7 +654,7 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.7"
+ - cis: ["7.2.7"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
@@ -666,7 +666,7 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "7.2.8"
+ - cis: ["7.2.8"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
@@ -677,7 +677,7 @@ checks:
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "7.3.1"
+ - cis: ["7.3.1"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
@@ -689,7 +689,7 @@ checks:
 rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "7.3.2"
+ - cis: ["7.3.2"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -701,7 +701,7 @@ checks:
 rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
 remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p"
 compliance:
- - cis: "7.3.3"
+ - cis: ["7.3.3"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$'
@@ -717,7 +717,7 @@ checks:
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server."
 remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
 compliance:
- - cis: "7.4.2"
+ - cis: ["7.4.2"]
 condition: all
 rules:
 - 'f:/etc/hosts.allow'
@@ -728,7 +728,7 @@ checks:
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
 remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
 compliance:
- - cis: "7.4.4"
+ - cis: ["7.4.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.deny'
@@ -740,7 +740,7 @@ checks:
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
 remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.1"
+ - cis: ["7.5.1"]
 condition: none
 rules:
 - 'c:lsmod -> r:dccp'
@@ -751,7 +751,7 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.2"
+ - cis: ["7.5.2"]
 condition: none
 rules:
 - 'c:lsmod -> r:sctp'
@@ -762,7 +762,7 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.3"
+ - cis: ["7.5.3"]
 condition: none
 rules:
 - 'c:lsmod -> r:rds'
@@ -773,7 +773,7 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf"
 compliance:
- - cis: "7.5.4"
+ - cis: ["7.5.4"]
 condition: none
 rules:
 - 'c:lsmod -> r:tipc'
@@ -784,7 +784,7 @@ checks:
 rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports."
 remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable"
 compliance:
- - cis: "7.7"
+ - cis: ["7.7"]
 condition: all
 rules:
 - 'c:dpkg -s iptables -> r:install ok installed'
@@ -799,7 +799,7 @@ checks:
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
 remediation: "Enable rsyslog: # update-rc.d rsyslog enable"
 compliance:
- - cis: "8.2.2"
+ - cis: ["8.2.2"]
 condition: all
 rules:
 - 'c:find /etc/rc* -name *rsyslog* -> r:S\.'
@@ -810,7 +810,7 @@ checks:
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
 remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol."
 compliance:
- - cis: "8.2.5"
+ - cis: ["8.2.5"]
 references:
 - rsyslog.conf(5) man page
 condition: all
@@ -823,7 +823,7 @@ checks:
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
 remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd"
 compliance:
- - cis: "8.2.6"
+ - cis: ["8.2.6"]
 references:
 - rsyslog.conf(8) man page
 condition: all
@@ -839,7 +839,7 @@ checks:
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
 remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable"
 compliance:
- - cis: "9.1.1"
+ - cis: ["9.1.1"]
 condition: all
 rules:
 - 'c:find /etc/rc* -name *cron* -> r:S\.'
@@ -851,7 +851,7 @@ checks:
 rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
 remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
- - cis: "9.1.8"
+ - cis: ["9.1.8"]
 condition: all
 rules:
 - 'f:/etc/cron.allow'
@@ -867,7 +867,7 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "1) Install the libpam-cracklib package: # apt-get install libpam-cracklib 2) Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
 compliance:
- - cis: "9.2.1"
+ - cis: ["9.2.1"]
 condition: all
 rules:
 - 'c:dpkg -s libpam-cracklib -> install ok installed'
@@ -879,7 +879,7 @@ checks:
 rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
 remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user."
 compliance:
- - cis: "9.2.2"
+ - cis: ["9.2.2"]
 condition: all
 rules:
 - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny=\d && r:unlock_time=\d\d\d+'
@@ -890,7 +890,7 @@ checks:
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
 remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy."
 compliance:
- - cis: "9.2.3"
+ - cis: ["9.2.3"]
 condition: all
 rules:
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
@@ -901,7 +901,7 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "9.3.1"
+ - cis: ["9.3.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
@@ -912,7 +912,7 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "9.3.2"
+ - cis: ["9.3.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO'
@@ -923,7 +923,7 @@ checks:
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no'
@@ -934,7 +934,7 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "9.3.5"
+ - cis: ["9.3.5"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -945,7 +945,7 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "9.3.6"
+ - cis: ["9.3.6"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
@@ -956,7 +956,7 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "9.3.7"
+ - cis: ["9.3.7"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
@@ -967,7 +967,7 @@ checks:
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "9.3.8"
+ - cis: ["9.3.8"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
@@ -978,7 +978,7 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "9.3.9"
+ - cis: ["9.3.9"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
@@ -989,7 +989,7 @@ checks:
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
 compliance:
- - cis: "9.3.10"
+ - cis: ["9.3.10"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
@@ -1000,7 +1000,7 @@ checks:
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0"
 compliance:
- - cis: "9.3.12"
+ - cis: ["9.3.12"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300'
@@ -1012,7 +1012,7 @@ checks:
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
 remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
 compliance:
- - cis: "9.3.13"
+ - cis: ["9.3.13"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
@@ -1023,7 +1023,7 @@ checks:
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
 compliance:
- - cis: "9.3.14"
+ - cis: ["9.3.14"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue'
@@ -1034,7 +1034,7 @@ checks:
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
 remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid 2) Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file."
 compliance:
- - cis: "9.5"
+ - cis: ["9.5"]
 condition: all
 rules:
 - 'f:/etc/pam.d/su -> !r:^# && r:auth && r:required && r:pam_wheel.so && r:use_uid'
@@ -1048,7 +1048,7 @@ checks:
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
 remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 "
 compliance:
- - cis: "10.1.1"
+ - cis: ["10.1.1"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90'
@@ -1059,7 +1059,7 @@ checks:
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
 remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 "
 compliance:
- - cis: "10.1.2"
+ - cis: ["10.1.2"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
@@ -1070,7 +1070,7 @@ checks:
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
 remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 "
 compliance:
- - cis: "10.1.3"
+ - cis: ["10.1.3"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
@@ -1081,7 +1081,7 @@ checks:
 rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
 remediation: "# usermod -g 0 root"
 compliance:
- - cis: "10.3"
+ - cis: ["10.3"]
 condition: all
 rules:
 - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
@@ -1092,7 +1092,7 @@ checks:
 rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked."
 remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077"
 compliance:
- - cis: "10.4"
+ - cis: ["10.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^umask[[:space:]][[:space:]]*077 /etc/profile.d/ -> !r:^# && r:umask\s*\t*077'
@@ -1104,7 +1104,7 @@ checks:
 rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
 remediation: "# useradd -D -f 35"
 compliance:
- - cis: "10.5"
+ - cis: ["10.5"]
 condition: all
 rules:
 - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35'
@@ -1116,7 +1116,7 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization."
 remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net"
 compliance:
- - cis: "11.1"
+ - cis: ["11.1"]
 condition: all
 rules:
 - 'f:/etc/motd'
@@ -1132,7 +1132,7 @@ checks:
 rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in."
 remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v."
 compliance:
- - cis: "11.2"
+ - cis: ["11.2"]
 condition: none
 rules:
 - 'f:/etc/issue -> r:\v|\r|\m|\s'
@@ -1147,7 +1147,7 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "13.1"
+ - cis: ["13.1"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
@@ -1158,7 +1158,7 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Delete these entries if they exist."
 compliance:
- - cis: "13.2"
+ - cis: ["13.2"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && r:^+:'
@@ -1169,7 +1169,7 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Delete these entries if they exist."
 compliance:
- - cis: "13.3"
+ - cis: ["13.3"]
 condition: none
 rules:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
@@ -1179,7 +1179,7 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Delete these entries if they exist."
 compliance:
- - cis: "13.4"
+ - cis: ["13.4"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:^+:'
@@ -1190,18 +1190,51 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console."
 remediation: "Delete any other entries that are displayed."
 compliance:
- - cis: "13.5"
+ - cis: ["13.5"]
 condition: none
 rules:
- - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
+ - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
- - id: 10598
+ - id: 10600
+ title: "Check for Presence of User .rhosts Files"
+ description: "While no .rhosts files are shipped by default, users can easily create them."
+ rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
+ remediation: "If any users have .rhosts files determine why they have them."
+ compliance:
+ - cis: ["13.10"]
+ condition: none
+ rules:
+ - 'd:/home -> r:^.rhosts$'
+
+ - id: 10601
+ title: "Check for Presence of User .netrc Files"
+ description: "The .netrc file contains data for logging into a remote host for file transfers via FTP."
+ rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems."
+ remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy."
+ compliance:
+ - cis: ["13.18"]
+ condition: none
+ rules:
+ - 'd:/home -> r:^.netrc$'
+
+ - id: 10602
+ title: "Check for Presence of User .forward Files"
+ description: "The .forward file specifies an email address to forward the user's mail to."
+ rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions."
+ remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy."
+ compliance:
+ - cis: ["13.19"]
+ condition: none
+ rules:
+ - 'd:/home -> r:^.forward$'
+
+ - id: 10603
 title: "Ensure shadow group is empty"
 description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
 rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
 remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
 compliance:
- - cis: "13.20"
+ - cis: ["13.20"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml
index 40872af96..de64b8610 100644
--- a/sca/debian/cis_debian7_L2.yml
+++ b/sca/debian/cis_debian7_L2.yml
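Review bot: The rewritten passwd rule mixes the two negation forms inside one expression, `!r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:`; if `not` is only recognised as a prefix on a whole rule rather than on an individual `r:` clause, the root exclusion would not apply as intended, so either keep the form the rest of the file uses, `'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'`, or add a comment above the rule explaining why the `not` form is required here. The three new `d:/home -> r:^.rhosts$`-style checks (ids 10600–10602) presumably only see entries directly under /home unless `d:` descends into subdirectories, in which case per-user files such as /home/<user>/.rhosts and anything under /root would go unreported — worth confirming against the scanner before relying on these checks. Renumbering the shadow-group check from 10598 to 10603 also changes the id under which its earlier results were recorded; if check ids are meant to be stable, consider keeping 10598 and allocating the new ids after it.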
@@ -36,7 +36,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true"
 compliance:
- - cis: "2.18"
+ - cis: ["2.18"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
@@ -48,7 +48,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true"
 compliance:
- - cis: "2.19"
+ - cis: ["2.19"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
@@ -60,7 +60,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true"
 compliance:
- - cis: "2.20"
+ - cis: ["2.20"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
@@ -72,7 +72,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true"
 compliance:
- - cis: "2.21"
+ - cis: ["2.21"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
@@ -84,7 +84,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true"
 compliance:
- - cis: "2.22"
+ - cis: ["2.22"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
@@ -96,7 +96,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true"
 compliance:
- - cis: "2.23"
+ - cis: ["2.23"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true'
@@ -108,7 +108,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true"
 compliance:
- - cis: "2.24"
+ - cis: ["2.24"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true'
@@ -122,7 +122,7 @@ checks:
 rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure."
 remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted."
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: all
 rules:
 - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0'
@@ -136,7 +136,7 @@ checks:
 rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
 remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be."
 compliance:
- - cis: "8.1.1.1"
+ - cis: ["8.1.1.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -149,7 +149,7 @@ checks:
 rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
 remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt"
 compliance:
- - cis: "8.1.1.2"
+ - cis: ["8.1.1.2"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -164,7 +164,7 @@ checks:
 rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
 remediation: "Add the following line to the /etc/audit/auditd.conf file. max_log_file_action = keep_logs"
 compliance:
- - cis: "8.1.1.3"
+ - cis: ["8.1.1.3"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -177,7 +177,7 @@ checks:
 rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
 remediation: "Install auditd: # apt-get install auditd If needed enable auditd in /etc/rc*.d: # update-rc.d auditd enable"
 compliance:
- - cis: "8.1.2"
+ - cis: ["8.1.2"]
 condition: all
 rules:
 - 'c:dpkg -s auditd -> r:install ok installed'
@@ -189,7 +189,7 @@ checks:
 rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
 remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub"
 compliance:
- - cis: "8.1.3"
+ - cis: ["8.1.3"]
 condition: all
 rules:
 - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*'
@@ -200,7 +200,7 @@ checks:
 rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
 remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
 compliance:
- - cis: "8.1.4"
+ - cis: ["8.1.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -217,7 +217,7 @@ checks:
 rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
 compliance:
- - cis: "8.1.5"
+ - cis: ["8.1.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -234,7 +234,7 @@ checks:
 rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
 remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
 compliance:
- - cis: "8.1.6"
+ - cis: ["8.1.6"]
 condition: all
 rules:
 - 'f:/etc/audit'
@@ -252,7 +252,7 @@ checks:
 rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
 compliance:
- - cis: "8.1.7"
+ - cis: ["8.1.7"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -265,7 +265,7 @@ checks:
 rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
 remediation: "Add the following lines to the /etc/audit/audit.&& r:rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.8"
+ - cis: ["8.1.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -280,7 +280,7 @@ checks:
 rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)"
 compliance:
- - cis: "8.1.9"
+ - cis: ["8.1.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
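Review bot: The remediation text of the 8.1.8 check (second hunk on this line) carries what looks like a paste artefact, `/etc/audit/audit.&& r:rules file.`, and that string is shown verbatim to operators in the SCA report; it should read `remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins ..."`. The `&& r:` fragment is SCA rule syntax that has no meaning inside a remediation string, so it was most likely copied from a rule line by mistake. The enclosing check begins before the hunk, so its title and description are not in view.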
@@ -295,7 +295,7 @@ checks:
 rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
 remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.10"
+ - cis: ["8.1.10"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -313,7 +313,7 @@ checks:
 rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
 remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.11"
+ - cis: ["8.1.11"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -329,7 +329,7 @@ checks:
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
 remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.13"
+ - cis: ["8.1.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -343,7 +343,7 @@ checks:
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
 remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd"
 compliance:
- - cis: "8.1.14"
+ - cis: ["8.1.14"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -357,7 +357,7 @@ checks:
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd"
 compliance:
- - cis: "8.1.15"
+ - cis: ["8.1.15"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -370,7 +370,7 @@ checks:
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root"
 compliance:
- - cis: "8.1.16"
+ - cis: ["8.1.16"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -383,7 +383,7 @@ checks:
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
 compliance:
- - cis: "8.1.17"
+ - cis: ["8.1.17"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -399,7 +399,7 @@ checks:
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file"
 compliance:
- - cis: "8.1.18"
+ - cis: ["8.1.18"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -413,7 +413,7 @@ checks:
 rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
 remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
 compliance:
- - cis: "8.3.1"
+ - cis: ["8.3.1"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -424,7 +424,7 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
- - cis: "8.3.2"
+ - cis: ["8.3.2"]
 condition: all
 rules:
 - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check'
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index bad2e62a3..d658bf4c9 100644
--- a/sca/debian/cis_debian8_L1.yml
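Review bot: The 8.3.2 rule (third hunk on this line) inspects only /etc/crontab, `'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check'`, yet its own remediation tells the operator to run `crontab -u root -e`, which edits root's per-user spool crontab rather than /etc/crontab, so a host remediated exactly as instructed would presumably still be reported as failing. The cis_debian8_L1 policy later in this patch takes the broader approach `c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+`; aligning this check with it, or at least also covering the root spool crontab, would stop the check from contradicting its remediation. The check's title and description start before the hunk and are not in view.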
+++ b/sca/debian/cis_debian8_L1.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
 compliance:
- - cis: "1.1.1.1"
- - cis_csc: "13"
+ - cis: ["1.1.1.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
@@ -47,8 +47,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install freevxfs /bin/true. 2) Run the following command to unload the freevxfs module: # rmmod freevxfs"
 compliance:
- - cis: "1.1.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.2"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
@@ -60,8 +60,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install jffs2 /bin/true. 2) Run the following command to unload the jffs2 module: # rmmod jffs2"
 compliance:
- - cis: "1.1.1.3"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.3"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
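Review bot: The new multi-item flow sequences are written without a space after the comma, `- cis_csc: ["13","5.1"]`, which departs from the usual YAML flow style (yamllint and Prettier both expect `["13", "5.1"]`) and from how the single-item `cis: [...]` entries read; `- cis_csc: ["13", "5.1"]` would be the consistent form. The same spacing recurs in every `cis_csc` hunk of this file that follows on the next lines, through the last hunk in view, so a single search-and-replace over the patch would fix them all. Splitting the former comma-separated string into discrete items is otherwise the right move, since consumers no longer need to parse `"13, 5.1"` themselves.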
@@ -73,8 +73,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfs /bin/true. 2) Run the following command to unload the hfs module: # rmmod hfs"
 compliance:
- - cis: "1.1.1.4"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.4"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
@@ -86,8 +86,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfsplus /bin/true. 2) Run the following command to unload the hfsplus module: # rmmod hfsplus"
 compliance:
- - cis: "1.1.1.5"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.5"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
@@ -99,8 +99,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install squashfs /bin/true. 2) Run the following command to unload the squashfs module: # rmmod squashfs"
 compliance:
- - cis: "1.1.1.6"
- - cis_csc: "13"
+ - cis: ["1.1.1.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true'
@@ -112,8 +112,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install udf /bin/true. 2) Run the following command to unload the udf module: # rmmod udf"
 compliance:
- - cis: "1.1.1.7"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.7"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true'
@@ -126,8 +126,8 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis: "1.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.2"]
+ - cis_csc: ["13","5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
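Review bot: The 1.1.2 remediation (second hunk on this line) instructs `systemctl umask tmp.mount`, but `umask` is not a systemctl verb; this looks like a typo for `systemctl unmask tmp.mount`, and an operator following the text as written would get an error instead of a mounted /tmp. The same string also misspells "appropriate" as `appropiate`. Both are in a context line the commit leaves untouched, and the check's rules follow after the hunk, so they are not in view.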
@@ -141,8 +141,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.3"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -153,8 +153,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.4"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -165,8 +165,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
 compliance:
- - cis: "1.1.7"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.7"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
@@ -177,8 +177,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
 compliance:
- - cis: "1.1.8"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.8"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
@@ -189,8 +189,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
 compliance:
- - cis: "1.1.9"
- - cis_csc: "2, 2.6"
+ - cis: ["1.1.9"]
+ - cis_csc: ["2","2.6"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:noexec'
@@ -201,8 +201,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.13"
- - cis_csc: "13, 15.1, 5.1"
+ - cis: ["1.1.13"]
+ - cis_csc: ["13","15.1","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -213,8 +213,8 @@ checks:
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.14"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.14"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -225,8 +225,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.15"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.15"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -237,8 +237,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm"
 compliance:
- - cis: "1.1.16"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.16"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -249,8 +249,8 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
- - cis: "1.1.21"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["1.1.21"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -262,8 +262,8 @@ checks:
 rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
 remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
 compliance:
- - cis: "1.3.1"
- - cis_csc: "3.5, 14.9"
+ - cis: ["1.3.1"]
+ - cis_csc: ["3.5","14.9"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -274,8 +274,8 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
- - cis: "1.3.2"
- - cis_csc: "3.5, 14.9"
+ - cis: ["1.3.2"]
+ - cis_csc: ["3.5","14.9"]
 condition: all
 rules:
 - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
@@ -287,8 +287,8 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" 3) Run the following to update the grub configuration: # update-grub" compliance: - - cis: "1.4.2" - - cis_csc: "5.1" + - cis: ["1.4.2"] + - cis_csc: ["5.1"] condition: all rules: - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' @@ -300,8 +300,8 @@ checks: rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" compliance: - - cis: "1.4.3" - - cis_csc: "5.1" + - cis: ["1.4.3"] + - cis_csc: ["5.1"] condition: none rules: - 'f:/etc/shadow -> r:^root:*:|^root:!:' 
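Review bot: The single-user-mode hunk (`@@ -300`) uses `r:^root:*:|^root:!:` under `condition: none`; in the SCA regex dialect `*` quantifies the preceding `:`, so `^root:*:` also matches zero colons followed by `:` — the plain prefix `root:` of every root entry — and the check fails even when root has a password hash. If a literal asterisk (the "locked" marker) is intended, it must be escaped, e.g. `- 'f:/etc/shadow -> r:^root:\*:|^root:!:'`; confirm the escape form against the engine's regex documentation. A stock Debian install leaves root as `root:*:` by design, so the rationale could say explicitly that the control expects a root password to be set.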
@@ -313,8 +313,8 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0 and set the active kernel parameter." compliance: - - cis: "1.5.1" - - cis_csc: "13" + - cis: ["1.5.1"] + - cis_csc: ["13"] condition: all rules: - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$' @@ -327,8 +327,8 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2" compliance: - - cis: "1.5.3" - - cis_csc: "8.3, 8.4" + - cis: ["1.5.3"] + - cis_csc: ["8.3","8.4"] condition: all rules: - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$' 
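Review bot: The ASLR hunk (`@@ -327`) only greps the persisted value in `/etc/sysctl.conf` and `/etc/sysctl.d`, unlike the `fs.suid_dumpable` hunk just above it, which reads the live value with `sysctl`; a host whose config says `2` but whose running kernel was set to `0` (a later-sorted file or a manual `sysctl -w`) passes. Test both under the existing `condition: all` by adding `- 'c:sysctl kernel.randomize_va_space -> r:=\s*\t*2$'`. Because the grep succeeds if any line in any of those files ends in `2`, a `=2` masked by a `=0` in a later file also passes today; the runtime rule closes that gap.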
@@ -341,8 +341,8 @@ checks: rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in." remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue" compliance: - - cis: "1.7.1.2" - - cis_csc: "13, 5.1" + - cis: ["1.7.1.2"] + - cis_csc: ["13","5.1"] condition: none rules: - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' @@ -369,8 +369,8 @@ checks: rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd: # apt-get remove xinetd" compliance: - - cis: "2.1.1" - - cis_csc: "9.1, 9.2" + - cis: ["2.1.1"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:dpkg -s xinetd -> r:install ok installed' @@ -381,8 +381,8 @@ checks: rationale: "If there are no inetd services required, it is recommended that the daemon be removed." remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd" compliance: - - cis: "2.1.2" - - cis_csc: "9.1, 9.2" + - cis: ["2.1.2"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:dpkg -s openbsd-inetd -> r:install ok installed' 
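Review bot: In the `/etc/issue` hunk (`@@ -341`) the rule `r:\v|\r|\m|\s|Debian` is meant to catch the getty escapes `\v \r \m \s`, but in the SCA regex dialect `\s` is the whitespace class, so any banner containing a space — including the one the remediation itself writes ("Authorized uses only. ...") — fails the check, and `\v`/`\r`/`\m` are likewise at risk of being read as escape sequences rather than a literal backslash plus letter. Match the literal backslash instead, e.g. `r:\\v|\\r|\\m|\\s|Debian`, after confirming how the engine escapes a backslash in `r:` patterns.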
@@ -394,8 +394,8 @@ checks: rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." compliance: - - cis: "2.2.1.2" - - cis_csc: "6.1" + - cis: ["2.2.1.2"] + - cis_csc: ["6.1"] references: - http://www.ntp.org/ condition: all @@ -412,8 +412,8 @@ checks: rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system." remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server " compliance: - - cis: "2.2.1.3" - - cis_csc: "6.1" + - cis: ["2.2.1.3"] + - cis_csc: ["6.1"] condition: all rules: - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' @@ -424,8 +424,8 @@ checks: rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface." remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon" compliance: - - cis: "2.2.3" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.3"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' 
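Review bot: The chrony hunk (`@@ -412`) reads `f:/etc/chrony.conf`, but on Debian and Ubuntu the file is `/etc/chrony/chrony.conf` — the path the remediation text itself gives — so the check fails on every host that has chrony correctly configured. Point the rule at the packaged path, `- 'f:/etc/chrony/chrony.conf -> r:^server\.+$|^pool\.+$'`, or list both paths under `condition: any` if the policy must also serve RHEL-style layouts. The rationale says the control only applies when chrony is in use; without a requirement on the chrony package being installed, ntp-only hosts will also fail it.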
@@ -436,8 +436,8 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis: "2.2.4" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.4"] + - cis_csc: ["9.1","9.2"] references: - https://www.cups.org condition: none @@ -452,8 +452,8 @@ checks: references: - https://www.isc.org/dhcp/ compliance: - - cis: "2.2.5" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.5"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled' @@ -465,8 +465,8 @@ checks: rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." remediation: "Run the following command to disable slapd: # systemctl disable slapd" compliance: - - cis: "2.2.6" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.6"] + - cis_csc: ["9.1","9.2"] references: - https://www.openldap.org condition: none @@ -479,8 +479,8 @@ checks: rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind" compliance: - - cis: "2.2.7" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.7"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled nfs-server -> r:^enabled' 
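Review bot: The NFS hunk (`@@ -479`) remediation disables both `nfs-server` and `rpcbind`, but the only rule visible in the hunk is `c:systemctl is-enabled nfs-server -> r:^enabled`; if no `rpcbind` rule follows outside the hunk, a host with rpcbind still enabled passes. Add `- 'c:systemctl is-enabled rpcbind -> r:^enabled'` under the same `condition: none`, and consider a rule for `rpcbind.socket` as well, since socket activation can bring the daemon back even when `rpcbind.service` is disabled.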
@@ -492,8 +492,8 @@ checks: rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Run the following command to disable named: # systemctl disable bind9" compliance: - - cis: "2.2.8" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.8"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled bind9 -> r:^enabled' @@ -504,8 +504,8 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" compliance: - - cis: "2.2.9" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.9"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled vsftpd -> r:^enabled' @@ -516,8 +516,8 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Run the following command to disable apache2: # systemctl disable apache2" compliance: - - cis: "2.2.10" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.10"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled apache2 -> r:^enabled' @@ -541,8 +541,8 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." remediation: "Run the following command to disable smbd: # systemctl disable smbd" compliance: - - cis: "2.2.12" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.12"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled smbd -> r:^enabled' 
@@ -553,8 +553,8 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." remediation: "Run the following command to disable squid: # systemctl disable squid" compliance: - - cis: "2.2.13" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.13"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled squid -> r:^enabled' @@ -565,8 +565,8 @@ checks: rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd" compliance: - - cis: "2.2.14" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.14"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled snmpd -> r:^enabled' @@ -577,8 +577,8 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsync: # systemctl disable rsync" compliance: - - cis: "2.2.16" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.16"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'c:systemctl is-enabled rsync -> r:^enabled' @@ -602,8 +602,8 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "Uninstall the nis package: # apt-get remove nis" compliance: - - cis: "2.3.1" - - cis_csc: "2, 2.6" + - cis: ["2.3.1"] + - cis_csc: ["2","2.6"] condition: none rules: - 'c:dpkg -s nis -> r:install ok installed' 
@@ -614,8 +614,8 @@ checks: rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin." remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client" compliance: - - cis: "2.3.2" - - cis_csc: "3.4, 4.5" + - cis: ["2.3.2"] + - cis_csc: ["3.4","4.5"] condition: none rules: - 'c:dpkg -s rsh-client -> r:install ok installed' @@ -627,8 +627,8 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to uninstall talk: apt-get remove talk" compliance: - - cis: "2.3.3" - - cis_csc: "2, 2.6" + - cis: ["2.3.3"] + - cis_csc: ["2","2.6"] condition: none rules: - 'c:dpkg -s talk -> r:install ok installed' @@ -639,8 +639,8 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" compliance: - - cis: "2.3.4" - - cis_csc: "3.4, 4.5" + - cis: ["2.3.4"] + - cis_csc: ["3.4","4.5"] condition: none rules: - 'c:dpkg -s telnet -> r:install ok installed' 
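Review bot: The rsh hunk (`@@ -614`) remediation removes both `rsh-client` and `rsh-redone-client`, but the hunk shows a rule only for `dpkg -s rsh-client`; unless the redone package is covered by a rule outside the hunk, it goes undetected. Add `- 'c:dpkg -s rsh-redone-client -> r:install ok installed'` under the same `condition: none`. The rationale's "rshpackage" and "rcpand" are missing spaces.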
@@ -652,8 +652,8 @@ checks: rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "3.1.1" - - cis_csc: "3, 11, 5.1" + - cis: ["3.1.1"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' @@ -667,8 +667,8 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.1.2" - - cis_csc: "3, 11, 5.1" + - cis: ["3.1.2"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' 
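Review bot: The forwarding hunk (`@@ -652`), like the other sysctl hunks in this file, tests only the live value via `c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$`, while the remediation is about persisting the setting in `/etc/sysctl.conf` or `/etc/sysctl.d`; a host whose forwarding is off now but re-enabled at boot passes. If the policy wants persistence as well, pair the runtime rule with a config rule such as `- 'c:grep -Rh ^net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*0$'` — but note that the kernel default is already `0`, so an absent line is not itself a finding and the config rule should only be required where the site mandates an explicit entry. Only `net.ipv4.ip_forward` is visible in the hunk; the `net.ipv6.conf.all.forwarding` rule the remediation mentions presumably follows outside it.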
@@ -682,8 +682,8 @@ checks: rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "3.2.1" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.1"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' 
@@ -701,8 +701,8 @@ checks: rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "3.2.2" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.2"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' @@ -720,8 +720,8 @@ checks: rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.2.3" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.3"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' 
@@ -735,8 +735,8 @@ checks: rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.2.4" - - cis_csc: "6, 6.2, 6.3" + - cis: ["3.2.4"] + - cis_csc: ["6","6.2","6.3"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' @@ -750,8 +750,8 @@ checks: rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.2.5" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.5"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' 
@@ -763,8 +763,8 @@ checks: rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.2.6" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.6"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' @@ -776,8 +776,8 @@ checks: rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.2.7" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.7"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$' 
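Review bot: In the rp_filter hunk (`@@ -776`) the `rationale` value is an unquoted plain scalar, unlike every other rationale in the file, which is double-quoted; a plain scalar holding that much prose is fragile (a later edit introducing `: ` or ` #` changes the parse) and inconsistent with the rest of the policy. Wrap it: `rationale: "Setting these flags is a good way to deter attackers ... without breaking the routing."`. The rule itself is fine; the rationale could add that `rp_filter = 2` (loose mode) is the usual answer for asymmetric routing rather than disabling the control.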
@@ -791,8 +791,8 @@ checks: rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.2.8" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.8"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' @@ -804,8 +804,8 @@ checks: rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "3.2.9" - - cis_csc: "3, 11, 5.1" + - cis: ["3.2.9"] + - cis_csc: ["3","11","5.1"] condition: all rules: - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$' 
@@ -819,8 +819,8 @@ checks: rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system." remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system." compliance: - - cis: "3.3.2" - - cis_csc: "9.2, 9.4" + - cis: ["3.3.2"] + - cis_csc: ["9.2","9.4"] condition: all rules: - 'f:/etc/hosts.allow' @@ -831,8 +831,8 @@ checks: rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny" compliance: - - cis: "3.3.3" - - cis_csc: "9.2, 9.4" + - cis: ["3.3.3"] + - cis_csc: ["9.2","9.4"] condition: all rules: - 'f:/etc/hosts.deny' @@ -844,8 +844,8 @@ checks: rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true" compliance: - - cis: "3.4.1" - - cis_csc: "9.1, 9.2" + - cis: ["3.4.1"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'not c:modprobe -n -v dccp -> r:install /bin/true' 
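Review bot: The `/etc/hosts.deny` hunk (`@@ -831`) passes as long as the file exists, yet the control and the remediation's `ALL: ALL` are about its content; Debian ships an `/etc/hosts.deny` containing only comments, so a default install passes without any fail-safe deny in place. Test the content rather than existence: `- 'f:/etc/hosts.deny -> !r:^\s*# && r:^\s*ALL\s*:\s*ALL'`. The preceding `hosts.allow` hunk (`@@ -819`) has the same existence-only weakness, and both assume the daemons are linked against TCP wrappers at all, which newer OpenSSH builds no longer are — worth a caveat in the rationale.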
@@ -857,8 +857,8 @@ checks: rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true" compliance: - - cis: "3.4.2" - - cis_csc: "9.1, 9.2" + - cis: ["3.4.2"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'not c:modprobe -n -v sctp -> r:install /bin/true' @@ -870,8 +870,8 @@ checks: rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true" compliance: - - cis: "3.4.3" - - cis_csc: "9.1, 9.2" + - cis: ["3.4.3"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'not c:modprobe -n -v rds -> r:install /bin/true' @@ -883,8 +883,8 @@ checks: rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true" compliance: - - cis: "3.4.4" - - cis_csc: "9.1, 9.2" + - cis: ["3.4.4"] + - cis_csc: ["9.1","9.2"] condition: none rules: - 'not c:modprobe -n -v tipc -> r:install /bin/true' 
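Review bot: The sctp hunk (`@@ -857`), like the dccp/rds/tipc hunks around it, expresses the check as a double negative — a `not c:modprobe -n -v sctp -> r:install /bin/true` rule under `condition: none` — which passes only when the output does contain `install /bin/true`; it works, but it is hard to reason about, fails a perfectly good `install sctp /bin/false`, and never confirms the module is actually not resident. State it positively and check loaded state too: `- 'c:modprobe -n -v sctp -> r:install /bin/true|install /bin/false'` and `- 'not c:lsmod -> r:^sctp'` under `condition: all`.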
@@ -898,8 +898,8 @@ checks: rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." compliance: - - cis: "3.5.1.1" - - cis_csc: "9.1, 9.4" + - cis: ["3.5.1.1"] + - cis_csc: ["9.1","9.4"] condition: all rules: - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP' @@ -912,8 +912,8 @@ checks: rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." compliance: - - cis: "3.5.2.1" - - cis_csc: "9.1, 9.4" + - cis: ["3.5.2.1"] + - cis_csc: ["9.1","9.4"] condition: all rules: - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP' 
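Review bot: The IPv4 default-policy hunk (`@@ -898`) runs `iptables -L` without `-n`, so the command reverse-resolves every address in the rule set; on a host with a large rule set or a slow resolver the SCA scan stalls, and the output can vary with name resolution. Use `c:iptables -L -n -> r:^Chain INPUT && r:policy DROP` (or `c:iptables -S INPUT -> r:^-P INPUT DROP`); the ip6tables hunk that follows has the same issue. Hosts that have moved to nftables show an empty `iptables -L` and silently fail this check, which deserves a note in the rationale.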
@@ -926,8 +926,8 @@ checks: rationale: "iptables is required for firewall management and configuration." remediation: "Run the following command to install iptables: # apt-get install iptables" compliance: - - cis: "3.5.3" - - cis_csc: "9.2, 9.4" + - cis: ["3.5.3"] + - cis_csc: ["9.2","9.4"] condition: all rules: - 'c:dpkg -s iptables -> r:install ok installed' @@ -939,8 +939,8 @@ checks: rationale: "If the rsyslog service is not activated the system will not have a syslog service running." remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog" compliance: - - cis: "4.2.1.1" - - cis_csc: "6.2, 6.3" + - cis: ["4.2.1.1"] + - cis_csc: ["6.2","6.3"] condition: all rules: - 'c:systemctl is-enabled rsyslog -> r:^enabled' @@ -951,8 +951,8 @@ checks: rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system." remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - - cis: "4.2.1.4" - - cis_csc: "6.6, 6.8" + - cis: ["4.2.1.4"] + - cis_csc: ["6.6","6.8"] references: - rsyslog.conf(5) man page condition: all 
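Review bot: The remote-logging hunk (`@@ -951`) recommends `*.* @@loghost.example.com`, which is plain TCP; that serves the rationale's goal of keeping logs out of a local attacker's reach, but the stream still crosses the network unauthenticated and unencrypted, so an on-path attacker can read, spoof or drop log records. Add a sentence to the remediation pointing at rsyslog's TLS transport (`$DefaultNetstreamDriver gtls` with `StreamDriverMode 1` and `StreamDriverAuthMode x509/name`, or `omfwd` with TLS) as the preferred form. The hunk ends at `condition: all`; the rules for this check lie outside it.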
@@ -965,8 +965,8 @@ checks: rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - - cis: "4.2.1.5" - - cis_csc: "9.1, 9.2" + - cis: ["4.2.1.5"] + - cis_csc: ["9.1","9.2"] references: - rsyslog.conf(8) man page condition: all @@ -981,8 +981,8 @@ checks: rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them." remediation: "Run the following command to enable cron: systemctl enable cron" compliance: - - cis: "5.1.1" - - cis_csc: "6, 5.1" + - cis: ["5.1.1"] + - cis_csc: ["6","5.1"] condition: all rules: - 'c:systemctl is-enabled cron -> r:^enabled$' 
@@ -993,8 +993,8 @@ checks: rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" compliance: - - cis: "5.1.8" - - cis_csc: "16" + - cis: ["5.1.8"] + - cis_csc: ["16"] condition: all rules: - 'f:/etc/cron.allow' @@ -1010,8 +1010,8 @@ checks: rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users." remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config" compliance: - - cis: "5.2.1" - - cis_csc: "5.1" + - cis: ["5.2.1"] + - cis_csc: ["5.1"] condition: all rules: - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600' @@ -1022,8 +1022,8 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "5.2.4" - - cis_csc: "3.4, 4.5" + - cis: ["5.2.4"] + - cis_csc: ["3.4","4.5"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' 
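Review bot: The SSH protocol hunk (`@@ -1022`) requires a literal `Protocol 2` line, but the `Protocol` keyword was removed in OpenSSH 7.4 (Debian 9 and later ship SSH-2 only), so on current hosts the directive is normally absent and the check fails on the most secure configuration; a `Protocol 2,1` line also satisfies `r:Protocol\s*\t*2` as written. Anchor the value, `- 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2$'`, and document the OpenSSH-version dependency in the rationale; if the policy must cover old and new hosts, make the check `condition: any` over the config rule and a version rule built from `sshd -V` (which prints to stderr — confirm the engine captures it).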
@@ -1036,8 +1036,8 @@ checks: references: - https://www.ssh.com/ssh/sshd_config/ compliance: - - cis: "5.2.5" - - cis_csc: "16, 6.2, 6.3" + - cis: ["5.2.5"] + - cis_csc: ["16","6.2","6.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE' @@ -1048,8 +1048,8 @@ checks: rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no" compliance: - - cis: "5.2.6" - - cis_csc: "16, 9.2" + - cis: ["5.2.6"] + - cis_csc: ["16","9.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' @@ -1060,8 +1060,8 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "5.2.7" - - cis_csc: "16, 16.13" + - cis: ["5.2.7"] + - cis_csc: ["16","16.13"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -1072,8 +1072,8 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "5.2.8" - - cis_csc: "9, 9.2" + - cis: ["5.2.8"] + - cis_csc: ["9","9.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' 
@@ -1084,8 +1084,8 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "5.2.9" - - cis_csc: "9, 16.3" + - cis: ["5.2.9"] + - cis_csc: ["9","16.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' @@ -1096,8 +1096,8 @@ checks: rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "5.2.10" - - cis_csc: "5.8, 4.3" + - cis: ["5.2.10"] + - cis_csc: ["5.8","4.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' @@ -1110,8 +1110,8 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "5.2.11" - - cis_csc: "16, 16.3" + - cis: ["5.2.11"] + - cis_csc: ["16","16.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' 
@@ -1122,8 +1122,8 @@ checks: rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" compliance: - - cis: "5.2.12" - - cis_csc: "16, 5.1" + - cis: ["5.2.12"] + - cis_csc: ["16","5.1"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' @@ -1134,8 +1134,8 @@ checks: rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0" compliance: - - cis: "5.2.16" - - cis_csc: "16.4, 16.11" + - cis: ["5.2.16"] + - cis_csc: ["16.4","16.11"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0' 
@@ -1147,8 +1147,8 @@ checks: rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " compliance: - - cis: "5.2.18" - - cis_csc: "5.1, 5.8, 4.3" + - cis: ["5.2.18"] + - cis_csc: ["5.1","5.8","4.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' @@ -1159,8 +1159,8 @@ checks: rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" compliance: - - cis: "5.2.19" - - cis_csc: "5.1" + - cis: ["5.2.19"] + - cis_csc: ["5.1"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue' 
@@ -1173,8 +1173,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol." compliance: - - cis: "5.3.1" - - cis_csc: "5.7, 16.12, 4.4" + - cis: ["5.3.1"] + - cis_csc: ["5.7","16.12","4.4"] condition: all rules: - 'c:dpkg -s libpam-pwquality -> r:install ok installed' 
@@ -1191,8 +1191,8 @@ checks: rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the \"audit\" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization." compliance: - - cis: "5.3.2" - - cis_csc: "16.7" + - cis: ["5.3.2"] + - cis_csc: ["16.7"] condition: all rules: - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+' @@ -1203,8 +1203,8 @@ checks: rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here." compliance: - - cis: "5.3.3" - - cis_csc: "16" + - cis: ["5.3.3"] + - cis_csc: ["16"] condition: all rules: - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5' 
@@ -1217,8 +1217,8 @@ checks: rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password." compliance: - - cis: "5.4.1.1" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.1"] + - cis_csc: ["4.4","16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365' @@ -1229,8 +1229,8 @@ checks: rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password." compliance: - - cis: "5.4.1.2" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.2"] + - cis_csc: ["4.4","16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' 
@@ -1241,8 +1241,8 @@ checks: rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password." compliance: - - cis: "5.4.1.3" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.3"] + - cis_csc: ["4.4","16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7' @@ -1253,8 +1253,8 @@ checks: rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting." compliance: - - cis: "5.4.1.4" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.4"] + - cis_csc: ["4.4","16"] condition: all rules: - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30' @@ -1265,8 +1265,8 @@ checks: rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root" compliance: - - cis: "5.4.3" - - cis_csc: "5, 5.1" + - cis: ["5.4.3"] + - cis_csc: ["5","5.1"] condition: all rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' 
@@ -1277,8 +1277,8 @@ checks: rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root, Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default." compliance: - - cis: "5.6" - - cis_csc: "5.1" + - cis: ["5.6"] + - cis_csc: ["5.1"] condition: all rules: - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so' @@ -1292,8 +1292,8 @@ checks: rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." compliance: - - cis: "6.2.1" - - cis_csc: "16, 4.4" + - cis: ["6.2.1"] + - cis_csc: ["16","4.4"] condition: none rules: - 'f:/etc/shadow -> r:^\w+::' @@ -1304,8 +1304,8 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/passwd if they exist." compliance: - - cis: "6.2.2" - - cis_csc: "16.9, 16.2" + - cis: ["6.2.2"] + - cis_csc: ["16.9","16.2"] condition: none rules: - 'f:/etc/passwd -> !r:^# && r:^+:' 
@@ -1316,8 +1316,8 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/shadow if they exist." compliance: - - cis: "6.2.3" - - cis_csc: "16.9, 16.2" + - cis: ["6.2.3"] + - cis_csc: ["16.9","16.2"] condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' @@ -1328,8 +1328,8 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/group if they exist." compliance: - - cis: "6.2.4" - - cis_csc: "16.9, 16.2" + - cis: ["6.2.4"] + - cis_csc: ["16.9","16.2"] condition: none rules: - 'f:/etc/group -> !r:^# && r:^+:' @@ -1340,8 +1340,8 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - - cis: "6.2.5" - - cis_csc: "5.1" + - cis: ["6.2.5"] + - cis_csc: ["5.1"] condition: none rules: - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' 
@@ -1352,8 +1352,8 @@ checks: rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." compliance: - - cis: "6.2.20" - - cis_csc: "5.1" + - cis: ["6.2.20"] + - cis_csc: ["5.1"] condition: none rules: - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 6e2fd9789..e92093741 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -34,8 +34,8 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.5" - - cis_csc: "13, 5.1" + - cis: ["1.1.5"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -48,8 +48,8 @@ checks: rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.6" - - cis_csc: "13, 5.1" + - cis: ["1.1.6"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -62,8 +62,8 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.10" - - cis_csc: "6.3, 6.4" + - cis: ["1.1.10"] + - cis_csc: ["6.3","6.4"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -76,8 +76,8 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.11" - - cis_csc: "6.3, 6.4" + - cis: ["1.1.11"] + - cis_csc: ["6.3","6.4"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -90,8 +90,8 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.12" - - cis_csc: "13, 5.1" + - cis: ["1.1.12"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -104,8 +104,8 @@ checks: rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - - cis: "1.1.21" - - cis_csc: "8.3, 8.4, 8.5" + - cis: ["1.1.21"] + - cis_csc: ["8.3","8.4","8.5"] condition: none rules: - 'c:systemctl is-enabled autofs -> r:^enabled' 
@@ -117,8 +117,8 @@ checks: rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" compliance: - - cis: "1.6.3" - - cis_csc: "14.4, 14.6" + - cis: ["1.6.3"] + - cis_csc: ["14.4","14.6"] condition: any rules: - 'c:dpkg -s selinux-basics -> r:install ok installed' @@ -132,8 +132,8 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis: "2.2.4" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.4"] + - cis_csc: ["9.1","9.2"] references: - 'https://www.cups.org' condition: none @@ -148,8 +148,8 @@ checks: rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes." compliance: - - cis: "4.1.1.1" - - cis_csc: "6.3, 6.4" + - cis: ["4.1.1.1"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'd:/etc/audit' @@ -162,8 +162,8 @@ checks: rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - - cis: "4.1.1.2" - - cis_csc: "6.3, 6.4" + - cis: ["4.1.1.2"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'd:/etc/audit' 
@@ -178,8 +178,8 @@ checks: rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs" compliance: - - cis: "4.1.1.3" - - cis_csc: "6.3, 6.4" + - cis: ["4.1.1.3"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'd:/etc/audit' @@ -192,8 +192,8 @@ checks: rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." remediation: "Run the following command to enable auditd: # systemctl enable auditd" compliance: - - cis: "4.1.2" - - cis_csc: "6.2, 6.3" + - cis: ["4.1.2"] + - cis_csc: ["6.2","6.3"] condition: all rules: - 'c:systemctl is-enabled auditd -> r:^enabled' @@ -204,8 +204,8 @@ checks: rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." compliance: - - cis: "4.1.3" - - cis_csc: "6.2, 6.3" + - cis: ["4.1.3"] + - cis_csc: ["6.2","6.3"] condition: all rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' 
@@ -216,8 +216,8 @@ checks: rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change" compliance: - - cis: "4.1.4" - - cis_csc: "3.6, 5.5" + - cis: ["4.1.4"] + - cis_csc: ["3.6","5.5"] condition: all rules: - 'd:/etc/audit' @@ -234,8 +234,8 @@ checks: rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.5" - - cis_csc: "5.4, 4.8" + - cis: ["4.1.5"] + - cis_csc: ["5.4","4.8"] condition: all rules: - 'd:/etc/audit' 
@@ -252,8 +252,8 @@ checks: rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.6" - - cis_csc: "3.6, 5.5" + - cis: ["4.1.6"] + - cis_csc: ["3.6","5.5"] condition: all rules: - 'd:/etc/audit' 
@@ -271,8 +271,8 @@ checks: rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.7" - - cis_csc: "3.6, 5.5" + - cis: ["4.1.7"] + - cis_csc: ["3.6","5.5"] condition: all rules: - 'd:/etc/audit' @@ -286,8 +286,8 @@ checks: rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.7" - - cis_csc: "3.6, 5.5" + - cis: ["4.1.7"] + - cis_csc: ["3.6","5.5"] condition: all rules: - 'd:/etc/audit' @@ -301,8 +301,8 @@ checks: rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.8" - - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13" + - cis: ["4.1.8"] + - cis_csc: ["5.5, 16.10, 16.4, 4.9, 16.11, 16.13"] condition: all rules: - 'd:/etc/audit' 
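Review bot: In the `@@ -301,8 +301,8 @@` hunk the added line `+ - cis_csc: ["5.5, 16.10, 16.4, 4.9, 16.11, 16.13"]` wraps the whole comma-separated string in a one-element list instead of splitting it, so a consumer iterating the list sees one control id "5.5, 16.10, 16.4, 4.9, 16.11, 16.13" rather than six. Every other hunk in this diff splits the ids, including the identical value in the very next hunk (`@@ -317,8 +317,8 @@`), which becomes `["5.5","16.10","16.4","4.9","16.11","16.13"]`; this line should read `- cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]`. Separately, the checks in the `@@ -271` and `@@ -286` hunks both carry `cis: ["4.1.7"]` (the SELinux and AppArmor variants of the same recommendation); that looks intentional and is unchanged by this commit, but is worth confirming if anything downstream keys on a unique cis id per check.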
@@ -317,8 +317,8 @@ checks: rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.9" - - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13" + - cis: ["4.1.9"] + - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"] condition: all rules: - 'd:/etc/audit' 
@@ -333,8 +333,8 @@ checks: rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.10" - - cis_csc: "3.6, 5.5" + - cis: ["4.1.10"] + - cis_csc: ["3.6","5.5"] condition: all rules: - 'd:/etc/audit' 
@@ -352,8 +352,8 @@ checks: rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.11" - - cis_csc: "14.6, 14.9" + - cis: ["4.1.11"] + - cis_csc: ["14.6","14.9"] condition: all rules: - 'd:/etc/audit' 
@@ -369,8 +369,8 @@ checks: rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.13" - - cis_csc: "13, 5.1" + - cis: ["4.1.13"] + - cis_csc: ["13","5.1"] condition: all rules: - 'd:/etc/audit' 
@@ -384,8 +384,8 @@ checks: rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.14" - - cis_csc: "13" + - cis: ["4.1.14"] + - cis_csc: ["13"] condition: all rules: - 'd:/etc/audit' @@ -399,8 +399,8 @@ checks: rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity." remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.15" - - cis_csc: "5.4, 4.8" + - cis: ["4.1.15"] + - cis_csc: ["5.4","4.8"] condition: all rules: - 'd:/etc/audit' 
@@ -414,8 +414,8 @@ checks: rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.16" - - cis_csc: "5.1, 5.5, 4.9" + - cis: ["4.1.16"] + - cis_csc: ["5.1","5.5","4.9"] condition: all rules: - 'd:/etc/audit' @@ -428,8 +428,8 @@ checks: rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.17" - - cis_csc: "3, 5.1" + - cis: ["4.1.17"] + - cis_csc: ["3","5.1"] condition: all rules: - 'd:/etc/audit' 
@@ -445,8 +445,8 @@ checks: rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes." remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot." compliance: - - cis: "4.1.18" - - cis_csc: "3, 6, 6.2, 6.3" + - cis: ["4.1.18"] + - cis_csc: ["3","6","6.2","6.3"] condition: all rules: - 'd:/etc/audit' diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml new file mode 100644 index 000000000..36a02ba05 --- /dev/null +++ b/sca/debian/cis_debian_linux_rcl.yml 
@@ -0,0 +1,517 @@ +# Security Configuration assessment +# CIS Checks for Debian/Ubuntu +# Copyright (C) 2015-2019, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation +# +# Based on: +# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 +# Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018 +# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015 + +policy: + id: "cis_debian" + file: "cis_debian_linux_rcl.yml" + name: "CIS benchmark for Debian/Linux" + description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux systems running on x86 and x64 platforms. Many lists are included including filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions and additional similar items may exist which should be considered in addition to those explicitly mentioned." + references: + - https://www.cisecurity.org/cis-benchmarks/ + +requirements: + title: "Check Debian version" + description: "Requirements for running the SCA scan against Debian/Ubuntu." + condition: all + rules: + - 'f:/etc/debian_version' + - 'f:/proc/sys/kernel/ostype -> Linux' + +checks: +# Section 1.1 - Filesystem Configuration + - id: 5000 + title: "Ensure /tmp is configured" + description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. 
Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." + remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.2"] + references: + - https://tldp.org/HOWTO/LVM-HOWTO/ + - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ + condition: all + rules: + - 'c:mount -> r:\s/tmp\s' + + - id: 5001 + title: "Ensure nodev option set on /tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ." + remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting." + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.3"] + - pci_dss: ["2.2.4"] + condition: all + rules: + - 'c:mount -> r:\s/tmp\s && r:nodev' + + - id: 5002 + title: "Ensure separate partition exists for /var" + description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." + rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.6"] + references: + - https://tldp.org/HOWTO/LVM-HOWTO/ + condition: all + rules: + - 'c:mount -> r:\s/var\s' + + - id: 5003 + title: "Ensure separate partition exists for /var/tmp" + description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." + rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." + remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.7"] + condition: all + rules: + - 'c:mount -> r:\s/var/tmp\s' + + - id: 5004 + title: "Ensure nodev option set on /var/tmp partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ." 
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.8"] + - pci_dss: ["2.2.4"] + condition: all + rules: + - 'c:mount -> r:\s/var/tmp\s && r:nodev' + + - id: 5005 + title: "Ensure nodev option set on /home partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.14"] + - pci_dss: ["2.2.4"] + condition: all + rules: + - 'c:mount -> r:\s/home\s && r:nodev' + + - id: 5006 + title: "Ensure nodev option set on /dev/shm partition" + description: "The nodev mount option specifies that the filesystem cannot contain special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm." 
+ compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.14"] + condition: all + rules: + - 'c:mount -> r:\s/dev/shm\s && r:nodev' + + - id: 5007 + title: "Ensure nosuid option set on /dev/shm partition" + description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." + rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm." + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.15"] + condition: all + rules: + - 'c:mount -> r:\s/dev/shm\s && r:nosuid' + + - id: 5008 + title: "Ensure noexec option set on /dev/shm partition" + description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm." + compliance: + - cis_csc: ["5.1"] + - cis: ["1.1.16"] + condition: all + rules: + - 'c:mount -> r:\s/dev/shm\s && r:noexec' + +# Section 1.7 - Warning banners + - id: 5009 + title: "Ensure GDM login banner is configured" + description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." 
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." + remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'" + compliance: + - cis_csc: ["5.1"] + - cis: ["1.7.2"] + - pci_dss: ["2.2.2"] + condition: all + rules: + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' + +# Section 2 - Filesystem Configuration - Debian 7 + - id: 5010 + title: "Add nodev option to /run/shm Partition" + description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." + rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." + remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" + compliance: + - cis_csc: ["5.1"] + - cis: ["2.14"] + - pci_dss: ["2.2.4"] + condition: all + rules: + - 'c:mount -> r:\s/run/shm\s && r:nodev' + + - id: 5011 + title: "Add nosuid option to /run/shm Partition" + description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." 
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." + remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm." + compliance: + - cis_csc: ["5.1"] + - cis: ["2.15"] + condition: all + rules: + - 'c:mount -> r:\s/run/shm\s && r:nosuid' + + - id: 5012 + title: "Add noexec option to /run/shm Partition" + description: "Set noexec on the shared memory partition to prevent programs from executing from there." + rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." + remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm." + compliance: + - cis_csc: ["5.1"] + - cis: ["2.16"] + condition: all + rules: + - 'c:mount -> r:\s/run/shm\s && r:noexec' + +# Section 2.1 - Inetd services + - id: 5013 + title: "Ensure inetd is not installed" + description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." + rationale: "If there are no inetd services required, it is recommended that the daemon be removed." 
+ remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.1.2"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:dpkg -s inetutils-inetd -> r:install ok installed' + - 'c:dpkg -s openbsd-inetd -> r:install ok installed' + +# Section 2.2 - Special purpose services + - id: 5014 + title: "Ensure FTP Server is not enabled" + description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." + rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." + remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.9"] + - pci_dss: ["2.2.3"] + condition: any + rules: + - 'c:systemctl is-enabled vsftpd -> r:disabled' + + - id: 5015 + title: "Ensure IMAP and POP3 server is not enabled" + description: "exim is an open source IMAP and POP3 server for Linux based systems." + rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." + remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.11"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:dpkg -s exim4 -> install ok installed' + + - id: 5017 + title: "Ensure Samba is not enabled" + description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. 
Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." + rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." + remediation: "Run the following command to disable smbd: # systemctl disable smbd" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.12"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled smb -> r:^enabled' + + - id: 5018 + title: "Ensure NFS and RPC are not enabled" + description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." + rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." + remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.7"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled nfs-server -> r:^enabled' + - 'c:systemctl is-enabled rpcbind -> r:^enabled' + + - id: 5019 + title: "Ensure NIS Server is not enabled" + description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. 
NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" + remediation: "Run the following command to disable nis: # systemctl disable nis" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.17"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled nis -> r:^enabled' + + - id: 5020 + title: "Ensure HTTP server is not enabled" + description: "HTTP or web servers provide the ability to host web site content." + rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." + remediation: "Run the following command to disable apache2: # systemctl disable apache2" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.10"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled apache2 -> r:^enabled' + + - id: 5021 + title: "Ensure DNS Server is not enabled" + description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." + rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." + remediation: "Run the following command to disable named: # systemctl disable bind9" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.8"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled bind9 -> r:^enabled' + + - id: 5022 + title: "Ensure HTTP Proxy Server is not enabled" + description: "Squid is a standard proxy server used in many distributions and environments." + rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
+ remediation: "Run the following command to disable squid: # systemctl disable squid" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.13"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled squid -> r:^enabled' + +# Section 2.3 - Service clients + - id: 5023 + title: "Ensure rsh client is not installed" + description: "The rsh package contains the client commands for the rsh services." + rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ." + remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client" + compliance: + - cis_csc: ["2.6","4.5"] + - cis: ["2.3.2"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:dpkg -s rsh-client -> install ok installed' + - 'c:dpkg -s rsh-redone-client -> install ok installed' + + - id: 5024 + title: "Ensure telnet client is not installed" + description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." + rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." 
+ remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" + compliance: + - cis_csc: ["2.6","4.5"] + - cis: ["2.3.4"] + - pci_dss: ["2.2.3"] + condition: none + rules: + - 'c:dpkg -s telnet -> install ok installed' + +# Section 3.1 - Network Parameters (Host Only) + - id: 5025 + title: "Ensure IPv4 forwarding is disabled" + description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not." + rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." + remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0" + compliance: + - cis_csc: ["5.1"] + - cis: ["3.1.1"] + condition: all + rules: + - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' + + - id: 5026 + title: "Ensure IPv6 forwarding is disabled" + description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not." + rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." 
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0" + compliance: + - cis_csc: ["5.1"] + - cis: ["3.1.1"] + condition: all + rules: + - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' + - 'c:grep -Rh net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' + +# Section 3.2 - Network Parameters (Host and Router) + - id: 5027 + title: "Ensure source routed packets are not accepted" + description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." + rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0" + compliance: + - cis_csc: ["5.1"] + - cis: ["3.2.1"] + condition: all + rules: + - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' + - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' + - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' + - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' + + - id: 5028 + title: "Ensure broadcast ICMP requests are ignored" + description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." + rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. 
All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." + remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1" + compliance: + - cis_csc: ["5.1"] + - cis: ["3.2.5"] + condition: all + rules: + - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' + - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1' + +# Section 5.2 - SSH Server Configuration + - id: 5029 + title: "Ensure SSH Protocol is set to 2" + description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." + rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" + compliance: + - cis_csc: ["14.4"] + - cis: ["5.2.4"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' + + - id: 5030 + title: "Ensure SSH IgnoreRhosts is enabled" + description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ." + rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" + compliance: + - cis_csc: ["9.2"] + - cis: ["5.2.8"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes' + + - id: 5031 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - cis_csc: ["16.3"] + - cis: ["5.2.9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no' + + - id: 5032 + title: "Ensure SSH root login is disabled" + description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." + rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" + compliance: + - cis_csc: ["4.3"] + - cis: ["5.2.10"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no' + + - id: 5033 + title: "Ensure SSH PermitEmptyPasswords is disabled" + description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." + rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" + compliance: + - cis_csc: ["16.3"] + - cis: ["5.2.11"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] + condition: all + rules: + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no' + +# Section 6.2 - User and Group Settings + - id: 5034 + title: "Ensure password fields are not empty" + description: "An account with an empty password field means that anybody may log in as that user without providing a password." + rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." 
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l " + compliance: + - cis_csc: ["4.4"] + - cis: ["6.2.1"] + - pci_dss: ["10.2.5"] + - hipaa: ["164.312.b"] + - nist_800_53: ["IA.10","AC.7"] + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+::' + + - id: 5035 + title: "Ensure root is the only UID 0 account" + description: "Any account with UID 0 has superuser privileges on the system." + rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." + remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." + compliance: + - cis_csc: ["5.1"] + - cis: ["6.2.5"] + - pci_dss: ["10.2.5"] + - hipaa: ["164.312.b"] + - nist_800_53: ["IA.10","AC.7"] + condition: none + rules: + - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml new file mode 100644 index 000000000..d89930110 --- /dev/null +++ b/sca/generic/system_audit_pw.yml 
@@ -0,0 +1,160 @@ +# Security Configuration assessment +# Checks for Password Security on Linux Systems +# Copyright (C) 2015-2019, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation +# +# Mostly based on +# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018 +# Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017 +# Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017 +# OSSEC v3.2.0 + +policy: + id: "system_audit_pw" + file: "system_audit_pw.yml" + name: "System audit for password-related vulnerabilities" + description: "Guidance for establishing a secure configuration for password vulnerabilities." + references: + - https://www.cisecurity.org/cis-benchmarks/ + +requirements: + title: "Check that password-related files are present on the system" + description: "Requirements for running the SCA scan against the password-related policy." + condition: any + rules: + - 'f:/etc/passwd' + - 'f:/etc/shadow' + +variables: + $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd + +checks: +# 5.3 Configure PAM + - id: 13000 + title: "Ensure password creation requirements are configured" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: all + rules: + - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' + - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' + + - id: 13001 + title: "Ensure passwords are longer than 13 characters" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." 
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14' + + - id: 13002 + title: "Ensure passwords contain at least one digit" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1' + + - id: 13003 + title: "Ensure passwords contain at least one lowercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." 
+ rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1' + + - id: 13004 + title: "Ensure passwords contain at least one uppercase character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1' + + - id: 13005 + title: "Ensure passwords contain at least one special character" + description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. 
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." + rationale: "Strong passwords protect systems from being hacked through brute force methods." + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + compliance: + - cis: ["5.3.1"] + - cis_csc: ["4.4","5.7","16.12"] + references: + - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ + condition: any + rules: + - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1' + + - id: 13006 + title: "Ensure password hashing algorithm is SHA-512" + description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm." + rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system." + remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512" + compliance: + - cis: ["5.3.4"] + - cis_csc: ["16.14"] + condition: any + rules: + - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512' + + - id: 13007 + title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" + description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5." 
+ rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords." + remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256." + references: + - https://linux-audit.com/password-security-with-linux-etc-shadow-file/ + - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html + condition: none + rules: + - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$' + +# 5.4 User accounts and Environment + - id: 13008 + title: "Ensure password expiration is 365 days or less" + description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." + rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." + remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." + compliance: + - cis: ["5.4.1.1"] + - cis_csc: ["4.4","16"] + references: + - https://www.thegeekdiary.com/understanding-etclogin-defs-file + condition: any + rules: + - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' + - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365' diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml new file mode 100644 index 000000000..e57c4cb96 --- /dev/null +++ b/sca/generic/system_audit_ssh.yml 
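Review bot: Check 13000's second rule fails a compliant configuration: it ends in `n:retry=(\d+) compare < 3`, but the description defers to site policy and the CIS 5.3.1 item the check cites sets `retry=3`, so the threshold should be `compare <= 3`. The `$pam_d_files` variable declared under `variables:` is never referenced; every rule in 13000–13006 hard-codes `f:/etc/pam.d/common-password`, so on distributions that configure PAM through `password-auth`/`system-auth` the rule has no file to inspect and the checks fail regardless of the actual settings. Checks 13001–13005 additionally match only `pam_cracklib.so`, while their descriptions and remediation name `pam_pwquality.so` and `/etc/security/pwquality.conf`, so a pwquality-based policy is reported as non-compliant. Minor: the 13007 regex lists the alternative `^\w+:\$md5\$` twice.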
@@ -0,0 +1,137 @@
+# Security Configuration assessment
+# Checks for SSH hardening
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+ id: "system_audit_ssh"
+ file: "system_audit_ssh.yml"
+ name: "System audit for SSH hardening"
+ description: "Guidance for establishing a secure configuration for SSH service vulnerabilities."
+ references:
+ - https://www.ssh.com/ssh/
+
+requirements:
+ title: "Check that the SSH service is installed on the system"
+ description: "Requirements for running the SCA scan against the SSH policy."
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config'
+
+variables:
+ $sshd_file: /etc/ssh/sshd_config
+
+checks:
+ - id: 1500
+ title: "SSH Hardening - 1: Port should not be 22"
+ description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections."
+ rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
+ remediation: "Change the Port option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'
+
+ - id: 1501
+ title: "SSH Hardening - 2: Protocol should not be 1"
+ description: "The SSH protocol should not be 1."
+ rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses."
+ remediation: "Change the Protocol option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$'
+
+ - id: 1502
+ title: "SSH Hardening - 3: Root account should not be able to log in"
+ description: "The option PermitRootLogin should be set to no."
+ rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses."
+ remediation: "Change the PermitRootLogin option value in the sshd_config file."
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no'
+
+ - id: 1503
+ title: "SSH Hardening - 4: No Public Key authentication"
+ description: "The option PubkeyAuthentication should be set yes."
+ rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password."
+ remediation: "Change the PubkeyAuthentication option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes'
+
+ - id: 1504
+ title: "SSH Hardening - 5: Password Authentication should be disabled"
+ description: "The option PasswordAuthentication should be set to no."
+ rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords."
+ remediation: "Change the PasswordAuthentication option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no'
+
+ - id: 1505
+ title: "SSH Hardening - 6: Empty passwords should not be allowed"
+ description: "The option PermitEmptyPasswords should be set to no."
+ rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice."
+ remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no'
+
+ - id: 1506
+ title: "SSH Hardening - 7: Rhost or shost should not be used for authentication"
+ description: "The option IgnoreRhosts should be set to yes."
+ rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication."
+ remediation: "Change the IgnoreRhosts option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes'
+
+ - id: 1507
+ title: "SSH Hardening - 8: Grace Time should be 30 or less."
+ description: "The option LoginGraceTime should be set to 30 or less."
+ rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate."
+ remediation: "Change the LoginGraceTime option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30'
+
+ - id: 1508
+ title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts"
+ description: "The option MaxAuthTries should be set to 4 or less."
+ rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
+ remediation: "Change the MaxAuthTries option value in the sshd_config file."
+ compliance: + - pci_dss: ["2.2.4"] + condition: all + rules: + - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4' + + - id: 1509 + title: "Ensure SSH HostbasedAuthentication is disabled" + description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." + rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." + remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" + compliance: + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] + condition: all + rules: + - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no' diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml index 9745a648f..b1195ffdc 100644 --- a/sca/rhel/5/cis_rhel5_linux.yml +++ b/sca/rhel/5/cis_rhel5_linux.yml @@ -41,7 +41,7 @@ checks: rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /tmp . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.1" + - cis: ["1.1.1"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14161-4 
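Review bot: Check 1500's rule `!r:^# && r:Port && !r:\D22\D*$` is not anchored to the `Port` directive, so any uncommented line that merely contains the substring, for example `GatewayPorts no`, satisfies it and the check passes on a host whose `Port` is still commented out and therefore listening on 22; anchoring it as `r:^\s*Port\s` restricts the match to the directive itself. Check 1507's `n:^\s*LoginGraceTime\s+(\d+)s compare <= 30` requires a literal `s` after the number, so the usual form `LoginGraceTime 30` never matches and a compliant host fails; `n:^\s*LoginGraceTime\s+(\d+) compare <= 30` covers both spellings. Check 1501 appears to fail on an OpenSSH build that no longer ships protocol 1 and has no `Protocol` line at all, which may be intended but should be stated in the description. Check 1509 uses the CIS title and remediation wording while 1500–1508 follow the `SSH Hardening - N:` scheme; the naming should be made consistent.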
@@ -56,8 +56,8 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /tmp" compliance: - - cis: "1.1.2" - - pci_dss: "2.2.4" + - cis: ["1.1.2"] + - pci_dss: ["2.2.4"] references: - CCE-14412-1 condition: all @@ -71,8 +71,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)." compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" + - cis: ["1.1.3"] + - pci_dss: ["2.2.4"] references: - CCE-14940-1 condition: all @@ -86,8 +86,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). # mount -o remount,noexec /tmp" compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" + - cis: ["1.1.4"] + - pci_dss: ["2.2.4"] references: - CCE-14412-1 condition: all @@ -101,7 +101,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.5" + - cis: ["1.1.5"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14777-7 
@@ -116,7 +116,7 @@ checks: rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" compliance: - - cis: "1.1.6" + - cis: ["1.1.6"] references: - CCE-14584-7 condition: all @@ -130,7 +130,7 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.7" + - cis: ["1.1.7"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14011-1 @@ -145,7 +145,7 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log/audit . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.8" + - cis: ["1.1.8"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14171-3 
@@ -160,7 +160,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.9" + - cis: ["1.1.9"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ - CCE-14559-9 @@ -175,8 +175,8 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /home" compliance: - - cis: "1.1.10" - - pci_dss: "2.2.4" + - cis: ["1.1.10"] + - pci_dss: ["2.2.4"] references: - CCE-4249-9 condition: all @@ -190,8 +190,8 @@ checks: rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm). # mount -o remount,nodev /dev/shm" compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" + - cis: ["1.1.14"] + - pci_dss: ["2.2.4"] references: - CCE-15007-8 condition: all 
@@ -205,8 +205,8 @@ checks: rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,nosuid /dev/shm" compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" + - cis: ["1.1.15"] + - pci_dss: ["2.2.4"] references: - CCE-14306-5 condition: all @@ -220,8 +220,8 @@ checks: rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm" compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" + - cis: ["1.1.16"] + - pci_dss: ["2.2.4"] references: - CCE-14927-8 condition: all @@ -238,9 +238,9 @@ checks: rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly." remediation: "Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off" compliance: - - cis: "1.2.5" - - pci_dss: "6.2" - - nist_800_53: "SI.2" + - cis: ["1.2.5"] + - pci_dss: ["6.2"] + - nist_800_53: ["SI.2"] references: - CCE-4218-4 condition: none @@ -257,8 +257,8 @@ checks: rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten." remediation: "Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf." compliance: - - cis: "1.4.1" - - pci_dss: "2.2.4" + - cis: ["1.4.1"] + - pci_dss: ["2.2.4"] references: - CCE-3977-6 condition: none 
@@ -272,8 +272,8 @@ checks: rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing" compliance: - - cis: "1.4.2" - - pci_dss: "2.2.4" + - cis: ["1.4.2"] + - pci_dss: ["2.2.4"] references: - CCE-3999-0 condition: all @@ -287,8 +287,8 @@ checks: rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted" compliance: - - cis: "1.4.3" - - pci_dss: "2.2.4" + - cis: ["1.4.3"] + - pci_dss: ["2.2.4"] references: - CCE-3624-4 condition: all @@ -302,8 +302,8 @@ checks: rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." remediation: "rpm -qa setroubleshoot" compliance: - - cis: "1.4.4" - - pci_dss: "2.2.4" + - cis: ["1.4.4"] + - pci_dss: ["2.2.4"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on' @@ -315,8 +315,8 @@ checks: rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system." remediation: "# chkconfig mctrans off" compliance: - - cis: "1.4.5" - - pci_dss: "2.2.4" + - cis: ["1.4.5"] + - pci_dss: ["2.2.4"] references: - CCE-3668-1 condition: none 
@@ -333,8 +333,8 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Set a bootloader password" compliance: - - cis: "1.5.3" - - pci_dss: "2.2.4" + - cis: ["1.5.3"] + - pci_dss: ["2.2.4"] references: - CCE-3818-2 condition: all @@ -348,8 +348,8 @@ checks: rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Add the following to /etc/inittab : ~:S:wait:/sbin/sulogin" compliance: - - cis: "1.5.4" - - pci_dss: "2.2.4" + - cis: ["1.5.4"] + - pci_dss: ["2.2.4"] references: - CCE-4241-6 condition: none @@ -363,8 +363,8 @@ checks: rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings." remediation: "Set the PROMPT parameter in /etc/sysconfig/init to no ." compliance: - - cis: "1.5.5" - - pci_dss: "2.2.4" + - cis: ["1.5.5"] + - pci_dss: ["2.2.4"] references: - CCE-4245-7 condition: all @@ -381,8 +381,8 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" compliance: - - cis: "1.6.1" - - pci_dss: "2.2.4" + - cis: ["1.6.1"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' 
@@ -396,8 +396,8 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting." remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" compliance: - - cis: "1.6.3" - - pci_dss: "2.2.4" + - cis: ["1.6.3"] + - pci_dss: ["2.2.4"] references: - CCE-4146-7 condition: all @@ -412,8 +412,8 @@ checks: rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system." remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1" compliance: - - cis: "1.6.2" - - pci_dss: "2.2.4" + - cis: ["1.6.2"] + - pci_dss: ["2.2.4"] references: - CCE-4168-1 condition: all @@ -429,7 +429,7 @@ checks: rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)." remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no" compliance: - - cis: "1.6.5" + - cis: ["1.6.5"] condition: all rules: - 'f:/etc/sysconfig/prelink -> r:^PRELINKING=no$' @@ -447,9 +447,9 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions." remediation: "# yum erase telnet-server" compliance: - - cis: "2.1.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-3390-2 - CCE-4330-7 
@@ -464,9 +464,9 @@ checks: rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "# yum erase rsh-server" compliance: - - cis: "2.1.3" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.3"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-4308-3 condition: none @@ -479,9 +479,9 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "# yum erase ypbind" compliance: - - cis: "2.1.5" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.5"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-3705-1 (disable) - CCE-4348-9 (uninstall) @@ -496,9 +496,9 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used." remediation: "# yum erase ypserv" compliance: - - cis: "2.1.6" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.6"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-3705-1 (disable) - CCE-4348-9 (uninstall) 
@@ -513,9 +513,9 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "# yum erase tftp-server" compliance: - - cis: "2.1.8" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.8"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] references: - CCE-4273-9 (disable) - CCE-3916-4 (uninstall) @@ -530,9 +530,9 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "# yum erase talk-server" compliance: - - cis: "2.1.10" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.10"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa talk-server -> r:\.' @@ -547,7 +547,7 @@ checks: rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission." remediation: "Add the following line to the /etc/sysconfig/init file. umask 027" compliance: - - cis: "3.2" + - cis: ["3.2"] condition: all rules: - 'f:/etc/sysconfig/init -> umask 027' @@ -559,8 +559,8 @@ checks: rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." remediation: "Edit /etc/inittab set default runlevel as follows: s/:5:/:3:/ Uninstall the X Windows System: # yum groupremove 'X Window System'" compliance: - - cis: "3.3" - - pci_dss: "2.2.2" + - cis: ["3.3"] + - pci_dss: ["2.2.2"] condition: all rules: - 'f:/etc/inittab -> r:^\s*id:3:initdefault' 
@@ -573,8 +573,8 @@ checks: rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it." remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf." compliance: - - cis: "3.1.1" - - pci_dss: "2.2.2" + - cis: ["3.1.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on' @@ -586,8 +586,8 @@ checks: rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "# chkconfig nfslock off; #chkconfig rpcgssd off; #chkconfig rpcidmapd off; # chkconfig portmap off;" compliance: - - cis: "3.8" - - pci_dss: "2.2.2" + - cis: ["3.8"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on' @@ -599,9 +599,9 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." remediation: "# yum erase vsftpd" compliance: - - cis: "3.10" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["3.10"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa vsftpd -> r:\.' 
@@ -613,8 +613,8 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "# yum erase httpd" compliance: - - cis: "3.11" - - pci_dss: "2.2.2" + - cis: ["3.11"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa httpd -> r:\.' @@ -626,8 +626,8 @@ checks: rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." remediation: "# yum erase dovecot" compliance: - - cis: "3.12" - - pci_dss: "2.2.2" + - cis: ["3.12"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa dovecot -> r:\.' @@ -639,8 +639,8 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." remediation: "# yum erase samba" compliance: - - cis: "3.13" - - pci_dss: "2.2.2" + - cis: ["3.13"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa samba -> r:\.' @@ -652,8 +652,8 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." remediation: "# yum erase squid" compliance: - - cis: "3.14" - - pci_dss: "2.2.2" + - cis: ["3.14"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa squid -> r:\.' @@ -665,8 +665,8 @@ checks: rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." remediation: "# yum erase net-snmp" compliance: - - cis: "3.15" - - pci_dss: "2.2.2" + - cis: ["3.15"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa net-snmp -> r:\.' 
@@ -684,8 +684,8 @@ checks: rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf and modify active kernel parameters to match:" compliance: - - cis: "4.1.1" - - pci_dss: "2.2.4" + - cis: ["4.1.1"] + - pci_dss: ["2.2.4"] references: - CCE-3561-8 condition: all @@ -700,8 +700,8 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf" compliance: - - cis: "4.1.2" - - pci_dss: "2.2.4" + - cis: ["4.1.2"] + - pci_dss: ["2.2.4"] references: - CCE-4151-7 - CCE-4155-8 @@ -722,8 +722,8 @@ checks: rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface." remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.1" - - pci_dss: "2.2.4" + - cis: ["4.2.1"] + - pci_dss: ["2.2.4"] references: - CCE-4236-6 - CCE-4091-5 
@@ -741,8 +741,8 @@ checks: rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.2" - - pci_dss: "2.2.4" + - cis: ["4.2.2"] + - pci_dss: ["2.2.4"] references: - CCE-4217-6 - CCE-4186-3 @@ -760,8 +760,8 @@ checks: rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.3" - - pci_dss: "2.2.4" + - cis: ["4.2.3"] + - pci_dss: ["2.2.4"] references: - CCE-3472-8 - CCE-3339-9 @@ -779,8 +779,8 @@ checks: rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.4" - - pci_dss: "2.2.4" + - cis: ["4.2.4"] + - pci_dss: ["2.2.4"] references: - CCE-4320-8 condition: all 
@@ -797,8 +797,8 @@ checks: rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.5" - - pci_dss: "2.2.4" + - cis: ["4.2.5"] + - pci_dss: ["2.2.4"] references: - CCE-3644-2 condition: all @@ -813,8 +813,8 @@ checks: rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.6" - - pci_dss: "2.2.4" + - cis: ["4.2.6"] + - pci_dss: ["2.2.4"] references: - CCE-4133-5 condition: all @@ -829,8 +829,8 @@ checks: rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed." remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match." compliance: - - cis: "4.2.7" - - pci_dss: "2.2.4" + - cis: ["4.2.7"] + - pci_dss: ["2.2.4"] references: - CCE-4080-8 - CCE-3840-6 
@@ -848,8 +848,8 @@ checks: rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding." remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match." compliance: - - cis: "4.2.8" - - pci_dss: "2.2.4" + - cis: ["4.2.8"] + - pci_dss: ["2.2.4"] references: - CCE-4265-5 condition: all @@ -870,10 +870,10 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "6.2.1" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.1"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4245-7 - https://www.ssh.com/ssh/ @@ -888,11 +888,11 @@ checks: rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.3"] + - cis_csc: ["16"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' 
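Review bot: The flow sequences added for `hipaa` in the `@@ -870` hunk and in `@@ -888` right after it have no space after the commas (`"164.312.a.2.IV","164.312.e.1",…`), which yamllint's default `commas` rule reports; the same spacing appears in the `hipaa` lists of `@@ -918`, `@@ -935`, `@@ -952` and `@@ -969`, the `nist_800_53` list in `@@ -992`, and the `cis_csc` list in `@@ -372` of cis_rhel6_linux.yml. Write them as `- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]` so they match the style of the single-element lists elsewhere in the file. Separately, this Protocol-2 check is tagged `cis: ["6.2.1"]` while the LogLevel check in `@@ -888` is tagged `cis: ["5.2.3"]` and carries a `cis_csc` entry; the two numberings look like they come from different benchmark revisions, so it may be worth reconciling them while these lines are being rewritten.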
@@ -904,9 +904,9 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" + - cis: ["5.2.5"] + - cis_csc: ["16"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -918,10 +918,10 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "6.2.6" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.6"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4250-7 condition: all @@ -935,10 +935,10 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "6.2.7" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.7"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4251-5 condition: all 
@@ -952,10 +952,10 @@ checks: rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "6.2.8" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.8"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4252-3 condition: all @@ -969,10 +969,10 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "6.2.9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["6.2.9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] references: - CCE-4256-4 condition: all @@ -992,10 +992,10 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console." remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - - cis: "9.2.5" - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" + - cis: ["9.2.5"] + - pci_dss: ["10.2.5"] + - hipaa: ["164.312.b"] + - nist_800_53: ["IA.10","AC.7"] references: - CCE-4009-7 condition: none 
diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index c58a45bb0..42ee98a30 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -42,7 +42,7 @@ checks: rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.2" + - cis: ["1.1.2"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -56,8 +56,8 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" + - cis: ["1.1.3"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -69,8 +69,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp ." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp" compliance: - - cis: "1.1.4" - - pci_dss: "2.2.4" + - cis: ["1.1.4"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' 
@@ -82,9 +82,9 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,noexec /tmp" compliance: - - cis: "1.1.5" - - cis_csc: "2" - - pci_dss: "2.2.4" + - cis: ["1.1.5"] + - cis_csc: ["2"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -96,7 +96,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.6" + - cis: ["1.1.6"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -110,7 +110,7 @@ checks: rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.7" + - cis: ["1.1.7"] condition: all rules: - 'c:mount -> r:\s/var/tmp\s' 
@@ -122,8 +122,8 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.11" - - cis_csc: "6.3" + - cis: ["1.1.11"] + - cis_csc: ["6.3"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -137,8 +137,8 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.12" - - cis_csc: "6.3" + - cis: ["1.1.12"] + - cis_csc: ["6.3"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -152,7 +152,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.13" + - cis: ["1.1.13"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -166,8 +166,8 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home" compliance: - - cis: "1.1.14" - - pci_dss: "2.2.4" + - cis: ["1.1.14"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/home\s && r:nodev' @@ -179,8 +179,8 @@ checks: rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm" compliance: - - cis: "1.1.15" - - pci_dss: "2.2.4" + - cis: ["1.1.15"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' @@ -192,8 +192,8 @@ checks: rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm" compliance: - - cis: "1.1.16" - - pci_dss: "2.2.4" + - cis: ["1.1.16"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' 
@@ -205,9 +205,9 @@ checks: rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm" compliance: - - cis: "1.1.17" - - cis_csc: "2" - - pci_dss: "2.2.4" + - cis: ["1.1.17"] + - cis_csc: ["2"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' @@ -222,9 +222,9 @@ checks: rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden." remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines." compliance: - - cis: "1.6.1.1" - - cis_csc: "14.4" - - pci_dss: "2.2.4" + - cis: ["1.6.1.1"] + - cis_csc: ["14.4"] + - pci_dss: ["2.2.4"] condition: none rules: - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0' @@ -236,9 +236,9 @@ checks: rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing" compliance: - - cis: "1.6.1.2" - - cis_csc: "14.4" - - pci_dss: "2.2.4" + - cis: ["1.6.1.2"] + - cis_csc: ["14.4"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$' 
@@ -250,8 +250,8 @@ checks: rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted" compliance: - - cis: "1.6.1.3" - - pci_dss: "2.2.4" + - cis: ["1.6.1.3"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$' @@ -263,8 +263,8 @@ checks: rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot" compliance: - - cis: "1.6.1.4" - - pci_dss: "2.2.4" + - cis: ["1.6.1.4"] + - pci_dss: ["2.2.4"] condition: none rules: - 'c:rpm -qa setroubleshoot -> r:\.' @@ -276,8 +276,8 @@ checks: rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system." remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans" compliance: - - cis: "1.6.1.5" - - pci_dss: "2.2.4" + - cis: ["1.6.1.5"] + - pci_dss: ["2.2.4"] condition: none rules: - 'c:rpm -qa mcstrans -> r:\.' @@ -292,9 +292,9 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security." remediation: "Create an encrypted password with grub-md5-crypt, copy and paste the into the global section of /boot/grub/grub.conf." compliance: - - cis: "1.4.2" - - cis_csc: "5.1" - - pci_dss: "2.2.4" + - cis: ["1.4.2"] + - cis_csc: ["5.1"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5' 
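Review bot: The bootloader-password rule in the `@@ -292` hunk reads `f:/boot/grub/grub.cfg`, while its own remediation tells the operator to edit `/boot/grub/grub.conf` and the SELinux check earlier in this file reads `/etc/grub.conf`; on RHEL 6 with legacy GRUB the configuration file is grub.conf, so the rule presumably never finds the file and the check can never pass. Point the rule at the file the remediation names: `- 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'`. The line is pre-existing context rather than part of the compliance-format change, but the hunk already touches this check and is a convenient place to fix it.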
@@ -306,9 +306,9 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin ': SINGLE=/sbin/sulogin"
 compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.3"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin'
@@ -320,9 +320,9 @@ checks:
 rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
 remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
 compliance:
- - cis: "1.4.4"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.4"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> r:^PROMPT=no$'
@@ -337,8 +337,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0; fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -352,8 +352,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -372,10 +372,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet-server && r::on'
@@ -387,10 +387,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Disable rsh, rlogin, and rexec."
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsh|rlogin|rsh && r::on'
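Review bot: The rsh rule on the last line of the hunk, `r:rsh|rlogin|rsh && r::on`, repeats `rsh` and never looks for `rexec`, although the remediation says to disable rsh, rlogin and rexec, so an enabled rexec service passes this check; the intended line is presumably `- 'c:chkconfig --list -> r:rsh|rlogin|rexec && r::on'`. A wider concern for this hunk and the telnet hunk above it: on the RHEL 6 systems I have seen, `chkconfig --list` prints xinetd-managed services as `rsh:            on` with padding after the colon, so the literal `:on` in `r::on` is unlikely to ever match them, and the telnet rule looks for `telnet-server` while chkconfig lists that service as `telnet`. `r::\s*on` and `r:telnet` would be more robust, but confirm against real chkconfig output before changing the four xinetd checks. The rules lists may continue past the end of the hunks.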
@@ -403,10 +403,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
 remediation: "Run the following command to uninstall ypbind : # yum remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -418,10 +418,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
 remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.4"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:ypserv && r::on'
@@ -433,10 +433,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # chkconfig tftp off"
 compliance:
- - cis: "2.1.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp && r::on'
@@ -448,10 +448,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk && r::on'
@@ -467,9 +467,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -481,9 +481,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
@@ -495,9 +495,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
@@ -509,9 +509,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
 remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
@@ -523,8 +523,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable httpd: # chkconfig httpd off"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:httpd && r::on'
@@ -536,9 +536,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:dovecot && r::on'
@@ -550,9 +550,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb: # chkconfig smb off"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
@@ -564,9 +564,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # chkconfig squid off"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
@@ -578,9 +578,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
 remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
@@ -598,9 +598,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
@@ -613,9 +613,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -633,9 +633,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -650,9 +650,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -667,9 +667,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -684,9 +684,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -701,9 +701,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
@@ -716,8 +716,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1"
 compliance:
- - cis: "3.2.6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -730,8 +730,8 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
 remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
 compliance:
- - cis: "3.2.7"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -746,9 +746,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
@@ -767,11 +767,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
@@ -783,11 +783,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
@@ -799,9 +799,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
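Review bot: The rule on the last line of the Protocol hunk, `r:Protocol\s*\t*2`, is anchored at neither end, so a `Protocol 2,1` line, which still offers SSH-1 on OpenSSH releases that support it, satisfies the check, as does any uncommented line that merely contains that text. Anchoring it, `- 'f:$sshd_file -> !r:^# && r:^Protocol\s*\t*2\s*$'`, makes only an explicit protocol-2-only setting pass, which is what the remediation asks for. The compliance-identifier changes in this hunk look correct. The rules list may continue beyond the end of the hunk.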
@@ -813,11 +813,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
@@ -829,11 +829,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5].2.7"
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
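Review bot: The new `cis` entry in the HostbasedAuthentication hunk is `- cis: ["5].2.7"` — the closing bracket landed inside the string, which leaves an unterminated flow sequence, so a YAML parser will either reject the whole policy file or swallow the following lines into that value; either way every check in this file is at risk of not loading. It should read `- cis: ["5.2.7"]`. Since this change rewrites every compliance line in the repository, running the policy files through a YAML linter (or the SCA loader itself) in CI would catch this class of slip before it ships.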
@@ -845,11 +845,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
@@ -861,11 +861,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
@@ -883,11 +883,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml
index 82eebedaa..4cd017c88 100644
--- a/sca/rhel/7/cis_rhel7_linux.yml
+++ b/sca/rhel/7/cis_rhel7_linux.yml
@@ -42,7 +42,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs. Enable systemd /tmp mounting"
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
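Review bot: The UID-0 rule on the last line of the first hunk, `r:^\w+:\w+:0:`, requires at least one `\w` character in the password field of /etc/passwd, so an entry whose second field is empty — a UID-0 account with no password at all, the worst case this check exists to catch — does not match and the host is reported compliant; as I read the OSSEC regex documentation `\w` also excludes `.`, so usernames such as `svc.backup` are skipped too. If the engine accepts the modifier, `- 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w*:0:'` closes the empty-password gap; a looser match on the user-name field depends on what character classes the engine supports, so verify against the regex docs for this SCA version. The identifier changes in both hunks look correct.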
@@ -56,8 +56,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -69,8 +69,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -82,9 +82,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -96,7 +96,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -110,7 +110,7 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.7"
+ - cis: ["1.1.7"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -122,8 +122,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -137,8 +137,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -152,7 +152,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -166,8 +166,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -179,8 +179,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -192,8 +192,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -205,9 +205,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -222,9 +222,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
 remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
 compliance:
- - cis: "1.6.1.2"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.2"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sestatus -> r:^SELinux status:\s+enabled$'
@@ -239,8 +239,8 @@ checks:
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
 remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
 compliance:
- - cis: "1.6.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sestatus -> r:^Loaded policy name:\s+targeted$'
@@ -253,8 +253,8 @@ checks:
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
 remediation: "Run the following command to uninstall s etroubleshoot: # yum remove setroubleshoot"
 compliance:
- - cis: "1.6.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$'
@@ -266,8 +266,8 @@ checks:
 rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
 remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
 compliance:
- - cis: "1.6.1.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.5"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$'
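Review bot: The only rule visible in the SELinux-state hunk, `c:sestatus -> r:^SELinux status:\s+enabled$`, is satisfied by a host running in permissive mode, because `sestatus` reports `enabled` for both permissive and enforcing, while the remediation (`SELINUX=enforcing`) and CIS 1.6.1.2 demand enforcing. Unless a rule past the end of this hunk checks the mode, add `- 'c:sestatus -> r:^Current mode:\s+enforcing$'` next to it (the condition is already `all`), and consider a second line for the persisted setting, `- 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'`, so a host that is enforcing only until its next reboot does not pass. The identifier changes in these hunks look correct.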
@@ -282,9 +282,9 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword" compliance: - - cis: "1.4.2" - - cis_csc: "5.1" - - pci_dss: "2.2.4" + - cis: ["1.4.2"] + - cis_csc: ["5.1"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+' @@ -299,8 +299,8 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and set the active kernel parameter" compliance: - - cis: "1.5.1" - - cis_csc: "13" + - cis: ["1.5.1"] + - cis_csc: ["13"] condition: all rules: - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' @@ -314,8 +314,8 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter" compliance: - - cis: "1.5.3" - - cis_csc: "8.4" + - cis: ["1.5.3"] + - cis_csc: ["8.4"] condition: all rules: - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$' 
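Review bot: The rule `f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+` in the @@ -282 hunk appears to look in the wrong file: `grub2-setpassword`, which the remediation itself recommends, writes the `GRUB2_PASSWORD=grub.pbkdf2...` line to `/boot/grub2/user.cfg` (and `/boot/efi/EFI/redhat/user.cfg` on UEFI systems), not to the generated grub.cfg — please confirm on a target host, because as written the check would fail on a correctly hardened machine. Suggested rule: `- 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD=\.+'`, with a second rule for the EFI path and `condition: any` if UEFI hosts are in scope. The remaining rules of this check, if any, are outside the hunk.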
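Review bot: The limits rule in the @@ -299 hunk ends in `-> r:\s*\t*0$`, which is not anchored on the left and allows `\s*` to match nothing, so any grep hit whose value merely ends in 0 (for example `* hard core 10`) satisfies it; OSSEC `r:` searches anywhere in the line. Require whitespace before the zero, e.g. `r:\s+0$|\t+0$`, so that only an actual hard limit of 0 passes. The `fs.suid_dumpable = 0` half of the remediation has no rule visible in this hunk; if none exists further down, `- 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0$'` would cover it.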
@@ -334,10 +334,10 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" remediation: "Run the following command to disable ypserv: # systemctl disable ypserv" compliance: - - cis: "2.2.16" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.2.16"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled ypserv -> r:^enabled' @@ -349,10 +349,10 @@ checks: rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket " compliance: - - cis: "2.2.17" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.2.17"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled rsh.socket -> r:^enabled' @@ -366,10 +366,10 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable talk: # systemctl disable ntalk" compliance: - - cis: "2.2.18" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.2.18"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled ntalk -> r:^enabled' 
@@ -381,10 +381,10 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket" compliance: - - cis: "2.2.19" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.2.19"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled telnet.socket -> r:^enabled' @@ -396,10 +396,10 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket" compliance: - - cis: "2.2.20" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.2.20"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled tftp.socket -> r:^enabled' @@ -411,10 +411,10 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsync: # systemctl disable rsyncd" compliance: - - cis: "2.2.21" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.2.21"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled rsyncd -> r:^enabled' 
@@ -426,10 +426,10 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "Run the following command to uninstall ypbind: # yum remove ypbind" compliance: - - cis: "2.3.1" - - cis_csc: "2" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.3.1"] + - cis_csc: ["2"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:rpm -q ypbind -> r:^package ypbind is not installed$' @@ -441,10 +441,10 @@ checks: rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Run the following command to disable xinetd: # systemctl disable xinetd" compliance: - - cis: "2.1.7" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.7"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled xinetd -> r:^enabled' @@ -456,10 +456,10 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off" compliance: - - cis: "2.1.1" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.1"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:^\s*\t*chargen-dgram:\s*\t*on' 
@@ -472,8 +472,8 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off" compliance: - - cis: "2.1.2" - - cis_csc: "9.1" + - cis: ["2.1.2"] + - cis_csc: ["9.1"] condition: none rules: - 'c:chkconfig --list -> r:^\s*\t*daytime-dgram:\s*\t*on' @@ -486,10 +486,10 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off" compliance: - - cis: "2.1.3" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.3"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:^\s*\t*discard-dgram:\s*\t*on' @@ -502,10 +502,10 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off" compliance: - - cis: "2.1.4" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.4"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:^\s*\t*echo-dgram:\s*\t*on' @@ -518,10 +518,10 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off" compliance: - - cis: "2.1.4" - - cis_csc: "9.1" - - pci_dss: "2.2.3" - - nist_800_53: "CM.1" + - cis: ["2.1.4"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.3"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:^\s*\t*time-dgram:\s*\t*on' 
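Review bot: The daytime check in the @@ -472 hunk maps only `cis` and `cis_csc`, while its siblings for chargen, discard, echo and time in the surrounding hunks also carry `pci_dss: ["2.2.3"]` and `nist_800_53: ["CM.1"]`; since this commit is already rewriting every compliance block, this looks like an omission rather than a deliberate difference. If so, add `- pci_dss: ["2.2.3"]` and `- nist_800_53: ["CM.1"]` after the `cis_csc` entry so the report aggregates consistently.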
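Review bot: The time-dgram/time-stream check in the @@ -518 hunk is mapped to `cis: ["2.1.4"]`, the same identifier the echo check in the @@ -502 hunk uses, which looks like a copy-paste carry-over; in the CIS RHEL 7 benchmark echo is 2.1.4 and time is 2.1.5. Verify against the benchmark this file targets and change the line to `- cis: ["2.1.5"]`. Duplicate ids silently merge two findings in any report that aggregates by control.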
@@ -534,9 +534,9 @@ checks: rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*" compliance: - - cis: "2.2.2" - - cis_csc: "2" - - pci_dss: "2.2.2" + - cis: ["2.2.2"] + - cis_csc: ["2"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+' @@ -548,9 +548,9 @@ checks: rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon" compliance: - - cis: "2.2.3" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.3"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' @@ -562,9 +562,9 @@ checks: rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd" compliance: - - cis: "2.2.5" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.5"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] references: - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp condition: none 
@@ -578,9 +578,9 @@ checks: rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." remediation: "Run the following command to disable slapd: # systemctl disable dhcpd" compliance: - - cis: "2.2.6" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.6"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] references: - More detailed documentation on OpenLDAP is available at https://www.openldap.org condition: none @@ -594,9 +594,9 @@ checks: rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'" compliance: - - cis: "2.2.1.2" - - cis_csc: "6.1" - - pci_dss: "2.2.2" + - cis: ["2.2.1.2"] + - cis_csc: ["6.1"] + - pci_dss: ["2.2.2"] condition: all rules: - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' @@ -612,9 +612,9 @@ checks: rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly." remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'" compliance: - - cis: "2.2.1.2" - - cis_csc: "6.1" - - pci_dss: "2.2.2" + - cis: ["2.2.1.2"] + - cis_csc: ["6.1"] + - pci_dss: ["2.2.2"] condition: all rules: - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' 
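Review bot: The slapd remediation in the @@ -578 hunk tells the operator to run `# systemctl disable dhcpd`, which disables the DHCP server rather than the LDAP server this check is about (the string is a copy of the dhcpd check's). Change it to `Run the following command to disable slapd: # systemctl disable slapd`. The rule for this check is outside the hunk, so I could not confirm that it tests slapd rather than dhcpd as well.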
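Review bot: The ntp rule in the @@ -594 hunk requires whitespace on both sides of every option (`&& r:\s+noquery\s+` etc.), so whichever option is last on the `restrict` line cannot match unless the line happens to carry trailing whitespace — a correctly configured `restrict -4 default kod nomodify notrap nopeer noquery` fails the check. Relax each token to accept end of line as well, e.g. `&& r:\s+noquery\s|\s+noquery$` for the last one, or match the whole CIS line as `r:^restrict\s+-4\s+default\s+kod\s+nomodify\s+notrap\s+nopeer\s+noquery\s*$`. Separately, the remediation lists the `-4` line twice where the second should be `restrict -6 default kod nomodify notrap nopeer noquery`, and the `server .` fragment looks like a stripped `<remote-server>` placeholder; no IPv6 rule is visible in the hunk, so check whether one exists below it.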
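Review bot: The chrony check in the @@ -612 hunk reuses `cis: ["2.2.1.2"]`, the id the ntp check in the previous hunk carries; CIS numbers chrony configuration separately (2.2.1.3 in the RHEL 7 benchmark), so please verify and correct the mapping. The remediation string is also garbled — `to match the following: - 1) Add or edit server or pool lines ... server .` has lost its example and placeholder — and could read `1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server <remote-server>. 2) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: OPTIONS="-u chrony"`. Note that on RHEL/CentOS the daemon account is `chrony`, not `chronyd` as the current text says; confirm for the platform this policy targets.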
@@ -627,9 +627,9 @@ checks: rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind" compliance: - - cis: "2.2.7" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.7"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled nfs -> r:^enabled' @@ -643,9 +643,9 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" compliance: - - cis: "2.2.9" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.9"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled vsftpd -> r:^enabled' @@ -657,8 +657,8 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable httpd: # systemctl disable httpd" compliance: - - cis: "2.2.10" - - cis_csc: "9.1" + - cis: ["2.2.10"] + - cis_csc: ["9.1"] condition: none rules: - 'c:systemctl is-enabled httpd -> r:^enabled' 
@@ -670,9 +670,9 @@ checks: rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." remediation: "Run the following command to disable dovecot: # systemctl disable dovecot" compliance: - - cis: "2.2.11" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.11"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled dovecot -> r:^enabled' @@ -684,9 +684,9 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." remediation: "Run the following command to disable smb: # systemctl disable smb" compliance: - - cis: "2.2.12" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.12"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled smb -> r:^enabled' @@ -698,9 +698,9 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." remediation: "Run the following command to disable squid: # systemctl disable squid" compliance: - - cis: "2.2.13" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.13"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled squid -> r:^enabled' 
@@ -712,9 +712,9 @@ checks: rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." remediation: "Run the following command to disable snmpd: # systemctl disable snmpd" compliance: - - cis: "2.2.14" - - cis_csc: "9.1" - - pci_dss: "2.2.2" + - cis: ["2.2.14"] + - cis_csc: ["9.1"] + - pci_dss: ["2.2.2"] condition: none rules: - 'c:systemctl is-enabled snmpd -> r:^enabled' @@ -732,9 +732,9 @@ checks: rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters." compliance: - - cis: "3.1.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.1.1"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$' 
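Review bot: The multi-entry flow sequences introduced here, `cis_csc: ["3","11"]` in the @@ -732 hunk (and the `hipaa` and `nist_800_53` lists later in the file), omit the space after the comma, which yamllint's default `commas` rule flags and which reads differently from the single-entry lists around them; write `- cis_csc: ["3", "11"]`. Also, only the IPv4 forwarding rule is visible in this hunk — if the benchmark revision this file follows also covers `net.ipv6.conf.all.forwarding` under 3.1.1, a second rule is needed; it may already be below the hunk.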
@@ -747,9 +747,9 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "3.1.2" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.1.2"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' 
@@ -767,9 +767,9 @@ checks: rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters." compliance: - - cis: "3.2.1" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.1"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' @@ -784,9 +784,9 @@ checks: rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters." compliance: - - cis: "3.2.2" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.2"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' 
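Review bot: The accept_source_route rule in the @@ -767 hunk, `c:sysctl net.ipv4.conf.all.accept_source_route -> r:^...\s*=\s*0$`, checks only the running kernel value, so a host whose /etc/sysctl.conf or /etc/sysctl.d still sets 1 passes until its next reboot, even though the remediation asks for both the file and the active parameter. The same pattern applies to every sysctl-based check from the @@ -732 hunk onward. Consider pairing each runtime rule with a config rule in the style the ASLR check already uses, e.g. `- 'c:grep -Rh ^net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^\s*net.ipv4.conf.all.accept_source_route\s*=\s*0$'`; the `default.` counterpart named in the remediation is not visible in this hunk.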
@@ -801,9 +801,9 @@ checks: rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters." compliance: - - cis: "3.2.3" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.3"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' @@ -818,9 +818,9 @@ checks: rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters." compliance: - - cis: "3.2.4" - - cis_csc: "6" - - pci_dss: "2.2.4" + - cis: ["3.2.4"] + - cis_csc: ["6"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' 
@@ -835,9 +835,9 @@ checks: rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters." compliance: - - cis: "3.2.5" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.5"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' @@ -850,9 +850,9 @@ checks: rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 and set the active kernel parameters." compliance: - - cis: "3.2.6" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.6"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' 
@@ -865,9 +865,9 @@ checks: rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing." remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1 and set the active kernel parameters." compliance: - - cis: "3.2.7" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.7"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' @@ -882,9 +882,9 @@ checks: rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." compliance: - - cis: "3.2.8" - - cis_csc: "3, 11" - - pci_dss: "2.2.4" + - cis: ["3.2.8"] + - cis_csc: ["3","11"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' 
@@ -903,11 +903,11 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "5.2.2" - - cis_csc: "3.4" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.2"] + - cis_csc: ["3.4"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2' @@ -919,11 +919,11 @@ checks: rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - - cis: "5.2.3" - - cis_csc: "16" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.3"] + - cis_csc: ["16"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO' 
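Review bot: The rule `f:$sshd_file -> !r:^# && r:Protocol\s*\t*2` in the @@ -903 hunk is not anchored on the right, so `Protocol 2,1` — which keeps SSHv1 enabled — satisfies it; use `r:^\s*Protocol\s*\t*2\s*$`. Conversely, under `condition: all` a sshd_config that omits `Protocol` entirely fails, although OpenSSH servers since 7.4 support only version 2 and treat the keyword as deprecated, so on current releases this check produces a false failure; consider gating it on the installed version. The LogLevel rule in the @@ -919 hunk has the same unanchored shape, though no comparable bypass value comes to mind there.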
@@ -935,9 +935,9 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "5.2.5" - - cis_csc: "16" - - pci_dss: "2.2.4" + - cis: ["5.2.5"] + - cis_csc: ["16"] + - pci_dss: ["2.2.4"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -949,11 +949,11 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "5.2.6" - - cis_csc: "9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.6"] + - cis_csc: ["9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes' @@ -965,11 +965,11 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "5.2.7" - - cis_csc: "9" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.7"] + - cis_csc: ["9"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no' 
@@ -981,11 +981,11 @@ checks: rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "5.2.8" - - cis_csc: "5.8" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.8"] + - cis_csc: ["5.8"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no' @@ -997,11 +997,11 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "5.2.9" - - cis_csc: "16" - - pci_dss: "4.1" - - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" - - nist_800_53: "SC.8" + - cis: ["5.2.9"] + - cis_csc: ["16"] + - pci_dss: ["4.1"] + - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no' 
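Review bot: The rule `f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no` in the @@ -981 hunk passes as soon as any non-comment line contains that text, but sshd applies the first occurrence of a keyword, so a file with `PermitRootLogin yes` followed by `PermitRootLogin no` (or a `no` inside a `Match` block under a global `yes`) still permits root login while satisfying the check. A line regex cannot express first-match-wins; the reliable audit is the effective configuration, e.g. `- 'c:sshd -T -> r:^permitrootlogin\s+no$'` (`sshd -T` prints keywords lowercased and needs root, which the agent normally has). The same caveat applies to the other sshd_config rules in this file, including the PermitEmptyPasswords rule in the @@ -997 hunk.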
@@ -1019,11 +1019,11 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - - cis: "6.2.5" - - cis_csc: "5.1" - - pci_dss: "10.2.5" - - hipaa: "164.312.b" - - nist_800_53: "IA.10, AC.7" + - cis: ["6.2.5"] + - cis_csc: ["5.1"] + - pci_dss: ["10.2.5"] + - hipaa: ["164.312.b"] + - nist_800_53: ["IA.10","AC.7"] condition: none rules: - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml index 4359ad8e4..528deebd2 100644 --- a/sca/sles/11/cis_sles11_linux.yml +++ b/sca/sles/11/cis_sles11_linux.yml 
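Review bot: The UID-0 rule in the @@ -1019 hunk, `r:^\w+:\w+:0:`, only matches when both the account name and the password field consist of `\w` characters, so a UID-0 account whose name contains a character outside that class, or whose password field is a locked marker such as `!!` or `*`, is not matched and — with `condition: none` — the check passes. Use `r:^\S+:\S+:0:` so anything up to each colon is accepted, or follow the CIS audit directly with an awk command that prints every UID-0 name and keep `!r:^\s*\t*root:` as the exclusion. The exact character set of OSSEC's `\w` should be confirmed in os_regex, but it is narrower than what `/etc/passwd` allows.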
@@ -38,7 +38,7 @@ checks: rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.2" + - cis: ["1.1.2"] references: - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -51,8 +51,8 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp" compliance: - - cis: "1.1.3" - - pci_dss: "2.2.4" + - cis: ["1.1.3"] + - pci_dss: ["2.2.4"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' 
@@ -63,8 +63,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -76,9 +76,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -90,7 +90,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -103,8 +103,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -118,8 +118,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -133,7 +133,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -146,8 +146,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -159,8 +159,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -172,8 +172,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -185,9 +185,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -202,9 +202,9 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Create an encrypted password with grub-md5-crypt : # grub-md5-crypt. The result is an . Copy and paste the into the global section of /boot/grub/menu.lst: password --md5 Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/boot/grub/menu.lst -> r:^password --md5'
@@ -219,8 +219,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to the /etc/security/limits.conf file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0."
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
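Review bot: The remediation text in the grub password hunk has lost the placeholder for the hash — `The result is an . Copy and paste the into the global section` and `password --md5 Notes:` read as if an `<encrypted-password>` token was stripped as markup, so an operator following the text cannot tell what to paste. Suggest restoring it in words, e.g. `The result is an encrypted password string. Copy and paste it into the global section of /boot/grub/menu.lst as: password --md5 <encrypted-password>`. The rule itself only confirms that a `password --md5` line exists, so only the prose needs the fix.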
@@ -234,8 +234,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -254,8 +254,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
@@ -266,8 +266,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off"
 compliance:
- - cis: "2.1.2,3.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on'
@@ -279,8 +279,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
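Review bot: The daytime hunk drops a reference while converting to list form — `cis: "2.1.2,3.1"` becomes `cis: ["2.1.2"]`, whereas every other multi-valued entry in this commit is split into list items. If `3.1` was a stray it should be called out in the commit message; otherwise it belongs in the list as `- cis: ["2.1.2","3.1"]`. The remediation in the same hunk also carries a typo that would fail if pasted: `# chkconfig daytime-off` should read `# chkconfig daytime off`.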
@@ -291,8 +291,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
@@ -303,8 +303,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
 compliance:
- - cis: "2.1.5"
- - cis_csc: "9.1"
+ - cis: ["2.1.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp: && r::on'
@@ -315,10 +315,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
@@ -329,10 +329,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
@@ -343,10 +343,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
@@ -357,10 +357,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # chkconfig tftp off"
 compliance:
- - cis: "2.1.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
@@ -371,8 +371,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off"
 compliance:
- - cis: "2.1.10, 2.2.17"
- - pci_dss: "2.2.2"
+ - cis: ["2.1.10","2.2.17"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsync: && r::on'
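Review bot: In the rsyncd hunk the rule `r:rsync: && r::on` only matches a service printed literally as `rsync` followed by a colon, while the title and remediation (`# chkconfig rsyncd off`) refer to `rsyncd`. If `chkconfig --list` on SLES 11 prints the service as `rsyncd`, the regex never matches, and because the check uses `condition: none` an enabled rsync daemon passes silently. Suggest matching the documented name, e.g. `- 'c:chkconfig --list -> r:^rsyncd && r::on'`, or `r:rsyncd|rsync: && r::on` if either spelling can appear on the target hosts.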
@@ -386,9 +386,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: any
 rules:
 - 'f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery'
@@ -403,9 +403,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -417,9 +417,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
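Review bot: The ntp hunk keeps `condition: any` on a check whose visible rule only covers the `restrict -4 default` line, while the remediation requires both the `-4` and `-6` restrict lines; if the rules continuing past this hunk are the `-6` counterpart, `any` lets a host pass with only one of the two configured. `condition: all` looks like the intended semantics and is what the sibling sysctl checks in this commit use — worth confirming against the full rule list, which ends outside the hunk. The remediation also shows a stripped placeholder (`as appropriate: server Add or edit`), presumably `server <remote-server>`.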
@@ -430,8 +430,8 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd : # chkconfig dhcpd off"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:dhcpd && r::on'
@@ -443,9 +443,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind : # chkconfig nfs off # chkconfig rpcbind off"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
@@ -456,9 +456,9 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable named : # chkconfig named off"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:named && r::on'
@@ -469,9 +469,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd : # chkconfig vsftpd off Notes: Additional FTP servers also exist and should be audited."
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
@@ -483,8 +483,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface. Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
 remediation: "Run the following command to disable apache2 : # chkconfig apache2 off"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:apache2 && r::on'
@@ -495,9 +495,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cyrus : # chkconfig cyrus off Notes: Several IMAP/POP3 servers exist and can use other service names. dovecot is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list cyrus -> r:cyrus && r::on'
@@ -509,9 +509,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb : # chkconfig smb off"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
@@ -522,9 +522,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # chkconfig squid off"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
@@ -535,9 +535,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # chkconfig snmpd off Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: node
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
@@ -548,10 +548,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
 remediation: "Run the following command to disable ypserv : # chkconfig ypserv off"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
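Review bot: The snmpd hunk leaves `condition: node` in place, which is not one of the condition values used anywhere else in this file (`all`, `any`, `none`); every sibling service check in this commit uses `condition: none`. Depending on how the scanner treats an unrecognised condition the check may be skipped or evaluated unpredictably, so an enabled snmpd could go unreported even though the rule itself is correct. Change it to `condition: none` while this block is being touched.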
@@ -563,10 +563,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -584,9 +584,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$'
@@ -599,9 +599,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$'
@@ -619,9 +619,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -636,9 +636,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -653,9 +653,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -669,9 +669,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -686,9 +686,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -701,9 +701,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -716,9 +716,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -733,9 +733,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -754,11 +754,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
@@ -770,11 +770,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
@@ -786,9 +786,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
@@ -800,11 +800,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes'
@@ -816,11 +816,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
@@ -832,11 +832,11 @@ checks:
 rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
@@ -848,11 +848,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no'
@@ -870,11 +870,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
@@ -885,11 +885,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.1"]
+ - cis_csc: ["16"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml
index 20156b0af..7b8a05d5b 100644
--- a/sca/sles/12/cis_sles12_linux.yml
+++ b/sca/sles/12/cis_sles12_linux.yml
@@ -36,7 +36,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab or the systemd tmp.mount service as appropriate."
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -49,8 +49,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -61,8 +61,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -74,9 +74,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -88,7 +88,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -101,8 +101,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -116,8 +116,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -131,7 +131,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -145,12 +145,52 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
+# 1.1.18 nodev on removable media partitions (not scored)
+ - id: 7512
+ title: "Ensure nodev option set on removable media partitions"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: ["1.1.18"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/media\s && r:nodev'
+
+# 1.1.19 nosuid on removable media partitions (not scored)
+ - id: 7513
+ title: "Ensure nosuid option set on removable media partitions"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: ["1.1.19"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/media\s && r:nosuid'
+
+# 1.1.20 noexec on removable media partitions (not scored)
+ - id: 7514
+ title: "Ensure noexec option set on removable media partitions"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: ["1.1.20"]
+ - cis_csc: ["8"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/media\s && r:noexec'
+
 # 1.1.15 /dev/shm: nodev
 - id: 7509
 title: "Ensure nodev option set on /dev/shm partition"
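Review bot: The three new removable-media rules (ids 7512–7514) only match a filesystem mounted exactly at `/media`, because `r:\s/media\s` requires whitespace immediately after the path; media mounted one level down, such as `/media/<label>` or `/run/media/<user>/<label>`, is never inspected, so a removable partition without `nodev`/`nosuid`/`noexec` would pass unnoticed. A broader pattern such as `r:\s/media/\S*\s|\s/run/media/\S*\s` would cover those mount points, though which layout this distribution uses should be confirmed before changing the regex. Presumably, with `condition: all`, a host with nothing mounted under `/media` produces no matching `mount` line and the check is reported as failed although there is nothing to harden; if that is the evaluator's behaviour, the `description` should state that the check is expected to fail on hosts without mounted removable media so the finding is not mistaken for a misconfiguration. The new checks are also inserted out of benchmark order (1.1.18–1.1.20 before the existing 1.1.15–1.1.17 /dev/shm block); placing them after 7511 would keep the file in CIS sequence.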
@@ -158,8 +198,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -171,8 +211,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -184,9 +224,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -201,8 +241,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -216,8 +256,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -237,8 +277,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
@@ -249,8 +289,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime and daytime-udp: # chkconfig daytime off # chkconfig daytime-udp off"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp && r::on'
@@ -261,8 +301,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
@@ -273,8 +313,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
@@ -285,8 +325,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
 compliance:
- - cis: "2.1.5"
- - cis_csc: "9.1"
+ - cis: ["2.1.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp && r::on'
@@ -297,10 +337,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
@@ -311,10 +351,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
@@ -325,10 +365,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
@@ -339,10 +379,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # systemctl disable atftpd"
 compliance:
- - cis: "2.1.9, 2.2.17"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9","2.2.17"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
@@ -353,8 +393,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd"
 compliance:
- - cis: "2.1.10, 2.2.18"
- - pci_dss: "2.2.2"
+ - cis: ["2.1.10","2.2.18"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsync: && r::on'
@@ -365,8 +405,8 @@ checks:
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd : # systemctl disable xinetd"
 compliance:
- - cis: "2.1.11"
- - cis_csc: "9.1"
+ - cis: ["2.1.11"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled xinetd -> r:enabled'
@@ -380,9 +420,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
@@ -397,9 +437,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -411,9 +451,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:enabled'
@@ -424,8 +464,8 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dhcpd -> r:enabled'
@@ -437,9 +477,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs -> r:enabled'
@@ -451,9 +491,9 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable named : # systemctl disable named"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled named -> r:enabled'
@@ -464,9 +504,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited."
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:enabled'
@@ -478,8 +518,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:enabled'
@@ -490,9 +530,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dovecot -> r:enabled'
@@ -504,9 +544,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb : # systemctl disable smb"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smb -> r:enabled'
@@ -517,9 +557,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked."
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:enabled'
@@ -530,9 +570,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:enabled'
@@ -543,10 +583,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable ypserv : # systemctl disable ypserv"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ypserv -> r:enabled'
@@ -558,10 +598,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
 compliance: 
- - cis: "2.3.1" 
- - cis_csc: "2" 
- - pci_dss: "2.2.3" 
- - nist_800_53: "CM.1" 
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.' 
@@ -579,9 +619,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance: 
- - cis: "3.1.1" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:\s0$' 
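Review bot: The new flow lists in the `@@ -579` hunk are written without a space after the comma (`- cis_csc: ["3","11"]`), which yamllint's default `commas` rule flags and which reads differently from the single-element `- cis: ["3.1.1"]` entries next to it; the conventional form is `- cis_csc: ["3", "11"]`. The same spacing appears in every multi-element list this patch introduces: the `cis_csc` lists in the sysctl hunks through `@@ -728`, the `hipaa` lists in the sshd_config hunks `@@ -749` through `@@ -843`, and `nist_800_53: ["IA.10","AC.7"]` in `@@ -865` and `@@ -880`. All values are quoted strings, so the parsed result is unaffected; this is a consistency point only.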
@@ -594,9 +634,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance: 
- - cis: "3.1.2" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' 
@@ -614,9 +654,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
 compliance: 
- - cis: "3.2.1" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' 
@@ -631,9 +671,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance: 
- - cis: "3.2.2" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' 
@@ -648,9 +688,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance: 
- - cis: "3.2.3" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' 
@@ -664,9 +704,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
 compliance: 
- - cis: "3.2.4" 
- - cis_csc: "6" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' 
@@ -681,9 +721,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance: 
- - cis: "3.2.5" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' 
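Review bot: In the `@@ -681` hunk (CIS 3.2.5) the rule tests `net.ipv4.icmp_ignore_bogus_error_responses`, but the remediation in the same hunk sets `net.ipv4.icmp_echo_ignore_broadcasts`, so the check passes or fails on a different kernel parameter than the one it documents; the next hunk (`@@ -696`, CIS 3.2.6) already carries this identical bogus-error-responses rule. The rule should read `- 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`. The rules list may continue past the end of the hunk, so a correct rule could exist further down, but the visible one would still make `condition: all` depend on the wrong parameter.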
@@ -696,9 +736,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance: 
- - cis: "3.2.6" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' 
@@ -711,9 +751,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance: 
- - cis: "3.2.7" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' 
@@ -728,9 +768,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance: 
- - cis: "3.2.8" 
- - cis_csc: "3, 11" 
- - pci_dss: "2.2.4" 
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' 
@@ -749,11 +789,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance: 
- - cis: "5.2.2" 
- - cis_csc: "3.4" 
- - pci_dss: "4.1" 
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" 
- - nist_800_53: "SC.8" 
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:Protocol\s*\t*2$' 
@@ -765,11 +805,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance: 
- - cis: "5.2.3" 
- - cis_csc: "16" 
- - pci_dss: "4.1" 
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" 
- - nist_800_53: "SC.8" 
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO' 
@@ -781,9 +821,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance: 
- - cis: "5.2.5" 
- - cis_csc: "16" 
- - pci_dss: "2.2.4" 
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' 
@@ -795,11 +835,11 @@ checks:
 rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance: 
- - cis: "5.2.6" 
- - cis_csc: "9" 
- - pci_dss: "4.1" 
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" 
- - nist_800_53: "SC.8" 
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes' 
@@ -811,11 +851,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance: 
- - cis: "5.2.7" 
- - cis_csc: "9" 
- - pci_dss: "4.1" 
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" 
- - nist_800_53: "SC.8" 
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no' 
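Review bot: In the `@@ -795` hunk (CIS 5.2.6) the `rationale` string is a verbatim copy of the `remediation` string, so the check tells the operator how to fix the finding but not why it matters. A rationale in the style of the neighbouring sshd_config checks would be `rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."`, which is the wording the Solaris IgnoreRhosts check later in this patch already uses for the same directive. The duplicated text pre-dates this commit, but the compliance lines the commit rewrites sit directly under it.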
@@ -827,11 +867,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance: 
- - cis: "5.2.8" 
- - cis_csc: "5.8" 
- - pci_dss: "4.1" 
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" 
- - nist_800_53: "SC.8" 
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no' 
@@ -843,11 +883,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance: 
- - cis: "5.2.9" 
- - cis_csc: "16" 
- - pci_dss: "4.1" 
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II" 
- - nist_800_53: "SC.8" 
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: none
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no' 
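Review bot: In the `@@ -843` hunk (CIS 5.2.9) the rule matches an uncommented `PermitEmptyPasswords no` line while the check uses `condition: none`, so a correctly hardened sshd_config makes the rule match and the check fail, and a file with `PermitEmptyPasswords yes` or no directive at all passes. The sibling `PermitRootLogin no` check in the preceding `@@ -827` hunk uses `condition: all` with the same rule shape, and this check should match it: `condition: all`. This reads `none` as it is used by the service checks earlier in the file (pass only when no rule matches); if `none` is what was intended here, the rule should instead look for the insecure value `yes`.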
@@ -865,11 +905,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance: 
- - cis: "6.2.5" 
- - cis_csc: "5.1" 
- - pci_dss: "10.2.5" 
- - hipaa: "164.312.b" 
- - nist_800_53: "IA.10, AC.7" 
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:' 
@@ -880,11 +920,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance: 
- - cis: "6.2.1" 
- - cis_csc: "16" 
- - pci_dss: "10.2.5" 
- - hipaa: "164.312.b" 
- - nist_800_53: "IA.10, AC.7" 
+ - cis: ["6.2.1"]
+ - cis_csc: ["16"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::' 
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 89161716a..c5c33e35e 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default"
 compliance: 
- - cis: "2.1" 
+ - cis: ["2.1"]
 condition: none
 rules:
 - 'p:gdm' 
@@ -45,7 +45,7 @@ checks:
 rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
 remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail"
 compliance: 
- - cis: "2.2" 
+ - cis: ["2.2"]
 condition: none
 rules:
 - 'c:netstat -an -> r:.25\s*\t* && !r:127.0.0.1.25|::1' 
@@ -56,7 +56,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv"
 compliance: 
- - cis: "2.3" 
+ - cis: ["2.3"]
 condition: none
 rules:
 - 'p:keyserv' 
@@ -67,7 +67,7 @@ checks:
 rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain"
 compliance: 
- - cis: "2.4" 
+ - cis: ["2.4"]
 condition: none
 rules:
 - 'p:ypserv' 
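Review bot: In the `@@ -45` hunk (CIS 2.2) the remediation says it makes sendmail listen only on local interfaces but then sets `config/local_only=false`, which would do the opposite of the stated goal; the rule in the same hunk, which fails when port 25 is bound to anything other than `127.0.0.1` or `::1`, is consistent with the property being `true`. Unless the property semantics are inverted on this release, the command should read `# svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=true`. This is guidance text operators will paste, so it is worth confirming against the benchmark before changing.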
@@ -83,7 +83,7 @@ checks:
 rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain"
 compliance: 
- - cis: "2.5" 
+ - cis: ["2.5"]
 condition: none
 rules:
 - 'p:ypserv' 
@@ -99,7 +99,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn"
 compliance: 
- - cis: "2.6" 
+ - cis: ["2.6"]
 condition: none
 rules:
 - 'p:ktkt_warnd' 
@@ -110,7 +110,7 @@ checks:
 rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss"
 compliance: 
- - cis: "2.7" 
+ - cis: ["2.7"]
 condition: none
 rules:
 - 'p:gssd' 
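Review bot: In the `@@ -83` hunk (CIS 2.5) the rule is `p:ypserv`, the same process the preceding `@@ -67` hunk (CIS 2.4) already tests for the NIS server, while the rationale and remediation here are about the NIS client (`svc:/network/nis/client`), whose daemon is `ypbind`; as written the check cannot report a running client on a host where the server is stopped. The rule should be `- 'p:ypbind'`, or at minimum not a copy of the server check. Check 2.5's rules list may have further entries past the end of the hunk.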
@@ -121,7 +121,7 @@ checks:
 rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver"
 compliance: 
- - cis: "2.8" 
+ - cis: ["2.8"]
 condition: none
 rules:
 - 'p:smserverd' 
@@ -132,7 +132,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs"
 compliance: 
- - cis: "2.9" 
+ - cis: ["2.9"]
 condition: none
 rules:
 - 'p:automountd' 
@@ -143,7 +143,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache22"
 compliance: 
- - cis: "2.10" 
+ - cis: ["2.10"]
 references:
 - http://httpd.apache.org/docs/2.0/misc/security_tips.html
 condition: none 
@@ -157,7 +157,7 @@ checks:
 rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
 compliance: 
- - cis: "2.11" 
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'p:rpcbind' 
@@ -168,7 +168,7 @@ checks:
 rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
 remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
 compliance: 
- - cis: "2.12" 
+ - cis: ["2.12"]
 references:
 - ipfilter(5) man page
 condition: all 
@@ -183,7 +183,7 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
 remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
 compliance: 
- - cis: "2.13" 
+ - cis: ["2.13"]
 condition: all
 rules:
 - 'p:telnet' 
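Review bot: In the `@@ -183` hunk (CIS 2.13) the check uses `condition: all` with the single rule `p:telnet`, so it passes only while a telnet process is found and fails on a host where the service has been disabled as the remediation asks; every other disable-this-service check in this file (`@@ -33`, `@@ -56`, `@@ -67`, and the rest of section 2) uses `condition: none` with a `p:` rule. It should be `condition: none`. The process name is also worth confirming, since the inetd-spawned Solaris telnet server is normally `in.telnetd` and `p:telnet` may only match a client session.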
@@ -195,7 +195,7 @@ checks:
 rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
 remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
 compliance: 
- - cis: "3.1" 
+ - cis: ["3.1"]
 condition: all
 rules:
 - 'f:/etc/coreadm.conf' 
@@ -215,7 +215,7 @@ checks:
 rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
 remediation: "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi"
 compliance: 
- - cis: "3.2" 
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/system' 
@@ -228,7 +228,7 @@ checks:
 rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
 remediation: "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default # awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS # mv inetinit.CIS inetinit To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp"
 compliance: 
- - cis: "3.3" 
+ - cis: ["3.3"]
 condition: all
 rules:
 - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2' 
@@ -240,7 +240,7 @@ checks:
 rationale: "To simplify administration, a CIS specific audit class should be created."
 remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
 compliance: 
- - cis: "4.1" 
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark' 
@@ -251,7 +251,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect"
 compliance: 
- - cis: "4.2" 
+ - cis: ["4.2"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*' 
@@ -266,7 +266,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET"
 compliance: 
- - cis: "4.3" 
+ - cis: ["4.3"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*' 
@@ -283,7 +283,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID"
 compliance: 
- - cis: "4.4" 
+ - cis: ["4.4"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*' 
@@ -307,7 +307,7 @@ checks:
 rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
 remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit"
 compliance: 
- - cis: "4.5" 
+ - cis: ["4.5"]
 condition: all
 rules:
 - 'c:auditconfig -getcond -> audit condition = auditing' 
@@ -325,7 +325,7 @@ checks:
 rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
 remediation: "Perform the following to implement the recommended state: # svccfg -s svc:/system/environment:init setprop umask/umask = astring: \"022\""
 compliance: 
- - cis: "5.1" 
+ - cis: ["5.1"]
 condition: all
 rules:
 - 'c:svcprop -p umask/umask svc:/system/environment:init -> 022' 
@@ -337,7 +337,7 @@ checks:
 rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/ENABLE_NOBODY_KEYS=/ { $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS # mv keyserv.CIS keyserv"
 compliance: 
- - cis: "6.2" 
+ - cis: ["6.2"]
 condition: all
 rules:
 - 'f:/etc/default/keyserv' 
@@ -349,7 +349,7 @@ checks:
 rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
 remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance: 
- - cis: "6.3" 
+ - cis: ["6.3"]
 condition: none
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes' 
@@ -360,7 +360,7 @@ checks:
 rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
 remediation: "Perform the following to implement the recommended state: # awk '/^MaxAuthTries/ { $2 = \"3\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4'
@@ -371,7 +371,7 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
 remediation: "Perform the following to implement the recommended state: # awk '/^IgnoreRhosts/ { $2 = \"yes\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed."
 compliance:
- - cis: "6.5"
+ - cis: ["6.5"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no'
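Review bot: The 6.5 IgnoreRhosts check on this line looks inverted: with `condition: all`, the rule `f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no` makes the check pass exactly when an uncommented `IgnoreRhosts no` line is present, which is the state the remediation removes. Assuming a matching rule counts toward passing (the sense `condition: none` is used for elsewhere in this file), the fix is `condition: none` over the same rule, which also passes when the line is absent and the documented default of yes applies. On the 6.4 hunk, `compare <= 4` tolerates one more attempt than the remediation's `MaxAuthTries 3`; either tighten it to `<= 3` or say in the rationale that 4 is acceptable. Both checks' `id` and `title` lines start before the hunk.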
@@ -382,7 +382,7 @@ checks:
 rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
 remediation: "Perform the following to implement the recommended state: # awk '/^PermitRootLogin/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.6"
+ - cis: ["6.6"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no'
@@ -393,7 +393,7 @@ checks:
 rationale: "Permitting login without a password is inherently risky."
 remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
 condition: none
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
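Review bot: The 6.6 rule `r:^PermitRootLogin\s*no` uses `\s*`, so zero separators are accepted, and it does not tolerate leading whitespace, while the 6.7 rule on the same line is written as `^\s*\t*PermitEmptyPasswords\.+yes`; the two sshd_config checks should agree on one shape. A consistent form that requires a real separator is `- 'f:/etc/ssh/sshd_config -> r:^\s*PermitRootLogin\s+no'`. Note that an indented `PermitRootLogin no` may live inside a Match block and not apply globally, so if that is a concern the rule should keep `^PermitRootLogin` and the comment should say why leading whitespace is deliberately rejected.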
@@ -404,7 +404,7 @@ checks:
 rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
 remediation: "Perform the following to implement the recommended state: # cd /etc # cp pam.conf pam.conf.pre-CIS # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS # mv pam.conf.CIS pam.conf"
 compliance:
- - cis: "6.8"
+ - cis: ["6.8"]
 condition: all
 rules:
 - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
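Review bot: The 6.8 check passes on the insecure state: `condition: all` with `f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1` requires an active, uncommented pam_rhosts_auth line to be present, whereas the remediation on the same hunk comments every such line out. Assuming a matching rule counts toward passing, this should be `condition: none`, so the check passes once the line is commented or absent; any further rules after the visible one (outside the hunk) would need the same sense. The check's id and title lines start before the hunk.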
@@ -416,7 +416,7 @@ checks:
 rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
 remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system."
 compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
 condition: none
 rules:
 - 'f:/etc/ftpd/ftpusers -> r:^root'
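Review bot: The 6.9 rule has the opposite sense of its remediation: `condition: none` with `f:/etc/ftpd/ftpusers -> r:^root` fails the check when root is listed in ftpusers, yet the remediation explicitly appends root and the other system accounts to that file so that they are denied FTP. Assuming a matching rule counts toward passing, this needs `condition: all`, and the name should be anchored so it does not also match an account such as `rootadm`: `- 'f:/etc/ftpd/ftpusers -> r:^root$'`. The check's id and title start before the hunk.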
@@ -446,7 +446,7 @@ checks:
 rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
 condition: all
 rules:
 - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4'
@@ -457,7 +457,7 @@ checks:
 rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)."
 remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf"
 compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
 condition: none
 rules:
 - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin'
@@ -468,7 +468,7 @@ checks:
 rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS # mv xScreenSaver.CIS xScreenSaver"
 compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
 condition: all
 rules:
 - 'f:/usr/share/X11/app-defaults/XScreensaver'
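Review bot: The 6.12 rule tests `f:/usr/share/X11/app-defaults/XScreensaver`, while the remediation on the same hunk copies `XScreenSaver` and then edits `xScreenSaver`; on a case-sensitive filesystem at most one of these spellings exists, so either the rule or the remediation points at the wrong file. Settle on one spelling (the `cp XScreenSaver XScreenSaver.orig` step suggests the capital S) and use it in both the `f:` rule and the remediation text. The visible rule also only tests that the file exists and does not verify the `*timeout`, `*lockTimeout` and `*lock` values the remediation sets, unless rules after the visible one (outside the hunk) do so.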
@@ -482,7 +482,7 @@ checks:
 rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
 remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow"
 compliance:
- - cis: "6.13"
+ - cis: ["6.13"]
 condition: all
 rules:
 - 'not f:/etc/cron.d/cron.deny'
@@ -498,7 +498,7 @@ checks:
 rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "6.14"
+ - cis: ["6.14"]
 condition: none
 rules:
 - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console'
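Review bot: The 6.14 rule `f:/etc/default/login -> !r:^CONSOLE\p/dev/console` under `condition: none` states a positive requirement as a double negation, and its outcome depends on whether the engine applies a fully negated pattern per line (where it matches every other line of the file and the check can never pass) or over the whole file; I cannot confirm which from the hunk. The same intent is unambiguous written positively: `condition: all` with `- 'f:/etc/default/login -> r:^CONSOLE\p/dev/console'`, which also fails when the line is commented out, matching the remediation. The check's id and title start before the hunk.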
@@ -509,7 +509,7 @@ checks:
 rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle"
 compliance:
- - cis: "6.15"
+ - cis: ["6.15"]
 condition: all
 rules:
 - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3'
@@ -521,7 +521,7 @@ checks:
 rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
 remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub grub> md5crypt Password: [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)] The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above] Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe lock"
 compliance:
- - cis: "6.17"
+ - cis: ["6.17"]
 condition: all
 rules:
 - 'f:/rpool/boot/grub/menu.lst'
@@ -534,7 +534,7 @@ checks:
 rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
 remediation: "Perform the following to implement the recommended state: # logins -ox | awk -F: '($1 == \"root\" || $8 == \"LK\" || $8 == \"NL\") { next } ; { $cmd = \"passwd\" } ; ($11 91) { $cmd = $cmd \" -x 91\" } ($10 < 7) { $cmd = $cmd \" -n 7\" } ($12 < 28) { $cmd = $cmd \" -w 28\" } ($cmd != \"passwd\") { print $cmd \" \" $1 }' > /etc/CISupd_accounts # /sbin/sh /etc/CISupd_accounts # rm -f /etc/CISupd_accounts # cd /etc/default # grep -v WEEKS passwd > passwd.CIS # cat <> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults # mv passwd.CIS passwd"
 compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
 condition: all
 rules:
 - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'
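Review bot: The 7.1 rule `n:^maxweeks\(\d+) compare <= 13` looks like a typo: the sibling numeric rules separate key and capture with `\p(` (`^SLEEPTIME\p(\d+)`, `^RETRIES\p(\d+)`), and the remediation writes the line as `MAXWEEKS=13`, so the regex needs `=` or `\p` before the group; as written the capture is unlikely to match at all and the check fails regardless of the configured value. Suggested: `- 'f:/etc/default/passwd -> n:^MAXWEEKS\p(\d+) compare <= 13'`. The remediation text on this hunk also appears to have lost characters in transcription: `($11 91)` is missing its comparison operator and `cat <> passwd.CIS ... EODefaults` has a heredoc terminator with no opening `<<EODefaults >>`, which will confuse anyone who pastes it; worth restoring from the benchmark.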
@@ -547,7 +547,7 @@ checks:
 rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd"
 compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
 condition: all
 rules:
 - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8'
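Review bot: The 7.2 rule `n:^passlength\p(\d) compare <= 8` has two defects: `(\d)` captures a single digit, so `PASSLENGTH=12` is read as 1, and the comparison runs the wrong way relative to the remediation, which sets a minimum of 8 — a value of 6 passes and 12 fails. Change it to `- 'f:/etc/default/passwd -> n:^PASSLENGTH\p(\d+) compare >= 8'`. The other parameters the remediation sets (HISTORY, MINDIFF, MAXREPEATS, …) are presumably covered by rules after the visible one, outside the hunk; if not, the check is much weaker than its remediation implies.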
@@ -569,7 +569,7 @@ checks:
 rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
 condition: none
 rules:
 - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077'
@@ -580,7 +580,7 @@ checks:
 rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
 remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi"
 compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
 condition: none
 rules:
 - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027'
@@ -591,7 +591,7 @@ checks:
 rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
 remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done"
 compliance:
- - cis: "7.5"
+ - cis: ["7.5"]
 condition: none
 rules:
 - 'f:/etc/.login -> !r:^mesg\s*n'
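Review bot: The 7.3 rule `f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077` under `condition: none` depends on how the engine evaluates an all-negated pattern: read per line it matches every non-comment line that is not a umask line (e.g. `SYSLOG=YES`), so the check would fail on every system, and I cannot confirm from the hunk that whole-file negation is applied instead. The positive form carries no such ambiguity: `condition: any` with `- 'f:/etc/default/login -> r:^UMASK\p027|^UMASK\p077'`, which also fails when the setting is still commented out as the remediation's `/#UMASK=/` implies it ships. The 7.4 (`!r:^umask\s*027`) and 7.5 (`!r:^mesg\s*n`) hunks on this line use the same construction and should be rewritten the same way.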
@@ -604,7 +604,7 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
 remediation: "Perform the following to implement the recommended state: # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/motd # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue"
 compliance:
- - cis: "8.1"
+ - cis: ["8.1"]
 condition: all
 rules:
 - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
@@ -615,7 +615,7 @@ checks:
 description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
 remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "8.2"
+ - cis: ["8.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
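Review bot: The 8.1 rule `f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported` hard-codes the sample banner that the rationale on the same hunk says is for demonstration only and must be replaced with counsel-approved wording, so every site that follows that advice fails the check. Either test only that /etc/issue exists and is non-empty, or lift the expected text into a policy `variables:` entry the site can override, and state in the description that the default text is a placeholder. The 8.2 hunk's `r:^Banner\s*/etc/issue` has the right shape; its rationale line is missing (the hunk shows `description:` where the other checks have `rationale:`), which is probably just the benchmark layout but worth a look.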
@@ -626,7 +626,7 @@ checks:
 rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
 remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue"
 compliance:
- - cis: "8.3"
+ - cis: ["8.3"]
 condition: all
 rules:
 - 'f:/etc/gdm/Init/Default'
@@ -638,7 +638,7 @@ checks:
 rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
 remediation: "Perform the following to implement the recommended state: # echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf # svcadm restart ftp"
 compliance:
- - cis: "8.4"
+ - cis: ["8.4"]
 condition: all
 rules:
 - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue'
@@ -649,7 +649,7 @@ checks:
 rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd"
 compliance:
- - cis: "8.5"
+ - cis: ["8.5"]
 condition: all
 rules:
 - 'f:/etc/default/telnetd -> r:BANNER=$'
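Review bot: The 8.5 rule `f:/etc/default/telnetd -> r:BANNER=$` is not anchored to the start of the line, so a commented-out `#BANNER=` satisfies it just as well as the active `BANNER=` line the remediation's `/^BANNER=/` edit targets, and the check passes without the variable actually being set to null. Anchor it and exclude comments: `- 'f:/etc/default/telnetd -> !r:^# && r:^BANNER=$'`. The 8.3 hunk on this line only checks that /etc/gdm/Init/Default exists, not that the zenity line was added; if no further rule follows outside the hunk, the check does not verify its own remediation.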
@@ -661,7 +661,7 @@ checks:
 rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
 remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l [username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N [username]"
 compliance:
- - cis: "9.3"
+ - cis: ["9.3"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:'
@@ -699,7 +699,7 @@ checks:
 rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked."
 remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini."
 compliance:
- - cis: "9.4"
+ - cis: ["9.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
@@ -710,7 +710,7 @@ checks:
 rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
 remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
 compliance:
- - cis: "9.5"
+ - cis: ["9.5"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
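Review bot: The 9.3 rule `f:/etc/shadow -> r:daemon && !r::NL:|:NP:` fails the check for a daemon account that is locked (`*LK*` in the password field), even though the rationale on this hunk says locked and non-login are both acceptable; it also matches any shadow line that merely contains the substring `daemon`. Anchor the account name and accept the locked form, roughly `- 'f:/etc/shadow -> r:^daemon: && !r::NL:|:NP:|:\*LK\*'` (the escaping of `*` depends on the engine's regex dialect, which I cannot confirm from here). Sibling rules for bin, sys and lpd presumably follow outside the hunk and need the same treatment. On the 9.4 hunk the remediation has two typos, `commands .` and `non-logini`, that should read `commands.` and `non-login.`.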
@@ -721,7 +721,7 @@ checks:
 rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
 remediation: "Correct or justify any items discovered in the Audit step."
 compliance:
- - cis: "9.6"
+ - cis: ["9.6"]
 condition: none
 rules:
 - 'f:/etc/profile -> r:.'
@@ -746,7 +746,7 @@ checks:
 rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.10"
+ - cis: ["9.10"]
 condition: none
 rules:
 - 'd:/home -> ^.rhosts$'
@@ -757,7 +757,7 @@ checks:
 rationale: "All users must be assigned a home directory in passwd(4)."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.12"
+ - cis: ["9.12"]
 condition: none
 rules:
 - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*'
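Review bot: The 9.6 rule `f:/etc/profile -> r:.` with `condition: none` fails the check whenever any line of /etc/profile matches `.`; whether `.` is a literal period or a wildcard in this regex dialect, that is nearly every line (comments, paths, `.profile` references), so the check cannot pass on a real system. The rationale asks for a `.` or empty entry in root's PATH, so the rule should look at the PATH assignment specifically — a `PATH=` line whose value contains `:.:`, begins with `.:`, ends with `:.`, or contains `::` — with the exact regex written in the engine's dialect; the `rationale` should also say that only /etc/profile is inspected, since root's own .profile is not covered. The check's id and title start before the hunk.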
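Review bot: The 9.12 rule `f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*` under `condition: none` matches every account whose sixth field is non-empty, i.e. every user that does have a home directory, so the check fails as soon as one ordinary user exists — the inverse of the rationale. Match an empty home field instead and keep `condition: none`, e.g. `- 'f:/etc/passwd -> r:^\w+:\.*:\d*:\d*:\.*::\.*$'`. This only detects a blank passwd entry; a home directory that is set but absent on disk, which the remediation also talks about, is not something an `f:` rule on /etc/passwd can see, and the description should say so.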
@@ -768,7 +768,7 @@ checks:
 rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.20"
+ - cis: ["9.20"]
 condition: none
 rules:
 - 'd:/home -> ^.netrc$'
@@ -779,7 +779,7 @@ checks:
 rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.21"
+ - cis: ["9.21"]
 condition: none
 rules:
 - 'd:/home -> ^.forward$'
diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml
index a8fc522f6..83b99b90a 100644
--- a/sca/windows/acsc_office2016.yml
+++ b/sca/windows/acsc_office2016.yml
@@ -343,7 +343,7 @@ checks:
 rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter"
 compliance:
- - cis: "2.22.1"
+ - cis: ["2.22.1"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters'
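Review bot: The rule `r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters` only checks that the value name exists, so the check also passes when the policy is present but set to the "not blocked" state; the remediation requires Enabled, which corresponds to a specific data value that the rule should compare, e.g. `-> powerpoint12betafilesfromconverters -> 1` (confirm the expected data against the ADMX before committing). Separately, if the agent runs as a service account, as it presumably does, `HKEY_CURRENT_USER` resolves to that account's hive rather than the logged-on user's, so user-scoped policy is never actually observed; either the policy description should state that limitation or the checks should read the loaded user hives under `HKEY_USERS`. The same presence-only pattern is used by every `r:` rule in this file's hunks.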
@@ -660,7 +660,7 @@ checks:
 rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run"
 compliance:
- - cis: "2.24.1.1"
+ - cis: ["2.24.1.1"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin'
@@ -672,7 +672,7 @@ checks:
 rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program"
 compliance:
- - cis: "2.24.1.2"
+ - cis: ["2.24.1.2"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable'
@@ -684,7 +684,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback"
 compliance:
- - cis: "2.24.1.3"
+ - cis: ["2.24.1.3"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
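Review bot: The 2.24.1.2 rule `r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable` passes whenever a `qmenable` value exists, including when it holds the "enabled" state that the remediation (set to Disabled) is meant to prevent, so the check cannot distinguish compliant from non-compliant systems. Compare the data rather than the name, e.g. `-> qmenable -> 0`, after confirming the ADMX mapping. The 2.24.1.3 hunk on this line (`includescreenshot`) has the same shape and needs the same data comparison.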
@@ -696,7 +696,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback"
 compliance:
- - cis: "2.24.1.4"
+ - cis: ["2.24.1.4"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled'
@@ -708,7 +708,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information"
 compliance:
- - cis: "2.24.1.5"
+ - cis: ["2.24.1.5"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata'
@@ -720,7 +720,7 @@ checks:
 rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
 compliance:
- - cis: "2.24.1.6"
+ - cis: ["2.24.1.6"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata'
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 8da5a2c1b..6c7e25b19 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -33,8 +33,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
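Review bot: The rationale on this hunk is missing its main verb — "…will probably in order to meet the requirements…" — so the sentence never says what organisations should do; it should read along the lines of `…will probably want to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.` The visible rule only asserts that the `Policies\System` key exists; the value that implements the setting is presumably checked by a rule after the hunk, but if not, the check passes on any Windows 10 host because that key is always present.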
@@ -47,8 +47,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -61,8 +61,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2, 6.3"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -75,8 +75,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
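Review bot: The new multi-valued lists are written with no space after the comma, `- cis_csc: ["6.2","6.3"]`, which yamllint's default `commas` rule (one space after `,`) flags; `- cis_csc: ["6.2", "6.3"]` parses identically and reads as conventional flow-sequence YAML. The same spacing recurs in every later multi-value list in this patch, so it is worth fixing consistently across the file rather than per hunk. The enclosing check begins outside the hunk.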
@@ -89,8 +89,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -102,8 +102,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -116,8 +116,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -130,8 +130,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -144,8 +144,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
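Review bot: The remediation string on this check's context line begins `Remediation: To establish the recommended configuration via GP ...`, so the label is shown twice in the SCA report (the key is already `remediation`), and no other check in this patch carries that prefix. Dropping it, `remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: ..."`, makes the check consistent with its neighbours. The check's `id`/`title` lines lie outside the hunk.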
@@ -158,8 +158,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
@@ -172,8 +172,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "8"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -186,8 +186,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.4"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -201,8 +201,8 @@ checks:
 rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16"
+ - cis: ["2.3.7.8"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -215,8 +215,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -229,8 +229,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -243,8 +243,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -257,8 +257,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -271,8 +271,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -285,8 +285,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -299,8 +299,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -313,8 +313,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -327,8 +327,8 @@ checks:
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
 compliance:
- - cis: "2.3.9.5"
- - cis_csc: "14"
+ - cis: ["2.3.9.5"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -341,8 +341,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
 compliance:
- - cis: "2.3.10.2"
- - cis_csc: "16"
+ - cis: ["2.3.10.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -355,8 +355,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
 compliance:
- - cis: "2.3.10.3"
- - cis_csc: "16"
+ - cis: ["2.3.10.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -369,8 +369,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -383,8 +383,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -397,8 +397,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 14.2"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","14.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -411,8 +411,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -425,8 +425,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -439,8 +439,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -453,8 +453,8 @@ checks:
 rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "5.1, 9.1, 9.2"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["5.1","9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -467,8 +467,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data"
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -481,8 +481,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.12"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.12"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -495,8 +495,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -509,8 +509,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -523,8 +523,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -537,8 +537,8 @@ checks:
 rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
@@ -551,8 +551,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -565,8 +565,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
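Review bot: The check in the `@@ -565` hunk (cis 2.3.11.6) has no `condition:` key between `compliance:` and `rules:`, unlike every neighbouring check in this file, and it carries at least two rules, so how the engine combines them depends on whatever default it applies rather than on anything stated here. The neighbouring checks all spell out `condition: all`; adding `condition: all` before `rules:` makes the intent explicit, assuming the rules are meant to hold together. This is pre-existing, but the commit is already touching the lines directly above it. The check's remaining rules continue past the end of the hunk.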
@@ -578,8 +578,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -592,8 +592,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -606,8 +606,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -620,8 +620,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -634,7 +634,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -647,8 +647,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4, 14.6"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -661,8 +661,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -675,8 +675,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -689,8 +689,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -703,8 +703,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -717,8 +717,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
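Review bot: The registry path on the last line of the `@@ -717` hunk, `'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`, carries a doubled `MACHINE` segment that none of the other UAC checks in this file have, so it looks like a typo rather than a different key. A key that does not exist presumably never matches, and under `condition: all` the 2.3.17.5 check would then report as failed no matter what the real setting is, which is noise rather than a blind spot but still wrong. It should read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'` like its neighbours; the check's remaining rules lie outside the hunk.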
@@ -731,8 +731,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -745,8 +745,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -759,8 +759,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -773,7 +773,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -787,8 +787,8 @@ checks:
 rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Computer Browser"
 compliance:
- - cis: "5.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
@@ -800,8 +800,8 @@ checks:
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
 compliance:
- - cis: "5.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.6"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
@@ -813,8 +813,8 @@ checks:
 rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
 compliance:
- - cis: "5.7"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.7"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
@@ -827,8 +827,8 @@ checks:
 rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
 compliance:
- - cis: "5.8"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.8"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
@@ -841,8 +841,8 @@ checks:
 rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
 compliance:
- - cis: "5.10"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.10"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
@@ -854,8 +854,8 @@ checks:
 rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
 compliance:
- - cis: "5.11"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.11"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
@@ -867,8 +867,8 @@ checks:
 rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
 compliance:
- - cis: "5.24"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.24"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'
@@ -881,8 +881,8 @@ checks:
 rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
 compliance:
- - cis: "5.26"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.26"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'
@@ -895,8 +895,8 @@ checks:
 rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
 compliance:
- - cis: "5.28"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.28"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
@@ -908,8 +908,8 @@ checks:
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
 compliance:
- - cis: "5.30"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.30"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'
@@ -922,8 +922,8 @@ checks:
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
 compliance:
- - cis: "5.31"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.31"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'
@@ -936,8 +936,8 @@ checks:
 rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
 compliance:
- - cis: "5.32"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.32"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
@@ -949,8 +949,8 @@ checks:
 rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
 compliance:
- - cis: "5.35"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.35"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
@@ -962,8 +962,8 @@ checks:
 rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
 compliance:
- - cis: "5.36"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.36"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'
@@ -976,8 +976,8 @@ checks:
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
 compliance:
- - cis: "5.40"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.40"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
@@ -989,8 +989,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
 compliance:
- - cis: "5.41"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.41"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'
@@ -1003,8 +1003,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring"
 compliance:
- - cis: "5.42"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.42"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm'
@@ -1017,8 +1017,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
 compliance:
- - cis: "5.43"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.43"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'
@@ -1031,8 +1031,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
 compliance:
- - cis: "5.44"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.44"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'
@@ -1045,8 +1045,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
 compliance:
- - cis: "5.45"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.45"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'
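Review bot: The service key on the last line of the `@@ -1045` hunk, `XboxNetApiSvce`, ends in a stray `e`; the Windows service behind "Xbox Live Networking Service" is registered as `XboxNetApiSvc`, and the sibling checks in this commit (`XboxGipSvc`, `XblAuthManager`, `XblGameSave`) use the bare service names without such a suffix. A key that does not exist presumably never matches, so under `condition: all` the 5.45 check would be reported as failed on every host regardless of the service's real state. Suggest `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc'`, verified against a live registry before merging; the check's remaining rules are outside the hunk.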
@@ -1060,8 +1060,8 @@ checks:
rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1074,8 +1074,8 @@ checks:
rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1088,8 +1088,8 @@ checks:
rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1102,7 +1102,7 @@ checks:
rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1115,8 +1115,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1129,8 +1129,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3","6.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1143,8 +1143,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1157,8 +1157,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1171,8 +1171,8 @@ checks:
rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1185,8 +1185,8 @@ checks:
rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1199,8 +1199,8 @@ checks:
rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1213,7 +1213,7 @@ checks:
rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1226,8 +1226,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1240,8 +1240,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3","6.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1254,8 +1254,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1268,8 +1268,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1282,8 +1282,8 @@ checks:
rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service"
remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1296,8 +1296,8 @@ checks:
rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1310,8 +1310,8 @@ checks:
rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2","9.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1324,7 +1324,7 @@ checks:
rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1337,8 +1337,8 @@ checks:
rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1351,8 +1351,8 @@ checks:
rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack"
remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1365,8 +1365,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1379,8 +1379,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3","6.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1393,8 +1393,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1407,8 +1407,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2","6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1422,7 +1422,7 @@ checks:
rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera"
compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1435,7 +1435,7 @@ checks:
rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show"
compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1448,8 +1448,8 @@ checks:
rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow input personalization"
compliance:
- - cis: "18.1.2.2"
- - cis_csc: "13"
+ - cis: ["18.1.2.2"]
+ - cis_csc: ["13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
@@ -1462,8 +1462,8 @@ checks:
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
+ - cis: ["18.2.1"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
@@ -1476,8 +1476,8 @@ checks:
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy"
compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2, 16.10"
+ - cis: ["18.2.2"]
+ - cis_csc: ["16.2","16.10"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1490,8 +1490,8 @@ checks:
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management"
compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
+ - cis: ["18.2.3"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1504,8 +1504,8 @@ checks:
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
+ - cis: ["18.2.4"]
+ - cis_csc: ["5.7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1518,8 +1518,8 @@ checks:
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
compliance:
- - cis: "18.2.5"
- - cis_csc: "5.7"
+ - cis: ["18.2.5"]
+ - cis_csc: ["5.7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1532,8 +1532,8 @@ checks:
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
compliance:
- - cis: "18.2.6"
- - cis_csc: "16.5"
+ - cis: ["18.2.6"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1546,8 +1546,8 @@ checks:
rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons"
compliance:
- - cis: "18.3.1"
- - cis_csc: "5.8, 4.3"
+ - cis: ["18.3.1"]
+ - cis_csc: ["5.8","4.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1560,8 +1560,8 @@ checks:
rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver"
compliance:
- - cis: "18.3.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.3.2"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
@@ -1574,8 +1574,8 @@ checks:
rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server"
compliance:
- - cis: "18.3.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.3.3"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
@@ -1588,8 +1588,8 @@ checks:
rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP)"
compliance:
- - cis: "18.3.4"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.3.4"]
+ - cis_csc: ["8.4","8.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
@@ -1602,8 +1602,8 @@ checks:
rationale: "This opt-in feature is free and could prevent malicious software from being installed."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications"
compliance:
- - cis: "18.3.5"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.3.5"]
+ - cis_csc: ["8.4","8.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
@@ -1616,8 +1616,8 @@ checks:
rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997)"
compliance:
- - cis: "18.3.6"
- - cis_csc: "16.14"
+ - cis: ["18.3.6"]
+ - cis_csc: ["16.14"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
@@ -1630,8 +1630,8 @@ checks:
rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)"
compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -1644,8 +1644,8 @@ checks:
rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes"
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)"
compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
@@ -1658,8 +1658,8 @@ checks:
rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)"
compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -1672,8 +1672,8 @@ checks:
rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -1686,8 +1686,8 @@ checks:
rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
@@ -1700,8 +1700,8 @@ checks:
rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)"
compliance:
- - cis: "18.4.9"
- - cis_csc: "8"
+ - cis: ["18.4.9"]
+ - cis_csc: ["8"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
@@ -1714,8 +1714,8 @@ checks:
rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)"
compliance:
- - cis: "18.4.10"
- - cis_csc: "16.5"
+ - cis: ["18.4.10"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -1728,8 +1728,8 @@ checks:
rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
compliance:
- - cis: "18.4.13"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.4.13"]
+ - cis_csc: ["6.3","6.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
@@ -1742,8 +1742,8 @@ checks:
rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeTyp e"
compliance:
- - cis: "18.5.4.1"
- - cis_csc: "9"
+ - cis: ["18.5.4.1"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters'
@@ -1756,8 +1756,8 @@ checks:
rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution"
compliance:
- - cis: "18.5.4.2"
- - cis_csc: "9"
+ - cis: ["18.5.4.2"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
@@ -1770,8 +1770,8 @@ checks:
rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons"
compliance:
- - cis: "18.5.8.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.5.8.1"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
@@ -1784,8 +1784,8 @@ checks:
rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network"
compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1798,8 +1798,8 @@ checks:
rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network"
compliance:
- - cis: "18.5.11.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1812,8 +1812,8 @@ checks:
rationale: "Allowing regular users to set a network location increases the risk and attack surface."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location"
compliance:
- - cis: "18.5.11.4"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.4"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1826,8 +1826,8 @@ checks:
rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths"
compliance:
- - cis: "18.5.14.1"
- - cis_csc: "3"
+ - cis: ["18.5.14.1"]
+ - cis_csc: ["3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
@@ -1842,8 +1842,8 @@ checks:
rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain"
compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1856,8 +1856,8 @@ checks:
rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network"
compliance:
- - cis: "18.5.21.2"
- - cis_csc: "12"
+ - cis: ["18.5.21.2"]
+ - cis_csc: ["12"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1870,8 +1870,8 @@ checks:
rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services"
compliance:
- - cis: "18.5.23.2.1"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.23.2.1"]
+ - cis_csc: ["15.4","15.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
@@ -1884,8 +1884,8 @@ checks:
rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events"
compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1898,8 +1898,8 @@ checks:
rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials"
compliance:
- - cis: "18.8.4.2"
- - cis_csc: "16"
+ - cis: ["18.8.4.2"]
+ - cis_csc: ["16"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
@@ -1912,8 +1912,8 @@ checks:
rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy"
compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
@@ -1926,8 +1926,8 @@ checks:
rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing"
compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7, 5.4, 5.5"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7","5.4","5.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1940,8 +1940,8 @@ checks:
rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing"
compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7, 5.4, 5.5"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7","5.4","5.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1954,8 +1954,8 @@ checks:
rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device"
compliance:
- - cis: "18.8.21.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1968,8 +1968,8 @@ checks:
rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy"
compliance:
- - cis: "18.8.21.5"
- - cis_csc: "3.7, 5.4, 5.5"
+ - cis: ["18.8.21.5"]
+ - cis_csc: ["3.7","5.4","5.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1982,8 +1982,8 @@ checks:
rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store"
compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1996,8 +1996,8 @@ checks:
rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP"
compliance:
- - cis: "18.8.22.1.7"
- - cis_csc: "13.1"
+ - cis: ["18.8.22.1.7"]
+ - cis_csc: ["13.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -2010,8 +2010,8 @@ checks:
rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in"
compliance:
- - cis: "18.8.27.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2024,8 +2024,8 @@ checks:
rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI"
compliance:
- - cis: "18.8.27.2"
- - cis_csc: "5"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2038,8 +2038,8 @@ checks:
rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers"
compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2052,8 +2052,8 @@ checks:
rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers"
compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2066,8 +2066,8 @@ checks:
rationale: "App notifications might display sensitive business or personal data"
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen"
compliance:
- - cis: "18.8.27.5"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.5"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2080,8 +2080,8 @@ checks:
rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in"
compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2094,8 +2094,8 @@ checks:
rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in"
compliance:
- - cis: "18.8.27.7"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.7"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2108,8 +2108,8 @@ checks:
rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery)"
compliance:
- - cis: "18.8.33.6.1"
- - cis_csc: "9"
+ - cis: ["18.8.33.6.1"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
@@ -2122,8 +2122,8 @@ checks:
rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in)"
compliance:
- - cis: "18.8.33.6.2"
- - cis_csc: "9"
+ - cis: ["18.8.33.6.2"]
+ - cis_csc: ["9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
@@ -2136,8 +2136,8 @@ checks:
rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)"
compliance:
- - cis: "18.8.33.6.5"
- - cis_csc: "13.2, 13.6"
+ - cis: ["18.8.33.6.5"]
+ - cis_csc: ["13.2","13.6"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -2150,8 +2150,8 @@ checks:
rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in)"
compliance:
- - cis: "18.8.33.6.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.6"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -2164,8 +2164,8 @@ checks:
rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance"
compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2178,8 +2178,8 @@ checks:
rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance"
compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2192,8 +2192,8 @@ checks:
rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication"
compliance:
- - cis: "18.8.36.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.36.1"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2206,8 +2206,8 @@ checks:
rationale: "Unauthenticated RPC communication can create a security vulnerability."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
compliance:
- - cis: "18.8.36.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.36.2"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2220,8 +2220,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional"
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2234,8 +2234,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices"
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2248,8 +2248,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun"
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2262,8 +2262,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay"
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
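Review bot: The rule context line closing the second hunk, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'`, has no space before `->`, while every other registry rule in this section ends at the key and the SCA rule syntax elsewhere in the repository separates key, value and content with ` -> `; if the parser requires the surrounding spaces, this check may never evaluate the value it intends to. The line is pre-existing rather than introduced here, but since the commit already touches this check it would be cheap to normalise it to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and to confirm against the policy loader that the trailing value part is still matched. The check entry begins before the hunk.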
@@ -2275,8 +2275,8 @@ checks:
 rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing"
 compliance:
- - cis: "18.9.10.1.1"
- - cis_csc: "16"
+ - cis: ["18.9.10.1.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
@@ -2289,8 +2289,8 @@ checks:
 rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences"
 compliance:
- - cis: "18.9.13.1"
- - cis_csc: "13"
+ - cis: ["18.9.13.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
@@ -2303,8 +2303,8 @@ checks:
 rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing"
 compliance:
- - cis: "18.9.14.1"
- - cis_csc: "15.8, 15.9"
+ - cis: ["18.9.14.1"]
+ - cis_csc: ["15.8","15.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
@@ -2317,8 +2317,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button"
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -2331,8 +2331,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation"
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -2345,8 +2345,8 @@ checks:
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry"
 compliance:
- - cis: "18.9.16.1"
- - cis_csc: "13"
+ - cis: ["18.9.16.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -2359,8 +2359,8 @@ checks:
 rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications"
 compliance:
- - cis: "18.9.16.3"
- - cis_csc: "13"
+ - cis: ["18.9.16.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -2373,8 +2373,8 @@ checks:
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds"
 compliance:
- - cis: "18.9.16.4"
- - cis_csc: "3"
+ - cis: ["18.9.16.4"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
@@ -2387,8 +2387,8 @@ checks:
 rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
 remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode"
 compliance:
- - cis: "18.9.17.1"
- - cis_csc: "4.5, 3.4, 3.5"
+ - cis: ["18.9.17.1"]
+ - cis_csc: ["4.5","3.4","3.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
@@ -2401,8 +2401,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2415,8 +2415,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2429,8 +2429,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2443,8 +2443,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2457,8 +2457,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -2471,8 +2471,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -2485,8 +2485,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -2499,8 +2499,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)"
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3, 6.4"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -2513,8 +2513,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer"
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2527,8 +2527,8 @@ checks:
 rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption"
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2541,8 +2541,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode"
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2555,8 +2555,8 @@ checks:
 rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup"
 compliance:
- - cis: "18.9.35.1"
- - cis_csc: "14.1, 14.2"
+ - cis: ["18.9.35.1"]
+ - cis_csc: ["14.1","14.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
@@ -2569,8 +2569,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication"
 compliance:
- - cis: "18.9.44.1"
- - cis_csc: "16"
+ - cis: ["18.9.44.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
@@ -2583,8 +2583,8 @@ checks:
 rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block only 3rd-party cookies (or, if applicable for your environment, Enabled: Block all cookies): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure cookies"
 compliance:
- - cis: "18.9.45.4"
- - cis_csc: "13"
+ - cis: ["18.9.45.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -2597,8 +2597,8 @@ checks:
 rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Password Manager"
 compliance:
- - cis: "18.9.45.5"
- - cis_csc: "16"
+ - cis: ["18.9.45.5"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -2611,8 +2611,8 @@ checks:
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Adobe Flash Click-to-Run setting"
 compliance:
- - cis: "18.9.45.8"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.8"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security'
@@ -2625,8 +2625,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -2639,8 +2639,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved"
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2653,8 +2653,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection"
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2667,8 +2667,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection"
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2681,8 +2681,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication"
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2695,8 +2695,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level"
 compliance:
- - cis: "18.9.58.3.9.5"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.5"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2709,8 +2709,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit"
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2723,8 +2723,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session"
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2737,8 +2737,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures"
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2751,8 +2751,8 @@ checks:
 rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana"
 compliance:
- - cis: "18.9.60.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2765,8 +2765,8 @@ checks:
 rationale: "Access to any computer resource should not be allowed when the device is locked."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen"
 compliance:
- - cis: "18.9.60.4"
- - cis_csc: "16.5"
+ - cis: ["18.9.60.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2779,8 +2779,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files"
 compliance:
- - cis: "18.9.60.5"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.5"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2793,8 +2793,8 @@ checks:
 rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location"
 compliance:
- - cis: "18.9.60.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.6"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2807,8 +2807,8 @@ checks:
 rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates"
 compliance:
- - cis: "18.9.68.3"
- - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
+ - cis: ["18.9.68.3"]
+ - cis_csc: ["3.1","3.4","3.5","4.5","5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
@@ -2821,8 +2821,8 @@ checks:
 rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows"
 compliance:
- - cis: "18.9.68.4"
- - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1"
+ - cis: ["18.9.68.4"]
+ - cis_csc: ["3.1","3.4","3.5","4.5","5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
@@ -2835,8 +2835,8 @@ checks:
 rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS"
 compliance:
- - cis: "18.9.76.3.1"
- - cis_csc: "8"
+ - cis: ["18.9.76.3.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -2849,8 +2849,8 @@ checks:
 rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring"
 compliance:
- - cis: "18.9.76.7.1"
- - cis_csc: "8.1, 8.6"
+ - cis: ["18.9.76.7.1"]
+ - cis_csc: ["8.1","8.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
@@ -2863,8 +2863,8 @@ checks:
 rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives"
 compliance:
- - cis: "18.9.76.10.1"
- - cis_csc: "13"
+ - cis: ["18.9.76.10.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
@@ -2877,8 +2877,8 @@ checks:
rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning"
compliance:
- - cis: "18.9.76.10.2"
- - cis_csc: "13"
+ - cis: ["18.9.76.10.2"]
+ - cis_csc: ["13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
@@ -2891,8 +2891,8 @@ checks:
rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules"
compliance:
- - cis: "18.9.76.13.1.1"
- - cis_csc: "8.4"
+ - cis: ["18.9.76.13.1.1"]
+ - cis_csc: ["8.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
@@ -2905,8 +2905,8 @@ checks:
rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
compliance:
- - cis: "18.9.76.13.1.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.76.13.1.2"]
+ - cis_csc: ["8.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
@@ -2939,8 +2939,8 @@ checks:
rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites"
compliance:
- - cis: "18.9.76.13.3.1"
- - cis_csc: "7"
+ - cis: ["18.9.76.13.3.1"]
+ - cis_csc: ["7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
@@ -2953,8 +2953,8 @@ checks:
rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus"
compliance:
- - cis: "18.9.76.14"
- - cis_csc: "8.1, 8.6"
+ - cis: ["18.9.76.14"]
+ - cis_csc: ["8.1","8.6"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
@@ -2967,8 +2967,8 @@ checks:
rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Security Center\\App and browser protection\\Prevent users from modifying settings"
compliance:
- - cis: "18.9.79.2.1"
- - cis_csc: "8.4"
+ - cis: ["18.9.79.2.1"]
+ - cis_csc: ["8.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
@@ -2981,8 +2981,8 @@ checks:
rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen"
compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2997,8 +2997,8 @@ checks:
rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen"
compliance:
- - cis: "18.9.80.2.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.2.1"]
+ - cis_csc: ["2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3011,8 +3011,8 @@ checks:
rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: In the Windows 10 Release 1703 Administrative Templates the setting was in the following location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files In the Windows 10 Release 1709 Administrative Templates the setting was removed from the new location above and left in the old location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files"
compliance:
- - cis: "18.9.80.2.2"
- - cis_csc: "7"
+ - cis: ["18.9.80.2.2"]
+ - cis_csc: ["7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3025,8 +3025,8 @@ checks:
rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites"
compliance:
- - cis: "18.9.80.2.3"
- - cis_csc: "7"
+ - cis: ["18.9.80.2.3"]
+ - cis_csc: ["7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3039,8 +3039,8 @@ checks:
rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting"
compliance:
- - cis: "18.9.82.1"
- - cis_csc: "13"
+ - cis: ["18.9.82.1"]
+ - cis_csc: ["13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
@@ -3053,8 +3053,8 @@ checks:
rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace"
compliance:
- - cis: "18.9.84.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.84.2"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
@@ -3067,8 +3067,8 @@ checks:
rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs"
compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -3081,8 +3081,8 @@ checks:
rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges"
compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -3095,8 +3095,8 @@ checks:
rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart"
compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
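Review bot: The check tagged `cis: ["18.9.85.2"]` anchors its first rule on `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer`, and the value comparison that follows is outside this hunk. Reporting HKLM alone is consistent with the benchmark and with the Computer Configuration GP path quoted in the remediation, but the escalation described in the rationale (a limited user running an MSI with SYSTEM rights) only works when AlwaysInstallElevated is set to 1 under both HKLM and HKCU, so a finding here is a policy deviation rather than proof of an open escalation path. A short caveat in the check's description, e.g. `# Only the HKLM policy value is assessed; exploitability additionally requires the HKCU value, which this check does not read`, would help operators prioritise correctly. Whether the remaining rules read HKCU cannot be confirmed from this hunk.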
@@ -3109,8 +3109,8 @@ checks:
rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging"
compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -3123,8 +3123,8 @@ checks:
rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription"
compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
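Review bot: The check tagged `cis: ["18.9.95.1"]` still requires PowerShell Script Block Logging to be Disabled, and the rationale carried over unchanged justifies that with the risk of passwords landing in the log. That direction matches the benchmark revision this policy was written against, but as far as I recall later CIS Windows 10 revisions reversed it to Enabled, since script block logging (event 4104 in the PowerShell operational log) is one of the primary detection sources for PowerShell tradecraft and the secret-exposure concern is normally handled by protecting the event log rather than by switching logging off; confirm which benchmark version this file is meant to track before shipping. If the Disabled requirement is kept, a comment on the check such as `# Benchmark-version dependent: newer CIS revisions recommend Enabled; a fail here is a policy choice, not a hardening gap` would stop SOC teams from disabling a control they depend on. The rule shown only anchors on the `...\PowerShell\ScriptBlockLogging` key; the value check is outside the hunk.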
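Review bot: The same version caveat applies to `cis: ["18.9.95.2"]`, which requires PowerShell Transcription to be Disabled because transcripts can capture passwords in clear text. In practice transcription written to a write-only, centrally collected share is a common incident-response data source, and I believe newer CIS revisions have revisited this recommendation as well, so the policy should state which benchmark version it tracks rather than leave the reader to guess. A note on the check along the lines of `# Disabled per the targeted CIS revision; if transcription is enabled for IR purposes, ensure OutputDirectory is an ACL-protected collection point` would make the trade-off explicit. Only the `...\PowerShell\Transcription` key anchor is visible here; the value comparison is outside the hunk.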
@@ -3137,8 +3137,8 @@ checks:
rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication"
compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13, 16.5"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13","16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3151,8 +3151,8 @@ checks:
rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic"
compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.5","16.13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3165,8 +3165,8 @@ checks:
rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication"
compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.5","16.13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3179,8 +3179,8 @@ checks:
rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication"
compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.5","16.13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3193,8 +3193,8 @@ checks:
rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM"
compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["3.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3207,8 +3207,8 @@ checks:
rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic"
compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.5","16.13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3221,8 +3221,8 @@ checks:
rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Manage preview builds"
compliance:
- - cis: "18.9.101.1.1"
- - cis_csc: "3"
+ - cis: ["18.9.101.1.1"]
+ - cis_csc: ["3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3237,8 +3237,8 @@ checks:
rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received"
compliance:
- - cis: "18.9.101.1.2"
- - cis_csc: "3"
+ - cis: ["18.9.101.1.2"]
+ - cis_csc: ["3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3255,8 +3255,8 @@ checks:
rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received"
compliance:
- - cis: "18.9.101.1.3"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.1.3"]
+ - cis_csc: ["3.4","3.5","4.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3271,8 +3271,8 @@ checks:
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
compliance:
- - cis: "18.9.101.2"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["3.4","3.5","4.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3285,8 +3285,8 @@ checks:
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day"
compliance:
- - cis: "18.9.101.3"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["3.4","3.5","4.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3299,8 +3299,8 @@ checks:
rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations"
compliance:
- - cis: "18.9.101.4"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["3.4","3.5","4.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index 64e91932f..391e4dbda 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -33,8 +33,8 @@ checks:
rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -47,8 +47,8 @@ checks:
rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -61,8 +61,8 @@ checks:
rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password."
remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer"
compliance:
- - cis: "2.3.14.1"
- - cis_csc: "16.14"
+ - cis: ["2.3.14.1"]
+ - cis_csc: ["16.14"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
@@ -76,8 +76,8 @@ checks:
rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
compliance:
- - cis: "5.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.2"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
@@ -90,8 +90,8 @@ checks:
rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
compliance:
- - cis: "5.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.4"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'
@@ -104,8 +104,8 @@ checks:
rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
compliance:
- - cis: "5.5"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.5"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'
@@ -118,8 +118,8 @@ checks:
rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
compliance:
- - cis: "5.9"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.9"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'
@@ -132,8 +132,8 @@ checks:
rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
compliance:
- - cis: "5.12"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.12"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI'
@@ -146,8 +146,8 @@ checks:
rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
compliance:
- - cis: "5.15"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.15"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'
@@ -160,8 +160,8 @@ checks:
rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
compliance:
- - cis: "5.16"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.16"]
+ - cis_csc: ["9.1","9.2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'
@@ -174,8 +174,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
 compliance:
- - cis: "5.17"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.17"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc'
@@ -188,8 +188,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
 compliance:
- - cis: "5.18"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.18"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'
@@ -202,8 +202,8 @@ checks:
 rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
 compliance:
- - cis: "5.19"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.19"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'
@@ -216,8 +216,8 @@ checks:
 rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
 compliance:
- - cis: "5.20"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.20"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'
@@ -230,8 +230,8 @@ checks:
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
 compliance:
- - cis: "5.21"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.21"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'
@@ -244,8 +244,8 @@ checks:
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
 compliance:
- - cis: "5.22"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.22"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'
@@ -258,8 +258,8 @@ checks:
 rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
 compliance:
- - cis: "5.23"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.23"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'
@@ -272,8 +272,8 @@ checks:
 rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
 compliance:
- - cis: "5.25"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.25"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
@@ -286,8 +286,8 @@ checks:
 rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
 compliance:
- - cis: "5.27"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.27"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'
@@ -300,8 +300,8 @@ checks:
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
 compliance:
- - cis: "5.29"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.29"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
@@ -314,8 +314,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
 compliance:
- - cis: "5.33"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.33"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'
@@ -328,8 +328,8 @@ checks:
 rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
 compliance:
- - cis: "5.34"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.34"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'
@@ -342,8 +342,8 @@ checks:
 rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
 compliance:
- - cis: "5.37"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.37"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'
@@ -356,8 +356,8 @@ checks:
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
 compliance:
- - cis: "5.38"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.38"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'
@@ -370,8 +370,8 @@ checks:
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
 compliance:
- - cis: "5.39"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.39"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM'
@@ -385,8 +385,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.3"
- - cis_csc: "9.1"
+ - cis: ["18.1.3"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -400,8 +400,8 @@ checks:
 rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -416,8 +416,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -432,8 +432,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "9"
+ - cis: ["18.4.8"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -448,8 +448,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
+ - cis: ["18.4.11"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -464,8 +464,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "9"
+ - cis: ["18.4.12"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -481,8 +481,8 @@ checks:
 rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.5.1"
- - cis_csc: "3, 13"
+ - cis: ["18.5.5.1"]
+ - cis_csc: ["3","13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -495,8 +495,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -515,8 +515,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -535,8 +535,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
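Review bot: The remediation text in the second hunk (18.5.10.2) names the template as `P2P- pnrp.admx/adml`, which looks like a word split carried over from the benchmark PDF; the file name an operator would need is presumably `P2P-pnrp.admx/adml`. Since the commit already rewrites this check's compliance block, fixing the string in the same context line would keep the SCA report copy-pasteable. The check's remaining rule lines continue outside the hunk.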
@@ -549,8 +549,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
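Review bot: The remediation string in this hunk's context line carries a broken value name, `Parameters:Disabl edComponents`, which reads as an extraction artefact; an operator copying the value name from the SCA report would get a name that does not exist in the registry. Given the commit already touches this check, the line should be corrected to `...\\TCPIP6\\Parameters:DisabledComponents` in the same change. The rule that actually inspects the value is outside the visible hunk, so I cannot confirm whether it references the correct name.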
@@ -563,8 +563,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4","15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -585,8 +585,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4","15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -600,8 +600,8 @@ checks:
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -614,8 +614,8 @@ checks:
 rationale: "Users might download drivers that include malicious code."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP"
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "7"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -628,8 +628,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -642,8 +642,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -656,8 +656,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.5"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -670,7 +670,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.8"
+ - cis: ["18.8.22.1.8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
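Review bot: The registry rule closing the second hunk (18.8.22.1.8), `- 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'`, omits the `\SOFTWARE` component that every sibling policy rule in this file uses (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\...`), so this check would presumably never locate the key and report the same result regardless of the machine's actual policy state. The commit rewrites the compliance block of this check but leaves the path as is; the likely fix is `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`, to be confirmed against the benchmark's documented key. This check also ends up with only a `cis` entry and no `cis_csc` mapping, unlike its neighbours; worth checking whether that omission is intentional. The rule list continues outside the hunk.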
@@ -683,8 +683,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -697,8 +697,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -711,8 +711,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -725,8 +725,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.12"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -739,8 +739,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -753,8 +753,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.14"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.14"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -770,8 +770,8 @@ checks:
 rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.25.1"
- - cis_csc: "1.6"
+ - cis: ["18.8.25.1"]
+ - cis_csc: ["1.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
@@ -786,8 +786,8 @@ checks:
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.26.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -800,8 +800,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -814,8 +814,8 @@ checks:
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.11.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -828,8 +828,8 @@ checks:
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
+ - cis: ["18.8.46.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -842,8 +842,8 @@ checks:
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
+ - cis: ["18.8.49.1.1"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -856,8 +856,8 @@ checks:
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.49.1.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -871,8 +871,8 @@ checks:
 rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.4.1"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.4.1"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
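Review bot: The multi-valued `cis_csc` lists introduced in the two hunks here (`["9.1","9.2"]` and `["14.4","14.6"]`) omit the space after the comma that yamllint's `commas` rule and Prettier expect, and that is inconsistent with the spaced form the old scalar used; write them `["9.1", "9.2"]` and `["14.4", "14.6"]`. The same spacing appears in the hunks at @@ -927, @@ -1039, @@ -1066, @@ -1080, @@ -1094 and @@ -1138. Because the old value was a single comma-separated string and the new one is a list, any consumer that still reads `cis_csc` as a scalar would now receive a sequence — presumably the SCA engine this commit targets accepts lists, but that is worth confirming against its parser before merging. Keeping the items quoted is right, since it stops identifiers such as `9.1` from being typed as floats.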
@@ -885,8 +885,8 @@ checks:
 rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.12.1"
- - cis_csc: "13"
+ - cis: ["18.9.12.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
@@ -899,8 +899,8 @@ checks:
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.16.2"
- - cis_csc: "13"
+ - cis: ["18.9.16.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -913,8 +913,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
+ - cis: ["18.9.39.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -927,8 +927,8 @@ checks:
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.43.1"
- - cis_csc: "9.1, 9.2, 13"
+ - cis: ["18.9.43.1"]
+ - cis_csc: ["9.1","9.2","13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
@@ -941,8 +941,8 @@ checks:
 rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.1"
- - cis_csc: "13"
+ - cis: ["18.9.45.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI'
@@ -955,8 +955,8 @@ checks:
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.2"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.2"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
@@ -969,8 +969,8 @@ checks:
 rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.3"
- - cis_csc: "7"
+ - cis: ["18.9.45.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -983,8 +983,8 @@ checks:
 rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.6"
- - cis_csc: "7"
+ - cis: ["18.9.45.6"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -997,8 +997,8 @@ checks:
 rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.7"
- - cis_csc: "13"
+ - cis: ["18.9.45.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes'
@@ -1011,8 +1011,8 @@ checks:
 rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.9"
- - cis_csc: "3"
+ - cis: ["18.9.45.9"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -1025,8 +1025,8 @@ checks:
 rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.10"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.10"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -1039,8 +1039,8 @@ checks:
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.57.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.57.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
@@ -1053,7 +1053,7 @@ checks:
 rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.2.1"
+ - cis: ["18.9.58.3.2.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1066,8 +1066,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1080,8 +1080,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1094,8 +1094,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1108,8 +1108,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.1"]
+ - cis_csc: ["16.5"]
 references:
 - https://workbench.cisecurity.org/benchmarks/766
 condition: all
@@ -1124,8 +1124,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1138,8 +1138,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -1152,7 +1152,7 @@ checks:
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.65.1"
+ - cis: ["18.9.65.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
@@ -1165,8 +1165,8 @@ checks:
 rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.68.5"
- - cis_csc: "2"
+ - cis: ["18.9.68.5"]
+ - cis_csc: ["2"]
 references:
 - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
 - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
@@ -1182,7 +1182,7 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.3.2"
+ - cis: ["18.9.76.3.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -1195,8 +1195,8 @@ checks:
 rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.9.1"
- - cis_csc: "13"
+ - cis: ["18.9.76.9.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
@@ -1209,8 +1209,8 @@ checks:
 rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.84.1"
- - cis_csc: "13"
+ - cis: ["18.9.84.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
@@ -1223,8 +1223,8 @@ checks:
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
+ - cis: ["18.9.85.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -1237,8 +1237,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -1251,8 +1251,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
+ - cis: ["18.9.98.1"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index f0f08703f..705020360 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -35,8 +35,8 @@ checks:
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
 compliance:
- - cis: "1.1.2"
- - cis_csc: "16.5"
+ - cis: ["1.1.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -51,8 +51,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -65,8 +65,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -79,8 +79,8 @@ checks:
 rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -93,8 +93,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -107,8 +107,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -121,8 +121,8 @@ checks:
 rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks"
 compliance:
- - cis: "2.3.5.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.5.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -135,8 +135,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements"
 compliance:
- - cis: "2.3.5.2"
- - cis_csc: "3"
+ - cis: ["2.3.5.2"]
+ - cis_csc: ["3"]
 references:
 - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
 condition: all
@@ -151,8 +151,8 @@ checks:
 rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes"
 compliance:
- - cis: "2.3.5.3"
- - cis_csc: "16"
+ - cis: ["2.3.5.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -165,8 +165,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -179,8 +179,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -193,8 +193,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -207,8 +207,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -221,8 +221,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -235,8 +235,8 @@ checks:
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -249,8 +249,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
+ - cis: ["2.3.7.2"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -263,8 +263,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.3"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.3"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -278,8 +278,8 @@ checks:
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -292,8 +292,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -306,8 +306,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -320,8 +320,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -334,8 +334,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -348,8 +348,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -363,8 +363,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -377,8 +377,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -391,8 +391,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -406,8 +406,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -420,8 +420,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -434,8 +434,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 16"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
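Review bot: The multi-value compliance lists added in the hunks at -420 and -434 are written as `["14","16"]` and `["14.1","16"]` with no space after the comma, which yamllint's default `commas` rule reports and which is the only place in these hunks where flow-sequence spacing differs from the usual one-space convention; the same form recurs in the hunks at -448, -462, -476 and -490. Writing `- cis_csc: ["14", "16"]` and `- cis_csc: ["14.1", "16"]` keeps the values identical and reads consistently with the single-element lists such as `["2.3.10.5"]`. Splitting the former `"14, 16"` string into two quoted items is the right direction, since a consumer matching on the CIS CSC tag can now compare whole values instead of parsing a comma-separated string. The check entries these hunks belong to begin above the hunk start, so the `id`/`title` lines are not visible here.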
@@ -448,8 +448,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -462,8 +462,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -476,8 +476,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -490,8 +490,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -504,8 +504,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -518,8 +518,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -532,8 +532,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -546,8 +546,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -560,8 +560,8 @@ checks:
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: ["2.3.11.4"]
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
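Review bot: The rationale of the Kerberos encryption-types check in the -560 hunk starts with a truncated word, `rationale: "he strength of each encryption algorithm ...`; it should read `rationale: "The strength of each encryption algorithm varies from one to the next, ...`. This is a context line rather than something the commit introduces, but the check's explanatory text is what an operator sees in the SCA report, so it is worth fixing while the compliance block next to it is being touched.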
@@ -574,8 +574,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -588,8 +588,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -602,8 +602,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -616,8 +616,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -630,8 +630,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -644,8 +644,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -660,8 +660,8 @@ checks:
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
 compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.13.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -674,7 +674,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -687,8 +687,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -701,8 +701,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -715,8 +715,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -729,8 +729,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -743,8 +743,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -757,8 +757,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
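Review bot: The registry rule in the -757 hunk (CIS 2.3.17.5, "Detect application installations and prompt for elevation") reads `r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while every sibling UAC check in the -743, -771, -785 and -799 hunks targets `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. The extra `\MACHINE` segment looks like a typo; if so, the rule can never match and the check silently reports the wrong result for this UAC setting rather than failing loudly. This line is untouched context rather than part of this commit, but it is worth correcting to `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'` — confirm against the intended key before changing it. The rest of the check, including the value rule that follows, is outside the hunk.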
@@ -771,8 +771,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -785,8 +785,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -799,8 +799,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -813,7 +813,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -827,8 +827,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -841,8 +841,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -855,8 +855,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -869,7 +869,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -882,8 +882,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -896,8 +896,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -910,8 +910,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -924,8 +924,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -939,8 +939,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -953,8 +953,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -967,8 +967,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -981,7 +981,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -994,8 +994,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1008,8 +1008,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1022,8 +1022,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1036,8 +1036,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1051,8 +1051,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1065,8 +1065,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1079,8 +1079,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1093,7 +1093,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1107,8 +1107,8 @@ checks:
 rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1121,8 +1121,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
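Review bot: The rationale of check 9.3.5 in the first hunk still carries the typo `iWhen in the Public profile`, which the commit reformats around but does not fix; it should read `rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."`. The hunk ends at the `PublicProfile` key-existence rule, so the value comparison for "Apply local firewall rules" is outside this view and I cannot tell whether it is enforced.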
@@ -1135,8 +1135,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1149,8 +1149,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1163,8 +1163,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1177,8 +1177,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1192,7 +1192,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1205,7 +1205,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1219,8 +1219,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
+ - cis: ["18.3.5"]
+ - cis_csc: ["16.14"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
@@ -1238,8 +1238,8 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
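Review bot: `cis_csc: ["16"]` in this hunk is a top-level CIS Controls number, while the preceding hunks map to sub-controls such as `["16.14"]` and `["6.2"]`; now that the commit normalizes the field to a list, mixing both granularities makes filtering or reporting on `cis_csc` unreliable, and the same pattern appears with `["9"]` and `["8"]` in the following hunks. If the sub-control for this check is genuinely unknown, a comment saying so would stop someone from "fixing" it to a guessed value, e.g. `# cis_csc mapped at control level only; sub-control not identified in the benchmark`. I have not verified the benchmark's own mapping from here, so this is a consistency point rather than a correctness claim.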
@@ -1255,8 +1255,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1271,8 +1271,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1287,8 +1287,8 @@ checks:
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1303,8 +1303,8 @@ checks:
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1319,8 +1319,8 @@ checks:
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
+ - cis: ["18.4.8"]
+ - cis_csc: ["8"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1335,8 +1335,8 @@ checks:
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
+ - cis: ["18.4.9"]
+ - cis_csc: ["16.5"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1351,8 +1351,8 @@ checks:
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
+ - cis: ["18.4.12"]
+ - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1368,8 +1368,8 @@ checks:
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1382,8 +1382,8 @@ checks:
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.11.3"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1396,8 +1396,8 @@ checks:
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1411,8 +1411,8 @@ checks:
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1425,8 +1425,8 @@ checks:
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
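Review bot: Check 18.8.3.1 in the first hunk drives operators toward setting "Include command line in process creation events" to Disabled, and nothing in the check warns that this strips command-line arguments from process-creation events (4688), which detection engineering relies on heavily; the rationale about secrets in command lines is the benchmark's text, but the trade-off deserves to be stated in the policy itself. I believe later CIS revisions reversed this recommendation to Enabled, though I have not verified the exact revision from here, so a comment above the check such as `# NOTE: disabling command-line capture in 4688 removes a key detection data source; confirm against the CIS revision in use before enforcing` would keep users from applying it blindly. The visible rule only anchors on the `Policies\System\Audit` key; the value comparison is outside this hunk.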
@@ -1439,8 +1439,8 @@ checks:
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1453,8 +1453,8 @@ checks:
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1467,8 +1467,8 @@ checks:
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1482,8 +1482,8 @@ checks:
 rationale: "Users might download drivers that include malicious code."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1496,8 +1496,8 @@ checks:
 rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "7"
+ - cis: ["18.8.22.1.5"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1510,8 +1510,8 @@ checks:
 rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "13.1"
+ - cis: ["18.8.22.1.6"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1524,8 +1524,8 @@ checks:
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1538,8 +1538,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1552,8 +1552,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1566,8 +1566,8 @@ checks:
 rationale: "App notifications might display sensitive business or personal data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1580,8 +1580,8 @@ checks:
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
 compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1594,8 +1594,8 @@ checks:
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.33.6.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -1608,8 +1608,8 @@ checks:
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.33.6.2"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -1622,8 +1622,8 @@ checks:
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
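Review bot: The rationale string in the first hunk (cis 18.8.33.6.2) carries a trailing space inside the quotes, `...before they can access the system. "`, which becomes part of the emitted value and differs from the otherwise identical sentence in the 18.8.33.6.1 check on the previous line. The line is context here, so this commit does not touch it; a follow-up should trim it to `rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."`. The check's id, title and value rule sit outside the hunk.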
@@ -1636,8 +1636,8 @@ checks:
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1651,8 +1651,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1665,8 +1665,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1679,8 +1679,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1693,8 +1693,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1707,8 +1707,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -1721,8 +1721,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -1735,8 +1735,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1749,8 +1749,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1763,8 +1763,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1777,8 +1777,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1791,8 +1791,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1805,8 +1805,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
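Review bot: The rationale in this hunk (cis 18.9.26.3.2) is the only one of the four "Specify the maximum log file size" checks that ends without a period, `...activities of malicious users"`, and the hunk for cis 18.9.26.4.2 two lines further down has the same omission. Both are context lines that this commit leaves alone, so a follow-up should align them with the Application and Security variants: `rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."`. The check's id, title and the value-comparison rule lie outside the hunk.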
@@ -1819,8 +1819,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1833,8 +1833,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1847,8 +1847,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1861,8 +1861,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1875,8 +1875,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
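Review bot: The rationale and remediation strings of the first hunk (cis 18.9.30.3) are byte-identical to those of the second (cis 18.9.30.4) — both name the "Turn off shell protocol protected mode" UI path — even though the two checks point at different registry keys (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer` versus `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`), which looks like a copy-paste carried over from before this commit. As far as I recall the CIS numbering, 18.9.30.3 is the "Turn off heap termination on corruption" setting, so the first hunk's text is the one that probably needs rewriting; please verify against the benchmark before changing it. The commit only reshapes the compliance entries, and the id, title and value rule of each check sit outside the hunks, so I cannot tell which entry the titles agree with.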
@@ -1889,8 +1889,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -1903,8 +1903,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1917,8 +1917,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1931,8 +1931,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1945,8 +1945,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1959,8 +1959,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1973,8 +1973,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1987,8 +1987,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2001,8 +2001,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2015,8 +2015,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2029,8 +2029,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2043,8 +2043,8 @@ checks:
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
+ - cis: ["18.9.81.2.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
@@ -2057,8 +2057,8 @@ checks:
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
+ - cis: ["18.9.81.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
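Review bot: The remediation string of the second hunk (check 18.9.81.3) contains `OS- generated`, apparently a stray space left by a line break in the document the text was copied from; the commit does not touch it, but it is operator-facing text and should read `OS-generated`. The same artefact recurs later on this page in `P2P- pnrp.admx/adml` (18.5.10.2) and, more seriously, in `Disabl edComponents` (18.5.19.2.1), where it splits a registry value name that an operator following the remediation would copy verbatim. Since these hunks are being rewritten anyway, it would be worth fixing the three strings in the same pass.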
@@ -2071,8 +2071,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2085,8 +2085,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2099,8 +2099,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2113,8 +2113,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -2127,8 +2127,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
@@ -2141,8 +2141,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2155,8 +2155,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2169,8 +2169,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2183,8 +2183,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2197,8 +2197,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2211,8 +2211,8 @@ checks:
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2225,8 +2225,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2239,8 +2239,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2253,8 +2253,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index 6f4565287..3ef206482 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -49,8 +49,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -65,8 +65,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -81,8 +81,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.10"
- - cis_csc: "9"
+ - cis: ["18.4.10"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -97,8 +97,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
+ - cis: ["18.4.11"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -114,8 +114,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -134,8 +134,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -154,8 +154,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -168,8 +168,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -182,8 +182,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -204,8 +204,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -218,8 +218,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -232,8 +232,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -246,8 +246,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -260,7 +260,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.7"
+ - cis: ["18.8.22.1.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
@@ -273,8 +273,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.8"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -287,8 +287,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -301,8 +301,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -315,8 +315,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -329,8 +329,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.12"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -343,8 +343,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -357,8 +357,8 @@ checks:
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.26.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -371,8 +371,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -385,8 +385,8 @@ checks:
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.11.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -399,8 +399,8 @@ checks:
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
+ - cis: ["18.8.46.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -413,8 +413,8 @@ checks:
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
+ - cis: ["18.8.49.1.1"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -428,8 +428,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
+ - cis: ["18.9.39.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -442,7 +442,7 @@ checks:
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.2.1"
+ - cis: ["18.9.58.3.2.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -455,8 +455,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -469,8 +469,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.3"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -483,8 +483,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1"
+ - cis: ["18.9.58.3.3.4"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -497,8 +497,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.1"]
+ - cis_csc: ["16.5"]
 references:
 - https://workbench.cisecurity.org/benchmarks/766
 condition: all
@@ -513,8 +513,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -527,8 +527,8 @@ checks:
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.60.3"
- - cis_csc: "13"
+ - cis: ["18.9.60.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -541,7 +541,7 @@ checks:
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.65.1"
+ - cis: ["18.9.65.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
@@ -554,7 +554,7 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.3.2"
+ - cis: ["18.9.76.3.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -567,8 +567,8 @@ checks:
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.3"
- - cis_csc: "7"
+ - cis: ["18.9.85.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -581,8 +581,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.97.2.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -595,8 +595,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.98.1"
- - cis_csc: "3.4"
+ - cis: ["18.9.98.1"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index 0a510094d..e29afd959 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
@@ -36,8 +36,8 @@ checks:
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age."
 compliance:
- - cis: "1.1.2"
- - cis_csc: "16.5"
+ - cis: ["1.1.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -52,8 +52,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -66,8 +66,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -80,8 +80,8 @@ checks:
 rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -95,8 +95,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 default_value: "Disabled."
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -109,8 +109,8 @@ checks: rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" compliance: - - cis: "2.3.4.1" - - cis_csc: "5.1" + - cis: ["2.3.4.1"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' 
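Review bot: `r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD` tests only that the value name is present, while the remediation requires it to be set to Administrators; a host configured for Administrators and Interactive Users carries the same value name and would pass a presence test. Unless the data comparison sits in a rule that follows outside the hunk, the rule should bind the data as well, in whatever `-> data` form the file's other registry rules use. The commit touches only the compliance tags, so this check is otherwise carried over as-is and deserves a look while the file is open.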
@@ -122,8 +122,8 @@ checks: rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" compliance: - - cis: "2.3.4.2" - - cis_csc: "5.1" + - cis: ["2.3.4.2"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 
@@ -136,8 +136,8 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" compliance: - - cis: "2.3.6.1" - - cis_csc: "13" + - cis: ["2.3.6.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -150,8 +150,8 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" compliance: - - cis: "2.3.6.2" - - cis_csc: "13" + - cis: ["2.3.6.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -164,8 +164,8 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" compliance: - - cis: "2.3.6.3" - - cis_csc: "13" + - cis: ["2.3.6.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -178,8 +178,8 @@ checks: rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" compliance: - - cis: "2.3.6.4" - - cis_csc: "16" + - cis: ["2.3.6.4"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -192,8 +192,8 @@ checks: rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" compliance: - - cis: "2.3.6.6" - - cis_csc: "13" + - cis: ["2.3.6.6"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -206,8 +206,8 @@ checks: rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name" compliance: - - cis: "2.3.7.1" - - cis_csc: "13" + - cis: ["2.3.7.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -220,8 +220,8 @@ checks: rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" compliance: - - cis: "2.3.7.2" - - cis_csc: "8" + - cis: ["2.3.7.2"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' @@ -234,8 +234,8 @@ checks: rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit" compliance: - - cis: "2.3.7.3" - - cis_csc: "16.5" + - cis: ["2.3.7.3"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs' 
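Review bot: In the 2.3.7.3 hunk, `... Policies\System -> InactivityTimeoutSecs` checks presence of the value name only, yet the remediation demands `900 or fewer seconds, but not 0`; a machine with the value set to `0` (inactivity lock disabled) or to `86400` would carry the name and pass. Unless a numeric rule bounding the data to 1–900 follows outside the hunk, this check reports compliance it has not verified. The bound should be a two-sided numeric comparison, not a regex over the digits, so that `0` is rejected and `1000` is not matched as a prefix.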
@@ -248,8 +248,8 @@ checks: rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" compliance: - - cis: "2.3.7.7" - - cis_csc: "16" + - cis: ["2.3.7.7"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' 
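Review bot: Same pattern as the inactivity-limit check: `... Winlogon -> PasswordExpiryWarning` verifies only that the value name exists, whereas the remediation for 2.3.7.7 wants a value between 5 and 14 days; `0`, `1` or `365` would all carry the name and pass. If the bounded comparison lives on the rule line after the hunk, a short comment above `rules:` such as `# first rule is a presence guard; the range check follows` would spare the next maintainer the same doubt; if it does not, the 5–14 bound has to be added.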
@@ -262,8 +262,8 @@ checks: rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer." remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation" compliance: - - cis: "2.3.7.8" - - cis_csc: "16.9" + - cis: ["2.3.7.8"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -276,8 +276,8 @@ checks: rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" compliance: - - cis: "2.3.7.9" - - cis_csc: "16.5" + - cis: ["2.3.7.9"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
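Review bot: The remediation for 2.3.7.9 accepts three settings (Lock Workstation, Force Logoff, Disconnect), so the data comparison on the Winlogon smart-card-removal value, which is outside the hunk, must accept all three encodings rather than only Lock Workstation; otherwise hosts that chose the stricter Force Logoff or Disconnect options are reported non-compliant. The visible `r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` rule is only a key-presence guard and decides nothing on its own under `condition: all`.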
@@ -290,8 +290,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" compliance: - - cis: "2.3.8.1" - - cis_csc: "13" + - cis: ["2.3.8.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -304,8 +304,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" compliance: - - cis: "2.3.8.2" - - cis_csc: "13" + - cis: ["2.3.8.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -318,8 +318,8 @@ checks: rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" compliance: - - cis: "2.3.8.3" - - cis_csc: "13" + - cis: ["2.3.8.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' @@ -332,8 +332,8 @@ checks: rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session" compliance: - - cis: "2.3.9.1" - - cis_csc: "3" + - cis: ["2.3.9.1"] + - cis_csc: ["3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
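Review bot: For 2.3.9.1 the remediation is `15 or fewer minute(s), but not 0`, so the comparison on the LanManServer idle-time value (the line after this hunk) has to be a two-sided numeric bound; a presence test would accept any value and a loose regex such as `1?\d` would also accept `0`, which the benchmark explicitly excludes because it disables session suspension. The visible `r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters` rule only confirms the key exists.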
@@ -347,8 +347,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)" compliance: - - cis: "2.3.9.2" - - cis_csc: "13" + - cis: ["2.3.9.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -361,8 +361,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)" compliance: - - cis: "2.3.9.3" - - cis_csc: "13" + - cis: ["2.3.9.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -375,8 +375,8 @@ checks: rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire" compliance: - - cis: "2.3.9.4" - - cis_csc: "16" + - cis: ["2.3.9.4"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -389,8 +389,8 @@ checks: rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources." remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level" compliance: - - cis: "2.3.9.5" - - cis_csc: "14" + - cis: ["2.3.9.5"] + - cis_csc: ["14"] references: - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n condition: all 
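Review bot: The 2.3.9.5 remediation states that both `Accept if provided by client` and `Required from client` conform, so the data comparison on the server SPN target-name hardening value (outside the hunk) must accept two values, not one; a single equality test would flag the stricter setting as a failure. Worth confirming before this compliance-tag change is merged, since the check body is otherwise untouched.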
@@ -405,8 +405,8 @@ checks: rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts" compliance: - - cis: "2.3.10.2" - - cis_csc: "16" + - cis: ["2.3.10.2"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' @@ -419,8 +419,8 @@ checks: rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares" compliance: - - cis: "2.3.10.3" - - cis_csc: "16" + - cis: ["2.3.10.3"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' 
@@ -433,8 +433,8 @@ checks: rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" compliance: - - cis: "2.3.10.5" - - cis_csc: "14, 16" + - cis: ["2.3.10.5"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -447,8 +447,8 @@ checks: rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" compliance: - - cis: "2.3.10.6" - - cis_csc: "14.1, 16" + - cis: ["2.3.10.6"] + - cis_csc: ["14.1","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
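Review bot: `cis_csc: ["14","16"]` has no space after the comma, unlike the spaced flow style yamllint and Prettier emit (`["14", "16"]`); it parses identically, but the file should settle on one spacing for every multi-valued tag so later diffs are not noise. On the 2.3.10.6 check itself, the set of pipes CIS allows anonymous access to depends on role (none on member servers, a short fixed list on Domain Controllers), so a single regex on the named-pipes value in the rule after the hunk will misreport one role or the other unless the policy is scoped to a single role.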
@@ -461,8 +461,8 @@ checks: rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" compliance: - - cis: "2.3.10.7" - - cis_csc: "14, 16" + - cis: ["2.3.10.7"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
@@ -475,8 +475,8 @@ checks: rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" compliance: - - cis: "2.3.10.8" - - cis_csc: "14, 16" + - cis: ["2.3.10.8"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' 
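Review bot: The remediation string for 2.3.10.8 is garbled: the `|` separators fall inside paths rather than between them (`...\\Services\\Eventlog Software\\Microsoft\\OLAP Server |`, `Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\...\\ContentIndex`), and the Group Policy UI path is spliced into the list of registry paths. Since this text is what an operator copies into the `Remotely accessible registry paths and sub-paths` setting, a broken path list directly changes what is reachable over remote registry; the `|` should sit between complete paths (`System\\CurrentControlSet\\Services\\Eventlog | Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print | Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows | System\\CurrentControlSet\\Control\\ContentIndex | ...`) and the UI path should be a separate sentence. The commit touched only the compliance lines, so this is carried over unchanged.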
@@ -489,8 +489,8 @@ checks: rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" compliance: - - cis: "2.3.10.9" - - cis_csc: "14, 16" + - cis: ["2.3.10.9"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -503,8 +503,8 @@ checks: rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data." remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" compliance: - - cis: "2.3.10.10" - - cis_csc: "14, 16" + - cis: ["2.3.10.10"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
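Review bot: For 2.3.10.10 the compliant state is an empty list (`None`), so a rule that asserts the presence of the anonymous-shares value, or matches any non-empty pattern, would fail exactly the hosts that are compliant; the rule after this hunk needs to pass on an empty or absent value and fail on any share name. The visible `r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters` rule is a presence guard only and cannot express that.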
@@ -517,8 +517,8 @@ checks: rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" compliance: - - cis: "2.3.10.11" - - cis_csc: "14, 16" + - cis: ["2.3.10.11"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -531,8 +531,8 @@ checks: rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" compliance: - - cis: "2.3.11.1" - - cis_csc: "14, 16" + - cis: ["2.3.11.1"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -545,8 +545,8 @@ checks: rationale: "NULL sessions are less secure because by definition they are unauthenticated." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback" compliance: - - cis: "2.3.11.2" - - cis_csc: "14" + - cis: ["2.3.11.2"] + - cis_csc: ["14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' 
@@ -559,8 +559,8 @@ checks: rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities" compliance: - - cis: "2.3.11.3" - - cis_csc: "16.9" + - cis: ["2.3.11.3"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' @@ -573,8 +573,8 @@ checks: rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos" compliance: - - cis: "2.3.11.4" - - cis_csc: "16.14" + - cis: ["2.3.11.4"] + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' 
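Review bot: The rationale for 2.3.11.4 starts with `he strength of each encryption algorithm`, a dropped `T` (`The strength ...`) that survives the commit and is presumably surfaced to whoever reads the SCA results. On the check itself, `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types` corresponds to a single bitmask in the Kerberos parameters value, so the comparison (outside the hunk) should be an exact numeric match rather than a substring regex, which could also accept masks that still enable RC4 or DES.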
@@ -587,8 +587,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -601,8 +601,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -615,8 +615,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -628,8 +628,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -642,8 +642,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -656,8 +656,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -672,8 +672,8 @@ checks:
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
 compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.13.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -686,7 +686,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -699,8 +699,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -713,8 +713,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -727,8 +727,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -741,8 +741,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -755,8 +755,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -769,8 +769,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
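Review bot: The registry rule closing the second hunk (cis 2.3.17.5, "Detect application installations and prompt for elevation") reads `r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, which looks like a stray `\MACHINE` segment: every sibling UAC check visible in this diff keys on `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. If that path does not exist on the target the lookup never reaches the real policy value, so this control would report the same result regardless of how installer detection is actually configured, which defeats the point of the check. The defect predates this commit, but since the commit already edits this check it is a one-line fix: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`. The value comparison for this rule lies outside the hunk, so I cannot tell from here whether the bad path surfaces as a pass, a fail or a not-applicable result.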
@@ -783,8 +783,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -797,8 +797,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -811,8 +811,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -825,7 +825,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -839,8 +839,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -853,8 +853,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -867,8 +867,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -881,7 +881,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -894,8 +894,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -908,8 +908,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -922,8 +922,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -936,8 +936,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -951,8 +951,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -965,8 +965,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -979,8 +979,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -993,7 +993,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1006,8 +1006,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1020,8 +1020,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1034,8 +1034,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1048,8 +1048,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1063,8 +1063,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1077,8 +1077,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1091,8 +1091,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1105,7 +1105,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1118,8 +1118,8 @@ checks:
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1132,8 +1132,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1146,8 +1146,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1160,8 +1160,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1174,8 +1174,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1188,8 +1188,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1203,7 +1203,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1216,7 +1216,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1230,8 +1230,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
 compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
+ - cis: ["18.2.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
@@ -1243,8 +1243,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2"
+ - cis: ["18.2.2"]
+ - cis_csc: ["16.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1257,8 +1257,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
+ - cis: ["18.2.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1271,8 +1271,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
+ - cis: ["18.2.4"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1285,8 +1285,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.5"
- - cis_csc: "5.7"
+ - cis: ["18.2.5"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1299,8 +1299,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.6"
- - cis_csc: "16.5"
+ - cis: ["18.2.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1314,8 +1314,8 @@ checks:
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.1"
- - cis_csc: "5.8"
+ - cis: ["18.3.1"]
+ - cis_csc: ["5.8"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
@@ -1332,8 +1332,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
+ - cis: ["18.3.5"]
+ - cis_csc: ["16.14"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
@@ -1351,8 +1351,8 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
@@ -1368,8 +1368,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1384,8 +1384,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1400,8 +1400,8 @@ checks:
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1416,8 +1416,8 @@ checks:
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1432,8 +1432,8 @@ checks:
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
+ - cis: ["18.4.8"]
+ - cis_csc: ["8"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1448,8 +1448,8 @@ checks:
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
+ - cis: ["18.4.9"]
+ - cis_csc: ["16.5"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1464,8 +1464,8 @@ checks:
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
+ - cis: ["18.4.12"]
+ - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1481,8 +1481,8 @@ checks:
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1495,8 +1495,8 @@ checks:
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.11.3"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1509,8 +1509,8 @@ checks:
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1524,8 +1524,8 @@ checks:
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1538,8 +1538,8 @@ checks:
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
@@ -1552,8 +1552,8 @@ checks:
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1566,8 +1566,8 @@ checks:
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1580,8 +1580,8 @@ checks:
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1594,8 +1594,8 @@ checks:
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1608,8 +1608,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1622,8 +1622,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1636,8 +1636,8 @@ checks:
 rationale: "App notifications might display sensitive business or personal data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1650,8 +1650,8 @@ checks:
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
 compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1664,8 +1664,8 @@ checks:
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1678,8 +1678,8 @@ checks:
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1692,8 +1692,8 @@ checks:
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.36.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.36.1"]
+ - cis_csc: ["9.1"]
 references:
 - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
 condition: all
@@ -1709,8 +1709,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1723,8 +1723,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1737,8 +1737,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1751,8 +1751,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1765,8 +1765,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -1779,8 +1779,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -1793,8 +1793,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1807,8 +1807,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1821,8 +1821,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1835,8 +1835,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1849,8 +1849,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1863,8 +1863,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1877,8 +1877,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1891,8 +1891,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1905,8 +1905,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1919,8 +1919,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1933,8 +1933,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
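Review bot: The two checks in this pair of hunks carry word-for-word identical rationale and remediation text (both name the "Turn off shell protocol protected mode" UI path) while being tagged with different CIS ids, `cis: ["18.9.30.3"]` and `cis: ["18.9.30.4"]`, and checking different registry keys (`...\Policies\Microsoft\Windows\Explorer` versus `...\CurrentVersion\Policies\Explorer`). That looks like a copy-paste carried over unchanged by this commit; since the new compliance arrays are what reporting keys on, a correct tag sitting above a description of a different control mislabels the finding for whoever reads it. I would verify the 18.9.30.3 text against the CIS benchmark entry for that id and correct whichever of the two is wrong before this lands. The rest of each check (title, description and the value-comparison rule) continues outside the hunk, so the same verification should cover those lines.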
@@ -1947,8 +1947,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -1961,8 +1961,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
 compliance:
- - cis: "18.9.52.2"
- - cis_csc: "13"
+ - cis: ["18.9.52.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive'
@@ -1975,8 +1975,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1989,8 +1989,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2003,8 +2003,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2017,8 +2017,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2031,8 +2031,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2045,8 +2045,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2059,8 +2059,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2073,8 +2073,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2087,8 +2087,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2101,8 +2101,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2115,8 +2115,8 @@ checks:
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
+ - cis: ["18.9.81.2.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
@@ -2129,8 +2129,8 @@ checks:
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
+ - cis: ["18.9.81.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -2143,8 +2143,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2157,8 +2157,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2171,8 +2171,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2185,8 +2185,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -2199,8 +2199,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
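Review bot: The first hunk here (cis 18.9.95.1) keeps a check that reports hosts with PowerShell Script Block Logging enabled as failing, and the surrounding rationale text presents the logging itself as the risk. That is what this benchmark revision says, but it cuts against how most detection teams use the host: script block logging (event 4104) is a primary source for spotting obfuscated or malicious PowerShell, and I believe later CIS revisions reversed this item to Enabled. Since the commit is already touching every compliance block, it would be worth adding a caveat to this check's `description` such as `Note: later benchmark revisions recommend Enabled; sites that rely on PowerShell telemetry for detection may prefer to enable it together with Protected Event Logging.` so nobody disables logging just to turn the check green. The check's title and id lines sit above the hunk.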
@@ -2213,8 +2213,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2227,8 +2227,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2241,8 +2241,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2255,8 +2255,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2269,8 +2269,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2283,8 +2283,8 @@ checks:
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2297,8 +2297,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2311,8 +2311,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2325,8 +2325,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index b1a7d4e94..bdaf0fe88 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml
@@ -32,8 +32,8 @@ checks:
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
 compliance:
- - cis: "2.3.7.6"
- - cis_csc: "16"
+ - cis: ["2.3.7.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -47,8 +47,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -62,8 +62,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds"
 compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -76,8 +76,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)"
 compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -90,8 +90,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remedtiation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted"
 compliance:
- - cis: "18.4.10"
- - cis_csc: "5"
+ - cis: ["18.4.10"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -104,8 +104,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "5"
+ - cis: ["18.4.11"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
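Review bot: The second hunk on this line (cis 18.4.10, TcpMaxDataRetransmissions IPv6) carries the context key `remedtiation:`, a pre-existing misspelling the commit leaves in place while rewriting the neighbouring compliance lines. The SCA schema key is `remediation`, as the adjacent checks use, so this text will not be reported as the check's remediation guidance and may be dropped or rejected by the loader depending on how it treats unknown keys. Change the key to `remediation:`; the value itself needs no change. The check's id and title lines are above the hunk.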
@@ -119,8 +119,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver"
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -139,8 +139,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver"
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -160,8 +160,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services"
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -174,8 +174,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents"
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -189,8 +189,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now"
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -211,8 +211,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards"
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
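Review bot: In the third hunk on this line (cis 18.5.20.2) the double-quoted remediation value contains `Administrative Templates\Network\Network\\Windows Connect Now`, which the commit leaves untouched. Inside a double-quoted YAML scalar a lone backslash starts an escape and `\N` is the next-line escape (U+0085), so the stored string will not contain the literal `\Network` segment but a control character followed by `etwork`; the segment is also written twice. It should read `Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards`, matching the doubled backslashes every other path in these files uses. The check's id and title lines are above the hunk.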
@@ -226,8 +226,8 @@ checks:
 rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network"
 compliance:
- - cis: "18.5.21.2"
- - cis_csc: "12"
+ - cis: ["18.5.21.2"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -241,8 +241,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing"
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -255,8 +255,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting"
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
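Review bot: The first hunk on this line (cis 18.5.21.2) has `Administrative Templates\Network\\Windows Connection Manager` in its double-quoted remediation string, with a single backslash before `Network`. In a double-quoted YAML scalar `\N` is the next-line escape (U+0085), so the rendered path loses that backslash and gains a control character instead of reading `Templates\Network`. It should be `Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network`, consistent with the other remediation paths in this file. The check's id and title lines are above the hunk.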
@@ -269,8 +269,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com"
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -283,7 +283,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com"
 compliance:
- - cis: "18.8.22.1.7"
+ - cis: ["18.8.22.1.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
@@ -296,8 +296,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates"
 compliance:
- - cis: "18.8.22.1.8"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
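Review bot: The registry rule in the second hunk on this line (cis 18.8.22.1.7), `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, omits the `SOFTWARE\` component that every other `Policies\Microsoft\...` rule in these two files carries, so the key-exists rule points at a path that will not be present and the check is likely to report failed regardless of the actual policy state. Presumably it should be `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`; confirm against the benchmark's audit procedure before changing it. This hunk also has no `cis_csc` mapping, unlike its neighbours, which may be intentional. The value-check rule that follows the key line is outside the hunk.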
@@ -311,7 +311,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task"
 compliance:
 - cis: 18.8.22.1.9"
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -324,8 +324,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders"
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -338,8 +338,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program"
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
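Review bot: In the `@@ -311` hunk the `cis` entry is left as a context line reading `- cis: 18.8.22.1.9"` — an unconverted plain scalar with a stray trailing quote — while its `cis_csc` sibling is wrapped in a list, which is the whole point of the commit. The value a loader produces for that line is the string `18.8.22.1.9"`, so it will never match a CIS id lookup and its format differs from every other entry in the file. It should be `- cis: ["18.8.22.1.9"]` in this commit rather than in the separate fix-up later in the series.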
@@ -352,8 +352,8 @@ checks: rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program" compliance: - - cis: "18.8.22.1.12" - - cis_csc: "13" + - cis: ["18.8.22.1.12"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' @@ -366,8 +366,8 @@ checks: rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting" compliance: - - cis: "18.8.22.1.13" - - cis_csc: "13" + - cis: ["18.8.22.1.13"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' @@ -384,8 +384,8 @@ checks: rationale: "This is a way to increase the security of the system account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in" compliance: - - cis: "18.8.26.1" - - cis_csc: "16.5" + - cis: ["18.8.26.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' 
@@ -399,8 +399,8 @@ checks: rationale: "Unauthenticated RPC communication can create a security vulnerability." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" compliance: - - cis: "18.8.36.2" - - cis_csc: "9.1" + - cis: ["18.8.36.2"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' @@ -414,8 +414,8 @@ checks: rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" compliance: - - cis: "18.8.44.5.1" - - cis_csc: "13" + - cis: ["18.8.44.5.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' @@ -429,8 +429,8 @@ checks: rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack" compliance: - - cis: "18.8.44.11.1" - - cis_csc: "13" + - cis: ["18.8.44.11.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' 
@@ -444,8 +444,8 @@ checks: rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID" compliance: - - cis: "18.8.46.1" - - cis_csc: "13" + - cis: ["18.8.46.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' @@ -459,8 +459,8 @@ checks: rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client" compliance: - - cis: "18.8.49.1.1" - - cis_csc: "6.1" + - cis: ["18.8.49.1.1"] + - cis_csc: ["6.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' @@ -473,8 +473,8 @@ checks: rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server" compliance: - - cis: "18.8.49.1.2" - - cis_csc: "9.1" + - cis: ["18.8.49.1.2"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' 
@@ -488,7 +488,7 @@ checks: rationale: "This setting affects the Windows Location Provider feature (e.g. GPS or other location tracking)." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider" compliance: - - cis: "18.9.39.1.1" + - cis: ["18.9.39.1.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' @@ -501,8 +501,8 @@ checks: rationale: "This setting affects the location feature (e.g. GPS or other location tracking)." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location" compliance: - - cis: "18.9.39.2" - - cis_csc: "13" + - cis: ["18.9.39.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' @@ -516,7 +516,7 @@ checks: rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session" compliance: - - cis: "18.9.58.3.2.1" + - cis: ["18.9.58.3.2.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -530,8 +530,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection" compliance: - - cis: "18.9.58.3.3.1" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.1"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -544,8 +544,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection" compliance: - - cis: "18.9.58.3.3.3" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.3"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -558,8 +558,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection" compliance: - - cis: "18.9.58.3.3.4" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.4"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -573,8 +573,8 @@ checks: rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions" compliance: - - cis: "18.9.58.3.10.1" - - cis_csc: "16.5" + - cis: ["18.9.58.3.10.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -587,8 +587,8 @@ checks: rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions" compliance: - - cis: "18.9.58.3.10.2" - - cis_csc: "16.5" + - cis: ["18.9.58.3.10.2"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -602,8 +602,8 @@ checks: rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search" compliance: - - cis: "18.9.60.3" - - cis_csc: "13" + - cis: ["18.9.60.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -617,7 +617,7 @@ checks: rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation" compliance: - - cis: "18.9.65.1" + - cis: ["18.9.65.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' @@ -631,8 +631,8 @@ checks: rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS" compliance: - - cis: "18.9.76.3.2" - - cis_csc: "8" + - cis: ["18.9.76.3.2"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' 
@@ -646,8 +646,8 @@ checks: rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events" compliance: - - cis: "18.9.76.9.1" - - cis_csc: "13" + - cis: ["18.9.76.9.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' @@ -661,8 +661,8 @@ checks: rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts" compliance: - - cis: "18.9.85.3" - - cis_csc: "7" + - cis: ["18.9.85.3"] + - cis_csc: ["7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' @@ -676,8 +676,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM" compliance: - - cis: "18.9.97.2.2" - - cis_csc: "3.4" + - cis: ["18.9.97.2.2"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -691,8 +691,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access" compliance: - - cis: "18.9.98.1" - - cis_csc: "3.4" + - cis: ["18.9.98.1"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml new file mode 100644 index 000000000..c36628c92 --- /dev/null +++ b/sca/windows/win_audit_rcl.yml 
@@ -0,0 +1,146 @@ +# Security Configuration assessment +# Checks for Windows audit +# Copyright (C) 2015-2019, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation +# + +policy: + id: "win_audit" + file: "win_audit_rcl.yml" + name: "Benchmark for Windows audit" + description: "This document provides a way of ensuring the security of the Windows systems." + +requirements: + title: "Check for Windows platform" + description: "Requirements for running the audit policy under a Windows platform" + condition: "any" + rules: + - 'r:HKEY_LOCAL_MACHINE\SAM\SAM' + +checks: + - id: 2500 + title: "Ensure Registry tools set is enabled" + compliance: + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] + condition: all + rules: + - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' + - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools' + - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0' + + - id: 2501 + title: "Ensure DCOM is enabled" + description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network." 
+ compliance: + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] + references: + - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM' + - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y' + + - id: 2502 + title: "LM authentication not allowed (disable weak passwords)" + compliance: + - pci_dss: ["10.6.1","11.4"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6","IA.10"] + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel' + - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^5$' + +# Disabled by some Malwares (sometimes by McAfee and Symantec +# security center too). + - id: 2503 + title: "Ensure Firewall/Anti Virus notifications are enabled" + compliance: + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0' + +# Checking for the microsoft firewall. 
+ - id: 2504 + title: "Ensure Microsoft Firewall is enabled" + compliance: + - pci_dss: ["10.6.1","1.4"] + - hipaa: ["164.312.b","164.312.a.1"] + - nist_800_53: ["AU.6","SC.7"] + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile' + - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall' + - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1' + + - id: 2505 + title: "Ensure Null sessions are not allowed" + compliance: + - pci_dss: ["11.4"] + - nist_800_53: ["IA.10"] + condition: all + rules: + - 'r:HKLM\System\CurrentControlSet\Control\Lsa' + - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous' + - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' + + - id: 2506 + title: "Ensure Turn off Windows Error reporting is enabled" + compliance: + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] + references: + - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html + condition: all + rules: + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0' + + - id: 2507 + title: "Ensure Automatic Logon is disabled" + compliance: + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] + condition: any + rules: + - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword' + - 'r:HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon -> AutoAdminLogon' + - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' + + - id: 2508 + title: "Ensure Winpcap packet filter driver is not present" + compliance: + - pci_dss: ["10.6.1"] + - hipaa: ["164.312.b"] + - nist_800_53: ["AU.6"] + condition: none + rules: + - 'f:%WINDIR%\System32\drivers\npf.sys' + - 'f:%WINDIR%\Sysnative\drivers\npf.sys' From b5ed81aed1b47dfddcb8ce0ce5077f707c6def81 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 11:15:38 +0200 Subject: [PATCH 180/247] Fix some typos --- sca/rhel/6/cis_rhel6_linux.yml | 2 +- sca/windows/cis_win2012r2_memberL2.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index 42ee98a30..257d5598b 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -829,7 +829,7 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: ["5].2.7" + - cis: ["5.2.7"] - cis_csc: ["9"] - pci_dss: ["4.1"] - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml index bdaf0fe88..93960b46d 100644 --- a/sca/windows/cis_win2012r2_memberL2.yml +++ b/sca/windows/cis_win2012r2_memberL2.yml 
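Review bot: Check 2507 ("Ensure Automatic Logon is disabled") uses `condition: any` over three rules, so it passes as soon as the `AutoAdminLogon` value merely exists (second rule), even when it is `1` and a `DefaultPassword` is present. If `any` is kept so that an absent value (the default) still passes, the second rule should test absence rather than presence, `'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'`, leaving only the absence of the value or `AutoAdminLogon -> 0` to satisfy it. Check 2504 ("Ensure Microsoft Firewall is enabled") inspects only `windowsfirewall\domainprofile`, so a host that is not domain-joined and uses the standard profile is never evaluated; a matching rule set for `windowsfirewall\standardprofile` would close that gap. Check 2503 lists `FirewallDisableNotify` and `firewalldisablenotify` as separate rules although registry value names are case-insensitive, and the file alternates between `HKLM` and `HKEY_LOCAL_MACHINE` for the same root key; picking one spelling of each would make the rules easier to audit.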
@@ -310,7 +310,7 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task"
 compliance:
- - cis: 18.8.22.1.9"
+ - cis: ["18.8.22.1.9"]
 - cis_csc: ["13"]
 condition: all
 rules:
From f98057e258f2d548f8ab69a6fc016a1db1ca3cd6 Mon Sep 17 00:00:00 2001
From: Skeptor Date: Fri, 28 Jun 2019 12:25:19 +0200 Subject: [PATCH 181/247] Change compliance format --- sca/applications/cis_apache2224.yml | 144 +-- sca/applications/cis_mysql5-6_community.yml | 38 +- sca/applications/cis_mysql5-6_enterprise.yml | 52 +- sca/applications/web_vulnerabilities.yml | 48 +- sca/darwin/15/cis_apple_macOS_10.11.yml | 66 +- sca/darwin/16/cis_apple_macOS_10.12.yml | 60 +- sca/darwin/17/cis_apple_macOS_10.13.yml | 60 +- sca/darwin/web_vulnerabilities.yml | 145 +++ sca/debian/cis_debian7_L1.yml | 235 +++-- sca/debian/cis_debian7_L2.yml | 58 +- sca/debian/cis_debian8_L1.yml | 392 ++++---- sca/debian/cis_debian8_L2.yml | 114 +-- sca/debian/cis_debian_linux_rcl.yml | 517 +++++++++++ sca/generic/system_audit_pw.yml | 160 ++++ sca/generic/system_audit_ssh.yml | 137 +++ sca/rhel/5/cis_rhel5_linux.yml | 272 +++--- sca/rhel/6/cis_rhel6_linux.yml | 330 +++---- sca/rhel/7/cis_rhel7_linux.yml | 392 ++++---- sca/sles/11/cis_sles11_linux.yml | 346 +++---- sca/sles/12/cis_sles12_linux.yml | 384 ++++---- sca/sunos/cis_solaris11.yml | 110 +-- sca/windows/acsc_office2016.yml | 14 +- sca/windows/cis_win10_enterprise_L1.yml | 918 +++++++++---------- sca/windows/cis_win10_enterprise_L2.yml | 332 +++---- sca/windows/cis_win2012r2_domainL1.yml | 614 ++++++------- sca/windows/cis_win2012r2_domainL2.yml | 148 +-- sca/windows/cis_win2012r2_memberL1.yml | 634 ++++++------- sca/windows/cis_win2012r2_memberL2.yml | 170 ++-- sca/windows/win_audit_rcl.yml | 146 +++ 29 files changed, 4107 insertions(+), 2929 deletions(-) create mode 100644 sca/darwin/web_vulnerabilities.yml create mode 100644 sca/debian/cis_debian_linux_rcl.yml create mode 100644 sca/generic/system_audit_pw.yml create mode 100644 sca/generic/system_audit_ssh.yml create mode 100644 sca/windows/win_audit_rcl.yml diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index 7f9107681..261513ed5 100644 --- a/sca/applications/cis_apache2224.yml 
+++ b/sca/applications/cis_apache2224.yml @@ -51,8 +51,8 @@ checks: rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls." remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file." compliance: - - cis: "2.3" - - cis_csc: "9.1" + - cis: ["2.3"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_dav.html - https://httpd.apache.org/docs/2.4/mod/mod_dav.html @@ -67,8 +67,8 @@ checks: rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files." remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file." compliance: - - cis: "2.4" - - cis_csc: "9.1" + - cis: ["2.4"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_status.html - https://httpd.apache.org/docs/2.4/mod/mod_status.html 
@@ -83,8 +83,8 @@ checks: rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed." remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file." compliance: - - cis: "2.5" - - cis_csc: "18" + - cis: ["2.5"] + - cis_csc: ["18"] references: - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html @@ -99,8 +99,8 @@ checks: rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended." remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file." compliance: - - cis: "2.6" - - cis_csc: "9.1" + - cis: ["2.6"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html 
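Review bot: The remediation strings kept as context in both hunks carry broken option spellings: `- -disable-autoindex` in the `@@ -83` hunk and `--enable- modules=` in the `@@ -99` hunk, so an operator copying the command gets a configure invocation that does not work. The commit only reformats the compliance entries and leaves them as they were; the text should read `--disable-autoindex` and `--enable-modules=`.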
@@ -115,8 +115,8 @@ checks: rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network." remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file." compliance: - - cis: "2.7" - - cis_csc: "18" + - cis: ["2.7"] + - cis_csc: ["18"] references: - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html @@ -131,8 +131,8 @@ checks: rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules." remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file." compliance: - - cis: "2.8" - - cis_csc: "9.1" + - cis: ["2.8"] + - cis_csc: ["9.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_info.html - https://httpd.apache.org/docs/2.4/mod/mod_info.html @@ -147,8 +147,8 @@ checks: rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system." remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" compliance: - - cis: "3.2" - - cis_csc: "16" + - cis: ["3.2"] + - cis_csc: ["16"] condition: none rules: - 'f:/etc/passwd -> r:apache' 
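Review bot: The rule on the last line of the `@@ -147` hunk, `'f:/etc/passwd -> r:apache'` under `condition: none`, matches any passwd line containing the substring `apache`, so the check passes only when no such account exists at all and fails on every host that has the service user, whatever its shell — the opposite of what the rationale and the `chsh -s /sbin/nologin apache` remediation above it describe. To test the shell rather than the account's presence, anchor on the account and exclude the non-login shells, e.g. `'f:/etc/passwd -> r:^apache: && !r:nologin$|false$'`, which under `none` fails only when the apache entry ends in a real shell. The commit touches only the compliance entries, so this predates it; the check's title is outside the hunk.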
@@ -160,8 +160,8 @@ checks:
 rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password."
 remediation: "Use the passwd command to lock the apache account: # passwd -l apache"
 compliance:
- - cis: "3.3"
- - cis_csc: "16"
+ - cis: ["3.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'c:passwd -S apache -> r:Password locked'
@@ -173,8 +173,8 @@ checks:
 rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified."
 remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None."
 compliance:
- - cis: "4.4"
- - cis_csc: "14.4"
+ - cis: ["4.4"]
+ - cis_csc: ["14.4"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
 - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
@@ -193,8 +193,8 @@ checks:
 rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes."
 remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above."
 compliance:
- - cis: "5.3"
- - cis_csc: "18"
+ - cis: ["5.3"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_include.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#options
@@ -212,8 +212,8 @@ checks:
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
 remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
 compliance:
- - cis: "5.4"
- - cis_csc: "18.9"
+ - cis: ["5.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:/var/www -> index.html'
@@ -226,8 +226,8 @@ checks:
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
 remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
 compliance:
- - cis: "5.4"
- - cis_csc: "18.9"
+ - cis: ["5.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:$confdirs -> r:manual.conf|apache2-doc.conf'
@@ -239,8 +239,8 @@ checks:
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
 remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
 compliance:
- - cis: "5.4"
- - cis_csc: "18.9"
+ - cis: ["5.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler'
@@ -253,8 +253,8 @@ checks:
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
 remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed."
 compliance:
- - cis: "5.5"
- - cis_csc: "18"
+ - cis: ["5.5"]
+ - cis_csc: ["18"]
 condition: none
 rules:
 - 'd:/var/www/cgi-bin -> printenv'
@@ -267,8 +267,8 @@ checks:
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
 remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. Remove the test-cgi default CGI in the cgi-bin directory if it is installed."
 compliance:
- - cis: "5.6"
- - cis_csc: "18.9"
+ - cis: ["5.6"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:/var/www/cgi-bin -> test-cgi'
@@ -281,8 +281,8 @@ checks:
 rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
 remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory."
 compliance:
- - cis: "5.7"
- - cis_csc: "9.1"
+ - cis: ["5.7"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
 - https://www.ietf.org/rfc/rfc2616.txt
@@ -299,8 +299,8 @@ checks:
 rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
 remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like or ."
 compliance:
- - cis: "5.8"
- - cis_csc: "9.1"
+ - cis: ["5.8"]
+ - cis_csc: ["9.1"]
 references:
 - https://www.ietf.org/rfc/rfc2616.txt
 - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
@@ -316,8 +316,8 @@ checks:
 rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
 remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port."
 compliance:
- - cis: "5.13"
- - cis_csc: "9.1"
+ - cis: ["5.13"]
+ - cis_csc: ["9.1"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
 - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
@@ -337,8 +337,8 @@ checks:
 rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
 remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN"
 compliance:
- - cis: "5.14"
- - cis_csc: "18"
+ - cis: ["5.14"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
 - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
@@ -355,8 +355,8 @@ checks:
 rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
 remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site."
 compliance:
- - cis: "6.1"
- - cis_csc: "6.2"
+ - cis: ["6.1"]
+ - cis_csc: ["6.2"]
 references:
 - https://httpd.apache.org/docs/2.2/logs.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
@@ -376,8 +376,8 @@ checks:
 rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
 remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary."
 compliance:
- - cis: "6.2"
- - cis_csc: "6.6"
+ - cis: ["6.2"]
+ - cis_csc: ["6.6"]
 references:
 - https://httpd.apache.org/docs/2.2/logs.html
 - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
@@ -396,8 +396,8 @@ checks:
 rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation."
 remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, no action is required: SSLInsecureRenegotiation off"
 compliance:
- - cis: "7.6"
- - cis_csc: "14.2"
+ - cis: ["7.6"]
+ - cis_csc: ["14.2"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
 - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
@@ -414,8 +414,8 @@ checks:
 rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator."
 remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off."
 compliance:
- - cis: "7.7"
- - cis_csc: "14.2"
+ - cis: ["7.7"]
+ - cis_csc: ["14.2"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
 - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
@@ -432,8 +432,8 @@ checks:
 rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically."
 remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
 compliance:
- - cis: "8.1"
- - cis_csc: "18.9"
+ - cis: ["8.1"]
+ - cis_csc: ["18.9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
 condition: any
@@ -448,8 +448,8 @@ checks:
 rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information."
 remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
 compliance:
- - cis: "8.2"
- - cis_csc: "18"
+ - cis: ["8.2"]
+ - cis_csc: ["18"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
 - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
@@ -465,8 +465,8 @@ checks:
 rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
 remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out."
 compliance:
- - cis: "8.4"
- - cis_csc: "18.9"
+ - cis: ["8.4"]
+ - cis_csc: ["18.9"]
 condition: none
 rules:
 - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf'
@@ -479,8 +479,8 @@ checks:
 rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
 remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less."
 compliance:
- - cis: "9.1"
- - cis_csc: "9"
+ - cis: ["9.1"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#timeout
 - https://httpd.apache.org/docs/2.4/mod/core.html#timeout
@@ -495,8 +495,8 @@ checks:
 rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
 remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On."
 compliance:
- - cis: "9.2"
- - cis_csc: "9"
+ - cis: ["9.2"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive
 - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive
@@ -511,8 +511,8 @@ checks:
 rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks."
 remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more."
 compliance:
- - cis: "9.3"
- - cis_csc: "9"
+ - cis: ["9.3"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests
 - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests
@@ -527,8 +527,8 @@ checks:
 rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks."
 remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less."
 compliance:
- - cis: "9.4"
- - cis_csc: "9"
+ - cis: ["9.4"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout
 - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
@@ -543,8 +543,8 @@ checks:
 rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies."
 remediation: "Load the mod_requesttimeout module in the Apache configuration. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less."
 compliance:
- - cis: "9.5"
- - cis_csc: "9"
+ - cis: ["9.5"]
+ - cis_csc: ["9"]
 references:
 - https://ha.ckers.org/slowloris/
 - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t
@@ -562,8 +562,8 @@ checks:
 rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks."
 remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less."
 compliance:
- - cis: "9.6"
- - cis_csc: "9"
+ - cis: ["9.6"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
 - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
@@ -579,8 +579,8 @@ checks:
 rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less."
 compliance:
- - cis: "10.1"
- - cis_csc: "9"
+ - cis: ["10.1"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline
@@ -595,8 +595,8 @@ checks:
 rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100."
 compliance:
- - cis: "10.2"
- - cis_csc: "9"
+ - cis: ["10.2"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields
@@ -611,8 +611,8 @@ checks:
 rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less."
 compliance:
- - cis: "10.3"
- - cis_csc: "9"
+ - cis: ["10.3"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize
@@ -627,8 +627,8 @@ checks:
 rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
 remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server."
 compliance:
- - cis: "10.4"
- - cis_csc: "9"
+ - cis: ["10.4"]
+ - cis_csc: ["9"]
 references:
 - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody
 - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml
index cae172d81..459a7e5e9 100644
--- a/sca/applications/cis_mysql5-6_community.yml
+++ b/sca/applications/cis_mysql5-6_community.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
 remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
 - https://bugs.mysql.com/bug.php?id=72158
@@ -47,7 +47,7 @@ checks:
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
 remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: none
 rules:
 - 'c:getent passwd mysql -> r:^\s$'
@@ -58,7 +58,7 @@ checks:
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
 remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
 compliance:
- - cis: "1.6"
+ - cis: ["1.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
 condition: none
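Review bot: The rule `'c:getent passwd mysql -> r:^\s$'` in the -47 hunk, paired with `condition: none`, appears to fail only when getent prints a line consisting of a single whitespace character, which it never does, so the check passes no matter which shell the mysql account has and never exercises the stated remediation (`usermod -s /bin/false mysql` or `/sbin/nologin`). The same rule is carried unchanged into the enterprise file's -47 hunk further down, so both files are affected. If the check is meant to enforce the remediation, a rule that inspects the shell field of the getent output, along the lines of `- 'c:getent passwd mysql -> !r:/bin/false$|/sbin/nologin$'` kept under `condition: none`, would be closer; confirm against the SCA rule syntax before adopting it. The check's id and title are outside the hunk.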
@@ -72,7 +72,7 @@ checks:
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
 remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
@@ -86,7 +86,7 @@ checks:
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
 remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
@@ -100,7 +100,7 @@ checks:
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
 remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
 condition: all
@@ -113,7 +113,7 @@ checks:
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
 remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
@@ -127,7 +127,7 @@ checks:
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
 remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.8"
+ - cis: ["4.8"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
 condition: all
@@ -140,7 +140,7 @@ checks:
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
 remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
 compliance:
- - cis: "4.9"
+ - cis: ["4.9"]
 condition: all
 rules:
 - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
@@ -152,7 +152,7 @@ checks:
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
 remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
 compliance:
- - cis: "6.1"
+ - cis: ["6.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
 condition: all
@@ -165,7 +165,7 @@ checks:
 rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
 remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
@@ -179,7 +179,7 @@ checks:
 rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
 remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
 condition: all
@@ -192,7 +192,7 @@ checks:
 rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
 remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
@@ -207,7 +207,7 @@ checks:
 rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
 remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
 compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
 - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
@@ -224,7 +224,7 @@ checks:
 rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
 remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
 compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
 condition: all
@@ -237,7 +237,7 @@ checks:
 rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
 remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
 compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
 condition: none
@@ -250,7 +250,7 @@ checks:
 rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
 remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
 compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
 condition: all
 rules:
 - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
@@ -261,7 +261,7 @@ checks:
 rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
 remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
 compliance:
- - cis: "7.6"
+ - cis: ["7.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
 condition: all
@@ -281,7 +281,7 @@ checks:
 rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
 remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
 compliance:
- - cis: "9.2"
+ - cis: ["9.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
 condition: all
diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml
index e3bf9be80..f87edcff1 100644
--- a/sca/applications/cis_mysql5-6_enterprise.yml
+++ b/sca/applications/cis_mysql5-6_enterprise.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
 remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-logging.html
 - https://bugs.mysql.com/bug.php?id=72158
@@ -47,7 +47,7 @@ checks:
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
 remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: none
 rules:
 - 'c:getent passwd mysql -> r:^\s$'
@@ -58,7 +58,7 @@ checks:
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
 remediation: "Check which users and/or scripts are setting MYSQL_PWD and change them to use a more secure method."
 compliance:
- - cis: "1.6"
+ - cis: ["1.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html
 condition: none
@@ -72,7 +72,7 @@ checks:
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
 remediation: "Remove '--allow-suspicious-udfs' from the 'mysqld' start up command line. Or Remove 'allow-suspicious-udfs' from the MySQL option file."
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/udf-security.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_allow-suspicious-udfs
@@ -86,7 +86,7 @@ checks:
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
 remediation: "Add a line local-infile=0 in the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/string-functions.html#function_load-file
 - https://dev.mysql.com/doc/refman/5.6/en/load-data.html
@@ -100,7 +100,7 @@ checks:
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
 remediation: "Open the MySQL configuration (e.g. my.cnf) file and set: skip-grant-tables = FALSE"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-grant-tables
 condition: all
@@ -113,7 +113,7 @@ checks:
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
 remediation: "Open the MySQL configuration file (my.cnf), locate 'skip_symbolic_links' and set it to YES. If the option does not existe, create it in the 'mysqld' section."
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/symbolic-links.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_symbolic-links
@@ -127,7 +127,7 @@ checks:
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
 remediation: "Add the line secure_file_priv= to the [mysqld] section of the MySQL configuration file and restart the MySQL service."
 compliance:
- - cis: "4.8"
+ - cis: ["4.8"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-system-variables.html#sysvar_secure_file_priv
 condition: all
@@ -140,7 +140,7 @@ checks:
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
 remediation: "Add STRICT_ALL_TABLES to the sql_mode in the server's configuration file."
 compliance:
- - cis: "4.9"
+ - cis: ["4.9"]
 condition: all
 rules:
 - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
@@ -152,7 +152,7 @@ checks:
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
 remediation: "Set the log-error option to the path for the error log in the MySQL configuration file (my.cnf or my.ini)."
 compliance:
- - cis: "6.1"
+ - cis: ["6.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/error-log.html
 condition: all
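Review bot: The strict_all_tables rule in the @@ -140 hunk greps for the lowercase token, while its own remediation tells the administrator to write STRICT_ALL_TABLES, so unless the SCA engine runs that command case-insensitively a correctly hardened server is reported as non-compliant; `grep -Rhi strict_all_tables ...` would accept both spellings. The same lowercase grep precedes the no_auto_create_user rule (@@ -250 hunk) and the force_plus_permanent rule (@@ -361 hunk), where the right-hand regex does accept uppercase but grep has already dropped those lines. These rules are context lines the commit does not touch, so this is a pre-existing issue; the behaviour is inferred from the grep invocation and should be confirmed against the engine.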
@@ -165,7 +165,7 @@ checks:
 rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
 remediation: "In the MySQL configuration file (my.cnf), locate the log-bin entry and set it to a file not on root ('/'), /var, or /usr."
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/binary-log.html
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
@@ -179,7 +179,7 @@ checks:
 rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
 remediation: "Ensure a line containing log-warnings = 2 is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-warnings
 condition: all
@@ -192,7 +192,7 @@ checks:
 rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
 remediation: "IN the MySQL configuration file (my.cnf), locate and set the value of this option: log-raw = OFF"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-logging.html
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
@@ -207,7 +207,7 @@ checks:
 rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
 remediation: "Configure mysql to leverage the mysql_native_password or sha256_password plugin."
 compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/password-hashing.html
 - https://dev.mysql.com/doc/refman/5.6/en/sha256-authentication-plugin.html
@@ -224,7 +224,7 @@ checks:
 rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
 remediation: "Add a line secure_auth=ON to the [mysqld] section of the MySQL option file."
 compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_secure-auth
 condition: all
@@ -237,7 +237,7 @@ checks:
 rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
 remediation: "Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. "
 compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/mysql-config-editor.html
 condition: none
@@ -250,7 +250,7 @@ checks:
 rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
 remediation: "In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the sql_mode setting."
 compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
 condition: all
 rules:
 - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
@@ -261,7 +261,7 @@ checks:
 rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
 remediation: "Add to the global configuration: plugin-load=validate_password.so validate-password=FORCE_PLUS_PERMANENT validate_password_length=14 validate_password_mixed_case_count=1 validate_password_number_count=1 validate_password_special_char_count=1 validate_password_policy=MEDIUM. And change passwords for users which have passwords which are identical to their username. Restarting the server is required."
 compliance:
- - cis: "7.6"
+ - cis: ["7.6"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/validate-password-plugin.html
 condition: all
@@ -281,7 +281,7 @@ checks:
 rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
 remediation: "Open the MySQL configuration file (my.cnf); locate master_info_repository; set the master_info_repository value to TABLE. Add the option if it does not exist."
 compliance:
- - cis: "9.2"
+ - cis: ["9.2"]
 references:
 - https://dev.mysql.com/doc/refman/5.6/en/replication-options-slave.html#sysvar_master_info_repository
 condition: all
@@ -295,7 +295,7 @@ checks:
 rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation."
 remediation: "Set the audit_log_connection_policy option to ERRORS or ALL in the MySQL configuration file."
 compliance:
- - cis: "6.5"
+ - cis: ["6.5"]
 condition: none
 rules:
 - 'c:grep -Rh audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE'
@@ -306,7 +306,7 @@ checks:
 rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable."
 remediation: "Set audit_log_exclude_accounts=NULL in my.cnf."
 compliance:
- - cis: "6.6"
+ - cis: ["6.6"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$'
@@ -317,7 +317,7 @@ checks:
 rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
 remediation: "Set audit_log_include_accounts=NULL in my.cnf."
 compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
@@ -328,7 +328,7 @@ checks:
 rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
 remediation: "Set audit_log_policy='ALL' in the MySQL configuration file and activate the setting by restarting the server or executing SET GLOBAL audit_log_policy='ALL';"
 compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
@@ -339,7 +339,7 @@ checks:
 rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log."
 remediation: "Add the option audit_log_statement_policy='ALL' to the mysqld section of the MySQL configuration file and restart the server."
 compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
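Review bot: The audit_log_statement_policy rule in the @@ -339 hunk has no `!r:^\s*\t*#` term, unlike the audit_log_* rules in the @@ -295, @@ -306, @@ -317 and @@ -328 hunks, so a commented-out `# audit_log_statement_policy = ALL` line satisfies the check and the control is reported as passing while the setting is not in effect. The audit_log_strategy and force_plus_permanent rules in the @@ -350 and @@ -361 hunks have the same gap. Prefixing each of those rule expressions with `!r:^\s*\t*# && ` would make them consistent with their siblings. These are context lines the commit does not change, so this is pre-existing rather than introduced here.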
@@ -350,7 +350,7 @@ checks:
 rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead."
 remediation: "Set audit_log_strategy='SEMISYNCHRONOUS' (or SYNCHRONOUS) in the mysqld section of the configuration file (my.cnf)."
 compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
 condition: all
 rules:
 - 'c:grep -Rh audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
@@ -361,7 +361,7 @@ checks:
 rationale: "This makes disables unloading on the plugin."
 remediation: "Ensure a line audit_log = 'FORCE_PLUS_PERMANENT' is found in the mysqld section of the MySQL configuration file (my.cnf)."
 compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
 condition: all
 rules:
 - 'c:grep -Rh force_plus_permanent /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:^audit_log\s*=\s*force_plus_permanent|^audit_log\s*=\s*FORCE_PLUS_PERMANENT'
diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml
index 156801d8d..25cd7902b 100644
--- a/sca/applications/web_vulnerabilities.yml
+++ b/sca/applications/web_vulnerabilities.yml
@@ -55,8 +55,8 @@ checks:
 - id: 1004
 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^.yop$'
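Review bot: The new flow sequences in the @@ -55 hunk of web_vulnerabilities.yml are written without a space after each comma, which is the one place in this commit where the YAML style diverges from the usual `[a, b]` formatting that yamllint and Prettier emit; `- pci_dss: ["6.5", "6.6", "11.4"]` and `- nist_800_53: ["SA.11", "IA.10"]` would read the same and format cleanly. The same spacing appears in every web_vulnerabilities hunk that follows (checks 1005 through 1015), so one pass over that file is enough. Purely a style point; the parsed values are unchanged.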
@@ -64,8 +64,8 @@ checks:
 - id: 1005
 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^id$'
@@ -73,8 +73,8 @@ checks:
 - id: 1006
 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^.ssh$'
@@ -82,8 +82,8 @@ checks:
 - id: 1007
 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^...$'
@@ -91,8 +91,8 @@ checks:
 - id: 1008
 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^.shell$'
@@ -101,8 +101,8 @@ checks:
 - id: 1009
 title: "Web vulnerability - Outdated WordPress installation"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2'
@@ -110,8 +110,8 @@ checks:
 - id: 1010
 title: "Web vulnerability - Outdated Joomla installation"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8'
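Review bot: The "Outdated WordPress installation" rule in the @@ -101 hunk only fires on the literal version string 4.4.2, so any other outdated release is reported as clean, and the Joomla rule in the @@ -110 hunk (3.4.8) and the osCommerce rule in the @@ -119 hunk that follows have the same shape. A real threshold would need a numeric comparison the rule syntax shown here does not express, so at minimum the narrowness should be stated above each rule, e.g. `# Matches only this single release; other outdated versions are not detected`, so a reader does not mistake the check for a general version audit. These rules are unchanged context in this commit.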
@@ -119,8 +119,8 @@ checks:
 - id: 1011
 title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-'
@@ -129,8 +129,8 @@ checks:
 - id: 1012
 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
@@ -138,8 +138,8 @@ checks:
 - id: 1013
 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 condition: none
 rules:
 - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
@@ -147,8 +147,8 @@ checks:
 - id: 1014
 title: "Web vulnerability - .htaccess file compromised"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 references:
 - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
 condition: none
@@ -158,8 +158,8 @@ checks:
 - id: 1015
 title: "Web vulnerability - .htaccess file compromised - auto append"
 compliance:
- - pci_dss: "6.5, 6.6, 11.4"
- - nist_800_53: "SA.11, IA.10"
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
 references:
 - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
 condition: none
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index 93ab41f4e..0ba3fc8ab 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -35,7 +35,7 @@ checks:
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
 remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
 compliance:
- - cis: "1.1"
+ - cis: ["1.1"]
 condition: all
 rules:
 - 'c:softwareupdate -l -> r:No new software available'
@@ -47,7 +47,7 @@ checks:
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
 compliance:
- - cis: "1.2"
+ - cis: ["1.2"]
 references:
 - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
 - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
@@ -62,7 +62,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
@@ -74,7 +74,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
 compliance:
- - cis: "1.4"
+ - cis: ["1.4"]
 references:
 - https://www.thesafemac.com/tag/xprotect/
 - https://support.apple.com/en-us/HT202491
@@ -90,7 +90,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
@@ -102,7 +102,7 @@ checks:
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
 remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
 compliance:
- - cis: "2.2.1"
+ - cis: ["2.2.1"]
 condition: all
 rules:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
@@ -114,7 +114,7 @@ checks:
 rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network."
 remediation: "1. Run the following command in Terminal: sudo vim /etc/ntp-restrict.conf 2. Add the following lines to the file: restrict lo interface ignore wildcard interface listen lo"
 compliance:
- - cis: "2.2.3"
+ - cis: ["2.2.3"]
 condition: all
 rules:
 - 'f:/etc/ntp-restrict.conf -> r:restrict lo'
@@ -126,7 +126,7 @@ checks:
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
 compliance:
- - cis: "2.4.1"
+ - cis: ["2.4.1"]
 condition: all
 rules:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
@@ -138,7 +138,7 @@ checks:
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
 compliance:
- - cis: "2.4.4"
+ - cis: ["2.4.4"]
 condition: none
 rules:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
@@ -150,7 +150,7 @@ checks:
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
 compliance:
- - cis: "2.4.5"
+ - cis: ["2.4.5"]
 condition: all
 rules:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
@@ -162,7 +162,7 @@ checks:
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
 remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
 compliance:
- - cis: "2.4.8"
+ - cis: ["2.4.8"]
 condition: none
 rules:
 - 'c:launchctl list -> r:AppleFileServer'
@@ -175,7 +175,7 @@ checks:
 rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
 remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
 compliance:
- - cis: "2.5.1"
+ - cis: ["2.5.1"]
 condition: none
 rules:
 - 'c:pmset -c -g -> r:womp && !r:\s0$'
@@ -188,7 +188,7 @@ checks:
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
 compliance:
- - cis: "2.6.1"
+ - cis: ["2.6.1"]
 condition: all
 rules:
 - 'c:diskutil cs list -> r:^Encryption Status && r:Unlocked'
@@ -201,7 +201,7 @@ checks:
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
 remediation: "Run the following command in Terminal: sudo spctl --master-enable"
 compliance:
- - cis: "2.6.2"
+ - cis: ["2.6.2"]
 condition: all
 rules:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
@@ -213,7 +213,7 @@ checks:
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
 compliance:
- - cis: "2.6.3"
+ - cis: ["2.6.3"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -227,7 +227,7 @@ checks:
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
 compliance:
- - cis: "2.6.4"
+ - cis: ["2.6.4"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -241,7 +241,7 @@ checks:
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
 remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 condition: all
 rules:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
@@ -253,7 +253,7 @@ checks:
 rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
 remediation: "Java 6 can be removed completely or, if necessary Java applications will only work with Java 6, a custom path can be used."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'c:java -version -> r:1.6.0'
@@ -265,7 +265,7 @@ checks:
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
 remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'c:launchctl list -> r:com.apple.auditd'
@@ -277,7 +277,7 @@ checks:
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
 remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
 compliance:
- - cis: "3.3"
+ - cis: ["3.3"]
 condition: all
 rules:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
@@ -289,7 +289,7 @@ checks:
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: any
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
@@ -301,7 +301,7 @@ checks:
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot: sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool true"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: none
 rules:
 - 'p:httpd'
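Review bot: The remediation text in the @@ -289 hunk gives a `defaults write` command with no value after the NoMulticastAdvertisements key, so an operator copying it gets an error rather than the setting the rule on the last line expects to read back as 1; the remediation should end with the value, e.g. `... NoMulticastAdvertisements -bool true`, which `defaults read` reports as 1. This is documentation in a context line the commit leaves untouched.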
@@ -314,7 +314,7 @@ checks:
 rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the FTP Server is not running and is not set to start at boot. Stop the ftp Server: sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: none
 rules:
 - 'c:launchctl list -> r:com.apple.ftpd'
@@ -326,7 +326,7 @@ checks:
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
 remediation: "Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 condition: none
 rules:
 - 'p:nfsd'
@@ -340,7 +340,7 @@ checks:
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
 remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
 compliance:
- - cis: "5.7"
+ - cis: ["5.7"]
 condition: all
 rules:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
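Review bot: The NFS remediation in the @@ -326 hunk tells the operator to run `rm /etc/export`, but the exports file nfsd reads is conventionally `/etc/exports` (plural), so the command as written most likely fails with "No such file" and leaves the export list in place; the text should read `rm /etc/exports`, and a word of caution that removing the file drops every export rather than just a stray one would help. This is a documentation-only point on a context line the commit does not modify; please confirm the path against the macOS nfsd man page before changing it.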
@@ -352,7 +352,7 @@ checks:
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
 remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
 compliance:
- - cis: "5.8"
+ - cis: ["5.8"]
 condition: none
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
@@ -364,7 +364,7 @@ checks:
 rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
 remediation: "1. Run the following command in Terminal: The current user will need to log off and on for changes to take effect. defaults write com.apple.screensaver askForPassword -int 1 2. The current user will need to log off and on for changes to take effect."
 compliance:
- - cis: "5.9"
+ - cis: ["5.9"]
 condition: all
 rules:
 - 'c:defaults read com.apple.screensaver askForPassword -> 1'
@@ -376,7 +376,7 @@ checks:
 rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
 remediation: "1. Run the following command in Terminal: sudo vi /etc/pam.d/screensaver 2. Locate \"account required pam_group.so no_warn group=admin,wheel fail_safe\" 3. Remove \"admin,\" 4. Save"
 compliance:
- - cis: "5.11"
+ - cis: ["5.11"]
 condition: none
 rules:
 - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe'
@@ -388,7 +388,7 @@ checks:
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
 remediation: "Perform the following while booted in OS X Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
 compliance:
- - cis: "5.18"
+ - cis: ["5.18"]
 condition: all
 rules:
 - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
@@ -400,7 +400,7 @@ checks:
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
 remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
 compliance:
- - cis: "6.1.3"
+ - cis: ["6.1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
@@ -412,7 +412,7 @@ checks:
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
 remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
 compliance:
- - cis: "6.1.5"
+ - cis: ["6.1.5"]
 condition: none
 rules:
 - 'd:/Users/Guest'
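Review bot: `c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0` requires a literal `0` on stdout; when the key has never been written, `defaults read` reports the missing key as an error and prints nothing on stdout, so under `condition: all` the check fails regardless of whether guest login is actually enabled on that host. Whether the unset key means "guest enabled" on these OS versions should be confirmed; if it does not, a second rule accepting the absent key is needed so the check does not produce a false finding on freshly provisioned machines. The remediation `GuestEnabled - bool NO` also has a stray space in `-bool`, which `defaults` rejects; as operator-facing text it should read `sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO`. The same rule and remediation are repeated in the 10.12 and 10.13 policies.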
@@ -424,7 +424,7 @@ checks:
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
 remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 condition: all
 rules:
 - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
@@ -436,7 +436,7 @@ checks:
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 condition: any
 rules:
 - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index dbd8f9e4a..bcf991d9a 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -35,7 +35,7 @@ checks:
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
 remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
 compliance:
- - cis: "1.1"
+ - cis: ["1.1"]
 condition: all
 rules:
 - 'c:softwareupdate -l -> r:No new software available'
@@ -47,7 +47,7 @@ checks:
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
 compliance:
- - cis: "1.2"
+ - cis: ["1.2"]
 references:
 - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
 - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
@@ -62,7 +62,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
@@ -74,7 +74,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
 compliance:
- - cis: "1.4"
+ - cis: ["1.4"]
 references:
 - https://www.thesafemac.com/tag/xprotect/
 - https://support.apple.com/en-us/HT202491
@@ -90,7 +90,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
@@ -102,7 +102,7 @@ checks:
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
 remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
 compliance:
- - cis: "2.2.1"
+ - cis: ["2.2.1"]
 condition: all
 rules:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
@@ -114,7 +114,7 @@ checks:
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
 compliance:
- - cis: "2.4.1"
+ - cis: ["2.4.1"]
 condition: all
 rules:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
@@ -126,7 +126,7 @@ checks:
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
 compliance:
- - cis: "2.4.4"
+ - cis: ["2.4.4"]
 condition: none
 rules:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
@@ -138,7 +138,7 @@ checks:
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
 compliance:
- - cis: "2.4.5"
+ - cis: ["2.4.5"]
 condition: all
 rules:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
@@ -150,7 +150,7 @@ checks:
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
 remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
 compliance:
- - cis: "2.4.8"
+ - cis: ["2.4.8"]
 condition: none
 rules:
 - 'c:launchctl list -> r:AppleFileServer'
@@ -163,7 +163,7 @@ checks:
 rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
 remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
 compliance:
- - cis: "2.5.1"
+ - cis: ["2.5.1"]
 condition: none
 rules:
 - 'c:pmset -g -> r:womp && !r:\s0$'
@@ -175,7 +175,7 @@ checks:
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
 compliance:
- - cis: "2.6.1.1"
+ - cis: ["2.6.1.1"]
 condition: all
 rules:
 - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
@@ -187,7 +187,7 @@ checks:
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
 remediation: "Run the following command in Terminal: sudo spctl --master-enable"
 compliance:
- - cis: "2.6.2"
+ - cis: ["2.6.2"]
 condition: all
 rules:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
@@ -199,7 +199,7 @@ checks:
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services"
 compliance:
- - cis: "2.6.3"
+ - cis: ["2.6.3"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
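Review bot: The 2.6.3 remediation `defaults write /Library/Preferences/com.apple.alf globalstate - int Where is:` is missing the value placeholder after `-int` (it reads as if a `<value>` token was stripped as markup, though whether that happened in the file or only in this rendering is not visible here) and has a stray space in `-int`; an operator pasting it gets a usage error from `defaults`, and it lacks the `sudo` that writing under `/Library/Preferences` needs. It should read `sudo defaults write /Library/Preferences/com.apple.alf globalstate -int <value>` followed by the existing explanation of 1 and 2. In the 2.5.1 hunk the command is `sudo pmset -a womp 0` but the note then explains the `-c` flag; the command and the note should agree (`-a` applies to all power sources, which is what the note warns about). The rules for 2.6.3 lie outside this hunk.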
@@ -213,7 +213,7 @@ checks:
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
 compliance:
- - cis: "2.6.4"
+ - cis: ["2.6.4"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -227,7 +227,7 @@ checks:
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
 remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 condition: all
 rules:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
@@ -239,7 +239,7 @@ checks:
 rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
 remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming macOS versions so any applications that still require Java 6 will likely soon be unavailable."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'c:java -version -> r:1.6.0'
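Review bot: `c:java -version -> r:1.6.0` only works if stderr is captured: `java -version` prints its version banner to stderr, so if the SCA runner reads stdout alone the regex can never match and `condition: none` passes vacuously on a host whose default `java` is still 1.6. Please confirm the runner merges stderr; if it does not, the rule needs to go through a shell redirect, or match on something that reaches stdout such as `c:/usr/libexec/java_home -V -> r:1.6.0` (also stderr on some versions, so verify). A Mac with no JDK runs Apple's stub `java`, which prints a "No Java runtime present" notice; that is a correct pass here but the description should say so. The same rule is duplicated in the 10.13 policy further down.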
@@ -251,7 +251,7 @@ checks:
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
 remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
 compliance:
- - cis: "3.1"
+ - cis: ["3.1"]
 condition: all
 rules:
 - 'c:launchctl list -> r:com.apple.auditd'
@@ -263,7 +263,7 @@ checks:
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
 remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
@@ -275,7 +275,7 @@ checks:
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
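Review bot: The 4.1 remediation `defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements` has no value argument; `defaults write` requires one, so the command fails as written, and it also needs `sudo` because the target is under `/Library/Preferences`. Since the rule expects `-> 1`, the remediation should be `sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true` (a boolean true reads back as `1`). The 3.2 rule `r:lo && r:ad && r:fd && r:fm && r:-all` is a substring match on any line starting with `flags`, so a commented or `naflags` line is not confused with it only because of the `^flags` anchor; consider anchoring the class names too (e.g. `r:^flags:\S*\blo\b`) if the regex engine supports it, otherwise this is acceptable.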
@@ -287,7 +287,7 @@ checks:
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Stop the Web Server sudo apachectl stop Ensure that the web server will not auto-start at boot sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: none
 rules:
 - 'p:httpd'
@@ -300,7 +300,7 @@ checks:
 rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Stop the ftp Server sudo -s launchctl unload -w /System/Library/LaunchDaemons/ftp.plist"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: none
 rules:
 - 'c:launchctl list -> r:com.apple.ftpd'
@@ -312,7 +312,7 @@ checks:
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
 remediation: "Stop the NFS Server sudo nfsd disable Remove the exported Directory listing rm /etc/export"
 compliance:
- - cis: "4.6"
+ - cis: ["4.6"]
 condition: none
 rules:
 - 'p:nfsd'
@@ -326,7 +326,7 @@ checks:
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
 remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
 compliance:
- - cis: "5.8"
+ - cis: ["5.8"]
 condition: all
 rules:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
@@ -338,7 +338,7 @@ checks:
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
 remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser"
 compliance:
- - cis: "5.9"
+ - cis: ["5.9"]
 condition: none
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
@@ -351,7 +351,7 @@ checks:
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
 remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot."
 compliance:
- - cis: "5.20"
+ - cis: ["5.20"]
 condition: all
 rules:
 - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
@@ -363,7 +363,7 @@ checks:
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
 remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO"
 compliance:
- - cis: "6.1.3"
+ - cis: ["6.1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
@@ -375,7 +375,7 @@ checks:
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
 remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output"
 compliance:
- - cis: "6.1.5"
+ - cis: ["6.1.5"]
 condition: none
 rules:
 - 'd:/Users/Guest'
@@ -387,7 +387,7 @@ checks:
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
 remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true"
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 condition: all
 rules:
 - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
@@ -399,7 +399,7 @@ checks:
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 condition: any
 rules:
 - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index c98b175f8..b3560768f 100644
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -35,7 +35,7 @@ checks:
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
 remediation: "1. In Terminal, run the following: softwareupdate -l 2. In Terminal, run the following for any packages that show up in step 1: sudo softwareupdate -i packagename"
 compliance:
- - cis: "1.1"
+ - cis: ["1.1"]
 condition: all
 rules:
 - 'c:softwareupdate -l -> r:No new software available'
@@ -47,7 +47,7 @@ checks:
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -int 1"
 compliance:
- - cis: "1.2"
+ - cis: ["1.2"]
 references:
 - https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
 - https://derflounder.wordpress.com/2014/12/17/forcing-xprotect-blacklist-updates-on-mavericks-and-yosemite/
@@ -62,7 +62,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable the auto update feature: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdate -bool TRUE The remediation requires a log out and log in to show in the GUI. Please note that."
 compliance:
- - cis: "1.3"
+ - cis: ["1.3"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
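Review bot: `c:softwareupdate -l -> r:No new software available` depends on a live catalog query: on a host without network access or behind a blocked update server the command prints a different message (or nothing) and the check fails, so an offline machine is indistinguishable from an unpatched one, and the query can take tens of seconds per scan, which matters if the SCA runner enforces a per-command timeout (not visible here). That is fail-closed, which is the right default, but the description should state that the check requires reachability of Apple's update servers, e.g. `description: "Requires network access to the software update catalog; offline hosts report as failed."`. The same rule appears in the 10.11 and 10.12 policies.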
@@ -74,7 +74,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate ConfigDataInstall -bool true && sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true"
 compliance:
- - cis: "1.4"
+ - cis: ["1.4"]
 references:
 - https://www.thesafemac.com/tag/xprotect/
 - https://support.apple.com/en-us/HT202491
@@ -90,7 +90,7 @@ checks:
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
 remediation: "Open a terminal session and enter the following command to enable install system data files and security updates: sudo defaults write /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -bool TRUE"
 compliance:
- - cis: "1.5"
+ - cis: ["1.5"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
@@ -103,7 +103,7 @@ checks:
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
 remediation: "Run the following commands: sudo systemsetup -setnetworktimeserver sudo systemsetup -setusingnetworktime on"
 compliance:
- - cis: "2.2.1"
+ - cis: ["2.2.1"]
 condition: all
 rules:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
@@ -115,7 +115,7 @@ checks:
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremoteappleevents off"
 compliance:
- - cis: "2.4.1"
+ - cis: ["2.4.1"]
 condition: all
 rules:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
@@ -127,7 +127,7 @@ checks:
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
 remediation: "Perform the following to implement the prescribed state: 1. Open System Preferences 2. Select Sharing 3. Uncheck Printer Sharing"
 compliance:
- - cis: "2.4.4"
+ - cis: ["2.4.4"]
 condition: none
 rules:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
@@ -139,7 +139,7 @@ checks:
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
 remediation: "Run the following command in Terminal: sudo systemsetup -setremotelogin off"
 compliance:
- - cis: "2.4.5"
+ - cis: ["2.4.5"]
 condition: all
 rules:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
@@ -151,7 +151,7 @@ checks:
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
 remediation: "Run the following command in Terminal to turn off AFP from the command line: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist - Run the following command in Terminal to turn off SMB sharing from the CLI: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"
 compliance:
- - cis: "2.4.8"
+ - cis: ["2.4.8"]
 condition: none
 rules:
 - 'c:launchctl list -> r:AppleFileServer'
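Review bot: The 2.4.8 hunk shows only `c:launchctl list -> r:AppleFileServer`, while the remediation covers both AFP and SMB (`com.apple.smbd`); if the rule list does not continue beyond the hunk with a matching `- 'c:launchctl list -> r:com.apple.smbd'`, SMB sharing goes unaudited and the check passes with file sharing still on. The rules list ends outside this hunk, so please verify rather than take this as a finding. Also note that `launchctl list`, run as the agent user, shows the system domain only when the agent is root; the description should state that assumption.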
@@ -164,7 +164,7 @@ checks:
 rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
 remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
 compliance:
- - cis: "2.5.1"
+ - cis: ["2.5.1"]
 condition: none
 rules:
 - 'c:pmset -g -> r:womp && !r:\s0$'
@@ -176,7 +176,7 @@ checks:
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
 remediation: "1. Open System Preferences 2. Select Security & Privacy 3. Select FileVault 4. Select Turn on FileVault"
 compliance:
- - cis: "2.6.1.1"
+ - cis: ["2.6.1.1"]
 condition: all
 rules:
 - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
@@ -188,7 +188,7 @@ checks:
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
 remediation: "Run the following command in Terminal: sudo spctl --master-enable"
 compliance:
- - cis: "2.6.2"
+ - cis: ["2.6.2"]
 condition: all
 rules:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
@@ -200,7 +200,7 @@ checks:
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.alf globalstate - int Where is: - 1 = on for specific services - 2 = on for essential services "
 compliance:
- - cis: "2.6.3"
+ - cis: ["2.6.3"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
@@ -214,7 +214,7 @@ checks:
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
 remediation: "Run the following command in Terminal: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on"
 compliance:
- - cis: "2.6.4"
+ - cis: ["2.6.4"]
 references:
 - https://support.apple.com/en-us/HT201642
 condition: all
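Review bot: `c:pmset -g -> r:womp && !r:\s0$` under `condition: none` only fails when a line contains `womp` and does not end in ` 0`; `pmset -g` prints the settings of the currently active power source only, so on a laptop on battery a wall-power `womp 1` is not visible and the check passes. Using `c:pmset -g custom` (all power sources) would audit what the remediation `pmset -a womp 0` sets. The 2.6.3 remediation in this file has the same missing `<value>` after `- int` as the 10.12 copy and additionally carries a trailing space inside the quoted string (`essential services "`), which ends up in the operator-facing text.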
@@ -228,7 +228,7 @@ checks:
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
 remediation: "Perform the following to implement the prescribed state: 1. Open Terminal 2. Select Terminal 3. Select Secure Keyboard Entry"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 condition: all
 rules:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
@@ -240,7 +240,7 @@ checks:
 rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
 remediation: "Java 6 can be removed completely or, if required Java applications will only work with Java 6, a custom path can be used. Apple is likely to finally pull the plug on Java 6 in upcoming MacOS versions so any applications that still require Java 6 will likely soon be unavailable."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'c:java -version -> r:1.6.0'
@@ -252,7 +252,7 @@ checks:
 rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
 remediation: "If EFI does not pass the integrity check you may send a report to Apple. Backing up files and clean installing a known good Operating System and Firmware is recommended."
 compliance:
- - cis: "2.13"
+ - cis: ["2.13"]
 condition: all
 rules:
 - 'c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes'
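Review bot: The 2.13 rule `c:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check -> r:Primary allowlist version match found. No changes detected in primary hashes` pins an exact success sentence, so any other outcome — the tool needing root, a Mac model with no allowlist entry, a newer OS wording the message differently — shows up as a firmware-integrity failure rather than as "could not verify". That is fail-closed, which is defensible for a firmware check, but it will generate alerts that operators will read as compromise; the description should say that a failure may also mean the check could not run, and a second rule matching the known "no allowlist" output would let the two cases be told apart if that output is documented. The `-> r:` literal contains a period that is a regex wildcard; anchoring with `^` or escaping `\.` would tighten it slightly.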
@@ -265,7 +265,7 @@ checks:
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
 remediation: "Run the following command in Terminal: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist"
 compliance:
- - cis: "3.1"
+ - cis: ["3.1"]
 condition: all
 rules:
 - 'c:launchctl list -> r:com.apple.auditd'
@@ -277,7 +277,7 @@ checks:
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
 remediation: "1. Open a terminal session and edit the /etc/security/audit_control file 2. Find the line beginning with \"flags\" 3. Add the following flags: lo, ad, fd, fm, -all. 4. Save the file."
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
@@ -289,7 +289,7 @@ checks:
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
@@ -301,7 +301,7 @@ checks:
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the Web Server is not running and is not set to start at boot Stop the Web Server: sudo apachectl stop Ensure that the web server will not auto-start at boot sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: none
 rules:
 - 'p:httpd'
@@ -314,7 +314,7 @@ checks:
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
 remediation: "Ensure that the NFS Server is not running and is not set to start at boot Stop the NFS Server: sudo nfsd disable Remove the exported Directory listing: rm /etc/export"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: none
 rules:
 - 'p:nfsd'
@@ -328,7 +328,7 @@ checks:
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
 remediation: "Open System Preferences, Uses & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User."
 compliance:
- - cis: "5.11"
+ - cis: ["5.11"]
 condition: all
 rules:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
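Review bot: The 4.4 remediation tells the operator to run `sudo: defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled - bool true`, which has a stray colon after `sudo` and a space in `-bool`, and — more importantly — writes under `/System/Library`, which System Integrity Protection refuses on 10.13; since check 5.23 in this same policy requires SIP to be enabled, a compliant host cannot follow this remediation. `sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist` (the form the FTP/AFP remediations already use) persists the disable through launchd's override database without touching the protected plist. The `p:httpd` rule itself only sees a running process, so a web server that is load-on-demand but not currently running passes; that is consistent with the 10.11/10.12 copies and can stay.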
@@ -340,7 +340,7 @@ checks: rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system." remediation: "Run the following command in Terminal: sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser" compliance: - - cis: "5.12" + - cis: ["5.12"] condition: none rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser' @@ -352,7 +352,7 @@ checks: rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP." remediation: "Perform the following while booted in macOS Recovery Partition. 1. Select Terminal from the Utilities menu 2. Run the following command in Terminal: /usr/bin/csrutil enable 3. The output should be: Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect. 4. Reboot." compliance: - - cis: "5.23" + - cis: ["5.23"] condition: all rules: - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled' @@ -364,7 +364,7 @@ checks: rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system." remediation: "Run the following command in Terminal: sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled - bool NO" compliance: - - cis: "6.1.3" + - cis: ["6.1.3"] condition: all rules: - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0' 
@@ -376,7 +376,7 @@ checks: rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately." remediation: "1. Run the following command in Terminal: rm -R /Users/Guest 2. Make sure there is no output" compliance: - - cis: "6.1.5" + - cis: ["6.1.5"] condition: none rules: - 'd:/Users/Guest' @@ -388,7 +388,7 @@ checks: rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files." remediation: "Perform the following to implement the prescribed state: 1. Select Finder 2. Select Preferences 3. Check Show all filename extensions Alternatively, use the following command: defaults write NSGlobalDomain AppleShowAllExtensions -bool true" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: all rules: - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1' @@ -400,7 +400,7 @@ checks: rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input." remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: all rules: - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0' diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml new file mode 100644 index 000000000..ff23ba5d7 
--- /dev/null
+++ b/sca/darwin/web_vulnerabilities.yml
@@ -0,0 +1,145 @@
+# Security Configuration assessment
+# Checks for auditing Mac systems
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+ id: "web_vulnerabilities_mac"
+ file: "web_vulnerabilities.yml"
+ name: "System audit for web-related vulnerabilities"
+ description: "Guidance for establishing a secure configuration for web-related vulnerabilities."
+
+variables:
+ $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini
+ $web_dirs: /Library/WebServer/Documents,/usr/htdocs,/usr/local/var/htdocs,/usr/local/var/www
+
+
+# PHP checks
+checks:
+ - id: 2000
+ title: "PHP - Register globals are enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^register_globals = On'
+ - id: 2001
+ title: "PHP - Expose PHP is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^expose_php = On'
+ - id: 2002
+ title: "PHP - Allow URL fopen is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^allow_url_fopen = On'
+ - id: 2003
+ title: "PHP - Displaying of errors is enabled"
+ condition: any
+ rules:
+ - 'f:$php.ini -> r:^display_errors = On'
+# WEB checks
+ - id: 2004
+ title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.yop$'
+ - id: 2005
+ title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^id$'
+ - id: 2006
+ title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.ssh$'
+ - id: 2007
+ title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^...$'
+ - id: 2008
+ title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.shell$'
+# Outdated Web applications
+ - id: 2009
+ title: "Web vulnerability - Outdated WordPress installation"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2'''
+ - id: 2010
+ title: "Web vulnerability - Outdated Joomla installation"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8'''
+ - id: 2011
+ title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;"
+# Known backdoors
+ - id: 2012
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
+ - id: 2013
+ title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ condition: any
+ rules:
+ - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
+ - id: 2014
+ title: "Web vulnerability - .htaccess file compromised"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google'
+ - id: 2015
+ title: "Web vulnerability - .htaccess file compromised - auto append"
+ compliance:
+ - pci_dss: ["6.5","6.6","11.4"]
+ - nist_800_53: ["SA.11","IA.10"]
+ references:
+ - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
+ condition: any
+ rules:
+ - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file'
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index faff7db87..020b0f3e3 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -36,7 +36,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
- - cis: "2.1"
+ - cis: ["2.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
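Review bot: Rule 2011 in the new web_vulnerabilities.yml keeps a trailing `;` inside its pattern (`r:'osCommerce 2.2-;`) while no other rule in the file ends with one, so the `;` is presumably matched literally and the check can never fire; the line should read `- "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-"`. Rules 2009 and 2010 also use the `IN` keyword and the `>:` comparison, which no other rule in this file or in the CIS hunks of this diff uses, so confirm the SCA rule parser still accepts that form or rewrite them with plain `r:` patterns. None of checks 2000–2015 carries a `description`, `rationale` or `remediation` key, unlike every check in the CIS policies touched by this commit; each should at least state what a match means and how to fix it (e.g. for 2000, `description: "register_globals is enabled in php.ini."` and `remediation: "Set register_globals = Off in php.ini and restart the web server."`). The variable name `$php.ini` also contains a `.`, whereas every other variable in these policies uses only word characters; verify that variable substitution accepts it before relying on the PHP checks.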
@@ -49,7 +49,7 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - - cis: "2.2" + - cis: ["2.2"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -61,7 +61,7 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - - cis: "2.3" + - cis: ["2.3"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -73,7 +73,7 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp" compliance: - - cis: "2.4" + - cis: ["2.4"] condition: all rules: - 'not c:mount -> r:\s/tmp\s' @@ -85,7 +85,7 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.5" + - cis: ["2.5"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
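Review bot: In the cis 2.2 hunk the only visible rule, `'not c:mount -> r:\s/tmp\s'`, is satisfied precisely when /tmp is not a separate mount, which under `condition: all` cannot hold together with a rule that requires `nodev` on that mount; the rest of the rules list is outside the hunk, so either a second rule makes the check unsatisfiable whenever /tmp is mounted, or there is no second rule and the check never looks for `nodev` at all. Please confirm the intended semantics (a `condition: any` over "not mounted" and "mounted with nodev" would express the CIS intent) and document it above the list with a comment such as `# passes when /tmp is not a separate mount, or when it is mounted with nodev`. The same pattern appears in the cis 2.3, 2.4, 2.10, 2.14, 2.15 and 2.16 hunks.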
@@ -98,7 +98,7 @@ checks: rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem." remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0" compliance: - - cis: "2.6" + - cis: ["2.6"] condition: all rules: - 'c:findmnt -> r:/var/tmp && r:[/tmp]' @@ -110,7 +110,7 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.7" + - cis: ["2.7"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -123,7 +123,7 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.8" + - cis: ["2.8"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -136,7 +136,7 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "2.9" + - cis: ["2.9"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -149,7 +149,7 @@ checks: rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home" compliance: - - cis: "2.10" + - cis: ["2.10"] condition: all rules: - 'not c:mount -> r:\s/home\s' @@ -161,7 +161,7 @@ checks: rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" compliance: - - cis: "2.14" + - cis: ["2.14"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' 
@@ -173,7 +173,7 @@ checks: rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm" compliance: - - cis: "2.15" + - cis: ["2.15"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' @@ -185,7 +185,7 @@ checks: rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm. See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm" compliance: - - cis: "2.16" + - cis: ["2.16"] condition: all rules: - 'not c:mount -> r:\s/run/shm\s' @@ -197,7 +197,7 @@ checks: rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - - cis: "2.25" + - cis: ["2.25"] condition: none rules: - 'c:find /etc/rc* -name *autofsc* -> r:S\.' 
@@ -210,7 +210,7 @@ checks: rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." remediation: "Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following to update the grub configuration: # update-grub" compliance: - - cis: "3.3" + - cis: ["3.3"] condition: all rules: - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' @@ -222,7 +222,7 @@ checks: rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root" compliance: - - cis: "3.4" + - cis: ["3.4"] condition: none rules: - 'f:/etc/shadow -> r:^root:*:|^root:!:' @@ -234,7 +234,7 @@ checks: rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0" compliance: - - cis: "4.1" + - cis: ["4.1"] condition: all rules: - 'c:sysctl fs.suid_dumpable -> r:=\s*0$' 
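Review bot: The cis 3.4 rule `'f:/etc/shadow -> r:^root:*:|^root:!:'` uses a bare `*`, which in the regex dialect of these rules is a quantifier (the grub rule in the previous hunk relies on that with `\s*\t*`), so `^root:*:` matches `root::` but not a locked `root:*:` entry; with `condition: none` a root account locked with `*` would therefore go unnoticed and the check passes. If the engine offers no escape for a literal `*`, the `\p` class that the cis 6.15 exim rule in this diff uses looks like the closest fit, e.g. `r:^root:\p:|^root:!:`, with a comment noting that it also matches any other single-punctuation field; confirm against the regex engine before changing it. The line is context rather than part of the `cis` list change, so the defect predates this commit, but the hunk is the natural place to fix it.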
@@ -246,7 +246,7 @@ checks: rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2" compliance: - - cis: "4.3" + - cis: ["4.3"] condition: all rules: - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' @@ -259,7 +259,7 @@ checks: rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." remediation: "Uninstall the nis package: # apt-get purge nis" compliance: - - cis: "5.1.1" + - cis: ["5.1.1"] condition: none rules: - 'c:dpkg -s nis -> r:install ok installed' @@ -270,7 +270,7 @@ checks: rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package." remediation: "Remove or comment out any shell, login, or exec lines in /etc/inetd.conf: #shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd #login stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rlogind #exec stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd" compliance: - - cis: "5.1.2" + - cis: ["5.1.2"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:^shell|^login|^exec' @@ -281,7 +281,7 @@ checks: rationale: "The software presents a security risk as it uses unencrypted protocols for communication." remediation: "Remove or comment out any talk or ntalk lines in /etc/inetd.conf: #talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd #ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd" compliance: - - cis: "5.1.4" + - cis: ["5.1.4"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:^talk|^ntalk' 
@@ -292,7 +292,7 @@ checks: rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." remediation: "Remove or comment out any telnet lines in /etc/inetd.conf: #telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" compliance: - - cis: "5.1.6" + - cis: ["5.1.6"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:telnet' @@ -303,7 +303,7 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Remove or comment out any tftp lines in /etc/inetd.conf: #tftp stream tcp nowait root internal" compliance: - - cis: "5.1.7" + - cis: ["5.1.7"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:tftp' @@ -314,7 +314,7 @@ checks: rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." remediation: "Disable xinetd: # update-rc.d xinetd disable" compliance: - - cis: "5.1.8" + - cis: ["5.1.8"] condition: none rules: - 'c:find /etc/rc* -name *xinetd* -> r:S\.' @@ -325,7 +325,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any chargen lines in /etc/inetd.conf: #chargen stream tcp nowait root internal" compliance: - - cis: "5.2" + - cis: ["5.2"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:chargen' 
@@ -336,7 +336,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any daytime lines in /etc/inetd.conf: #daytime stream tcp nowait root internal" compliance: - - cis: "5.3" + - cis: ["5.3"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:daytime' @@ -347,7 +347,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any echo lines in /etc/inetd.conf: #echo stream tcp nowait root internal" compliance: - - cis: "5.4" + - cis: ["5.4"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:echo' @@ -358,7 +358,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any discard lines in /etc/inetd.conf: #discard stream tcp nowait root internal" compliance: - - cis: "5.5" + - cis: ["5.5"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:discard' @@ -369,7 +369,7 @@ checks: rationale: "Disabling this service will reduce the remote attack surface of the system." remediation: "Remove or comment out any time lines in /etc/inetd.conf: #time stream tcp nowait root internal" compliance: - - cis: "5.6" + - cis: ["5.6"] condition: none rules: - 'f:/etc/inetd.conf -> !r:^# && r:time' @@ -382,7 +382,7 @@ checks: rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface." remediation: "Disable avahi-daemon: # update-rc.d avahi-daemon disable" compliance: - - cis: "6.2" + - cis: ["6.2"] condition: none rules: - 'c:find /etc/rc* -name *avahi-daemon* -> r:S\.' 
@@ -393,7 +393,7 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Disable cups: # update-rc.d cups disable" compliance: - - cis: "6.3" + - cis: ["6.3"] condition: none rules: - 'c:find /etc/rc* -name *cups* -> r:S\.' @@ -406,7 +406,7 @@ checks: references: - "https://www.isc.org/dhcp/" compliance: - - cis: "6.4" + - cis: ["6.4"] condition: none rules: - 'c:find /etc/rc* -name *isc-dhcp-server* -> r:S\.' @@ -417,7 +417,7 @@ checks: rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations." remediation: "Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark." compliance: - - cis: "6.5" + - cis: ["6.5"] references: - http://www.ntp.org/ condition: all @@ -434,7 +434,7 @@ checks: rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface." remediation: "Uninstall the slapd package: # apt-get purge slapd" compliance: - - cis: "6.6" + - cis: ["6.6"] references: - http://www.openldap.org condition: none 
@@ -447,7 +447,7 @@ checks: rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." remediation: "Disable rpcbind: # update-rc.d rpcbind disable Disable nfs-kernel-server: # update-rc.d nfs-kernel-server disable" compliance: - - cis: "6.7" + - cis: ["6.7"] condition: none rules: - 'c:find /etc/rc* -name *rpcbind* -> r:S\.' @@ -459,7 +459,7 @@ checks: rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable bind9: # update-rc.d bind9 disable" compliance: - - cis: "6.8" + - cis: ["6.8"] condition: none rules: - 'c:find /etc/rc* -name *bind9* -> r:S\.' @@ -470,7 +470,7 @@ checks: rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable vsftpd: # update-rc.d vsftpd disable" compliance: - - cis: "6.9" + - cis: ["6.9"] condition: none rules: - 'c:find /etc/rc* -name *vsftpd* -> r:S\.' @@ -481,7 +481,7 @@ checks: rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." remediation: "Disable apache2: # update-rc.d apache2 disable" compliance: - - cis: "6.10" + - cis: ["6.10"] condition: none rules: - 'c:find /etc/rc* -name *apache2* -> r:S\.' 
@@ -492,7 +492,7 @@ checks: rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface." remediation: "Disable dovecot: # update-rc.d dovecot disable" compliance: - - cis: "6.11" + - cis: ["6.11"] condition: none rules: - 'c:find /etc/rc* -name *dovecot* -> r:S\.' @@ -503,7 +503,7 @@ checks: rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." remediation: "Disable samba: # update-rc.d samba disable" compliance: - - cis: "6.12" + - cis: ["6.12"] condition: none rules: - 'c:find /etc/rc* -name *smb* -> r:S\.' @@ -514,7 +514,7 @@ checks: rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." remediation: "Disable squid3: # update-rc.d squid3 disable" compliance: - - cis: "6.13" + - cis: ["6.13"] condition: none rules: - 'c:find /etc/rc* -name *squid3* -> r:S\.' @@ -525,7 +525,7 @@ checks: rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used." remediation: "Disable snmpd: # update-rc.d snmpd disable" compliance: - - cis: "6.14" + - cis: ["6.14"] condition: none rules: - 'c:find /etc/rc* -name *snmpd* -> r:S\.' 
@@ -536,7 +536,7 @@ checks: rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state." remediation: "Edit /etc/exim4/update-exim4.conf.conf and edit the dc_local_interfaces line to remove non loopback addresses: dc_local_interfaces='127.0.0.1 ; ::1' Run update-exim4.conf: # update-exim4.conf Reload exim4 configuration: # service exim4 reload" compliance: - - cis: "6.15" + - cis: ["6.15"] condition: all rules: - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:\p127.0.0.1\s*\p\s*::1\p$|\p::1\s*\p\s*127.0.0.1\p$|\p127.0.0.1\p$|\p::1\p$' @@ -547,7 +547,7 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Set RSYNC_ENABLE to false in /etc/default/rsync: RSYNC_ENABLE=false" compliance: - - cis: "6.16" + - cis: ["6.16"] condition: none rules: - 'c:dpkg -s rsync -> install ok installed' 
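Review bot: The cis 6.16 rule `'c:dpkg -s rsync -> install ok installed'` has no `r:` prefix, whereas the equivalent nis check in this same file (cis 5.1.1) is written `r:install ok installed`; if a pattern without `r:` is compared as a whole line it will never match dpkg's `Status: install ok installed` output, and with `condition: none` the check silently passes even when rsync is installed. The rule also only tests whether the package is installed, while the remediation text asks for `RSYNC_ENABLE=false` in /etc/default/rsync, so a host that followed the remediation would still fail. A rule on the configured state matches the documented remediation better, e.g. `- 'f:/etc/default/rsync -> !r:^# && r:^RSYNC_ENABLE=true'` under the existing `condition: none`, using the `!r:^#` form the inetd checks in this file already use. This is a context line, so the defect predates this commit, but the hunk is the natural place to fix it.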
@@ -561,7 +561,7 @@ checks: rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf: net.ipv4.ip_forward=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.ip_forward=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.1.1" + - cis: ["7.1.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$' @@ -572,7 +572,7 @@ checks: rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.1.2" + - cis: ["7.1.2"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$' 
@@ -584,7 +584,7 @@ checks: rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.1" + - cis: ["7.2.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$' 
@@ -596,7 +596,7 @@ checks: rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.2" + - cis: ["7.2.2"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$' @@ -608,7 +608,7 @@ checks: rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0 # /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.3" + - cis: ["7.2.3"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$' 
@@ -620,7 +620,7 @@ checks: rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.log_martians=1 # /sbin/sysctl -w net.ipv4.conf.default.log_martians=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.4" + - cis: ["7.2.4"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' @@ -632,7 +632,7 @@ checks: rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.5" + - cis: ["7.2.5"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' 
@@ -643,7 +643,7 @@ checks: rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.6" + - cis: ["7.2.6"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' @@ -654,7 +654,7 @@ checks: rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing." remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1 # /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.7" + - cis: ["7.2.7"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$' 
@@ -666,7 +666,7 @@ checks: rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack." remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv4.tcp_syncookies=1 # /sbin/sysctl -w net.ipv4.route.flush=1" compliance: - - cis: "7.2.8" + - cis: ["7.2.8"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$' @@ -677,7 +677,7 @@ checks: rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." remediation: "Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameter to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0 # /sbin/sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "7.3.1" + - cis: ["7.3.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$' 
@@ -689,7 +689,7 @@ checks: rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes." remediation: "Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf: net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 Modify active kernel parameters to match: # /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0 # /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0 # /sbin/sysctl -w net.ipv6.route.flush=1" compliance: - - cis: "7.3.2" + - cis: ["7.3.2"] condition: all rules: - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$' @@ -701,7 +701,7 @@ checks: rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system." remediation: "Create or edit the file /etc/sysctl.conf and add the following lines: net.ipv6.conf.all.disable_ipv6=1 net.ipv6.conf.default.disable_ipv6=1 net.ipv6.conf.lo.disable_ipv6=1 Run the following command or reboot to apply the changes: # sysctl -p" compliance: - - cis: "7.3.3" + - cis: ["7.3.3"] condition: all rules: - 'c:sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$' @@ -717,7 +717,7 @@ checks: rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server." remediation: "Create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system." compliance: - - cis: "7.4.2" + - cis: ["7.4.2"] condition: all rules: - 'f:/etc/hosts.allow' 
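Review bot: The 7.3.3 rule in the `@@ -701` hunk runs `c:sysctl net.ipv6.conf.all.disable_ipv6` without a path, while every other sysctl check in these hunks calls `/sbin/sysctl`, so this single check depends on the agent's PATH and is the only one that could resolve to a different binary. `c:/sbin/sysctl net.ipv6.conf.all.disable_ipv6 -> r:=\s*\t*1$` makes it consistent with the rest. The line is unchanged context in this commit, so this is a follow-up rather than a regression.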
@@ -728,7 +728,7 @@ checks: rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server." remediation: "Create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny" compliance: - - cis: "7.4.4" + - cis: ["7.4.4"] condition: all rules: - 'f:/etc/hosts.deny' @@ -740,7 +740,7 @@ checks: rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface." remediation: "# echo \"install dccp /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - - cis: "7.5.1" + - cis: ["7.5.1"] condition: none rules: - 'c:lsmod -> r:dccp' @@ -751,7 +751,7 @@ checks: rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." remediation: "# echo \"install sctp /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - - cis: "7.5.2" + - cis: ["7.5.2"] condition: none rules: - 'c:lsmod -> r:sctp' @@ -762,7 +762,7 @@ checks: rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." remediation: "# echo \"install rds /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - - cis: "7.5.3" + - cis: ["7.5.3"] condition: none rules: - 'c:lsmod -> r:rds' @@ -773,7 +773,7 @@ checks: rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface." remediation: "# echo \"install tipc /bin/true\" >> /etc/modprobe.d/CIS.conf" compliance: - - cis: "7.5.4" + - cis: ["7.5.4"] condition: none rules: - 'c:lsmod -> r:tipc' 
@@ -784,7 +784,7 @@ checks: rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports." remediation: "Install the iptables and iptables-persistent packages: # apt-get install iptables iptables-persistent Enable the iptables-persistent service: # update-rc.d iptables-persistent enable" compliance: - - cis: "7.7" + - cis: ["7.7"] condition: all rules: - 'c:dpkg -s iptables -> r:install ok installed' @@ -799,7 +799,7 @@ checks: rationale: "If the rsyslog service is not activated the system will not have a syslog service running." remediation: "Enable rsyslog: # update-rc.d rsyslog enable" compliance: - - cis: "8.2.2" + - cis: ["8.2.2"] condition: all rules: - 'c:find /etc/rc* -name *rsyslog* -> r:S\.' @@ -810,7 +810,7 @@ checks: rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system" remediation: "Edit the /etc/rsyslog.conf file and add the following line (where logfile.example.com is the name of your central log host). *.* @@loghost.example.com # Execute the following command to restart rsyslogd # pkill -HUP rsyslogd Note: The double \"at\" sign (@@) directs rsyslog to use TCP to send log messages to the server, which is a more reliable transport mechanism than the default UDP protocol." compliance: - - cis: "8.2.5" + - cis: ["8.2.5"] references: - rsyslog.conf(5) man page condition: all 
@@ -823,7 +823,7 @@ checks: rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the following lines: $ModLoad imtcp.so $InputTCPServerRun 514 Execute the following command to restart rsyslogd: # pkill -HUP rsyslogd" compliance: - - cis: "8.2.6" + - cis: ["8.2.6"] references: - rsyslog.conf(8) man page condition: all @@ -839,7 +839,7 @@ checks: rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them." remediation: "Enable cron: # update-rc.d cron enable Enable anacron: # update-rc.d anacron enable" compliance: - - cis: "9.1.1" + - cis: ["9.1.1"] condition: all rules: - 'c:find /etc/rc* -name *cron* -> r:S\.' @@ -851,7 +851,7 @@ checks: rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." remediation: "# /bin/rm /etc/cron.deny # /bin/rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" compliance: - - cis: "9.1.8" + - cis: ["9.1.8"] condition: all rules: - 'f:/etc/cron.allow' 
@@ -867,7 +867,7 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "1) Install the libpam-cracklib package: # apt-get install libpam-cracklib 2) Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password: password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1" compliance: - - cis: "9.2.1" + - cis: ["9.2.1"] condition: all rules: - 'c:dpkg -s libpam-cracklib -> install ok installed' @@ -879,7 +879,7 @@ checks: rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." remediation: "Edit the /etc/pam.d/login file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900 Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user." compliance: - - cis: "9.2.2" + - cis: ["9.2.2"] condition: all rules: - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny=\d && r:unlock_time=\d\d\d+' 
@@ -890,7 +890,7 @@ checks: rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." remediation: "Set the pam_unix.so remember parameter to 5 in /etc/pam.d/common-password: password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5 Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy." compliance: - - cis: "9.2.3" + - cis: ["9.2.3"] condition: all rules: - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5' @@ -901,7 +901,7 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "9.3.1" + - cis: ["9.3.1"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' @@ -912,7 +912,7 @@ checks: rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO" compliance: - - cis: "9.3.2" + - cis: ["9.3.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO' 
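Review bot: The 9.3.1 rule in the `@@ -901` hunk, `!r:^# && r:Protocol\s*\t*2`, is also satisfied by a `Protocol 2,1` line, which still enables SSHv1, so the check can report compliant on a non-compliant sshd_config. Anchoring the value closes that: `r:^\s*Protocol\s*\t*2$` (the file already uses `$` and `^\s*` anchors in other rules). This line is context the commit leaves untouched, so it is a follow-up rather than something the change introduced.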
@@ -923,7 +923,7 @@ checks: rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no" compliance: - - cis: "9.3.4" + - cis: ["9.3.4"] condition: all rules: - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no' @@ -934,7 +934,7 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "9.3.5" + - cis: ["9.3.5"] condition: all rules: - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -945,7 +945,7 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "9.3.6" + - cis: ["9.3.6"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' @@ -956,7 +956,7 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "9.3.7" + - cis: ["9.3.7"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' 
@@ -967,7 +967,7 @@ checks: rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "9.3.8" + - cis: ["9.3.8"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' @@ -978,7 +978,7 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "9.3.9" + - cis: ["9.3.9"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' @@ -989,7 +989,7 @@ checks: rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" compliance: - - cis: "9.3.10" + - cis: ["9.3.10"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' 
@@ -1000,7 +1000,7 @@ checks: rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: ClientAliveInterval 300 ClientAliveCountMax 0" compliance: - - cis: "9.3.12" + - cis: ["9.3.12"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300' @@ -1012,7 +1012,7 @@ checks: rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " compliance: - - cis: "9.3.13" + - cis: ["9.3.13"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' @@ -1023,7 +1023,7 @@ checks: rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" compliance: - - cis: "9.3.14" + - cis: ["9.3.14"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' 
@@ -1034,7 +1034,7 @@ checks: rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid 2) Once this is done, create a comma separated list of users in the wheel statement in the /etc/group file." compliance: - - cis: "9.5" + - cis: ["9.5"] condition: all rules: - 'f:/etc/pam.d/su -> !r:^# && r:auth && r:required && r:pam_wheel.so && r:use_uid' @@ -1048,7 +1048,7 @@ checks: rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs: PASS_MAX_DAYS 90 Modify user parameters for all users with a password set to match: # chage --maxdays 90 " compliance: - - cis: "10.1.1" + - cis: ["10.1.1"] condition: all rules: - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' @@ -1059,7 +1059,7 @@ checks: rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7 Modify user parameters for all users with a password set to match: # chage --mindays 7 " compliance: - - cis: "10.1.2" + - cis: ["10.1.2"] condition: all rules: - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' 
@@ -1070,7 +1070,7 @@ checks: rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7 Modify user parameters for all users with a password set to match: # chage --warndays 7 " compliance: - - cis: "10.1.3" + - cis: ["10.1.3"] condition: all rules: - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare >= 7' @@ -1081,7 +1081,7 @@ checks: rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." remediation: "# usermod -g 0 root" compliance: - - cis: "10.3" + - cis: ["10.3"] condition: all rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' @@ -1092,7 +1092,7 @@ checks: rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." remediation: "Edit the /etc/bash.bashrc and /etc/profile.d/cis.sh files (and the appropriate files for any other shell supported on your system) and add the following the UMASK parameter as shown: umask 077" compliance: - - cis: "10.4" + - cis: ["10.4"] condition: all rules: - 'c:grep -Rh ^umask[[:space:]][[:space:]]*077 /etc/profile.d/ -> !r:^# && r:umask\s*\t*077' 
@@ -1104,7 +1104,7 @@ checks: rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." remediation: "# useradd -D -f 35" compliance: - - cis: "10.5" + - cis: ["10.5"] condition: all rules: - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' @@ -1116,7 +1116,7 @@ checks: rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." remediation: "# touch /etc/motd # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue.net # chown root:root /etc/motd # chmod 644 /etc/motd # chown root:root /etc/issue # chmod 644 /etc/issue # chown root:root /etc/issue.net # chmod 644 /etc/issue.net" compliance: - - cis: "11.1" + - cis: ["11.1"] condition: all rules: - 'f:/etc/motd' @@ -1132,7 +1132,7 @@ checks: rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." remediation: "Edit the /etc/motd, /etc/issue and /etc/issue.net files and remove any lines containing \\m, \\r, \\s or \\v." compliance: - - cis: "11.2" + - cis: ["11.2"] condition: none rules: - 'f:/etc/issue -> r:\v|\r|\m|\s' 
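Review bot: In the 11.2 rule of the `@@ -1132` hunk, `r:\v|\r|\m|\s`, the last alternative `\s` is the whitespace class this file uses everywhere else (`\s*\t*`), so any /etc/issue line containing a space trips this `condition: none` check — a false positive for nearly every banner. The remediation text shows the intent is the literal agetty escape sequences `\m`, `\r`, `\s`, `\v`, which means the backslash has to be matched literally; how the SCA regex engine escapes a backslash, and whether `\v`, `\r` and `\m` are defined at all, should be confirmed before relying on the first three alternatives. The check's rule list may continue past the end of the hunk.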
@@ -1147,7 +1147,7 @@ checks: rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # /usr/bin/passwd -l Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." compliance: - - cis: "13.1" + - cis: ["13.1"] condition: none rules: - 'f:/etc/shadow -> r:^\w+::' @@ -1158,7 +1158,7 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Delete these entries if they exist." compliance: - - cis: "13.2" + - cis: ["13.2"] condition: none rules: - 'f:/etc/passwd -> !r:^# && r:^+:' @@ -1169,7 +1169,7 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Delete these entries if they exist." compliance: - - cis: "13.3" + - cis: ["13.3"] condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' @@ -1179,7 +1179,7 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Delete these entries if they exist." compliance: - - cis: "13.4" + - cis: ["13.4"] condition: none rules: - 'f:/etc/group -> !r:^# && r:^+:' 
@@ -1190,18 +1190,51 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." remediation: "Delete any other entries that are displayed." compliance: - - cis: "13.5" + - cis: ["13.5"] condition: none rules: - - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' + - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' - - id: 10598 + - id: 10600 + title: "Check for Presence of User .rhosts Files" + description: "While no .rhosts files are shipped by default, users can easily create them." + rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." + remediation: "If any users have .rhosts files determine why they have them." + compliance: + - cis: ["13.10"] + condition: none + rules: + - 'd:/home -> r:^.rhosts$' + + - id: 10601 + title: "Check for Presence of User .netrc Files" + description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." + rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems." + remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy." 
+ compliance: + - cis: ["13.18"] + condition: none + rules: + - 'd:/home -> r:^.netrc$' + + - id: 10602 + title: "Check for Presence of User .forward Files" + description: "The .forward file specifies an email address to forward the user's mail to." + rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions." + remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy." + compliance: + - cis: ["13.19"] + condition: none + rules: + - 'd:/home -> r:^.forward$' + + - id: 10603 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." compliance: - - cis: "13.20" + - cis: ["13.20"] condition: none rules: - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml index 40872af96..de64b8610 100644 --- a/sca/debian/cis_debian7_L2.yml +++ b/sca/debian/cis_debian7_L2.yml 
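Review bot: The rewritten 13.5 rule `'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'` negates the root exclusion with `not r:` inside a `&&` chain, while the same rule uses the `!r:` prefix for its other negated term (`!r:^#`) and the old line used `!r:^root:`; unless the engine accepts `not` inside a composite rule, the exclusion is either ignored or unparseable, and root itself then trips this `condition: none` check on every host. It should read `- 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'`. In the new 10600-10602 checks, `d:/home -> r:^.rhosts$` (and the .netrc/.forward twins) uses a bare `.`, which is a wildcard if this dialect treats it as any character, so `xrhosts` would match too; and walking only `/home` misses root's home and any non-default home directory listed in /etc/passwd, which the benchmark's audit enumerates — assuming `d:` recurses into subdirectories at all, which the hunk does not show. A second rule `- 'd:/root -> r:^.rhosts$'` and a comment stating the `/home` assumption would at least make the coverage explicit.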
@@ -36,7 +36,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs /bin/true"
 compliance:
- - cis: "2.18"
+ - cis: ["2.18"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
@@ -48,7 +48,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install freevxfs /bin/true"
 compliance:
- - cis: "2.19"
+ - cis: ["2.19"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
@@ -60,7 +60,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install jffs2 /bin/true"
 compliance:
- - cis: "2.20"
+ - cis: ["2.20"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
@@ -72,7 +72,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfs /bin/true"
 compliance:
- - cis: "2.21"
+ - cis: ["2.21"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
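Review bot: Each of the four hunks on this line (2.18-2.21) passes on `install <fs> /bin/true` in `modprobe -n -v` output alone, which only proves the override is configured; a module loaded before the modprobe.d file was written stays resident, and the benchmark's audit also requires the module to be absent from `lsmod`. If the rules list ends where each hunk does, add a loaded-module test under the existing `condition: all`, e.g. `- 'not c:lsmod -> r:^cramfs'` (mirrored for freevxfs, jffs2 and hfs), assuming the engine supports a leading `not` on a command rule. The `r:^install /bin/true` match is also an exact string, so a site that achieves the same effect with `/bin/false` or `/usr/bin/true` is reported as failing; a comment on the check noting that choice would save a support question.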
@@ -84,7 +84,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install hfsplus /bin/true"
 compliance:
- - cis: "2.22"
+ - cis: ["2.22"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
@@ -96,7 +96,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install squashfs /bin/true"
 compliance:
- - cis: "2.23"
+ - cis: ["2.23"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true'
@@ -108,7 +108,7 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "Edit or create the file /etc/modprobe.d/CIS.conf and add the following line: install udf /bin/true"
 compliance:
- - cis: "2.24"
+ - cis: ["2.24"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true'
@@ -122,7 +122,7 @@ checks: rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." remediation: "Install apparmor and apparmor-utils if missing (additional profiles can be found in the apparmor-profiles package): # apt-get install apparmor apparmor-profiles apparmor-utils Add apparmor=1 and security=apparmor to GRUB_CMDLINE_LINUX in /etc/default/grub: GRUB_CMDLINE_LINUX=\"apparmor=1 security=apparmor\"Update grub configuration (reboot will be required to apply changes): # update-grub Set all profiles to enforce mode: # aa-enforce /etc/apparmor.d/* Any unconfined processes may need to have a profile created or activated for them and then be restarted." compliance: - - cis: "4.5" + - cis: ["4.5"] condition: all rules: - 'c:apparmor_status -> n:^(\d+)\s*profiles are loaded compare > 0' @@ -136,7 +136,7 @@ checks: rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." remediation: "Set the max_log_file parameter in /etc/audit/auditd.conf max_log_file = Note: MB is the number of MegaBytes the file can be." compliance: - - cis: "8.1.1.1" + - cis: ["8.1.1.1"] condition: all rules: - 'd:/etc/audit' @@ -149,7 +149,7 @@ checks: rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." remediation: "Add the following lines to the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - - cis: "8.1.1.2" + - cis: ["8.1.1.2"] condition: all rules: - 'd:/etc/audit' 
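Review bot: The 4.5 rule `n:^(\d+)\s*profiles are loaded compare > 0` passes as long as any AppArmor profile is loaded, even when every profile is in complain mode and the remediation's `aa-enforce` step was never run, so the check does not establish the enforcing state its rationale depends on. If the rules list ends where the hunk does, add under the existing `condition: all` the lines `- 'c:apparmor_status -> n:^(\d+)\s*profiles are in enforce mode compare > 0'` and `- 'c:apparmor_status -> n:^(\d+)\s*processes are unconfined compare == 0'`, which match the `apparmor_status` summary lines. The 8.1.1.1 and 8.1.1.2 hunks on this line show only `d:/etc/audit` as a rule, which says nothing about `max_log_file` or `space_left_action`; the same caveat applies if nothing follows those hunks.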
@@ -164,7 +164,7 @@ checks: rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." remediation: "Add the following line to the /etc/audit/auditd.conf file. max_log_file_action = keep_logs" compliance: - - cis: "8.1.1.3" + - cis: ["8.1.1.3"] condition: all rules: - 'd:/etc/audit' @@ -177,7 +177,7 @@ checks: rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." remediation: "Install auditd: # apt-get install auditd If needed enable auditd in /etc/rc*.d: # update-rc.d auditd enable" compliance: - - cis: "8.1.2" + - cis: ["8.1.2"] condition: all rules: - 'c:dpkg -s auditd -> r:install ok installed' @@ -189,7 +189,7 @@ checks: rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." remediation: "Edit /etc/default/grub to include audit=1 as part of GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\"And run the following command to update the grub configuration: # update-grub" compliance: - - cis: "8.1.3" + - cis: ["8.1.3"] condition: all rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*' 
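Review bot: The 8.1.3 rule `r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*` allows only punctuation (the opening quote) between `=` and `audit`, so it fails on any kernel line where `audit=1` is not the first parameter — including `GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor audit=1"`, which is exactly what applying this file's own 4.5 remediation and then this one produces, and the common `"quiet audit=1"`. Allow arbitrary preceding parameters, e.g. `r:^GRUB_CMDLINE_LINUX\s*=\s*\p*\.*audit\s*=\s*1`, assuming `\.*` is the dialect's any-character repetition. /etc/default/grub also records intent rather than the running state; a second rule on `/proc/cmdline` for `audit=1` would confirm the reboot the remediation mentions actually happened.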
@@ -200,7 +200,7 @@ checks: rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -w /etc/localtime -p wa -k time-change # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.4" + - cis: ["8.1.4"] condition: all rules: - 'd:/etc/audit' @@ -217,7 +217,7 @@ checks: rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.5" + - cis: ["8.1.5"] condition: all rules: - 'd:/etc/audit' 
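Review bot: The 8.1.4 and 8.1.5 remediation strings end with `# pkill -P 1-HUP auditd`, which pkill rejects (`-P` takes a parent-PID list and `1-HUP` is not one); later audit hunks in this file spell it correctly as `# pkill -HUP -P 1 auditd`, so normalise these two (the same typo recurs in the 8.1.6 and 8.1.14 text) while the compliance lines are being touched. The only visible rule for both checks is `d:/etc/audit`, which proves the directory exists; if the rules list continues past the hunk with matches for `-k time-change` / `-k identity` in `/etc/audit/audit.rules` that is fine, otherwise both checks pass on a host with no audit rules at all.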
@@ -234,7 +234,7 @@ checks: rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.6" + - cis: ["8.1.6"] condition: all rules: - 'f:/etc/audit' 
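Review bot: The 8.1.6 rule is `f:/etc/audit`, whereas every other audit hunk in this file uses `d:/etc/audit` for the same path; `/etc/audit` is a directory, so if the `f:` rule type requires a regular file this check fails on every host regardless of configuration, and if it merely stats the path the inconsistency still invites that confusion. Change it to `- 'd:/etc/audit'` to match the sibling checks. Either way, existence of the directory does not show that the `-w /etc/issue`, `-w /etc/hosts` and `-w /etc/network` watches from the remediation are present; if the rules list ends with this line, a content rule on `/etc/audit/audit.rules` keyed on `system-locale` is needed for the check to mean anything.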
@@ -252,7 +252,7 @@ checks: rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." remediation: "Add the following lines to the /etc/audit/audit.rules file. Add the following lines to /etc/audit/audit.rules -w /etc/selinux/ -p wa -k MAC-policy # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.7" + - cis: ["8.1.7"] condition: all rules: - 'd:/etc/audit' @@ -265,7 +265,7 @@ checks: rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." remediation: "Add the following lines to the /etc/audit/audit.&& r:rules file. -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.8" + - cis: ["8.1.8"] condition: all rules: - 'd:/etc/audit' @@ -280,7 +280,7 @@ checks: rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)" compliance: - - cis: "8.1.9" + - cis: ["8.1.9"] condition: all rules: - 'd:/etc/audit' 
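Review bot: In the 8.1.8 hunk the remediation string reads `Add the following lines to the /etc/audit/audit.&& r:rules file.` — a stray rule fragment (`&& r:`) has been pasted into the prose where `/etc/audit/audit.rules` belongs, and operators see it verbatim in the report. Since this commit already touches that check's compliance entry, fix the string here: `remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/faillog -p wa -k logins ..."` (rest unchanged). The 8.1.7 hunk's remediation on the same line also repeats "Add the following lines to the /etc/audit/audit.rules file" twice back to back and names `/etc/selinux/`, which on an AppArmor-based Debian 7 host will not exist; a short note that the path is the SELinux variant would avoid confusion.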
@@ -295,7 +295,7 @@ checks: rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 \\ -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \\ lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.10" + - cis: ["8.1.10"] condition: all rules: - 'd:/etc/audit' 
@@ -313,7 +313,7 @@ checks: rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate \\ -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.11" + - cis: ["8.1.11"] condition: all rules: - 'd:/etc/audit' 
@@ -329,7 +329,7 @@ checks: rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." remediation: "For 64 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following lines to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.13" + - cis: ["8.1.13"] condition: all rules: - 'd:/etc/audit' 
@@ -343,7 +343,7 @@ checks: rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." remediation: "At a minimum, configure the audit system to collect file deletion events for all users and root. For 64 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -HUP -P 1 auditd For 32 bit systems, add the following to the /etc/audit/audit.rules file. -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 \\ -F auid!=4294967295 -k delete # Execute the following command to restart auditd # pkill -P 1-HUP auditd" compliance: - - cis: "8.1.14" + - cis: ["8.1.14"] condition: all rules: - 'd:/etc/audit' @@ -357,7 +357,7 @@ checks: rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /etc/sudoers -p wa -k scope # Execute the following command to restart auditd # pkill -HUP -P 1 auditd" compliance: - - cis: "8.1.15" + - cis: ["8.1.15"] condition: all rules: - 'd:/etc/audit' 
@@ -370,7 +370,7 @@ checks: rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /var/log/sudo.log -p wa -k actions # Execute the following command to restart auditd # pkill -HUP -P 1 auditd Note: The system must be configured with su disabled (See Item 9.5 Restrict Access to the su Command) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root" compliance: - - cis: "8.1.16" + - cis: ["8.1.16"] condition: all rules: - 'd:/etc/audit' @@ -383,7 +383,7 @@ checks: rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules." remediation: "Add the following lines to the /etc/audit/audit.rules file. -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules For 32 bit systems, add -a always,exit -F arch=b32 -S init_module -S delete_module -k modules For 64 bit systems, add -a always,exit -F arch=b64 -S init_module -S delete_module -k modules" compliance: - - cis: "8.1.17" + - cis: ["8.1.17"] condition: all rules: - 'd:/etc/audit' 
@@ -399,7 +399,7 @@ checks:
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
 remediation: "Add the following lines to the /etc/audit/audit.rules file. -e 2 Note: This must be the last line in the /etc/audit/audit.rules file"
 compliance:
- - cis: "8.1.18"
+ - cis: ["8.1.18"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -413,7 +413,7 @@ checks:
 rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
 remediation: "Install AIDE: # apt-get install aide Initialize AIDE: # aideinit # cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db Note: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times. Run /usr/sbin/prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE."
 compliance:
- - cis: "8.3.1"
+ - cis: ["8.3.1"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -424,7 +424,7 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
- - cis: "8.3.2"
+ - cis: ["8.3.2"]
 condition: all
 rules:
 - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*--check'
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index bad2e62a3..d658bf4c9 100644
--- a/sca/debian/cis_debian8_L1.yml
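Review bot: The 8.3.2 check only inspects `/etc/crontab` for `/usr/sbin/aide --check`, but its own remediation tells the operator to run `crontab -u root -e`, which writes root's per-user crontab (`/var/spool/cron/crontabs/root` on Debian), so a host fixed exactly as instructed still reports as failing. Either point the remediation at /etc/crontab or accept both locations by switching to `condition: any` and adding `- 'f:/var/spool/cron/crontabs/root -> r:\s*\t*/usr/sbin/aide\s*\t*--check'`. The 8.1.18 hunk on this line checks `d:/etc/audit` only; if no rule after the hunk looks for `-e 2` as the last line of audit.rules, the immutable-mode check is vacuous, and a comment should say so.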
+++ b/sca/debian/cis_debian8_L1.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 2) Run the following command to unload the cramfs module: # rmmod cramfs"
 compliance:
- - cis: "1.1.1.1"
- - cis_csc: "13"
+ - cis: ["1.1.1.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
@@ -47,8 +47,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install freevxfs /bin/true. 2) Run the following command to unload the freevxfs module: # rmmod freevxfs"
 compliance:
- - cis: "1.1.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.2"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
@@ -60,8 +60,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install jffs2 /bin/true. 2) Run the following command to unload the jffs2 module: # rmmod jffs2"
 compliance:
- - cis: "1.1.1.3"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.1.3"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
@@ -73,8 +73,8 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfs /bin/true. 2) Run the following command to unload the hfs module: # rmmod hfs" compliance: - - cis: "1.1.1.4" - - cis_csc: "13, 5.1" + - cis: ["1.1.1.4"] + - cis_csc: ["13","5.1"] condition: all rules: - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' @@ -86,8 +86,8 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfsplus /bin/true. 2) Run the following command to unload the hfsplus module: # rmmod hfsplus" compliance: - - cis: "1.1.1.5" - - cis_csc: "13, 5.1" + - cis: ["1.1.1.5"] + - cis_csc: ["13","5.1"] condition: all rules: - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' @@ -99,8 +99,8 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install squashfs /bin/true. 2) Run the following command to unload the squashfs module: # rmmod squashfs" compliance: - - cis: "1.1.1.6" - - cis_csc: "13" + - cis: ["1.1.1.6"] + - cis_csc: ["13"] condition: all rules: - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' 
@@ -112,8 +112,8 @@ checks: rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it." remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install udf /bin/true. 2) Run the following command to unload the udf module: # rmmod udf" compliance: - - cis: "1.1.1.7" - - cis_csc: "13, 5.1" + - cis: ["1.1.1.7"] + - cis_csc: ["13","5.1"] condition: all rules: - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true' @@ -126,8 +126,8 @@ checks: rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." compliance: - - cis: "1.1.2" - - cis_csc: "13, 5.1" + - cis: ["1.1.2"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ 
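Review bot: The 1.1.2 remediation string in the second hunk contains `systemctl umask tmp.mount`, which is not a systemctl verb and fails for anyone following it; the intended sequence is `systemctl unmask tmp.mount; systemctl enable tmp.mount`. Since the commit already touches this check, correct the string here (and `appropiate` → `appropriate` in the same sentence). The check's rules list lies outside the hunk, so I cannot tell whether it verifies a separate /tmp via `mount` output or via /etc/fstab; if it relies on fstab alone, the systemd tmp.mount route the remediation itself recommends would be reported as non-compliant, which is worth confirming.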
@@ -141,8 +141,8 @@ checks: rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp" compliance: - - cis: "1.1.3" - - cis_csc: "13, 5.1" + - cis: ["1.1.3"] + - cis_csc: ["13","5.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -153,8 +153,8 @@ checks: rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp" compliance: - - cis: "1.1.4" - - cis_csc: "13, 5.1" + - cis: ["1.1.4"] + - cis_csc: ["13","5.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -165,8 +165,8 @@ checks: rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp." remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" compliance: - - cis: "1.1.7" - - cis_csc: "13, 5.1" + - cis: ["1.1.7"] + - cis_csc: ["13","5.1"] condition: all rules: - 'c:mount -> r:\s/var/tmp\s && r:nodev' 
@@ -177,8 +177,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
 compliance:
- - cis: "1.1.8"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.8"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
@@ -189,8 +189,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
 compliance:
- - cis: "1.1.9"
- - cis_csc: "2, 2.6"
+ - cis: ["1.1.9"]
+ - cis_csc: ["2","2.6"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:noexec'
@@ -201,8 +201,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.13"
- - cis_csc: "13, 15.1, 5.1"
+ - cis: ["1.1.13"]
+ - cis_csc: ["13","15.1","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -213,8 +213,8 @@ checks:
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.14"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.14"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -225,8 +225,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.15"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.15"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -237,8 +237,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm"
 compliance:
- - cis: "1.1.16"
- - cis_csc: "13, 5.1"
+ - cis: ["1.1.16"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -249,8 +249,8 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
- - cis: "1.1.21"
- - cis_csc: "8.3, 8.4, 8.5"
+ - cis: ["1.1.21"]
+ - cis_csc: ["8.3","8.4","8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -262,8 +262,8 @@ checks:
 rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
 remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
 compliance:
- - cis: "1.3.1"
- - cis_csc: "3.5, 14.9"
+ - cis: ["1.3.1"]
+ - cis_csc: ["3.5","14.9"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -274,8 +274,8 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
- - cis: "1.3.2"
- - cis_csc: "3.5, 14.9"
+ - cis: ["1.3.2"]
+ - cis_csc: ["3.5","14.9"]
 condition: all
 rules:
 - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
@@ -287,8 +287,8 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "1) Create an encrypted password with grub-md5-crypt: # grub-mkpasswd-pbkdf2 Enter password: Reenter password: Your PBKDF2 is 2) Add the following into /etc/grub.d/00_header or a custom /etc/grub.d configuration file: cat <\" password_pbkdf2 EOF Unless the --unrestricted option is added to CLASS in /etc/grub.d/10_linux a password will be required to boot in addition to editing boot parameters: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" 3) Run the following to update the grub configuration: # update-grub"
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
@@ -300,8 +300,8 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
 compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
+ - cis: ["1.4.3"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^root:*:|^root:!:'
@@ -313,8 +313,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to the /etc/security/limits.conf file. * hard core 0 Add the following line to the /etc/sysctl.conf file: fs.suid_dumpable = 0 and set the active kernel parameter."
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
@@ -327,8 +327,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.3, 8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.3","8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
@@ -341,8 +341,8 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
 remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
 compliance:
- - cis: "1.7.1.2"
- - cis_csc: "13, 5.1"
+ - cis: ["1.7.1.2"]
+ - cis_csc: ["13","5.1"]
 condition: none
 rules:
 - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian'
@@ -369,8 +369,8 @@ checks:
 rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd: # apt-get remove xinetd"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:dpkg -s xinetd -> r:install ok installed'
@@ -381,8 +381,8 @@ checks:
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
 remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
@@ -394,8 +394,8 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Remediation: Install ntp: # apt-get install ntp Ensure the following lines are in /etc/ntp.conf: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Also, make sure /etc/ntp.conf has at least one NTP server specified: server Note: is the IP address or hostname of a trusted time server. Configuring an NTP server is outside the scope of this benchmark."
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
 references:
 - http://www.ntp.org/
 condition: all
@@ -412,8 +412,8 @@ checks:
 rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
 remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server "
 compliance:
- - cis: "2.2.1.3"
- - cis_csc: "6.1"
+ - cis: ["2.2.1.3"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
@@ -424,8 +424,8 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
 remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
@@ -436,8 +436,8 @@ checks:
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
- - cis: "2.2.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.4"]
+ - cis_csc: ["9.1","9.2"]
 references:
 - https://www.cups.org
 condition: none
@@ -452,8 +452,8 @@ checks:
 references:
 - https://www.isc.org/dhcp/
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
@@ -465,8 +465,8 @@ checks:
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable slapd: # systemctl disable slapd"
 compliance:
- - cis: "2.2.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.6"]
+ - cis_csc: ["9.1","9.2"]
 references:
 - https://www.openldap.org
 condition: none
@@ -479,8 +479,8 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
@@ -492,8 +492,8 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable named: # systemctl disable bind9"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
@@ -504,8 +504,8 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
@@ -516,8 +516,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2: # systemctl disable apache2"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
@@ -541,8 +541,8 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable smbd: # systemctl disable smbd"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
@@ -553,8 +553,8 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -565,8 +565,8 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
@@ -577,8 +577,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsync: # systemctl disable rsync"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1, 9.2"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
@@ -602,8 +602,8 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Uninstall the nis package: # apt-get remove nis"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2, 2.6"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2","2.6"]
 condition: none
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
@@ -614,8 +614,8 @@ checks:
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
 remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
 compliance:
- - cis: "2.3.2"
- - cis_csc: "3.4, 4.5"
+ - cis: ["2.3.2"]
+ - cis_csc: ["3.4","4.5"]
 condition: none
 rules:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
@@ -627,8 +627,8 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to uninstall talk: apt-get remove talk"
 compliance:
- - cis: "2.3.3"
- - cis_csc: "2, 2.6"
+ - cis: ["2.3.3"]
+ - cis_csc: ["2","2.6"]
 condition: none
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
@@ -639,8 +639,8 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
 remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
 compliance:
- - cis: "2.3.4"
- - cis_csc: "3.4, 4.5"
+ - cis: ["2.3.4"]
+ - cis_csc: ["3.4","4.5"]
 condition: none
 rules:
 - 'c:dpkg -s telnet -> r:install ok installed'
@@ -652,8 +652,8 @@ checks:
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
@@ -667,8 +667,8 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
@@ -682,8 +682,8 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
@@ -701,8 +701,8 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -720,8 +720,8 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
@@ -735,8 +735,8 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6, 6.2, 6.3"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6","6.2","6.3"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
@@ -750,8 +750,8 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
@@ -763,8 +763,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
@@ -776,8 +776,8 @@ checks:
 rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
@@ -791,8 +791,8 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
@@ -804,8 +804,8 @@ checks:
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.9"
- - cis_csc: "3, 11, 5.1"
+ - cis: ["3.2.9"]
+ - cis_csc: ["3","11","5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
@@ -819,8 +819,8 @@ checks:
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
 remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
 compliance:
- - cis: "3.3.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["3.3.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.allow'
@@ -831,8 +831,8 @@ checks:
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
 remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
 compliance:
- - cis: "3.3.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["3.3.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.deny'
@@ -844,8 +844,8 @@ checks:
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
 compliance:
- - cis: "3.4.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
@@ -857,8 +857,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
 compliance:
- - cis: "3.4.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
@@ -870,8 +870,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
 compliance:
- - cis: "3.4.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
@@ -883,8 +883,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
 compliance:
- - cis: "3.4.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["3.4.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v tipc -> r:install /bin/true'
@@ -898,8 +898,8 @@ checks: rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." compliance: - - cis: "3.5.1.1" - - cis_csc: "9.1, 9.4" + - cis: ["3.5.1.1"] + - cis_csc: ["9.1","9.4"] condition: all rules: - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP' @@ -912,8 +912,8 @@ checks: rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage." remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well." compliance: - - cis: "3.5.2.1" - - cis_csc: "9.1, 9.4" + - cis: ["3.5.2.1"] + - cis_csc: ["9.1","9.4"] condition: all rules: - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP' 
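Review bot: The 3.5.1.1 default-deny hunk checks only the INPUT chain (`c:iptables -L -> r:^Chain INPUT && r:policy DROP`), while the remediation text in the same hunk sets DROP on INPUT, OUTPUT and FORWARD, so a host with INPUT DROP and FORWARD/OUTPUT ACCEPT still passes. Since the check already uses `condition: all`, two more rules close the gap: `- 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP'` and `- 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP'`. The 3.5.2.1 ip6tables hunk on the same line has the identical gap and takes the same two rules with `ip6tables`.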
@@ -926,8 +926,8 @@ checks: rationale: "iptables is required for firewall management and configuration." remediation: "Run the following command to install iptables: # apt-get install iptables" compliance: - - cis: "3.5.3" - - cis_csc: "9.2, 9.4" + - cis: ["3.5.3"] + - cis_csc: ["9.2","9.4"] condition: all rules: - 'c:dpkg -s iptables -> r:install ok installed' @@ -939,8 +939,8 @@ checks: rationale: "If the rsyslog service is not activated the system will not have a syslog service running." remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog" compliance: - - cis: "4.2.1.1" - - cis_csc: "6.2, 6.3" + - cis: ["4.2.1.1"] + - cis_csc: ["6.2","6.3"] condition: all rules: - 'c:systemctl is-enabled rsyslog -> r:^enabled' @@ -951,8 +951,8 @@ checks: rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system." remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - - cis: "4.2.1.4" - - cis_csc: "6.6, 6.8" + - cis: ["4.2.1.4"] + - cis_csc: ["6.6","6.8"] references: - rsyslog.conf(5) man page condition: all 
@@ -965,8 +965,8 @@ checks: rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location." remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - - cis: "4.2.1.5" - - cis_csc: "9.1, 9.2" + - cis: ["4.2.1.5"] + - cis_csc: ["9.1","9.2"] references: - rsyslog.conf(8) man page condition: all @@ -981,8 +981,8 @@ checks: rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them." remediation: "Run the following command to enable cron: systemctl enable cron" compliance: - - cis: "5.1.1" - - cis_csc: "6, 5.1" + - cis: ["5.1.1"] + - cis_csc: ["6","5.1"] condition: all rules: - 'c:systemctl is-enabled cron -> r:^enabled$' 
@@ -993,8 +993,8 @@ checks: rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files." remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow" compliance: - - cis: "5.1.8" - - cis_csc: "16" + - cis: ["5.1.8"] + - cis_csc: ["16"] condition: all rules: - 'f:/etc/cron.allow' @@ -1010,8 +1010,8 @@ checks: rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users." remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config" compliance: - - cis: "5.2.1" - - cis_csc: "5.1" + - cis: ["5.2.1"] + - cis_csc: ["5.1"] condition: all rules: - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600' @@ -1022,8 +1022,8 @@ checks: rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" compliance: - - cis: "5.2.4" - - cis_csc: "3.4, 4.5" + - cis: ["5.2.4"] + - cis_csc: ["3.4","4.5"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' 
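Review bot: In the 5.2.4 Protocol hunk at the end of this line, `r:Protocol\s*\t*2` also matches `Protocol 2,1`, which keeps SSHv1 negotiable — exactly the state the check exists to flag. Anchoring the value to the end of the line makes the match exact: `- 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*Protocol\s*\t*2\s*$'`. The earlier hunks on this line (cron.allow, sshd_config ownership/permissions) look fine as they are.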
@@ -1036,8 +1036,8 @@ checks: references: - https://www.ssh.com/ssh/sshd_config/ compliance: - - cis: "5.2.5" - - cis_csc: "16, 6.2, 6.3" + - cis: ["5.2.5"] + - cis_csc: ["16","6.2","6.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE' @@ -1048,8 +1048,8 @@ checks: rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no" compliance: - - cis: "5.2.6" - - cis_csc: "16, 9.2" + - cis: ["5.2.6"] + - cis_csc: ["16","9.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' @@ -1060,8 +1060,8 @@ checks: rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4" compliance: - - cis: "5.2.7" - - cis_csc: "16, 16.13" + - cis: ["5.2.7"] + - cis_csc: ["16","16.13"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -1072,8 +1072,8 @@ checks: rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" compliance: - - cis: "5.2.8" - - cis_csc: "9, 9.2" + - cis: ["5.2.8"] + - cis_csc: ["9","9.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes' 
@@ -1084,8 +1084,8 @@ checks: rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - - cis: "5.2.9" - - cis_csc: "9, 16.3" + - cis: ["5.2.9"] + - cis_csc: ["9","16.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' @@ -1096,8 +1096,8 @@ checks: rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" compliance: - - cis: "5.2.10" - - cis_csc: "5.8, 4.3" + - cis: ["5.2.10"] + - cis_csc: ["5.8","4.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' @@ -1110,8 +1110,8 @@ checks: rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" compliance: - - cis: "5.2.11" - - cis_csc: "16, 16.3" + - cis: ["5.2.11"] + - cis_csc: ["16","16.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' 
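Review bot: The 5.2.10 hunk's rule `r:PermitRootLogin\s+no` passes as soon as any uncommented line matches, but sshd honours the first occurrence of a directive, so a file with `PermitRootLogin yes` followed later by `PermitRootLogin no` — or a `Match` block that re-enables it — passes the check while root login stays enabled. The same first-match caveat applies to every other sshd_config regex check in this policy. Where the agent can run the daemon, the effective configuration is the more reliable source: `- 'c:sshd -T -> r:^permitrootlogin no'` (sshd -T prints keywords in lower case); otherwise the limitation should at least be stated in the check's description.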
@@ -1122,8 +1122,8 @@ checks: rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no" compliance: - - cis: "5.2.12" - - cis_csc: "16, 5.1" + - cis: ["5.2.12"] + - cis_csc: ["16","5.1"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' @@ -1134,8 +1134,8 @@ checks: rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0" compliance: - - cis: "5.2.16" - - cis_csc: "16.4, 16.11" + - cis: ["5.2.16"] + - cis_csc: ["16.4","16.11"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0' 
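Review bot: The 5.2.16 idle-timeout hunk only checks ClientAliveInterval, although its rationale and remediation both require ClientAliveCountMax as well; with ClientAliveInterval 300 and ClientAliveCountMax left at OpenSSH's default of 3, a session can sit idle for 15 minutes and the check still passes. Since the check is already `condition: all`, a second rule closes this: `- 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'`, with the bound tightened to 0 where the site policy follows the remediation text literally. The `compare != 0` term on the existing rule is what rejects a disabled timeout, so it should be kept if the rule is restructured.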
@@ -1147,8 +1147,8 @@ checks: rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups " compliance: - - cis: "5.2.18" - - cis_csc: "5.1, 5.8, 4.3" + - cis: ["5.2.18"] + - cis_csc: ["5.1","5.8","4.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' @@ -1159,8 +1159,8 @@ checks: rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net" compliance: - - cis: "5.2.19" - - cis_csc: "5.1" + - cis: ["5.2.19"] + - cis_csc: ["5.1"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue' 
@@ -1173,8 +1173,8 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol." compliance: - - cis: "5.3.1" - - cis_csc: "5.7, 16.12, 4.4" + - cis: ["5.3.1"] + - cis_csc: ["5.7","16.12","4.4"] condition: all rules: - 'c:dpkg -s libpam-pwquality -> r:install ok installed' 
@@ -1191,8 +1191,8 @@ checks: rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems." remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the \"audit\" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization." compliance: - - cis: "5.3.2" - - cis_csc: "16.7" + - cis: ["5.3.2"] + - cis_csc: ["16.7"] condition: all rules: - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+' @@ -1203,8 +1203,8 @@ checks: rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system." remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here." compliance: - - cis: "5.3.3" - - cis_csc: "16" + - cis: ["5.3.3"] + - cis_csc: ["16"] condition: all rules: - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5' 
@@ -1217,8 +1217,8 @@ checks: rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password." compliance: - - cis: "5.4.1.1" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.1"] + - cis_csc: ["4.4","16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365' @@ -1229,8 +1229,8 @@ checks: rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password." compliance: - - cis: "5.4.1.2" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.2"] + - cis_csc: ["4.4","16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' 
@@ -1241,8 +1241,8 @@ checks: rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password." compliance: - - cis: "5.4.1.3" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.3"] + - cis_csc: ["4.4","16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7' @@ -1253,8 +1253,8 @@ checks: rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting." compliance: - - cis: "5.4.1.4" - - cis_csc: "4.4, 16" + - cis: ["5.4.1.4"] + - cis_csc: ["4.4","16"] condition: all rules: - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30' @@ -1265,8 +1265,8 @@ checks: rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root" compliance: - - cis: "5.4.3" - - cis_csc: "5, 5.1" + - cis: ["5.4.3"] + - cis_csc: ["5","5.1"] condition: all rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' 
@@ -1277,8 +1277,8 @@ checks: rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." remediation: "1) Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so 2) Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root, Notes: The use_uid option to pam_wheel.so is a no-op on debian based systems. It is acceptable but not required as these systems use its behavior as default." compliance: - - cis: "5.6" - - cis_csc: "5.1" + - cis: ["5.6"] + - cis_csc: ["5.1"] condition: all rules: - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so' @@ -1292,8 +1292,8 @@ checks: rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off." compliance: - - cis: "6.2.1" - - cis_csc: "16, 4.4" + - cis: ["6.2.1"] + - cis_csc: ["16","4.4"] condition: none rules: - 'f:/etc/shadow -> r:^\w+::' @@ -1304,8 +1304,8 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/passwd if they exist." compliance: - - cis: "6.2.2" - - cis_csc: "16.9, 16.2" + - cis: ["6.2.2"] + - cis_csc: ["16.9","16.2"] condition: none rules: - 'f:/etc/passwd -> !r:^# && r:^+:' 
@@ -1316,8 +1316,8 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/shadow if they exist." compliance: - - cis: "6.2.3" - - cis_csc: "16.9, 16.2" + - cis: ["6.2.3"] + - cis_csc: ["16.9","16.2"] condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' @@ -1328,8 +1328,8 @@ checks: rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." remediation: "Remove any legacy + entries from /etc/group if they exist." compliance: - - cis: "6.2.4" - - cis_csc: "16.9, 16.2" + - cis: ["6.2.4"] + - cis_csc: ["16.9","16.2"] condition: none rules: - 'f:/etc/group -> !r:^# && r:^+:' @@ -1340,8 +1340,8 @@ checks: rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate." compliance: - - cis: "6.2.5" - - cis_csc: "5.1" + - cis: ["6.2.5"] + - cis_csc: ["5.1"] condition: none rules: - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:' 
@@ -1352,8 +1352,8 @@ checks: rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group." compliance: - - cis: "6.2.20" - - cis_csc: "5.1" + - cis: ["6.2.20"] + - cis_csc: ["5.1"] condition: none rules: - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+' diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 6e2fd9789..72f6ff664 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -34,8 +34,8 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.5" - - cis_csc: "13, 5.1" + - cis: ["1.1.5"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -48,8 +48,8 @@ checks: rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: "1.1.6" - - cis_csc: "13, 5.1" + - cis: ["1.1.6"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -62,8 +62,8 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.10" - - cis_csc: "6.3, 6.4" + - cis: ["1.1.10"] + - cis_csc: ["6.3","6.4"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -76,8 +76,8 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.11" - - cis_csc: "6.3, 6.4" + - cis: ["1.1.11"] + - cis_csc: ["6.3","6.4"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -90,8 +90,8 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions." compliance: - - cis: "1.1.12" - - cis_csc: "13, 5.1" + - cis: ["1.1.12"] + - cis_csc: ["13","5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -104,8 +104,8 @@ checks: rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." remediation: "Disable autofs: # update-rc.d autofs disable" compliance: - - cis: "1.1.21" - - cis_csc: "8.3, 8.4, 8.5" + - cis: ["1.1.21"] + - cis_csc: ["8.3","8.4","8.5"] condition: none rules: - 'c:systemctl is-enabled autofs -> r:^enabled' 
@@ -117,8 +117,8 @@ checks: rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" compliance: - - cis: "1.6.3" - - cis_csc: "14.4, 14.6" + - cis: ["1.6.3"] + - cis_csc: ["14.4","14.6"] condition: any rules: - 'c:dpkg -s selinux-basics -> r:install ok installed' @@ -132,8 +132,8 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis: "2.2.4" - - cis_csc: "9.1, 9.2" + - cis: ["2.2.4"] + - cis_csc: ["9.1","9.2"] references: - 'https://www.cups.org' condition: none @@ -148,8 +148,8 @@ checks: rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes." compliance: - - cis: "4.1.1.1" - - cis_csc: "6.3, 6.4" + - cis: ["4.1.1.1"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'd:/etc/audit' @@ -162,8 +162,8 @@ checks: rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - - cis: "4.1.1.2" - - cis_csc: "6.3, 6.4" + - cis: ["4.1.1.2"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'd:/etc/audit' 
@@ -178,8 +178,8 @@ checks: rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs" compliance: - - cis: "4.1.1.3" - - cis_csc: "6.3, 6.4" + - cis: ["4.1.1.3"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'd:/etc/audit' @@ -192,8 +192,8 @@ checks: rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." remediation: "Run the following command to enable auditd: # systemctl enable auditd" compliance: - - cis: "4.1.2" - - cis_csc: "6.2, 6.3" + - cis: ["4.1.2"] + - cis_csc: ["6.2","6.3"] condition: all rules: - 'c:systemctl is-enabled auditd -> r:^enabled' @@ -204,8 +204,8 @@ checks: rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." compliance: - - cis: "4.1.3" - - cis_csc: "6.2, 6.3" + - cis: ["4.1.3"] + - cis_csc: ["6.2","6.3"] condition: all rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' 
@@ -216,8 +216,8 @@ checks: rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change" compliance: - - cis: "4.1.4" - - cis_csc: "3.6, 5.5" + - cis: ["4.1.4"] + - cis_csc: ["3.6","5.5"] condition: all rules: - 'd:/etc/audit' @@ -234,8 +234,8 @@ checks: rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: "4.1.5" - - cis_csc: "5.4, 4.8" + - cis: ["4.1.5"] + - cis_csc: ["5.4","4.8"] condition: all rules: - 'd:/etc/audit' 
@@ -252,8 +252,8 @@ checks:
 rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.6"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.6"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -271,8 +271,8 @@ checks:
 rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.7"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.7"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -286,8 +286,8 @@ checks:
 rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.7"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.7"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -301,9 +301,9 @@ checks:
 rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.8"
- - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13"
- condition: all
+ - cis: ["4.1.8"]
+ - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
+ condition: all&& r:
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
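Review bot: The new `condition` line in the 4.1.8 hunk (the third hunk on this line) reads `+ condition: all&& r:`, which is not one of the `all`/`any`/`none` values every neighbouring check uses, and the trailing `r:` is a dangling mapping indicator that a YAML parser will reject or mis-nest under `condition`. The practical effect is that the login-events check is silently dropped or evaluated with an unrecognised condition, so the audit-rule coverage it is meant to verify goes untested. It looks like a fragment of a rule expression (`&& r:`) was pasted onto the condition line while the compliance lists were being reformatted; restore it to `condition: all` to match the sibling hunks. The check itself (its `id`, `title` and `description`) begins above this hunk, and its remaining `-w /var/log/...` rule lines continue below it.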
@@ -317,8 +317,8 @@ checks:
 rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.9"
- - cis_csc: "5.5, 16.10, 16.4, 4.9, 16.11, 16.13"
+ - cis: ["4.1.9"]
+ - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -333,8 +333,8 @@ checks:
 rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.10"
- - cis_csc: "3.6, 5.5"
+ - cis: ["4.1.10"]
+ - cis_csc: ["3.6","5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -352,8 +352,8 @@ checks:
 rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.11"
- - cis_csc: "14.6, 14.9"
+ - cis: ["4.1.11"]
+ - cis_csc: ["14.6","14.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -369,8 +369,8 @@ checks:
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.13"
- - cis_csc: "13, 5.1"
+ - cis: ["4.1.13"]
+ - cis_csc: ["13","5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -384,8 +384,8 @@ checks:
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.14"
- - cis_csc: "13"
+ - cis: ["4.1.14"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -399,8 +399,8 @@ checks:
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
 remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.15"
- - cis_csc: "5.4, 4.8"
+ - cis: ["4.1.15"]
+ - cis_csc: ["5.4","4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -414,8 +414,8 @@ checks:
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.16"
- - cis_csc: "5.1, 5.5, 4.9"
+ - cis: ["4.1.16"]
+ - cis_csc: ["5.1","5.5","4.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -428,8 +428,8 @@ checks:
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.17"
- - cis_csc: "3, 5.1"
+ - cis: ["4.1.17"]
+ - cis_csc: ["3","5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -445,8 +445,8 @@ checks:
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
 remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
 compliance:
- - cis: "4.1.18"
- - cis_csc: "3, 6, 6.2, 6.3"
+ - cis: ["4.1.18"]
+ - cis_csc: ["3","6","6.2","6.3"]
 condition: all
 rules:
 - 'd:/etc/audit'
diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml
new file mode 100644
index 000000000..36a02ba05
--- /dev/null
+++ b/sca/debian/cis_debian_linux_rcl.yml
@@ -0,0 +1,517 @@
+# Security Configuration assessment
+# CIS Checks for Debian/Ubuntu
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Based on:
+# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
+# Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018
+# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015
+
+policy:
+ id: "cis_debian"
+ file: "cis_debian_linux_rcl.yml"
+ name: "CIS benchmark for Debian/Linux"
+ description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux systems running on x86 and x64 platforms. Many lists are included including filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions and additional similar items may exist which should be considered in addition to those explicitly mentioned."
+ references:
+ - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+ title: "Check Debian version"
+ description: "Requirements for running the SCA scan against Debian/Ubuntu."
+ condition: all
+ rules:
+ - 'f:/etc/debian_version'
+ - 'f:/proc/sys/kernel/ostype -> Linux'
+
+checks:
+# Section 1.1 - Filesystem Configuration
+ - id: 5000
+ title: "Ensure /tmp is configured"
+ description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp."
+ remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.2"]
+ references:
+ - https://tldp.org/HOWTO/LVM-HOWTO/
+ - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/tmp\s'
+
+ - id: 5001
+ title: "Ensure nodev option set on /tmp partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ."
+ remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/tmp\s && r:nodev'
+
+ - id: 5002
+ title: "Ensure separate partition exists for /var"
+ description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
+ rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.6"]
+ references:
+ - https://tldp.org/HOWTO/LVM-HOWTO/
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var\s'
+
+ - id: 5003
+ title: "Ensure separate partition exists for /var/tmp"
+ description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
+ rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
+ remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.7"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var/tmp\s'
+
+ - id: 5004
+ title: "Ensure nodev option set on /var/tmp partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.8"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/var/tmp\s && r:nodev'
+
+ - id: 5005
+ title: "Ensure nodev option set on /home partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/home\s && r:nodev'
+
+ - id: 5006
+ title: "Ensure nodev option set on /dev/shm partition"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.14"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/dev/shm\s && r:nodev'
+
+ - id: 5007
+ title: "Ensure nosuid option set on /dev/shm partition"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.15"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
+
+ - id: 5008
+ title: "Ensure noexec option set on /dev/shm partition"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.1.16"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/dev/shm\s && r:noexec'
+
+# Section 1.7 - Warning banners
+ - id: 5009
+ title: "Ensure GDM login banner is configured"
+ description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
+ rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
+ remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["1.7.2"]
+ - pci_dss: ["2.2.2"]
+ condition: all
+ rules:
+ - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
+ - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true'
+ - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
+
+# Section 2 - Filesystem Configuration - Debian 7
+ - id: 5010
+ title: "Add nodev option to /run/shm Partition"
+ description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
+ rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["2.14"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/run/shm\s && r:nodev'
+
+ - id: 5011
+ title: "Add nosuid option to /run/shm Partition"
+ description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["2.15"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/run/shm\s && r:nosuid'
+
+ - id: 5012
+ title: "Add noexec option to /run/shm Partition"
+ description: "Set noexec on the shared memory partition to prevent programs from executing from there."
+ rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["2.16"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/run/shm\s && r:noexec'
+
+# Section 2.1 - Inetd services
+ - id: 5013
+ title: "Ensure inetd is not installed"
+ description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
+ rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
+ remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.1.2"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:dpkg -s inetutils-inetd -> r:install ok installed'
+ - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
+
+# Section 2.2 - Special purpose services
+ - id: 5014
+ title: "Ensure FTP Server is not enabled"
+ description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
+ rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.9"]
+ - pci_dss: ["2.2.3"]
+ condition: any
+ rules:
+ - 'c:systemctl is-enabled vsftpd -> r:disabled'
+
+ - id: 5015
+ title: "Ensure IMAP and POP3 server is not enabled"
+ description: "exim is an open source IMAP and POP3 server for Linux based systems."
+ rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
+ remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.11"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:dpkg -s exim4 -> install ok installed'
+
+ - id: 5017
+ title: "Ensure Samba is not enabled"
+ description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
+ rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable smbd: # systemctl disable smbd"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.12"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled smb -> r:^enabled'
+
+ - id: 5018
+ title: "Ensure NFS and RPC are not enabled"
+ description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
+ rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
+ remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.7"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled nfs-server -> r:^enabled'
+ - 'c:systemctl is-enabled rpcbind -> r:^enabled'
+
+ - id: 5019
+ title: "Ensure NIS Server is not enabled"
+ description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
+ rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
+ remediation: "Run the following command to disable nis: # systemctl disable nis"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.17"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled nis -> r:^enabled'
+
+ - id: 5020
+ title: "Ensure HTTP server is not enabled"
+ description: "HTTP or web servers provide the ability to host web site content."
+ rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable apache2: # systemctl disable apache2"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.10"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled apache2 -> r:^enabled'
+
+ - id: 5021
+ title: "Ensure DNS Server is not enabled"
+ description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
+ rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable named: # systemctl disable bind9"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.8"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled bind9 -> r:^enabled'
+
+ - id: 5022
+ title: "Ensure HTTP Proxy Server is not enabled"
+ description: "Squid is a standard proxy server used in many distributions and environments."
+ rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
+ remediation: "Run the following command to disable squid: # systemctl disable squid"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.13"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:systemctl is-enabled squid -> r:^enabled'
+
+# Section 2.3 - Service clients
+ - id: 5023
+ title: "Ensure rsh client is not installed"
+ description: "The rsh package contains the client commands for the rsh services."
+ rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ."
+ remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
+ compliance:
+ - cis_csc: ["2.6","4.5"]
+ - cis: ["2.3.2"]
+ - pci_dss: ["2.2.2"]
+ condition: none
+ rules:
+ - 'c:dpkg -s rsh-client -> install ok installed'
+ - 'c:dpkg -s rsh-redone-client -> install ok installed'
+
+ - id: 5024
+ title: "Ensure telnet client is not installed"
+ description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
+ remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
+ compliance:
+ - cis_csc: ["2.6","4.5"]
+ - cis: ["2.3.4"]
+ - pci_dss: ["2.2.3"]
+ condition: none
+ rules:
+ - 'c:dpkg -s telnet -> install ok installed'
+
+# Section 3.1 - Network Parameters (Host Only)
+ - id: 5025
+ title: "Ensure IPv4 forwarding is disabled"
+ description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["3.1.1"]
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$'
+
+ - id: 5026
+ title: "Ensure IPv6 forwarding is disabled"
+ description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not."
+ rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
+ remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["3.1.1"]
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$'
+
+# Section 3.2 - Network Parameters (Host and Router)
+ - id: 5027
+ title: "Ensure source routed packets are not accepted"
+ description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
+ rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["3.2.1"]
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
+ - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
+
+ - id: 5028
+ title: "Ensure broadcast ICMP requests are ignored"
+ description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
+ rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
+ remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1"
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["3.2.5"]
+ condition: all
+ rules:
+ - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
+ - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1'
+
+# Section 5.2 - SSH Server Configuration
+ - id: 5029
+ title: "Ensure SSH Protocol is set to 2"
+ description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
+ rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
+ compliance:
+ - cis_csc: ["14.4"]
+ - cis: ["5.2.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
+
+ - id: 5030
+ title: "Ensure SSH IgnoreRhosts is enabled"
+ description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
+ rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
+ compliance:
+ - cis_csc: ["9.2"]
+ - cis: ["5.2.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes'
+
+ - id: 5031
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - cis_csc: ["16.3"]
+ - cis: ["5.2.9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no'
+
+ - id: 5032
+ title: "Ensure SSH root login is disabled"
+ description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
+ rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
+ compliance:
+ - cis_csc: ["4.3"]
+ - cis: ["5.2.10"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no'
+
+ - id: 5033
+ title: "Ensure SSH PermitEmptyPasswords is disabled"
+ description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
+ rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
+ compliance:
+ - cis_csc: ["16.3"]
+ - cis: ["5.2.11"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no'
+
+# Section 6.2 - User and Group Settings
+ - id: 5034
+ title: "Ensure password fields are not empty"
+ description: "An account with an empty password field means that anybody may log in as that user without providing a password."
+ rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
+ remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
+ compliance:
+ - cis_csc: ["4.4"]
+ - cis: ["6.2.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+::'
+
+ - id: 5035
+ title: "Ensure root is the only UID 0 account"
+ description: "Any account with UID 0 has superuser privileges on the system."
+ rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
+ remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
+ compliance:
+ - cis_csc: ["5.1"]
+ - cis: ["6.2.5"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
+ condition: none
+ rules:
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml
new file mode 100644
index 000000000..d89930110
--- /dev/null
+++ b/sca/generic/system_audit_pw.yml
@@ -0,0 +1,160 @@
+# Security Configuration assessment
+# Checks for Password Security on Linux Systems
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+# Mostly based on
+# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
+# Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017
+# Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017
+# OSSEC v3.2.0
+
+policy:
+ id: "system_audit_pw"
+ file: "system_audit_pw.yml"
+ name: "System audit for password-related vulnerabilities"
+ description: "Guidance for establishing a secure configuration for password vulnerabilities."
+ references:
+ - https://www.cisecurity.org/cis-benchmarks/
+
+requirements:
+ title: "Check that password-related files are present on the system"
+ description: "Requirements for running the SCA scan against the password-related policy."
+ condition: any
+ rules:
+ - 'f:/etc/passwd'
+ - 'f:/etc/shadow'
+
+variables:
+ $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
+
+checks:
+# 5.3 Configure PAM
+ - id: 13000
+ title: "Ensure password creation requirements are configured"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: all
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass'
+ - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
+
+ - id: 13001
+ title: "Ensure passwords are longer than 13 characters"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
+
+ - id: 13002
+ title: "Ensure passwords contain at least one digit"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1'
+
+ - id: 13003
+ title: "Ensure passwords contain at least one lowercase character"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1'
+
+ - id: 13004
+ title: "Ensure passwords contain at least one uppercase character"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1'
+
+ - id: 13005
+ title: "Ensure passwords contain at least one special character"
+ description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
+ rationale: "Strong passwords protect systems from being hacked through brute force methods."
+ remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
+ compliance:
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4","5.7","16.12"]
+ references:
+ - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+ condition: any
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1'
+
+ - id: 13006
+ title: "Ensure password hashing algorithm is SHA-512"
+ description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
+ rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
+ remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512"
+ compliance:
+ - cis: ["5.3.4"]
+ - cis_csc: ["16.14"]
+ condition: any
+ rules:
+ - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512'
+
+ - id: 13007
+ title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256"
+ description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5."
+ rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
+ remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256."
+ references:
+ - https://linux-audit.com/password-security-with-linux-etc-shadow-file/
+ - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html
+ condition: none
+ rules:
+ - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$'
+
+# 5.4 User accounts and Environment
+ - id: 13008
+ title: "Ensure password expiration is 365 days or less"
+ description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
+ rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
+ remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)."
+ compliance:
+ - cis: ["5.4.1.1"]
+ - cis_csc: ["4.4","16"]
+ references:
+ - https://www.thegeekdiary.com/understanding-etclogin-defs-file
+ condition: any
+ rules:
+ - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52'
+ - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
new file mode 100644
index 000000000..e57c4cb96
--- /dev/null
+++ b/sca/generic/system_audit_ssh.yml
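Review bot: Check 13000's second rule compares the captured `retry=(\d+)` with `compare < 3`, so a PAM line carrying the benchmark's own recommended `retry=3` fails the check while only `retry=1` or `retry=2` pass; the intended bound is presumably `compare <= 3`. The same hunk declares `$pam_d_files` with the RHEL and SUSE PAM paths, yet no rule uses it — every rule in checks 13000–13006 reads only `/etc/pam.d/common-password`, so on the RHEL 7 and SLES 12 systems named in the header these checks fail regardless of the actual PAM configuration. Checks 13001–13005 additionally key on `pam_cracklib.so` alone, so a `pam_pwquality.so` based policy is never recognized even though the descriptions name both modules. In check 13007 the alternative `^\w+:\$md5\$` appears twice in the regex.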
@@ -0,0 +1,137 @@
+# Security Configuration assessment
+# Checks for SSH hardening
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+
+policy:
+ id: "system_audit_ssh"
+ file: "system_audit_ssh.yml"
+ name: "System audit for SSH hardening"
+ description: "Guidance for establishing a secure configuration for SSH service vulnerabilities."
+ references:
+ - https://www.ssh.com/ssh/
+
+requirements:
+ title: "Check that the SSH service is installed on the system"
+ description: "Requirements for running the SCA scan against the SSH policy."
+ condition: all
+ rules:
+ - 'f:/etc/ssh/sshd_config'
+
+variables:
+ $sshd_file: /etc/ssh/sshd_config
+
+checks:
+ - id: 1500
+ title: "SSH Hardening - 1: Port should not be 22"
+ description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections."
+ rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
+ remediation: "Change the Port option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'
+
+ - id: 1501
+ title: "SSH Hardening - 2: Protocol should not be 1"
+ description: "The SSH protocol should not be 1."
+ rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses."
+ remediation: "Change the Protocol option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$'
+
+ - id: 1502
+ title: "SSH Hardening - 3: Root account should not be able to log in"
+ description: "The option PermitRootLogin should be set to no."
+ rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses."
+ remediation: "Change the PermitRootLogin option value in the sshd_config file."
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no'
+
+ - id: 1503
+ title: "SSH Hardening - 4: No Public Key authentication"
+ description: "The option PubkeyAuthentication should be set yes."
+ rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password."
+ remediation: "Change the PubkeyAuthentication option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes'
+
+ - id: 1504
+ title: "SSH Hardening - 5: Password Authentication should be disabled"
+ description: "The option PasswordAuthentication should be set to no."
+ rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords."
+ remediation: "Change the PasswordAuthentication option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no'
+
+ - id: 1505
+ title: "SSH Hardening - 6: Empty passwords should not be allowed"
+ description: "The option PermitEmptyPasswords should be set to no."
+ rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice."
+ remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no'
+
+ - id: 1506
+ title: "SSH Hardening - 7: Rhost or shost should not be used for authentication"
+ description: "The option IgnoreRhosts should be set to yes."
+ rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication."
+ remediation: "Change the IgnoreRhosts option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes'
+
+ - id: 1507
+ title: "SSH Hardening - 8: Grace Time should be 30 or less."
+ description: "The option LoginGraceTime should be set to 30 or less."
+ rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate."
+ remediation: "Change the LoginGraceTime option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30'
+
+ - id: 1508
+ title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts"
+ description: "The option MaxAuthTries should be set to 4 or less."
+ rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
+ remediation: "Change the MaxAuthTries option value in the sshd_config file."
+ compliance:
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4'
+
+ - id: 1509
+ title: "Ensure SSH HostbasedAuthentication is disabled"
+ description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
+ rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
+ remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
+ compliance:
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
+ condition: all
+ rules:
+ - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml
index 9745a648f..b1195ffdc 100644
--- a/sca/rhel/5/cis_rhel5_linux.yml
+++ b/sca/rhel/5/cis_rhel5_linux.yml
@@ -41,7 +41,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
 remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /tmp . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.1"
+ - cis: ["1.1.1"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 - CCE-14161-4
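Review bot: Check 1500's rule `!r:^# && r:Port && !r:\D22\D*$` is unanchored, so any non-comment line that merely contains `Port` and does not end in 22 — `GatewayPorts no`, for instance — satisfies it, and the check then passes even when a `Port 22` line is also present; anchoring it as `'f:$sshd_file -> r:^\s*Port\s+ && !r:\D22\D*$'` limits the match to the Port directive itself. Check 1507's `n:^\s*LoginGraceTime\s+(\d+)s` requires a literal `s` after the number, so the usual suffix-less form such as `LoginGraceTime 20` never matches and the check fails even when the value is compliant; dropping the `s` from the pattern accepts both spellings since the capture is not end-anchored. Check 1501 with `condition: all` also fails when no `Protocol` line exists at all, which is the normal state on newer OpenSSH releases that no longer use the directive — if that is intended, the description should say so.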
@@ -56,8 +56,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.2"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-14412-1
 condition: all
@@ -71,8 +71,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options)."
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-14940-1
 condition: all
@@ -86,8 +86,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-14412-1
 condition: all
@@ -101,7 +101,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.5"
+ - cis: ["1.1.5"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 - CCE-14777-7
@@ -116,7 +116,7 @@ checks:
 rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
 remediation: "# mount --bind /tmp /var/tmp and edit the /etc/fstab file to contain the following line: /tmp /var/tmp none bind 0 0"
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - CCE-14584-7
 condition: all
@@ -130,7 +130,7 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.7"
+ - cis: ["1.1.7"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 - CCE-14011-1
@@ -145,7 +145,7 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
 remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /var/log/audit . For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.8"
+ - cis: ["1.1.8"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 - CCE-14171-3
@@ -160,7 +160,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, check the box to 'Review and modify partitioning' and create a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
- - cis: "1.1.9"
+ - cis: ["1.1.9"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 - CCE-14559-9
@@ -175,8 +175,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.10"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.10"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4249-9
 condition: all
@@ -190,8 +190,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /dev/shm). # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-15007-8
 condition: all
@@ -205,8 +205,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-14306-5
 condition: all
@@ -220,8 +220,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-14927-8
 condition: all
@@ -238,9 +238,9 @@ checks:
 rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly."
 remediation: "Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off"
 compliance:
- - cis: "1.2.5"
- - pci_dss: "6.2"
- - nist_800_53: "SI.2"
+ - cis: ["1.2.5"]
+ - pci_dss: ["6.2"]
+ - nist_800_53: ["SI.2"]
 references:
 - CCE-4218-4
 condition: none
@@ -257,8 +257,8 @@ checks:
 rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten."
 remediation: "Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf."
 compliance:
- - cis: "1.4.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.1"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3977-6
 condition: none
@@ -272,8 +272,8 @@ checks:
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
 remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
 compliance:
- - cis: "1.4.2"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3999-0
 condition: all
@@ -287,8 +287,8 @@ checks:
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
 remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
 compliance:
- - cis: "1.4.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.3"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3624-4
 condition: all
@@ -302,8 +302,8 @@ checks:
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
 remediation: "rpm -qa setroubleshoot"
 compliance:
- - cis: "1.4.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.4"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on'
@@ -315,8 +315,8 @@ checks:
 rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system."
 remediation: "# chkconfig mctrans off"
 compliance:
- - cis: "1.4.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.5"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3668-1
 condition: none
@@ -333,8 +333,8 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Set a bootloader password"
 compliance:
- - cis: "1.5.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.5.3"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3818-2
 condition: all
@@ -348,8 +348,8 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Add the following to /etc/inittab : ~:S:wait:/sbin/sulogin"
 compliance:
- - cis: "1.5.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.5.4"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4241-6
 condition: none
@@ -363,8 +363,8 @@ checks:
 rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
 remediation: "Set the PROMPT parameter in /etc/sysconfig/init to no ."
 compliance:
- - cis: "1.5.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.5.5"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4245-7
 condition: all
@@ -381,8 +381,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf file. * hard core 0. Add the following line to the /etc/sysctl.conf file. fs.suid_dumpable = 0"
 compliance:
- - cis: "1.6.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -396,8 +396,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Add the following line to the /etc/sysctl.conf file. kernel.randomize_va_space = 2"
 compliance:
- - cis: "1.6.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.3"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4146-7
 condition: all
@@ -412,8 +412,8 @@ checks:
 rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
 remediation: "Add the following line to the /etc/sysctl.conf file. kernel.exec-shield = 1"
 compliance:
- - cis: "1.6.2"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.2"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4168-1
 condition: all
@@ -429,7 +429,7 @@ checks:
 rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)."
 remediation: "Edit /etc/sysconfig/prelink and set PRELINKING=no"
 compliance:
- - cis: "1.6.5"
+ - cis: ["1.6.5"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/prelink -> r:^PRELINKING=no$'
@@ -447,9 +447,9 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions."
 remediation: "# yum erase telnet-server"
 compliance:
- - cis: "2.1.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 references:
 - CCE-3390-2
 - CCE-4330-7
@@ -464,9 +464,9 @@ checks:
 rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "# yum erase rsh-server"
 compliance:
- - cis: "2.1.3"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.3"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 references:
 - CCE-4308-3
 condition: none
@@ -479,9 +479,9 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "# yum erase ypbind"
 compliance:
- - cis: "2.1.5"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.5"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 references:
 - CCE-3705-1 (disable)
 - CCE-4348-9 (uninstall)
@@ -496,9 +496,9 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
 remediation: "# yum erase ypserv"
 compliance:
- - cis: "2.1.6"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 references:
 - CCE-3705-1 (disable)
 - CCE-4348-9 (uninstall)
@@ -513,9 +513,9 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "# yum erase tftp-server"
 compliance:
- - cis: "2.1.8"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 references:
 - CCE-4273-9 (disable)
 - CCE-3916-4 (uninstall)
@@ -530,9 +530,9 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "# yum erase talk-server"
 compliance:
- - cis: "2.1.10"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.10"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa talk-server -> r:\.'
@@ -547,7 +547,7 @@ checks:
 rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
 remediation: "Add the following line to the /etc/sysconfig/init file. umask 027"
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> umask 027'
@@ -559,8 +559,8 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Edit /etc/inittab set default runlevel as follows: s/:5:/:3:/ Uninstall the X Windows System: # yum groupremove 'X Window System'"
 compliance:
- - cis: "3.3"
- - pci_dss: "2.2.2"
+ - cis: ["3.3"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/inittab -> r:^\s*id:3:initdefault'
@@ -573,8 +573,8 @@ checks:
 rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it."
 remediation: "# chkconfig avahi-daemon off In addition, edit the /etc/sysconfig/network file and remove zeroconf."
 compliance:
- - cis: "3.1.1"
- - pci_dss: "2.2.2"
+ - cis: ["3.1.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on'
@@ -586,8 +586,8 @@ checks:
 rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "# chkconfig nfslock off; #chkconfig rpcgssd off; #chkconfig rpcidmapd off; # chkconfig portmap off;"
 compliance:
- - cis: "3.8"
- - pci_dss: "2.2.2"
+ - cis: ["3.8"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on'
@@ -599,9 +599,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "# yum erase vsftpd"
 compliance:
- - cis: "3.10"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["3.10"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa vsftpd -> r:\.'
@@ -613,8 +613,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "# yum erase httpd"
 compliance:
- - cis: "3.11"
- - pci_dss: "2.2.2"
+ - cis: ["3.11"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa httpd -> r:\.'
@@ -626,8 +626,8 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
 remediation: "# yum erase dovecot"
 compliance:
- - cis: "3.12"
- - pci_dss: "2.2.2"
+ - cis: ["3.12"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa dovecot -> r:\.'
@@ -639,8 +639,8 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "# yum erase samba"
 compliance:
- - cis: "3.13"
- - pci_dss: "2.2.2"
+ - cis: ["3.13"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa samba -> r:\.'
@@ -652,8 +652,8 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "# yum erase squid"
 compliance:
- - cis: "3.14"
- - pci_dss: "2.2.2"
+ - cis: ["3.14"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa squid -> r:\.'
@@ -665,8 +665,8 @@ checks:
 rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
 remediation: "# yum erase net-snmp"
 compliance:
- - cis: "3.15"
- - pci_dss: "2.2.2"
+ - cis: ["3.15"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa net-snmp -> r:\.'
@@ -684,8 +684,8 @@ checks:
 rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf and modify active kernel parameters to match:"
 compliance:
- - cis: "4.1.1"
- - pci_dss: "2.2.4"
+ - cis: ["4.1.1"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3561-8
 condition: all
@@ -700,8 +700,8 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf"
 compliance:
- - cis: "4.1.2"
- - pci_dss: "2.2.4"
+ - cis: ["4.1.2"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4151-7
 - CCE-4155-8
@@ -722,8 +722,8 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
 remediation: "Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.1"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.1"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4236-6
 - CCE-4091-5
@@ -741,8 +741,8 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.2"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.2"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4217-6
 - CCE-4186-3
@@ -760,8 +760,8 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.3"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.3"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3472-8
 - CCE-3339-9
@@ -779,8 +779,8 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
 remediation: "Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.4"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.4"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4320-8
 condition: all
@@ -797,8 +797,8 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
 remediation: "Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.5"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.5"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-3644-2
 condition: all
@@ -813,8 +813,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.6"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.6"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4133-5
 condition: all
@@ -829,8 +829,8 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
 remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf and modify active kernel parameters to match."
 compliance:
- - cis: "4.2.7"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.7"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4080-8
 - CCE-3840-6
@@ -848,8 +848,8 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding."
 remediation: "Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf: net.ipv4.tcp_syncookies=1 Modify active kernel parameters to match."
 compliance:
- - cis: "4.2.8"
- - pci_dss: "2.2.4"
+ - cis: ["4.2.8"]
+ - pci_dss: ["2.2.4"]
 references:
 - CCE-4265-5
 condition: all
@@ -870,10 +870,10 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "6.2.1"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["6.2.1"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 references:
 - CCE-4245-7
 - https://www.ssh.com/ssh/
@@ -888,11 +888,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
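Review bot: The new hipaa flow sequences in the hunks at @@ -870 and @@ -888 omit the space after each comma, `["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]`, which parses fine but breaks the `[a, b]` spacing that yamllint and Prettier enforce and that the single-item lists in the same hunks follow; the same spacing recurs in the hipaa lines at @@ -918, @@ -935, @@ -952 and @@ -969 and in `nist_800_53: ["IA.10","AC.7"]` at @@ -992. Writing them as `- hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]` keeps the converted compliance lists uniform. Separately, the adjacent SSH checks carry `cis: ["6.2.1"]` next to `cis: ["5.2.3"]` and `cis: ["5.2.5"]`, which looks like two benchmark editions being cited side by side; since this commit rewrites every compliance entry anyway, it may be worth confirming which edition these identifiers refer to.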
@@ -904,9 +904,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -918,10 +918,10 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "6.2.6"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["6.2.6"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 references:
 - CCE-4250-7
 condition: all
@@ -935,10 +935,10 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "6.2.7"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["6.2.7"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 references:
 - CCE-4251-5
 condition: all
@@ -952,10 +952,10 @@ checks:
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "6.2.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["6.2.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 references:
 - CCE-4252-3
 condition: all
@@ -969,10 +969,10 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "6.2.9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["6.2.9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 references:
 - CCE-4256-4
 condition: all
@@ -992,10 +992,10 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "9.2.5"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["9.2.5"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 references:
 - CCE-4009-7
 condition: none
diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml
index c58a45bb0..42ee98a30 100644
--- a/sca/rhel/6/cis_rhel6_linux.yml
+++ b/sca/rhel/6/cis_rhel6_linux.yml
@@ -42,7 +42,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -56,8 +56,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -69,8 +69,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp ."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -82,9 +82,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -96,7 +96,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -110,7 +110,7 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.7"
+ - cis: ["1.1.7"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -122,8 +122,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -137,8 +137,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -152,7 +152,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -166,8 +166,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -179,8 +179,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -192,8 +192,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -205,9 +205,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -222,9 +222,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
 remediation: "Edit /boot/grub/grub.conf and remove all instances of selinux=0 and enforcing=0 on all kernel lines."
 compliance:
- - cis: "1.6.1.1"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.1"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
@@ -236,9 +236,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
 remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
 compliance:
- - cis: "1.6.1.2"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.2"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
@@ -250,8 +250,8 @@ checks:
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
 remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
 compliance:
- - cis: "1.6.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
@@ -263,8 +263,8 @@ checks:
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
 remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"
 compliance:
- - cis: "1.6.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'c:rpm -qa setroubleshoot -> r:\.'
@@ -276,8 +276,8 @@ checks:
 rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
 remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
 compliance:
- - cis: "1.6.1.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.5"]
+ - pci_dss: ["2.2.4"]
 condition: none
 rules:
 - 'c:rpm -qa mcstrans -> r:\.'
@@ -292,9 +292,9 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security."
 remediation: "Create an encrypted password with grub-md5-crypt, copy and paste the into the global section of /boot/grub/grub.conf."
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
@@ -306,9 +306,9 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Edit /etc/sysconfig/init and set SINGLE to ' /sbin/sulogin ': SINGLE=/sbin/sulogin"
 compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.3"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin'
@@ -320,9 +320,9 @@ checks:
 rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
 remediation: "Edit the /etc/sysconfig/init file and set PROMPT to ' no ': PROMPT=no"
 compliance:
- - cis: "1.4.4"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.4"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/etc/sysconfig/init -> r:^PROMPT=no$'
@@ -337,8 +337,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0; fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -352,8 +352,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -372,10 +372,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet-server && r::on'
@@ -387,10 +387,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Disable rsh, rlogin, and rexec."
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsh|rlogin|rsh && r::on'
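Review bot: In hunk `@@ -387` the rsh/rlogin/rexec check keeps the rule `r:rsh|rlogin|rsh && r::on`, which lists `rsh` twice and never matches `rexec`, even though the remediation text two lines above names all three services; an enabled rexec service would pass this check unnoticed. The commit only reformats the compliance tags here, but since this block is being touched it is the right moment to correct the line to `- 'c:chkconfig --list -> r:rsh|rlogin|rexec && r::on'`. The check's id and title lines sit above the hunk.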
@@ -403,10 +403,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
 remediation: "Run the following command to uninstall ypbind : # yum remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -418,10 +418,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
 remediation: "Run the following command to disable ypserv: # chkconfig ypserv off"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.4"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.4"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:ypserv && r::on'
@@ -433,10 +433,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # chkconfig tftp off"
 compliance:
- - cis: "2.1.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp && r::on'
@@ -448,10 +448,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk && r::on'
@@ -467,9 +467,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -481,9 +481,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
@@ -495,9 +495,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind: # chkconfig nfs off # chkconfig rpcbind off"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
@@ -509,9 +509,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
 remediation: "Run the following command to disable vsftpd: # chkconfig vsftpd off"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
@@ -523,8 +523,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable httpd: # chkconfig httpd off"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:httpd && r::on'
@@ -536,9 +536,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot: # chkconfig dovecot off"
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:dovecot && r::on'
@@ -550,9 +550,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb: # chkconfig smb off"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
@@ -564,9 +564,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # chkconfig squid off"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
@@ -578,9 +578,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
 remediation: "Run the following command to disable snmpd: # chkconfig snmpd off"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
@@ -598,9 +598,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
@@ -613,9 +613,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -633,9 +633,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -650,9 +650,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -667,9 +667,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -684,9 +684,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -701,9 +701,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
@@ -716,8 +716,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf: net.ipv4.icmp_ignore_bogus_error_responses=1"
 compliance:
- - cis: "3.2.6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -730,8 +730,8 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
 remediation: "Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf: net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1"
 compliance:
- - cis: "3.2.7"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -746,9 +746,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
@@ -767,11 +767,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
@@ -783,11 +783,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
@@ -799,9 +799,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -813,11 +813,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
@@ -829,11 +829,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5].2.7"
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
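Review bot: The new compliance entry for the HostbasedAuthentication check in hunk `@@ -829` is malformed: `- cis: ["5].2.7"` puts the closing bracket inside the quoted scalar, so the flow sequence is never closed and the policy file will most likely fail to parse, which silently disables every check in this file rather than just this one. It should read `- cis: ["5.2.7"]`, matching the removed line and the neighbouring entries. A YAML lint step over the sca/ tree in CI would catch this class of typo before it ships in a policy. The check's id and title lines sit above the hunk.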
@@ -845,11 +845,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
@@ -861,11 +861,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
@@ -883,11 +883,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml
index 82eebedaa..4cd017c88 100644
--- a/sca/rhel/7/cis_rhel7_linux.yml
+++ b/sca/rhel/7/cis_rhel7_linux.yml
@@ -42,7 +42,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition for /tmp if not using tmpfs. Enable systemd /tmp mounting"
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -56,8 +56,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -69,8 +69,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -82,9 +82,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options: Options=mode=1777,strictatime,noexec,nodev,nosuid"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -96,7 +96,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -110,7 +110,7 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.7"
+ - cis: ["1.1.7"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -122,8 +122,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -137,8 +137,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -152,7 +152,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -166,8 +166,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -179,8 +179,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -192,8 +192,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -205,9 +205,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -222,9 +222,9 @@ checks:
 rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
 remediation: "Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing"
 compliance:
- - cis: "1.6.1.2"
- - cis_csc: "14.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.2"]
+ - cis_csc: ["14.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sestatus -> r:^SELinux status:\s+enabled$'
@@ -239,8 +239,8 @@ checks:
 rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
 remediation: "Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted"
 compliance:
- - cis: "1.6.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sestatus -> r:^Loaded policy name:\s+targeted$'
@@ -253,8 +253,8 @@ checks:
 rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
 remediation: "Run the following command to uninstall s etroubleshoot: # yum remove setroubleshoot"
 compliance:
- - cis: "1.6.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$'
@@ -266,8 +266,8 @@ checks:
 rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
 remediation: "Run the following command to uninstall mcstrans: # yum remove mcstrans"
 compliance:
- - cis: "1.6.1.5"
- - pci_dss: "2.2.4"
+ - cis: ["1.6.1.5"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$'
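Review bot: The only rule of the SELinux check, `c:sestatus -> r:^SELinux status:\s+enabled$`, also passes on a host running in permissive mode, while the remediation (`SELINUX=enforcing`) and the rationale require the controls to actually be in effect; sestatus reports the mode on a separate `Current mode:` line that nothing here inspects. Since the check already uses `condition: all`, a second rule closes the gap: `- 'c:sestatus -> r:^Current mode:\s+enforcing$'`. The check's `id` and `title` lines precede the hunk.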
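Review bot: The remediation string of the setroubleshoot check (hunk @@ -253) reads `uninstall s etroubleshoot`, a stray space inside the package name that will confuse anyone copying the instruction; it should read `remediation: "Run the following command to uninstall setroubleshoot: # yum remove setroubleshoot"`. The check's `id` and `title` lines precede the hunk.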
@@ -282,9 +282,9 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Create an encrypted password with grub2-setpassword: # grub2-setpassword"
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+'
@@ -299,8 +299,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 and set the active kernel parameter"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -314,8 +314,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 and set the active kernel parameter"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
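Review bot: The boot-password rule reads `/boot/grub2/grub.cfg` for a `GRUB2_PASSWORD=` line, but the `grub2-setpassword` utility named in the remediation stores that line, as far as I recall, in a separate `user.cfg` file beside grub.cfg on RHEL 7-family systems rather than in grub.cfg itself — worth verifying on a remediated host, because if so this check keeps reporting a failure after the prescribed fix has been applied. If confirmed, point the rule at the file grub2-setpassword actually writes, and keep the grub.cfg form as a second rule under `condition: any` for manually managed configurations. The check's `id` and `title` lines precede the hunk.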
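Review bot: In the core-dump check (hunk @@ -299) the rationale and remediation both cover `fs.suid_dumpable = 0`, yet the only rule visible greps limits.conf for the hard core limit, so a host whose setuid programs can still dump core passes the check unless a further rule follows outside the hunk. The sysctl checks later in this file query the live value with `c:sysctl ...`; the same shape fits here under the existing `condition: all`: `- 'c:sysctl fs.suid_dumpable -> r:^fs.suid_dumpable\s*=\s*0$'`. The check's `id` and `title` lines precede the hunk and its rules list may continue after it.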
@@ -334,10 +334,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable ypserv: # systemctl disable ypserv"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ypserv -> r:^enabled'
@@ -349,10 +349,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh, rlogin, and rexec: # systemctl disable rsh.socket # systemctl disable rlogin.socket # systemctl disable rexec.socket "
 compliance:
- - cis: "2.2.17"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.17"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsh.socket -> r:^enabled'
@@ -366,10 +366,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # systemctl disable ntalk"
 compliance:
- - cis: "2.2.18"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.18"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ntalk -> r:^enabled'
@@ -381,10 +381,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # systemctl disable telnet.socket"
 compliance:
- - cis: "2.2.19"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.19"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled telnet.socket -> r:^enabled'
@@ -396,10 +396,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # systemctl disable tftp.socket"
 compliance:
- - cis: "2.2.20"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.20"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled tftp.socket -> r:^enabled'
@@ -411,10 +411,10 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsync: # systemctl disable rsyncd"
 compliance:
- - cis: "2.2.21"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.21"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsyncd -> r:^enabled'
@@ -426,10 +426,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind: # yum remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'c:rpm -q ypbind -> r:^package ypbind is not installed$'
@@ -441,10 +441,10 @@ checks:
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd: # systemctl disable xinetd"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled xinetd -> r:^enabled'
@@ -456,10 +456,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen-dgram and chargen-stream: # chkconfig chargen-dgram off; # chkconfig chargen-stream off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*chargen-dgram:\s*\t*on'
@@ -472,8 +472,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime-dgram and daytime-stream: # chkconfig daytime-dgram off; # chkconfig daytime-stream off"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*daytime-dgram:\s*\t*on'
@@ -486,10 +486,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard-dgram and discard-stream: # chkconfig discard-dgram off; # chkconfig discard-stream off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*discard-dgram:\s*\t*on'
@@ -502,10 +502,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo-dgram and echo-stream: # chkconfig echo-dgram off; # chkconfig echo-stream off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*echo-dgram:\s*\t*on'
@@ -518,10 +518,10 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time-dgram and time-stream: # chkconfig time-dgram off; # chkconfig time-stream off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:^\s*\t*time-dgram:\s*\t*on'
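Review bot: `cis: ["2.1.4"]` in the time-dgram/time-stream check (hunk @@ -518) repeats the identifier carried by the echo check in the hunk at @@ -502, so two distinct controls map to the same CIS item in whatever report this field feeds. If the policy tracks the CIS RHEL 7 benchmark, the time services have their own item (2.1.5 in the editions I have seen); verify against the benchmark edition the file targets and correct the value while the compliance lists are being rewritten anyway. The daytime check at @@ -472 is also the only one of this group with no `pci_dss`/`nist_800_53` entries, which looks like an omission rather than a deliberate difference. The checks' `id` and `title` lines precede each hunk.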
@@ -534,9 +534,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # yum remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+'
@@ -548,9 +548,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
@@ -562,9 +562,9 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd: # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 references:
 - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp
 condition: none
@@ -578,9 +578,9 @@ checks:
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable slapd: # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.6"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.6"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 references:
 - More detailed documentation on OpenLDAP is available at https://www.openldap.org
 condition: none
@@ -594,9 +594,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "1) Add or edit restrict lines in /etc/ntp.conf to match the following: - restrict -4 default kod nomodify notrap nopeer noquery and - restrict -4 default kod nomodify notrap nopeer noquery. 2) Add or edit server or pool lines to /etc/ntp.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/ntpd to include ' -u ntp:ntp ': - OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
@@ -612,9 +612,9 @@ checks:
 rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "1) Add or edit restrict lines in /etc/chrony.conf to match the following: - 1) Add or edit server or pool lines to /etc/chrony.conf as appropriate: server . 3) Add or edit the OPTIONS in /etc/sysconfig/chronyd to include: - OPTIONS='-u chronyd'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
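Review bot: The remediation of the slapd check (hunk @@ -578) ends with `# systemctl disable dhcpd`, which tells the operator to disable the wrong service; it should read `remediation: "Run the following command to disable slapd: # systemctl disable slapd"`. The rules of this check fall outside the hunk, so I could not confirm that they target slapd rather than a copy of the dhcpd rule. The check's `id` and `title` lines precede the hunk.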
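Review bot: The ntp rule (hunk @@ -594) requires whitespace on both sides of every option, `r:\s+noquery\s+` included, so a `restrict` line whose last token is noquery — the order the remediation itself prescribes — only matches if the line carries trailing whitespace; verify how the SCA regex engine treats a trailing `\s+` before relying on this check, and consider `r:\s+noquery(\s|$)`-style anchoring if it is supported. The remediation also lists `restrict -4 default ...` twice where the benchmark pairs a `-4` line with a `-6` line, and the rule's alternation only ever looks at the `-4`/unqualified form, so the IPv6 restriction is never verified. The check's `id` and `title` lines precede the hunk.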
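Review bot: The chrony check (hunk @@ -612) carries `cis: ["2.2.1.2"]`, the same identifier as the ntp check at @@ -594, so both map to one CIS item; the benchmark numbers chrony configuration as its own item, so verify and correct the value. The remediation text is also garbled — step 1 breaks off at `to match the following: - 1) Add or edit server...`, there is no step 2, and chrony does not use ntp-style restrict lines at all — so it should be rewritten to describe the `server`/`pool` lines the rule actually checks and the `OPTIONS='-u chronyd'` setting. The check's `id` and `title` lines precede the hunk.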
@@ -627,9 +627,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs, nfs-server and rpcbind: # systemctl disable nfs; # systemctl disable nfs-server; # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs -> r:^enabled'
@@ -643,9 +643,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
@@ -657,8 +657,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable httpd: # systemctl disable httpd"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled httpd -> r:^enabled'
@@ -670,9 +670,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot: # systemctl disable dovecot"
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dovecot -> r:^enabled'
@@ -684,9 +684,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb: # systemctl disable smb"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smb -> r:^enabled'
@@ -698,9 +698,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -712,9 +712,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
@@ -732,9 +732,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$'
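Review bot: `cis_csc: ["3","11"]` in the ip_forward check (hunk @@ -732) packs the flow sequence with no space after the comma, which yamllint's default `commas` rule flags and which a formatter such as Prettier would rewrite; `cis_csc: ["3", "11"]` is the conventional spacing and produces cleaner diffs when an item is added. The same spacing appears in the multi-item lists of the hunks at @@ -747, -767, -784, -801, -835, -850, -865 and -882, and in the `hipaa`/`nist_800_53` lists at @@ -903, -919, -949, -965, -981, -997 and -1019. The check's `id` and `title` lines precede the hunk.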
@@ -747,9 +747,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -767,9 +767,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -784,9 +784,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -801,9 +801,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -818,9 +818,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1; net.ipv4.conf.default.log_martians = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -835,9 +835,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
@@ -850,9 +850,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -865,9 +865,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -882,9 +882,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters."
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
@@ -903,11 +903,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
@@ -919,11 +919,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
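Review bot: `r:Protocol\s*\t*2` in the Protocol check is not anchored to the start of the line, and `!r:^#` only excludes comments that start in column 0, so an indented `  # Protocol 2` comment, or any line merely containing that text, satisfies the rule. The MaxAuthTries rule in the hunk at @@ -935 anchors with `^`; the same shape, `r:^\s*Protocol\s*\t*2`, would make this rule, the LogLevel rule at @@ -919 and the IgnoreRhosts, HostbasedAuthentication, PermitRootLogin and PermitEmptyPasswords rules at @@ -949 to -997 consistent with it. Note also that sshd uses the first occurrence of a directive, so a config with `Protocol 1` followed by `Protocol 2` passes this check while running the insecure setting — a limitation of line-matching checks worth stating in the check's description. The check's `id` and `title` lines precede the hunk.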
@@ -935,9 +935,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -949,11 +949,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
@@ -965,11 +965,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
@@ -981,11 +981,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
@@ -997,11 +997,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\s*\t*no'
@@ -1019,11 +1019,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml
index 4359ad8e4..528deebd2 100644
--- a/sca/sles/11/cis_sles11_linux.yml
+++ b/sca/sles/11/cis_sles11_linux.yml
@@ -38,7 +38,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -51,8 +51,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -63,8 +63,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -76,9 +76,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -90,7 +90,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -103,8 +103,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -118,8 +118,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -133,7 +133,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -146,8 +146,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -159,8 +159,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -172,8 +172,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -185,9 +185,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -202,9 +202,9 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Create an encrypted password with grub-md5-crypt : # grub-md5-crypt. The result is an . Copy and paste the into the global section of /boot/grub/menu.lst: password --md5 Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
- - pci_dss: "2.2.4"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:/boot/grub/menu.lst -> r:^password --md5'
@@ -219,8 +219,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to the /etc/security/limits.conf file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0."
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
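Review bot: The remediation in the grub password hunk (@@ -202) reads `The result is an . Copy and paste the into the global section of /boot/grub/menu.lst: password --md5 Notes:`, so the words after `an`, `the` and `--md5` appear to have been lost — presumably angle-bracketed placeholders such as `<encrypted-password>` that were stripped when the text was imported. The ntp hunk (@@ -386) shows the same gap at `as appropriate: server Add or edit`. These are context lines, but since the block is being touched it would be worth restoring the placeholders in plain words, e.g. `The result is an encrypted password hash. Copy and paste the hash into the global section of /boot/grub/menu.lst: password --md5 <hash>`, so an operator can follow the remediation.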
@@ -234,8 +234,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -254,8 +254,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
@@ -266,8 +266,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime - and daytime-udp: # chkconfig daytime-off # chkconfig daytime-udp off"
 compliance:
- - cis: "2.1.2,3.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on'
@@ -279,8 +279,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
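Review bot: The daytime hunk (@@ -266) turns `- cis: "2.1.2,3.1"` into `+ - cis: ["2.1.2"]`, silently dropping the `3.1` tag, whereas every other multi-valued tag in this commit is split into list elements (e.g. `cis_csc: ["3.4","9.1"]` in the rsh hunk). If `3.1` was a stray entry the drop deserves a sentence in the commit message; otherwise the line should read `- cis: ["2.1.2","3.1"]`. Also in that hunk the remediation `# chkconfig daytime-off` looks like a typo for `# chkconfig daytime off` (compare the chargen and discard remediations around it); it is a context line, but cheap to fix while the block is being touched.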
@@ -291,8 +291,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
@@ -303,8 +303,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
 compliance:
- - cis: "2.1.5"
- - cis_csc: "9.1"
+ - cis: ["2.1.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp: && r::on'
@@ -315,10 +315,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
@@ -329,10 +329,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
@@ -343,10 +343,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
@@ -357,10 +357,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # chkconfig tftp off"
 compliance:
- - cis: "2.1.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
@@ -371,8 +371,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off"
 compliance:
- - cis: "2.1.10, 2.2.17"
- - pci_dss: "2.2.2"
+ - cis: ["2.1.10","2.2.17"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsync: && r::on'
@@ -386,9 +386,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: any
 rules:
 - 'f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery'
@@ -403,9 +403,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -417,9 +417,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # chkconfig avahi-daemon off"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
@@ -430,8 +430,8 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd : # chkconfig dhcpd off"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:dhcpd && r::on'
@@ -443,9 +443,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind : # chkconfig nfs off # chkconfig rpcbind off"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
@@ -456,9 +456,9 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable named : # chkconfig named off"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:named && r::on'
@@ -469,9 +469,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd : # chkconfig vsftpd off Notes: Additional FTP servers also exist and should be audited."
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
@@ -483,8 +483,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface. Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
 remediation: "Run the following command to disable apache2 : # chkconfig apache2 off"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:apache2 && r::on'
@@ -495,9 +495,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cyrus : # chkconfig cyrus off Notes: Several IMAP/POP3 servers exist and can use other service names. dovecot is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list cyrus -> r:cyrus && r::on'
@@ -509,9 +509,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb : # chkconfig smb off"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
@@ -522,9 +522,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # chkconfig squid off"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
@@ -535,9 +535,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # chkconfig snmpd off Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: node
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
@@ -548,10 +548,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
 remediation: "Run the following command to disable ypserv : # chkconfig ypserv off"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:ypserv && r::on'
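Review bot: `condition: node` on the snmpd check (@@ -535) is almost certainly a typo for `condition: none`, which every neighbouring service check uses with the same `chkconfig --list ... && r::on` rule shape. As written, whether the check passes or fails depends on how the SCA engine treats an unrecognised condition value, so an enabled snmpd may never produce a finding. It is a context line here rather than part of the change, but the block is being touched and the fix is one word: `condition: none`.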
@@ -563,10 +563,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -584,9 +584,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$'
@@ -599,9 +599,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$'
@@ -619,9 +619,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -636,9 +636,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -653,9 +653,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
@@ -669,9 +669,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -686,9 +686,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -701,9 +701,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -716,9 +716,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -733,9 +733,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$'
@@ -754,11 +754,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
@@ -770,11 +770,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
@@ -786,9 +786,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
@@ -800,11 +800,11 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes'
@@ -816,11 +816,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
@@ -832,11 +832,11 @@ checks:
 rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
@@ -848,11 +848,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> r:^\s*\t*PermitEmptyPasswords\.+no'
@@ -870,11 +870,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
@@ -885,11 +885,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.1"]
+ - cis_csc: ["16"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml
index 20156b0af..7b8a05d5b 100644
--- a/sca/sles/12/cis_sles12_linux.yml
+++ b/sca/sles/12/cis_sles12_linux.yml
@@ -36,7 +36,7 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /tmp. For systems that were previously installed, create a new partition and configure /etc/fstab or the systemd tmp.mount service as appropriate."
 compliance:
- - cis: "1.1.2"
+ - cis: ["1.1.2"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -49,8 +49,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.3"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.3"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -61,8 +61,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,nosuid /tmp"
 compliance:
- - cis: "1.1.4"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.4"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -74,9 +74,9 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /tmp : # mount -o remount,noexec /tmp"
 compliance:
- - cis: "1.1.5"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.5"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
@@ -88,7 +88,7 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
+ - cis: ["1.1.6"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -101,8 +101,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.3"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -116,8 +116,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.3"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.3"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -131,7 +131,7 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
+ - cis: ["1.1.13"]
 references:
 - AJ Lewis, "LVM HOWTO", https://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -145,12 +145,52 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home. Notes: The actions in this recommendation refer to the /home partition, which is the default user partition that is defined. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 compliance:
- - cis: "1.1.14"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.14"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
+# 1.1.18 nodev on removable media partitions (not scored)
+ - id: 7512
+ title: "Ensure nodev option set on removable media partitions"
+ description: "The nodev mount option specifies that the filesystem cannot contain special devices."
+ rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
+ remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: ["1.1.18"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/media\s && r:nodev'
+
+# 1.1.19 nosuid on removable media partitions (not scored)
+ - id: 7513
+ title: "Ensure nosuid option set on removable media partitions"
+ description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
+ rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
+ remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: ["1.1.19"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/media\s && r:nosuid'
+
+# 1.1.20 noexec on removable media partitions (not scored)
+ - id: 7514
+ title: "Ensure noexec option set on removable media partitions"
+ description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
+ rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
+ remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information."
+ compliance:
+ - cis: ["1.1.20"]
+ - cis_csc: ["8"]
+ - pci_dss: ["2.2.4"]
+ condition: all
+ rules:
+ - 'c:mount -> r:\s/media\s && r:noexec'
+
 # 1.1.15 /dev/shm: nodev
 - id: 7509
 title: "Ensure nodev option set on /dev/shm partition"
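Review bot: The three new rules of the form `c:mount -> r:\s/media\s && r:nodev` only match a filesystem whose mount point is literally `/media`, so media auto-mounted under `/media/<label>` or at `/mnt/cdrom` are never inspected, and with `condition: all` a host that has no removable medium mounted at scan time is reported as failing checks 7512, 7513 and 7514. The remediation text points at /etc/fstab entries containing floppy or cdrom, so an `f:/etc/fstab` rule over those entries, or at least dropping the trailing `\s` so the mount-point prefix is matched, would reflect the benchmark more faithfully; if the live `mount` form is kept, the description should state that the check is only meaningful while a medium is mounted. The `(not scored)` status is recorded only in the comment lines and is invisible in scan results, so it is worth carrying into the title or description. The 1.1.18–1.1.20 blocks are also inserted between 1.1.14 and 1.1.15, breaking the benchmark ordering the rest of the file follows.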
@@ -158,8 +198,8 @@ checks:
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.15"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.15"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -171,8 +211,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nosuid /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.16"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -184,9 +224,9 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,noexec /dev/shm Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0. Notes: /dev/shm is not specified in /etc/fstab despite being mounted by default. The following line will implement the recommended /dev/shm mount options in /etc/fstab: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2"
- - pci_dss: "2.2.4"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -201,8 +241,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0. Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:fs.suid_dumpable = 0. Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
@@ -216,8 +256,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2. Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.4"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:^\s*kernel.randomize_va_space\s*=\s*2$'
@@ -237,8 +277,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable chargen and chargen-udp : # chkconfig chargen off # chkconfig chargen-udp off"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.1"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
@@ -249,8 +289,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable daytime and daytime-udp: # chkconfig daytime off # chkconfig daytime-udp off"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.1"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp && r::on'
@@ -261,8 +301,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable discard and discard-udp: # chkconfig discard off # chkconfig discard-udp off"
 compliance:
- - cis: "2.1.3"
- - cis_csc: "9.1"
+ - cis: ["2.1.3"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
@@ -273,8 +313,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable echo and echo-udp: # chkconfig echo off # chkconfig echo-udp off"
 compliance:
- - cis: "2.1.4"
- - cis_csc: "9.1"
+ - cis: ["2.1.4"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
@@ -285,8 +325,8 @@ checks:
 rationale: "Disabling this service will reduce the remote attack surface of the system."
 remediation: "Run the following commands to disable time and time-udp: # chkconfig time off # chkconfig time-udp off"
 compliance:
- - cis: "2.1.5"
- - cis_csc: "9.1"
+ - cis: ["2.1.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp && r::on'
@@ -297,10 +337,10 @@ checks:
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
 remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off"
 compliance:
- - cis: "2.1.6"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.6"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
@@ -311,10 +351,10 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable talk: # chkconfig talk off"
 compliance:
- - cis: "2.1.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
@@ -325,10 +365,10 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
 remediation: "Run the following command to disable telnet: # chkconfig telnet off"
 compliance:
- - cis: "2.1.8"
- - cis_csc: "3.4, 9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.8"]
+ - cis_csc: ["3.4","9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
@@ -339,10 +379,10 @@ checks:
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
 remediation: "Run the following command to disable tftp: # systemctl disable atftpd"
 compliance:
- - cis: "2.1.9, 2.2.17"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.1.9","2.2.17"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
@@ -353,8 +393,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd"
 compliance:
- - cis: "2.1.10, 2.2.18"
- - pci_dss: "2.2.2"
+ - cis: ["2.1.10","2.2.18"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:rsync: && r::on'
@@ -365,8 +405,8 @@ checks:
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
 remediation: "Run the following command to disable xinetd : # systemctl disable xinetd"
 compliance:
- - cis: "2.1.11"
- - cis_csc: "9.1"
+ - cis: ["2.1.11"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled xinetd -> r:enabled'
@@ -380,9 +420,9 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod limited nomodify notrap nopeer noquery restrict -6 default kod limited nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Add or edit the NTPD_OPTIONS in /etc/sysconfig/ntp to include '-u ntp:ntp': NTPD_OPTIONS='-u ntp:ntp'"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery'
@@ -397,9 +437,9 @@ checks:
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
 remediation: "Run the following command to remove the X Windows System packages: # zypper remove xorg-x11*"
 compliance:
- - cis: "2.2.2"
- - cis_csc: "2"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.2"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -411,9 +451,9 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
 remediation: "Run the following command to disable avahi-daemon : # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:enabled'
@@ -424,8 +464,8 @@ checks:
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dhcpd : # systemctl disable dhcpd"
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.1"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dhcpd -> r:enabled'
@@ -437,9 +477,9 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs -> r:enabled'
@@ -451,9 +491,9 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable named : # systemctl disable named"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled named -> r:enabled'
@@ -464,9 +504,9 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd : # systemctl disable vsftpd Notes: Additional FTP servers also exist and should be audited."
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:enabled'
@@ -478,8 +518,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2 : # systemctl disable apache2 Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.1"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:enabled'
@@ -490,9 +530,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable dovecot : # systemctl disable dovecot Notes: Several IMAP/POP3 servers exist and can use other service names. cyrus-imap is an example service that provides an IMAP/POP3 server. These and other services should also be audited."
 compliance:
- - cis: "2.2.11"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.11"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled dovecot -> r:enabled'
@@ -504,9 +544,9 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable smb : # systemctl disable smb"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smb -> r:enabled'
@@ -517,9 +557,9 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable squid : # systemctl disable squid Notes: Several HTTP proxy servers exist. These and other services should be checked."
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:enabled'
@@ -530,9 +570,9 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd Notes: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods."
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.1"
- - pci_dss: "2.2.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:enabled'
@@ -543,10 +583,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable ypserv : # systemctl disable ypserv"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.1"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.1"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled ypserv -> r:enabled'
@@ -558,10 +598,10 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Run the following command to uninstall ypbind : # zypper remove ypbind"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2"
- - pci_dss: "2.2.3"
- - nist_800_53: "CM.1"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2"]
+ - pci_dss: ["2.2.3"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa ypbind -> r:\.'
@@ -579,9 +619,9 @@ checks:
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:\s0$'
@@ -594,9 +634,9 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.1.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
@@ -614,9 +654,9 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.1"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$'
@@ -631,9 +671,9 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.2"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.2"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$'
@@ -648,9 +688,9 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.3"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.3"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
@@ -664,9 +704,9 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -681,9 +721,9 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.5"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.5"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
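Review bot: The rule in the 3.2.5 hunk queries `net.ipv4.icmp_ignore_bogus_error_responses`, while the rationale and remediation of that same check are about `net.ipv4.icmp_echo_ignore_broadcasts`; as written the check passes or fails on the wrong kernel parameter, and the bogus-error-responses value is already covered by the 3.2.6 check that follows. The rule should read `- 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`. The compliance list rewrite itself is fine; this is a pre-existing defect the commit carries over.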
@@ -696,9 +736,9 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
- - cis: "3.2.6"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.6"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -711,9 +751,9 @@ checks:
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.7"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
@@ -728,9 +768,9 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "3, 11"
- - pci_dss: "2.2.4"
+ - cis: ["3.2.8"]
+ - cis_csc: ["3","11"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
@@ -749,11 +789,11 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.2"
- - cis_csc: "3.4"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.2"]
+ - cis_csc: ["3.4"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:Protocol\s*\t*2$'
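Review bot: The 3.2.8 rule reads persisted configuration with `grep -Rh ... /etc/sysctl.conf /etc/sysctl.d`, whereas every other 3.x check in these hunks queries the live kernel through `c:sysctl ...`; a host whose file carries the value but whose kernel was never reloaded passes, and a host set only at runtime fails, which is the opposite outcome from the sibling checks. Aligning it to `- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'` keeps the file consistent; if persistence is also wanted, keep both rules under the existing `condition: all`. Note also that `grep -R` descends into every file under /etc/sysctl.d, including non-.conf leftovers that, if I recall the sysctl loader correctly, are never applied.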
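Review bot: The 5.2.2 rule requires an uncommented `Protocol 2` line under `condition: all`, so the check fails whenever the directive is simply absent; on OpenSSH releases that removed protocol 1 support (7.4 and later, if memory serves) the shipped sshd_config has no `Protocol` line at all and is nonetheless compliant, so this check will be a permanent false negative on current SLES hosts. Consider flipping it to `condition: none` with a rule that flags a protocol-1 setting, e.g. `- 'f:$sshd_file -> !r:^\s*\t*# && r:^\s*Protocol\s*\t*\.*1'`, or at least state in the description that the check only applies to sshd versions that still honor `Protocol`. The compliance list change is fine.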
@@ -765,11 +805,11 @@ checks:
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: LogLevel INFO"
 compliance:
- - cis: "5.2.3"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.3"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO'
@@ -781,9 +821,9 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.5"
- - cis_csc: "16"
- - pci_dss: "2.2.4"
+ - cis: ["5.2.5"]
+ - cis_csc: ["16"]
+ - pci_dss: ["2.2.4"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -795,11 +835,11 @@ checks:
 rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes'
@@ -811,11 +851,11 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "9"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.7"]
+ - cis_csc: ["9"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no'
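Review bot: The rationale of the 5.2.6 check is a verbatim copy of its remediation (`Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes`), so the field never says why the setting matters; a rationale along the lines of `Setting IgnoreRhosts to yes makes sshd ignore .rhosts and .shosts files during RhostsRSAAuthentication and HostbasedAuthentication, so host-trust relationships declared in those files cannot be used to bypass user authentication.` would match the style of the 5.2.7 rationale next to it. Separately, `r:IgnoreRhosts\s*\t*yes` is unanchored; `r:^\s*IgnoreRhosts\s*\t*yes` avoids matching the directive name when it appears inside another line's value.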
@@ -827,11 +867,11 @@ checks:
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "5.8"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.8"]
+ - cis_csc: ["5.8"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no'
@@ -843,11 +883,11 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16"
- - pci_dss: "4.1"
- - hipaa: "164.312.a.2.IV, 164.312.e.1, 164.312.e.2.I, 164.312.e.2.II"
- - nist_800_53: "SC.8"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16"]
+ - pci_dss: ["4.1"]
+ - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
+ - nist_800_53: ["SC.8"]
 condition: none
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no'
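Review bot: The 5.2.9 check is inverted: `condition: none` combined with a rule that matches an uncommented `PermitEmptyPasswords no` line means a correctly hardened sshd_config fails the check, while a file that omits the directive or sets it to `yes` passes. The 5.2.8 PermitRootLogin hunk just above uses the identical regex shape with `condition: all`, which is what this one needs; alternatively keep `condition: none` and match the bad value with `r:PermitEmptyPasswords\s*\t*yes`. The defect predates this commit, but the compliance rewrite touches the same check and is a good moment to fix it.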
@@ -865,11 +905,11 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
@@ -880,11 +920,11 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "16"
- - pci_dss: "10.2.5"
- - hipaa: "164.312.b"
- - nist_800_53: "IA.10, AC.7"
+ - cis: ["6.2.1"]
+ - cis_csc: ["16"]
+ - pci_dss: ["10.2.5"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["IA.10","AC.7"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 89161716a..c5c33e35e 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -33,7 +33,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default"
 compliance:
- - cis: "2.1"
+ - cis: ["2.1"]
 condition: none
 rules:
 - 'p:gdm'
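Review bot: In the 6.2.5 hunk the rule `r:^\w+:\w+:0:` requires at least one word character in the password field, so a UID-0 entry with an empty second field (`backdoor::0:0:...`), the most dangerous form, never matches and the `condition: none` check passes; entries whose second field is `*` or `!` are likewise missed if the SCA regex `\w` class excludes punctuation, as I believe the OSSEC engine's does. Loosening the password field, e.g. `r:^\w+:\S*:0:` (or `\.*` if `\S` is not supported by this engine), closes that gap while keeping the `!r:^\s*\t*root:` exclusion. The 6.2.1 shadow rule `r:^\w+::` has the same `\w` dependency for account names containing `.` or `$`, worth a quick check against real account names.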
@@ -45,7 +45,7 @@ checks:
 rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
 remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail"
 compliance:
- - cis: "2.2"
+ - cis: ["2.2"]
 condition: none
 rules:
 - 'c:netstat -an -> r:.25\s*\t* && !r:127.0.0.1.25|::1'
@@ -56,7 +56,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv"
 compliance:
- - cis: "2.3"
+ - cis: ["2.3"]
 condition: none
 rules:
 - 'p:keyserv'
@@ -67,7 +67,7 @@ checks:
 rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain"
 compliance:
- - cis: "2.4"
+ - cis: ["2.4"]
 condition: none
 rules:
 - 'p:ypserv'
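Review bot: The remediation in the 2.2 hunk says sendmail should listen only on local interfaces but sets `config/local_only=false`; the SMF property that confines sendmail to loopback is `local_only=true` (which is also what the CIS Solaris 11 benchmark prescribes, if memory serves), so an administrator following this text would open the MTA to the network. Suggested text: `# svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=true # svcadm refresh sendmail # svcadm restart sendmail`. Separately, the rule `r:.25\s*\t*` matches any socket whose port ends in 25 (1025, 8025, ...) because `.` consumes the preceding digit; in this regex dialect `\.` means any character, so `r:\p25\s+` is the literal-punctuation form that anchors the port.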
@@ -83,7 +83,7 @@ checks:
 rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain"
 compliance:
- - cis: "2.5"
+ - cis: ["2.5"]
 condition: none
 rules:
 - 'p:ypserv'
@@ -99,7 +99,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn"
 compliance:
- - cis: "2.6"
+ - cis: ["2.6"]
 condition: none
 rules:
 - 'p:ktkt_warnd'
@@ -110,7 +110,7 @@ checks:
 rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss"
 compliance:
- - cis: ["2.7"]
+ - cis: ["2.7"]
 condition: none
 rules:
 - 'p:gssd'
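Review bot: The 2.5 hunk is the NIS client check (its rationale targets client daemons and the remediation disables svc:/network/nis/client), yet its only visible rule is `p:ypserv`, the server daemon that the 2.4 check right above already tests; the client daemon is `ypbind`, so the rule should presumably be `- 'p:ypbind'`. As written a host running only the NIS client passes. If the rule list continues past the hunk with a ypbind entry this is moot, but the visible hunk ends at ypserv.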
@@ -121,7 +121,7 @@ checks:
 rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
 remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver"
 compliance:
- - cis: "2.8"
+ - cis: ["2.8"]
 condition: none
 rules:
 - 'p:smserverd'
@@ -132,7 +132,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs"
 compliance:
- - cis: "2.9"
+ - cis: ["2.9"]
 condition: none
 rules:
 - 'p:automountd'
@@ -143,7 +143,7 @@ checks:
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/http:apache22"
 compliance:
- - cis: "2.10"
+ - cis: ["2.10"]
 references:
 - http://httpd.apache.org/docs/2.0/misc/security_tips.html
 condition: none
@@ -157,7 +157,7 @@ checks:
 rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
 compliance:
- - cis: "2.11"
+ - cis: ["2.11"]
 condition: none
 rules:
 - 'p:rpcbind'
@@ -168,7 +168,7 @@ checks:
 rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
 remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
 compliance:
- - cis: "2.12"
+ - cis: ["2.12"]
 references:
 - ipfilter(5) man page
 condition: all
@@ -183,7 +183,7 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
 remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
 compliance:
- - cis: "2.13"
+ - cis: ["2.13"]
 condition: all
 rules:
 - 'p:telnet'
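Review bot: The 2.13 telnet check uses `condition: all` with the single rule `p:telnet`, so it passes only while a telnet process exists and fails on a host where telnet is disabled, the reverse of the stated intent; every other service check in this file (2.1 through 2.11) pairs a `p:` rule with `condition: none`. Changing `condition: all` to `condition: none` fixes the polarity. Since Solaris telnet is an inetd-spawned SMF service, a process check also only fires while a session is open; a rule on the service state such as `c:svcs -H -o state svc:/network/telnet -> r:online` would test the enabled state directly, though the exact svcs output should be confirmed on the target release.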
@@ -195,7 +195,7 @@ checks:
 rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
 remediation: "To implement the recommendation, run the commands: # chmod 700 /var/cores # coreadm -g /var/cores/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid If the local site chooses, dumping of core files can be completely disabled with the following command: # coreadm -d global -d global-setid -d process -d proc-setid"
 compliance:
- - cis: "3.1"
+ - cis: ["3.1"]
 condition: all
 rules:
 - 'f:/etc/coreadm.conf'
@@ -215,7 +215,7 @@ checks:
 rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
 remediation: "To enable stack protection and block stack-smashing attacks, run the following to edit the /etc/system file: # if [ ! \"`grep noexec_user_stack= /etc/system`\" ]; then cat <>/etc/system set noexec_user_stack=1 set noexec_user_stack_log=1 END_CFG fi"
 compliance:
- - cis: "3.2"
+ - cis: ["3.2"]
 condition: all
 rules:
 - 'f:/etc/system'
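Review bot: As far as the 3.1 hunk shows, the only rule is `f:/etc/coreadm.conf`, which passes on bare file existence and never verifies the `-e global -e global-setid -d process -d proc-setid` settings the remediation asks for; that file is presumably present on a default install, so the check would pass unconditionally. If the rule list continues past the hunk with content matches this is moot; otherwise a rule on the effective state, e.g. `c:coreadm -> r:per-process core dumps: disabled` alongside a global-dumps line, would tie the check to the actual configuration (output wording to be confirmed on the target release). The same existence-only pattern appears in the 3.2 hunk with `f:/etc/system`.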
@@ -228,7 +228,7 @@ checks:
 rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
 remediation: "Run the following commands to set the TCP_STRONG_ISS parameter to use RFC 1948 sequence number generation in the /etc/default/inetinit file: # cd /etc/default # awk '/TCP_STRONG_ISS=/ { $1 = \"TCP_STRONG_ISS=2\" }; { print }' inetinit > inetinit.CIS # mv inetinit.CIS inetinit To set the TCP_STRONG_ISS parameter on a running system, use the command: # ipadm set-prop -p _strong_iss=2 tcp"
 compliance:
- - cis: "3.3"
+ - cis: ["3.3"]
 condition: all
 rules:
 - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2'
@@ -240,7 +240,7 @@ checks:
 rationale: "To simplify administration, a CIS specific audit class should be created."
 remediation: "To create the CIS audit class, edit the /etc/security/audit_class file and add the following entry before the last line of the file: 0x0100000000000000:cis:CIS Solaris Benchmark"
 compliance:
- - cis: "4.1"
+ - cis: ["4.1"]
 condition: all
 rules:
 - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'
@@ -251,7 +251,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect"
 compliance:
- - cis: "4.2"
+ - cis: ["4.2"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACCEPT:\.+cis\.*'
@@ -266,7 +266,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET"
 compliance:
- - cis: "4.3"
+ - cis: ["4.3"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHMOD:\.+cis\.*'
@@ -283,7 +283,7 @@ checks:
 rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
 remediation: "To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to the following audit events: AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID"
 compliance:
- - cis: "4.4"
+ - cis: ["4.4"]
 condition: all
 rules:
 - 'f:/etc/security/audit_event -> r:^\d+:AUE_CHROOT:\.+cis\.*'
@@ -307,7 +307,7 @@ checks:
 rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
 remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit"
 compliance:
- - cis: "4.5"
+ - cis: ["4.5"]
 condition: all
 rules:
 - 'c:auditconfig -getcond -> audit condition = auditing'
@@ -325,7 +325,7 @@ checks:
 rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
 remediation: "Perform the following to implement the recommended state: # svccfg -s svc:/system/environment:init setprop umask/umask = astring: \"022\""
 compliance:
- - cis: "5.1"
+ - cis: ["5.1"]
 condition: all
 rules:
 - 'c:svcprop -p umask/umask svc:/system/environment:init -> 022'
@@ -337,7 +337,7 @@ checks:
 rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/ENABLE_NOBODY_KEYS=/ { $1 = \"ENABLE_NOBODY_KEYS=NO\" } { print }' keyserv > keyserv.CIS # mv keyserv.CIS keyserv"
 compliance:
- - cis: "6.2"
+ - cis: ["6.2"]
 condition: all
 rules:
 - 'f:/etc/default/keyserv'
@@ -349,7 +349,7 @@ checks:
 rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
 remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.3"
+ - cis: ["6.3"]
 condition: none
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes'
@@ -360,7 +360,7 @@ checks:
 rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
 remediation: "Perform the following to implement the recommended state: # awk '/^MaxAuthTries/ { $2 = \"3\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.4"
+ - cis: ["6.4"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4'
@@ -371,7 +371,7 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
 remediation: "Perform the following to implement the recommended state: # awk '/^IgnoreRhosts/ { $2 = \"yes\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh This action will only set the IgnoreRhosts line if it already exists in the file to ensure that it is set to the proper value. If the IgnoreRhosts line does not exist in the file, the default setting of Yes is automatically used, so no additional changes are needed."
 compliance:
- - cis: "6.5"
+ - cis: ["6.5"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no'
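Review bot: The IgnoreRhosts rule in the @@ -371 hunk, `f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no` under `condition: all`, can only pass when an uncommented `IgnoreRhosts no` line is present, which is exactly the state the remediation in the same hunk rewrites to `yes`; the comparison direction is inverted relative to the rationale and remediation. If a regex rule matches on any single line as the other checks in this file assume, the check should fail on that line instead, i.e. `condition: none`, which also makes the absent-option default of yes pass as the remediation text describes. The same inversion appears in the @@ -404 hunk (an active `pam_rhosts_auth` line required under `condition: all` while the remediation comments it out) and in the @@ -416 hunk (`r:^root` in /etc/ftpd/ftpusers under `condition: none` while the rationale wants root listed there "especially"). The checks' id and title lines are outside these hunks.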
@@ -382,7 +382,7 @@ checks:
 rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
 remediation: "Perform the following to implement the recommended state: # awk '/^PermitRootLogin/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.6"
+ - cis: ["6.6"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no'
@@ -393,7 +393,7 @@ checks:
 rationale: "Permitting login without a password is inherently risky."
 remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "6.7"
+ - cis: ["6.7"]
 condition: none
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
@@ -404,7 +404,7 @@ checks:
 rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
 remediation: "Perform the following to implement the recommended state: # cd /etc # cp pam.conf pam.conf.pre-CIS # sed -e 's/^.*pam_rhosts_auth/#&/' < /etc/pam.conf > pam.conf.CIS # mv pam.conf.CIS pam.conf"
 compliance:
- - cis: "6.8"
+ - cis: ["6.8"]
 condition: all
 rules:
 - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
@@ -416,7 +416,7 @@ checks:
 rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
 remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system."
 compliance:
- - cis: "6.9"
+ - cis: ["6.9"]
 condition: none
 rules:
 - 'f:/etc/ftpd/ftpusers -> r:^root'
@@ -446,7 +446,7 @@ checks:
 rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/SLEEPTIME=/ { $1 = \"SLEEPTIME=4\" } { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "6.10"
+ - cis: ["6.10"]
 condition: all
 rules:
 - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4'
@@ -457,7 +457,7 @@ checks:
 rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)."
 remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf"
 compliance:
- - cis: "6.11"
+ - cis: ["6.11"]
 condition: none
 rules:
 - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin'
@@ -468,7 +468,7 @@ checks:
 rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /usr/share/X11/app-defaults # cp XScreenSaver XScreenSaver.orig # awk '/^\\*timeout:/ { $2 = \"0:10:00\" } /^\\*lockTimeout:/ { $2 = \"0:00:00\" } /^\\*lock:/ { $2 = \"True\" } { print }' xScreenSaver > xScreenSaver.CIS # mv xScreenSaver.CIS xScreenSaver"
 compliance:
- - cis: "6.12"
+ - cis: ["6.12"]
 condition: all
 rules:
 - 'f:/usr/share/X11/app-defaults/XScreensaver'
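Review bot: The rule in the @@ -468 hunk tests `f:/usr/share/X11/app-defaults/XScreensaver`, while the remediation in the same hunk copies `XScreenSaver` and then edits `xScreenSaver`; on a case-sensitive filesystem only one of these spellings can exist, so either the rule path or the remediation's file names are wrong, and the remediation is inconsistent with itself as well. Settle on one spelling in both places, e.g. `- 'f:/usr/share/X11/app-defaults/XScreenSaver'` if that is the file the remediation copies. Any further rules of this check, and its id and title lines, are outside the hunk.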
@@ -482,7 +482,7 @@ checks:
 rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
 remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow"
 compliance:
- - cis: "6.13"
+ - cis: ["6.13"]
 condition: all
 rules:
 - 'not f:/etc/cron.d/cron.deny'
@@ -498,7 +498,7 @@ checks:
 rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "6.14"
+ - cis: ["6.14"]
 condition: none
 rules:
 - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console'
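Review bot: The CONSOLE rule in the @@ -498 hunk, `f:/etc/default/login -> !r:^CONSOLE\p/dev/console` under `condition: none`, is satisfied by every line of the file that is not the CONSOLE setting (comments, other `KEY=value` lines), so if `!r:` negates a per-line match as the other negated rules in this file suggest, the check fails on any real /etc/default/login regardless of the CONSOLE value. Stating the requirement positively, `r:^CONSOLE\p/dev/console` with `condition: all`, checks what the remediation actually sets. The same negated-regex-under-`none` shape appears in the @@ -569 (`!r:^# && !r:^umask\p027|^umask\p077`), @@ -580 (`!r:^# && !r:^umask\s*027`) and @@ -591 (`!r:^mesg\s*n`) hunks of this file and should be turned around the same way. The checks' id and title lines are outside these hunks.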
@@ -509,7 +509,7 @@ checks:
 rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle"
 compliance:
- - cis: "6.15"
+ - cis: ["6.15"]
 condition: all
 rules:
 - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3'
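Review bot: `n:^RETRIES\p(\d+) compare <=3` is the only numeric rule in this file written without a space between the operator and the value; the sibling rules use `compare <= 4`, `compare >= 4` and `compare <= 13`. Unless the comparison parser is known to accept the glued form, this rule may never evaluate, so normalise it to `n:^RETRIES\p(\d+) compare <= 3`. The check's id and title lines are outside the hunk.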
@@ -521,7 +521,7 @@ checks:
 rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
 remediation: "Perform the following to implement the recommended state: # /boot/grub/bin/grub grub> md5crypt Password: [enter desired boot loader password] Encrypted: [enter md5 password string] grub> [enter control-C (^C)] The actual menu.lst file for Solaris 11 x64 is the /rpool/boot/grub/menu.lst. First, ensure the menu.lst file can only be read by the root user: # chmod 600 /rpool/boot/grub/menu.lst Next, add the following line to the menu.lst file above the entries added by bootadm: password --md5 [enter md5 password string generated above] Finally, add the keyword lock to the Solaris failsafe boot entry as in the following example (as well as to any other entries that you want to protect): title Solaris failsafe lock"
 compliance:
- - cis: "6.17"
+ - cis: ["6.17"]
 condition: all
 rules:
 - 'f:/rpool/boot/grub/menu.lst'
@@ -534,7 +534,7 @@ checks:
 rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
 remediation: "Perform the following to implement the recommended state: # logins -ox | awk -F: '($1 == \"root\" || $8 == \"LK\" || $8 == \"NL\") { next } ; { $cmd = \"passwd\" } ; ($11 91) { $cmd = $cmd \" -x 91\" } ($10 < 7) { $cmd = $cmd \" -n 7\" } ($12 < 28) { $cmd = $cmd \" -w 28\" } ($cmd != \"passwd\") { print $cmd \" \" $1 }' > /etc/CISupd_accounts # /sbin/sh /etc/CISupd_accounts # rm -f /etc/CISupd_accounts # cd /etc/default # grep -v WEEKS passwd > passwd.CIS # cat <> passwd.CIS MAXWEEKS=13 MINWEEKS=1 WARNWEEKS=4 EODefaults # mv passwd.CIS passwd"
 compliance:
- - cis: "7.1"
+ - cis: ["7.1"]
 condition: all
 rules:
 - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'
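Review bot: The capture in `n:^maxweeks\(\d+) compare <= 13` is written with `\(` before the group, whereas every other numeric rule in this file (`SLEEPTIME\p(\d+)`, `RETRIES\p(\d+)`, `passlength\p(\d)`) uses `\p` to consume the `=` between the key and the number; `\(` is not a form any sibling rule relies on, so this looks like a typo that would keep the capture from matching `MAXWEEKS=13` as written by the remediation. Change it to `n:^maxweeks\p(\d+) compare <= 13`, keeping the lowercase key only if the same case-insensitive matching the sibling rules assume is in effect. The check's id and title lines are outside the hunk.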
@@ -547,7 +547,7 @@ checks:
 rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd"
 compliance:
- - cis: "7.2"
+ - cis: ["7.2"]
 condition: all
 rules:
 - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8'
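Review bot: `n:^passlength\p(\d) compare <= 8` captures a single digit and requires the value to be at most 8, but the remediation in this hunk sets `PASSLENGTH=8` as a minimum password length; if the comparison uses only the captured group, `PASSLENGTH=12` captures `1` and passes, `PASSLENGTH=9` fails, and the weak `PASSLENGTH=6` passes. The rule should capture the whole number and compare in the other direction: `n:^passlength\p(\d+) compare >= 8`. The check's id and title lines are outside the hunk.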
@@ -569,7 +569,7 @@ checks:
 rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login"
 compliance:
- - cis: "7.3"
+ - cis: ["7.3"]
 condition: none
 rules:
 - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077'
@@ -580,7 +580,7 @@ checks:
 rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
 remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi"
 compliance:
- - cis: "7.4"
+ - cis: ["7.4"]
 condition: none
 rules:
 - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027'
@@ -591,7 +591,7 @@ checks:
 rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
 remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done"
 compliance:
- - cis: "7.5"
+ - cis: ["7.5"]
 condition: none
 rules:
 - 'f:/etc/.login -> !r:^mesg\s*n'
@@ -604,7 +604,7 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
 remediation: "Perform the following to implement the recommended state: # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/motd # echo \"Authorized users only. All activity may be monitored and reported.\" > /etc/issue # chown root:root /etc/issue # chmod 644 /etc/issue"
 compliance:
- - cis: "8.1"
+ - cis: ["8.1"]
 condition: all
 rules:
 - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
@@ -615,7 +615,7 @@ checks:
 description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
 remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
 compliance:
- - cis: "8.2"
+ - cis: ["8.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
@@ -626,7 +626,7 @@ checks:
 rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
 remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue"
 compliance:
- - cis: "8.3"
+ - cis: ["8.3"]
 condition: all
 rules:
 - 'f:/etc/gdm/Init/Default'
@@ -638,7 +638,7 @@ checks:
 rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
 remediation: "Perform the following to implement the recommended state: # echo \"DisplayConnect /etc/issue\" >> /etc/proftpd.conf # svcadm restart ftp"
 compliance:
- - cis: "8.4"
+ - cis: ["8.4"]
 condition: all
 rules:
 - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue'
@@ -649,7 +649,7 @@ checks:
 rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd"
 compliance:
- - cis: "8.5"
+ - cis: ["8.5"]
 condition: all
 rules:
 - 'f:/etc/default/telnetd -> r:BANNER=$'
@@ -661,7 +661,7 @@ checks:
 rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
 remediation: "To lock a single account, use the command: # passwd -d [username] # passwd -l [username] To configure a single account to be non-login, use the command: # passwd -d [username] # passwd -N [username]"
 compliance:
- - cis: "9.3"
+ - cis: ["9.3"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:'
@@ -699,7 +699,7 @@ checks:
 rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked."
 remediation: "Use the passwd -l command to lock accounts that are not permitted to execute commands . Use the passwd -N command to set accounts to be non-logini."
 compliance:
- - cis: "9.4"
+ - cis: ["9.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
@@ -710,7 +710,7 @@ checks:
 rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
 remediation: "Disable or delete any other 0 UID entries that are displayed; there should be only one root account. Finer granularity access control for administrative access can be obtained by using the Solaris Role-Based Access Control (RBAC) mechanism. RBAC configurations should be monitored via user_attr(4) to make sure that privileges are managed appropriately."
 compliance:
- - cis: "9.5"
+ - cis: ["9.5"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
@@ -721,7 +721,7 @@ checks:
 rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
 remediation: "Correct or justify any items discovered in the Audit step."
 compliance:
- - cis: "9.6"
+ - cis: ["9.6"]
 condition: none
 rules:
 - 'f:/etc/profile -> r:.'
@@ -746,7 +746,7 @@ checks:
 rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.10"
+ - cis: ["9.10"]
 condition: none
 rules:
 - 'd:/home -> ^.rhosts$'
@@ -757,7 +757,7 @@ checks:
 rationale: "All users must be assigned a home directory in passwd(4)."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if there exists any users who are in passwd(4) but do not have a home directory, and work with those users to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.12"
+ - cis: ["9.12"]
 condition: none
 rules:
 - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*'
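Review bot: `f:/etc/profile -> r:.` under `condition: none` in the @@ -721 hunk does not inspect PATH at all: whether `.` is read as a literal dot (this file uses `\.` as the any-character form) or as a wildcard, the rule matches nearly every line of /etc/profile, so the check fails on any non-trivial file and says nothing about the current directory being in root's path. The rule should be restricted to a PATH assignment containing a lone `.` element, for example `r:^\s*PATH=\.*:\.:|^\s*PATH=\.*:\.$|^\s*PATH=\.:` kept under `condition: none`, with a similar pattern for empty `::` elements if the policy wants them. The check's id and title lines are outside the hunk.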
@@ -768,7 +768,7 @@ checks:
 rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.20"
+ - cis: ["9.20"]
 condition: none
 rules:
 - 'd:/home -> ^.netrc$'
@@ -779,7 +779,7 @@ checks:
 rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions."
 remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy."
 compliance:
- - cis: "9.21"
+ - cis: ["9.21"]
 condition: none
 rules:
 - 'd:/home -> ^.forward$'
diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml
index a8fc522f6..83b99b90a 100644
--- a/sca/windows/acsc_office2016.yml
+++ b/sca/windows/acsc_office2016.yml
@@ -343,7 +343,7 @@ checks:
 rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter"
 compliance:
- - cis: "2.22.1"
+ - cis: ["2.22.1"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters'
@@ -660,7 +660,7 @@ checks:
 rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run"
 compliance:
- - cis: "2.24.1.1"
+ - cis: ["2.24.1.1"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin'
@@ -672,7 +672,7 @@ checks:
 rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program"
 compliance:
- - cis: "2.24.1.2"
+ - cis: ["2.24.1.2"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable'
@@ -684,7 +684,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback"
 compliance:
- - cis: "2.24.1.3"
+ - cis: ["2.24.1.3"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot'
@@ -696,7 +696,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback"
 compliance:
- - cis: "2.24.1.4"
+ - cis: ["2.24.1.4"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled'
@@ -708,7 +708,7 @@ checks:
 rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information"
 compliance:
- - cis: "2.24.1.5"
+ - cis: ["2.24.1.5"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata'
@@ -720,7 +720,7 @@ checks:
 rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies."
 remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
 compliance:
- - cis: "2.24.1.6"
+ - cis: ["2.24.1.6"]
 condition: all
 rules:
 - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata'
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 8da5a2c1b..6c7e25b19 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -33,8 +33,8 @@ checks:
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
 compliance:
- - cis: "2.3.1.2"
- - cis_csc: "16"
+ - cis: ["2.3.1.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -47,8 +47,8 @@ checks:
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
 compliance:
- - cis: "2.3.1.4"
- - cis_csc: "16"
+ - cis: ["2.3.1.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -61,8 +61,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.1"
- - cis_csc: "6.2, 6.3"
+ - cis: ["2.3.2.1"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -75,8 +75,8 @@ checks:
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
 compliance:
- - cis: "2.3.2.2"
- - cis_csc: "6"
+ - cis: ["2.3.2.2"]
+ - cis_csc: ["6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
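Review bot: The flow sequences written for the split cis_csc values have no space after the comma, `- cis_csc: ["6.2","6.3"]`, which parses but departs from the `[a, b]` spacing yamllint and Prettier expect and from the spacing used everywhere else in this file; write `- cis_csc: ["6.2", "6.3"]`. The same applies to the multi-valued entries in hunks -383, -397, -411, -425, -439, -453, -467, -481 and -495, so a single pass over the file is enough. The id/title of each check lie before the hunk and, from the line counts, the rule list may continue past its last line, so I cannot see here whether the consuming SCA parser already accepts a list for cis_csc; if it still expects a scalar, every converted entry breaks at once, which is worth confirming against the loader before merging.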
@@ -89,8 +89,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -102,8 +102,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -116,8 +116,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -130,8 +130,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -144,8 +144,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
@@ -158,8 +158,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
@@ -172,8 +172,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "8"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -186,8 +186,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.4"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -201,8 +201,8 @@ checks:
 rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16"
+ - cis: ["2.3.7.8"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -215,8 +215,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -229,8 +229,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -243,8 +243,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -257,8 +257,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -271,8 +271,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -285,8 +285,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -299,8 +299,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -313,8 +313,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -327,8 +327,8 @@ checks:
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
 compliance:
- - cis: "2.3.9.5"
- - cis_csc: "14"
+ - cis: ["2.3.9.5"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -341,8 +341,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
 compliance:
- - cis: "2.3.10.2"
- - cis_csc: "16"
+ - cis: ["2.3.10.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -355,8 +355,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
 compliance:
- - cis: "2.3.10.3"
- - cis_csc: "16"
+ - cis: ["2.3.10.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -369,8 +369,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -383,8 +383,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -397,8 +397,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 14.2"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","14.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -411,8 +411,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -425,8 +425,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -439,8 +439,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -453,8 +453,8 @@ checks:
 rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "5.1, 9.1, 9.2"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["5.1","9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -467,8 +467,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data"
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -481,8 +481,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.12"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.12"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -495,8 +495,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -509,8 +509,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -523,8 +523,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -537,8 +537,8 @@ checks:
 rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
@@ -551,8 +551,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -565,8 +565,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
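Review bot: In the `@@ -565` hunk (CIS 2.3.11.6, "Force logoff when logon hours expire") the `compliance` block is followed directly by `rules:` with no `condition:` line, whereas every sibling check in this patch carries `condition: all` between the two. The rest of this check lies outside the hunk, so the key may be declared earlier; if it is not, this two-rule check has no stated aggregation and whatever the loader defaults to will decide whether `EnableForcedLogOff` is actually required. Adding `condition: all` after the compliance block would make the intent explicit and match the siblings.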
@@ -578,8 +578,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -592,8 +592,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -606,8 +606,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -620,8 +620,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -634,7 +634,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -647,8 +647,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4, 14.6"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -661,8 +661,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -675,8 +675,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -689,8 +689,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -703,8 +703,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -717,8 +717,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
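Review bot: The registry rule in the `@@ -717` hunk (CIS 2.3.17.5, "Detect application installations and prompt for elevation") reads `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while every other UAC check in this patch uses `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`; the extra `\MACHINE` segment looks like a duplicated path component. If so, the key is never found and the check reports a failure regardless of the host's actual UAC setting, which hides the real state of this control from anyone reading the scan. The line is context in this commit, but since the patch is already touching the check it is a good moment to correct it to `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`; the value rule that follows it is outside the hunk and may need the same fix.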
@@ -731,8 +731,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -745,8 +745,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -759,8 +759,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -773,7 +773,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -787,8 +787,8 @@ checks:
 rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Computer Browser"
 compliance:
- - cis: "5.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
@@ -800,8 +800,8 @@ checks:
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service"
 compliance:
- - cis: "5.6"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.6"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
@@ -813,8 +813,8 @@ checks:
 rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service"
 compliance:
- - cis: "5.7"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.7"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
@@ -827,8 +827,8 @@ checks:
 rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
 compliance:
- - cis: "5.8"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.8"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
@@ -841,8 +841,8 @@ checks:
 rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
 compliance:
- - cis: "5.10"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.10"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
@@ -854,8 +854,8 @@ checks:
 rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
 compliance:
- - cis: "5.11"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.11"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
@@ -867,8 +867,8 @@ checks:
 rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
 compliance:
- - cis: "5.24"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.24"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'
@@ -881,8 +881,8 @@ checks:
 rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
 compliance:
- - cis: "5.26"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.26"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'
@@ -895,8 +895,8 @@ checks:
 rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
 compliance:
- - cis: "5.28"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.28"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
@@ -908,8 +908,8 @@ checks:
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
 compliance:
- - cis: "5.30"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.30"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'
@@ -922,8 +922,8 @@ checks:
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
 compliance:
- - cis: "5.31"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.31"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'
@@ -936,8 +936,8 @@ checks:
 rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
 compliance:
- - cis: "5.32"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.32"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
@@ -949,8 +949,8 @@ checks:
 rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
 compliance:
- - cis: "5.35"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.35"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
@@ -962,8 +962,8 @@ checks:
 rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
 compliance:
- - cis: "5.36"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.36"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'
@@ -976,8 +976,8 @@ checks:
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
 compliance:
- - cis: "5.40"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.40"]
+ - cis_csc: ["9.1","9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
@@ -989,8 +989,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
 compliance:
- - cis: "5.41"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.41"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'
@@ -1003,8 +1003,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring"
 compliance:
- - cis: "5.42"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.42"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm'
@@ -1017,8 +1017,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
 compliance:
- - cis: "5.43"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.43"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'
@@ -1031,8 +1031,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
 compliance:
- - cis: "5.44"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.44"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'
@@ -1045,8 +1045,8 @@ checks:
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
 compliance:
- - cis: "5.45"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.45"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'
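Review bot: The registry rule in the `@@ -1045` hunk (CIS 5.45, "Xbox Live Networking Service") targets `...\Services\XboxNetApiSvce`, which does not look like a real service short name; the Windows service behind this benchmark item is registered as `XboxNetApiSvc`, so the trailing `e` is most likely a typo. With the key name wrong the `r:` rule never matches and the check is reported as failed even on hosts where the service is correctly disabled, so the finding would be noise rather than signal. The line is context here, but the patch already touches this check, so correcting it to `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc'` now is cheap; the value rule that follows is outside the hunk and should be checked for the same name.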
@@ -1060,8 +1060,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1074,8 +1074,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1088,8 +1088,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1102,7 +1102,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1115,8 +1115,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1129,8 +1129,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1143,8 +1143,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1157,8 +1157,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1171,8 +1171,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1185,8 +1185,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1199,8 +1199,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1213,7 +1213,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1226,8 +1226,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1240,8 +1240,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1254,8 +1254,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1268,8 +1268,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1282,8 +1282,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service"
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1296,8 +1296,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1310,8 +1310,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2, 9.4"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2","9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1324,7 +1324,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1337,8 +1337,8 @@ checks:
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1351,8 +1351,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1365,8 +1365,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1379,8 +1379,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3, 6.4"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3","6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1393,8 +1393,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1407,8 +1407,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2, 6.3"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1422,7 +1422,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera"
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1435,7 +1435,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show"
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1448,8 +1448,8 @@ checks:
 rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Regional and Language Options\\Allow input personalization"
 compliance:
- - cis: "18.1.2.2"
- - cis_csc: "13"
+ - cis: ["18.1.2.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
@@ -1462,8 +1462,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
 compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
+ - cis: ["18.2.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
@@ -1476,8 +1476,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy"
 compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2, 16.10"
+ - cis: ["18.2.2"]
+ - cis_csc: ["16.2","16.10"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1490,8 +1490,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management"
 compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
+ - cis: ["18.2.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1504,8 +1504,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
 compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
+ - cis: ["18.2.4"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1518,8 +1518,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
 compliance:
- - cis: "18.2.5"
- - cis_csc: "5.7"
+ - cis: ["18.2.5"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1532,8 +1532,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings"
 compliance:
- - cis: "18.2.6"
- - cis_csc: "16.5"
+ - cis: ["18.2.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1546,8 +1546,8 @@ checks:
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons"
 compliance:
- - cis: "18.3.1"
- - cis_csc: "5.8, 4.3"
+ - cis: ["18.3.1"]
+ - cis_csc: ["5.8","4.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1560,8 +1560,8 @@ checks:
 rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver"
 compliance:
- - cis: "18.3.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.3.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
@@ -1574,8 +1574,8 @@ checks:
 rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server"
 compliance:
- - cis: "18.3.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.3.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
@@ -1588,8 +1588,8 @@ checks:
 rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP)"
 compliance:
- - cis: "18.3.4"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.3.4"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
@@ -1602,8 +1602,8 @@ checks:
 rationale: "This opt-in feature is free and could prevent malicious software from being installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications"
 compliance:
- - cis: "18.3.5"
- - cis_csc: "8.4, 8.3"
+ - cis: ["18.3.5"]
+ - cis_csc: ["8.4","8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
@@ -1616,8 +1616,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997)"
 compliance:
- - cis: "18.3.6"
- - cis_csc: "16.14"
+ - cis: ["18.3.6"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
@@ -1630,8 +1630,8 @@ checks: rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" compliance: - - cis: "18.4.1" - - cis_csc: "16" + - cis: ["18.4.1"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' @@ -1644,8 +1644,8 @@ checks: rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" compliance: - - cis: "18.4.2" - - cis_csc: "9" + - cis: ["18.4.2"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 
@@ -1658,8 +1658,8 @@ checks: rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" compliance: - - cis: "18.4.3" - - cis_csc: "9" + - cis: ["18.4.3"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' @@ -1672,8 +1672,8 @@ checks: rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" compliance: - - cis: "18.4.5" - - cis_csc: "9" + - cis: ["18.4.5"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
@@ -1686,8 +1686,8 @@ checks: rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" compliance: - - cis: "18.4.7" - - cis_csc: "9" + - cis: ["18.4.7"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 
@@ -1700,8 +1700,8 @@ checks: rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" compliance: - - cis: "18.4.9" - - cis_csc: "8" + - cis: ["18.4.9"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' @@ -1714,8 +1714,8 @@ checks: rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" compliance: - - cis: "18.4.10" - - cis_csc: "16.5" + - cis: ["18.4.10"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -1728,8 +1728,8 @@ checks: rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" compliance: - - cis: "18.4.13" - - cis_csc: "6.3, 6.4" + - cis: ["18.4.13"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' @@ -1742,8 +1742,8 @@ checks: rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts." remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeTyp e" compliance: - - cis: "18.5.4.1" - - cis_csc: "9" + - cis: ["18.5.4.1"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters' 
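Review bot: The remediation text of the NodeType check (second hunk) contains a broken value name, `...\\Services\\NetBT\\Parameters:NodeTyp e`, which an operator following the instruction would paste verbatim and then fail to find in the registry. Since this is the line directly above the compliance entries the commit rewrites, the fix could be folded into the same change: `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeType`. The check's `id:` and `title:` lines are above the hunk.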
@@ -1756,8 +1756,8 @@ checks: rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\DNS Client\\Turn off multicast name resolution" compliance: - - cis: "18.5.4.2" - - cis_csc: "9" + - cis: ["18.5.4.2"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' @@ -1770,8 +1770,8 @@ checks: rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons" compliance: - - cis: "18.5.8.1" - - cis_csc: "9.1, 9.2" + - cis: ["18.5.8.1"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' 
@@ -1784,8 +1784,8 @@ checks: rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network" compliance: - - cis: "18.5.11.2" - - cis_csc: "5.1" + - cis: ["18.5.11.2"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' @@ -1798,8 +1798,8 @@ checks: rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network" compliance: - - cis: "18.5.11.3" - - cis_csc: "9.1, 9.2" + - cis: ["18.5.11.3"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 
@@ -1812,8 +1812,8 @@ checks: rationale: "Allowing regular users to set a network location increases the risk and attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location" compliance: - - cis: "18.5.11.4" - - cis_csc: "5.1" + - cis: ["18.5.11.4"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 
@@ -1826,8 +1826,8 @@ checks: rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths" compliance: - - cis: "18.5.14.1" - - cis_csc: "3" + - cis: ["18.5.14.1"] + - cis_csc: ["3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' 
@@ -1842,8 +1842,8 @@ checks: rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain" compliance: - - cis: "18.5.21.1" - - cis_csc: "12" + - cis: ["18.5.21.1"] + - cis_csc: ["12"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' @@ -1856,8 +1856,8 @@ checks: rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network" compliance: - - cis: "18.5.21.2" - - cis_csc: "12" + - cis: ["18.5.21.2"] + - cis_csc: ["12"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' 
@@ -1870,8 +1870,8 @@ checks: rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services" compliance: - - cis: "18.5.23.2.1" - - cis_csc: "15.4, 15.5" + - cis: ["18.5.23.2.1"] + - cis_csc: ["15.4","15.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config' @@ -1884,8 +1884,8 @@ checks: rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events" compliance: - - cis: "18.8.3.1" - - cis_csc: "16.14" + - cis: ["18.8.3.1"] + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 
@@ -1898,8 +1898,8 @@ checks: rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Credentials Delegation\\Remote host allows delegation of non-exportable credentials" compliance: - - cis: "18.8.4.2" - - cis_csc: "16" + - cis: ["18.8.4.2"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' @@ -1912,8 +1912,8 @@ checks: rationale: "This policy setting helps reduce the impact of malware that has already infected your system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy" compliance: - - cis: "18.8.14.1" - - cis_csc: "8" + - cis: ["18.8.14.1"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 
@@ -1926,8 +1926,8 @@ checks: rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing" compliance: - - cis: "18.8.21.2" - - cis_csc: "3.7, 5.4, 5.5" + - cis: ["18.8.21.2"] + - cis_csc: ["3.7","5.4","5.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' @@ -1940,8 +1940,8 @@ checks: rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing" compliance: - - cis: "18.8.21.3" - - cis_csc: "3.7, 5.4, 5.5" + - cis: ["18.8.21.3"] + - cis_csc: ["3.7","5.4","5.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' 
@@ -1954,8 +1954,8 @@ checks: rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device" compliance: - - cis: "18.8.21.4" - - cis_csc: "9.1, 9.2" + - cis: ["18.8.21.4"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -1968,8 +1968,8 @@ checks: rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy" compliance: - - cis: "18.8.21.5" - - cis_csc: "3.7, 5.4, 5.5" + - cis: ["18.8.21.5"] + - cis_csc: ["3.7","5.4","5.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1982,8 +1982,8 @@ checks: rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store" compliance: - - cis: "18.8.22.1.2" - - cis_csc: "2" + - cis: ["18.8.22.1.2"] + - cis_csc: ["2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' @@ -1996,8 +1996,8 @@ checks: rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP" compliance: - - cis: "18.8.22.1.7" - - cis_csc: "13.1" + - cis: ["18.8.22.1.7"] + - cis_csc: ["13.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 
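Review bot: The first hunk's check is documented as "Turn off access to the Store" (CIS 18.8.22.1.2), but its visible rule reads `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers`, the same key the printing-over-HTTP check in the second hunk uses. A Store-access policy would not normally be stored under the Printers key, so this looks like a copy-paste from the neighbouring check and the rule would evaluate an unrelated setting, passing or failing for the wrong reason. Please verify the registry location against the benchmark's registry reference before relying on this result. The value-name part of the rules block is outside the hunk, so I cannot see what it compares.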
@@ -2010,8 +2010,8 @@ checks: rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block user from showing account details on sign-in" compliance: - - cis: "18.8.27.1" - - cis_csc: "16.5" + - cis: ["18.8.27.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2024,8 +2024,8 @@ checks: rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI" compliance: - - cis: "18.8.27.2" - - cis_csc: "5" + - cis: ["18.8.27.2"] + - cis_csc: ["5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2038,8 +2038,8 @@ checks: rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers" compliance: - - cis: "18.8.27.3" - - cis_csc: "16.9" + - cis: ["18.8.27.3"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2052,8 +2052,8 @@ checks: rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers" compliance: - - cis: "18.8.27.4" - - cis_csc: "16.9" + - cis: ["18.8.27.4"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2066,8 +2066,8 @@ checks: rationale: "App notifications might display sensitive business or personal data" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen" compliance: - - cis: "18.8.27.5" - - cis_csc: "16.5" + - cis: ["18.8.27.5"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2080,8 +2080,8 @@ checks: rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off picture password sign-in" compliance: - - cis: "18.8.27.6" - - cis_csc: "16.5" + - cis: ["18.8.27.6"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2094,8 +2094,8 @@ checks: rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in" compliance: - - cis: "18.8.27.7" - - cis_csc: "16.5" + - cis: ["18.8.27.7"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -2108,8 +2108,8 @@ checks: rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (on battery)" compliance: - - cis: "18.8.33.6.1" - - cis_csc: "9" + - cis: ["18.8.33.6.1"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' @@ -2122,8 +2122,8 @@ checks: rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow network connectivity during connected-standby (plugged in)" compliance: - - cis: "18.8.33.6.2" - - cis_csc: "9" + - cis: ["18.8.33.6.2"] + - cis_csc: ["9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' 
@@ -2136,8 +2136,8 @@ checks: rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)" compliance: - - cis: "18.8.33.6.5" - - cis_csc: "13.2, 13.6" + - cis: ["18.8.33.6.5"] + - cis_csc: ["13.2","13.6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' @@ -2150,8 +2150,8 @@ checks: rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in)" compliance: - - cis: "18.8.33.6.6" - - cis_csc: "16.5" + - cis: ["18.8.33.6.6"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' 
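Review bot: Both checks in these hunks read the same PowerSettings subkey, `...\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51`, yet the first is described as "Allow standby states (S1-S3) when sleeping (on battery)" and the second as "Require a password when a computer wakes (plugged in)". Those are distinct Group Policy settings, so at most one of the two rule keys can be correct; the connected-standby pair earlier in the file presumably shares a GUID only because on-battery and plugged-in variants differ by value name, which does not apply across two different settings. Verify the GUID for the standby-states check against the benchmark's registry reference. The value-name line of each rule and the `id:`/`title:` lines are outside the hunk.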
@@ -2164,8 +2164,8 @@ checks: rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance" compliance: - - cis: "18.8.35.1" - - cis_csc: "9.1, 9.2" + - cis: ["18.8.35.1"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2178,8 +2178,8 @@ checks: rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance" compliance: - - cis: "18.8.35.2" - - cis_csc: "5.1" + - cis: ["18.8.35.2"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2192,8 +2192,8 @@ checks: rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication" compliance: - - cis: "18.8.36.1" - - cis_csc: "9.1, 9.2" + - cis: ["18.8.36.1"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' @@ -2206,8 +2206,8 @@ checks: rationale: "Unauthenticated RPC communication can create a security vulnerability." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" compliance: - - cis: "18.8.36.2" - - cis_csc: "9.1, 9.2" + - cis: ["18.8.36.2"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' 
@@ -2220,8 +2220,8 @@ checks: rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional" compliance: - - cis: "18.9.6.1" - - cis_csc: "16.9" + - cis: ["18.9.6.1"] + - cis_csc: ["16.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' @@ -2234,8 +2234,8 @@ checks: rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices" compliance: - - cis: "18.9.8.1" - - cis_csc: "8.3, 8.4, 8.5" + - cis: ["18.9.8.1"] + - cis_csc: ["8.3","8.4","8.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
@@ -2248,8 +2248,8 @@ checks: rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun" compliance: - - cis: "18.9.8.2" - - cis_csc: "8.3, 8.4, 8.5" + - cis: ["18.9.8.2"] + - cis_csc: ["8.3","8.4","8.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -2262,8 +2262,8 @@ checks: rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay" compliance: - - cis: "18.9.8.3" - - cis_csc: "8.3, 8.4, 8.5" + - cis: ["18.9.8.3"] + - cis_csc: ["8.3","8.4","8.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' 
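Review bot: In the 18.9.8.3 hunk the only visible rule is `'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'`, where the separator between the registry key and the value name has no space before `->`. If the SCA rule parser splits key and value on the literal ` -> ` token (a space on each side), this whole string is looked up as one non-existent key, the rule never matches, and because the check uses `condition: all` a host that really has Autoplay turned off is reported as failing it. The line should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'`; the commit only touches the compliance keys in this hunk, so this rule is unchanged from before, and any further rules for the check lie outside the hunk.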
@@ -2275,8 +2275,8 @@ checks: rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing" compliance: - - cis: "18.9.10.1.1" - - cis_csc: "16" + - cis: ["18.9.10.1.1"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' @@ -2289,8 +2289,8 @@ checks: rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences" compliance: - - cis: "18.9.13.1" - - cis_csc: "13" + - cis: ["18.9.13.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent' @@ -2303,8 +2303,8 @@ checks: rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing" compliance: - - cis: "18.9.14.1" - - cis_csc: "15.8, 15.9" + - cis: ["18.9.14.1"] + - cis_csc: ["15.8","15.9"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect' 
@@ -2317,8 +2317,8 @@ checks: rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button" compliance: - - cis: "18.9.15.1" - - cis_csc: "16" + - cis: ["18.9.15.1"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' @@ -2331,8 +2331,8 @@ checks: rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation" compliance: - - cis: "18.9.15.2" - - cis_csc: "16" + - cis: ["18.9.15.2"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' 
@@ -2345,8 +2345,8 @@ checks: rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry" compliance: - - cis: "18.9.16.1" - - cis_csc: "13" + - cis: ["18.9.16.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' @@ -2359,8 +2359,8 @@ checks: rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Do not show feedback notifications" compliance: - - cis: "18.9.16.3" - - cis_csc: "13" + - cis: ["18.9.16.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection' @@ -2373,8 +2373,8 @@ checks: rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Toggle user control over Insider builds" compliance: - - cis: "18.9.16.4" - - cis_csc: "3" + - cis: ["18.9.16.4"] + - cis_csc: ["3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds' 
@@ -2387,8 +2387,8 @@ checks: rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator." remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode" compliance: - - cis: "18.9.17.1" - - cis_csc: "4.5, 3.4, 3.5" + - cis: ["18.9.17.1"] + - cis_csc: ["4.5","3.4","3.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' @@ -2401,8 +2401,8 @@ checks: rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size" compliance: - - cis: "18.9.26.1.1" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.1.1"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' 
@@ -2415,8 +2415,8 @@ checks: rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB)" compliance: - - cis: "18.9.26.1.2" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.1.2"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' @@ -2429,8 +2429,8 @@ checks: rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size" compliance: - - cis: "18.9.26.2.1" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.2.1"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' 
@@ -2443,8 +2443,8 @@ checks: rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB)" compliance: - - cis: "18.9.26.2.2" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.2.2"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' @@ -2457,8 +2457,8 @@ checks: rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size" compliance: - - cis: "18.9.26.3.1" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.3.1"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' 
@@ -2471,8 +2471,8 @@ checks: rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)" compliance: - - cis: "18.9.26.3.2" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.3.2"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' @@ -2485,8 +2485,8 @@ checks: rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size" compliance: - - cis: "18.9.26.4.1" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.4.1"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' 
@@ -2499,8 +2499,8 @@ checks: rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)" compliance: - - cis: "18.9.26.4.2" - - cis_csc: "6.3, 6.4" + - cis: ["18.9.26.4.2"] + - cis_csc: ["6.3","6.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' @@ -2513,8 +2513,8 @@ checks: rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer" compliance: - - cis: "18.9.30.2" - - cis_csc: "8.4, 8.3" + - cis: ["18.9.30.2"] + - cis_csc: ["8.4","8.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' @@ -2527,8 +2527,8 @@ checks: rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption" compliance: - - cis: "18.9.30.3" - - cis_csc: "8.4, 8.3" + - cis: ["18.9.30.3"] + - cis_csc: ["8.4","8.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
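Review bot: The 18.9.30.2 and 18.9.30.3 hunks convert the mapping to `cis_csc: ["8.4","8.3"]`, a descending order that differs from every other list on this page, which is ascending; since the conversion is mechanical, `cis_csc: ["8.3", "8.4"]` keeps the data uniform and makes the lists comparable against the benchmark's own control mapping without a sort. The same reordering applies to 18.9.30.4 in the following hunk.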
@@ -2541,8 +2541,8 @@ checks: rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode" compliance: - - cis: "18.9.30.4" - - cis_csc: "8.4, 8.3" + - cis: ["18.9.30.4"] + - cis_csc: ["8.4","8.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -2555,8 +2555,8 @@ checks: rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup" compliance: - - cis: "18.9.35.1" - - cis_csc: "14.1, 14.2" + - cis: ["18.9.35.1"] + - cis_csc: ["14.1","14.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup' 
@@ -2569,8 +2569,8 @@ checks: rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft accounts\\Block all consumer Microsoft account user authentication" compliance: - - cis: "18.9.44.1" - - cis_csc: "16" + - cis: ["18.9.44.1"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount' @@ -2583,8 +2583,8 @@ checks: rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block only 3rd-party cookies (or, if applicable for your environment, Enabled: Block all cookies): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure cookies" compliance: - - cis: "18.9.45.4" - - cis_csc: "13" + - cis: ["18.9.45.4"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' 
@@ -2597,8 +2597,8 @@ checks: rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Password Manager" compliance: - - cis: "18.9.45.5" - - cis_csc: "16" + - cis: ["18.9.45.5"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' @@ -2611,8 +2611,8 @@ checks: rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Adobe Flash Click-to-Run setting" compliance: - - cis: "18.9.45.8" - - cis_csc: "7.2" + - cis: ["18.9.45.8"] + - cis_csc: ["7.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security' 
@@ -2625,8 +2625,8 @@ checks: rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage" compliance: - - cis: "18.9.52.1" - - cis_csc: "13" + - cis: ["18.9.52.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' @@ -2639,8 +2639,8 @@ checks: rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved" compliance: - - cis: "18.9.58.2.2" - - cis_csc: "16.4" + - cis: ["18.9.58.2.2"] + - cis_csc: ["16.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2653,8 +2653,8 @@ checks: rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection" compliance: - - cis: "18.9.58.3.3.2" - - cis_csc: "13" + - cis: ["18.9.58.3.3.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2667,8 +2667,8 @@ checks: rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection" compliance: - - cis: "18.9.58.3.9.1" - - cis_csc: "16.14" + - cis: ["18.9.58.3.9.1"] + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2681,8 +2681,8 @@ checks: rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication" compliance: - - cis: "18.9.58.3.9.2" - - cis_csc: "3.4" + - cis: ["18.9.58.3.9.2"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2695,8 +2695,8 @@ checks: rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level" compliance: - - cis: "18.9.58.3.9.5" - - cis_csc: "3.4" + - cis: ["18.9.58.3.9.5"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2709,8 +2709,8 @@ checks: rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit" compliance: - - cis: "18.9.58.3.11.1" - - cis_csc: "14.4, 14.6" + - cis: ["18.9.58.3.11.1"] + - cis_csc: ["14.4","14.6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2723,8 +2723,8 @@ checks: rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session" compliance: - - cis: "18.9.58.3.11.2" - - cis_csc: "14.4, 14.6" + - cis: ["18.9.58.3.11.2"] + - cis_csc: ["14.4","14.6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2737,8 +2737,8 @@ checks: rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures" compliance: - - cis: "18.9.59.1" - - cis_csc: "7.2" + - cis: ["18.9.59.1"] + - cis_csc: ["7.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' @@ -2751,8 +2751,8 @@ checks: rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana" compliance: - - cis: "18.9.60.3" - - cis_csc: "9.1, 9.2" + - cis: ["18.9.60.3"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -2765,8 +2765,8 @@ checks: rationale: "Access to any computer resource should not be allowed when the device is locked." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana above lock screen" compliance: - - cis: "18.9.60.4" - - cis_csc: "16.5" + - cis: ["18.9.60.4"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' 
@@ -2779,8 +2779,8 @@ checks: rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files" compliance: - - cis: "18.9.60.5" - - cis_csc: "13.1" + - cis: ["18.9.60.5"] + - cis_csc: ["13.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -2793,8 +2793,8 @@ checks: rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out" remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location" compliance: - - cis: "18.9.60.6" - - cis_csc: "9.1, 9.2" + - cis: ["18.9.60.6"] + - cis_csc: ["9.1","9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -2807,8 +2807,8 @@ checks: rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates" compliance: - - cis: "18.9.68.3" - - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1" + - cis: ["18.9.68.3"] + - cis_csc: ["3.1","3.4","3.5","4.5","5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' 
@@ -2821,8 +2821,8 @@ checks: rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows" compliance: - - cis: "18.9.68.4" - - cis_csc: "3.1, 3.4, 3.5, 4.5, 5.1" + - cis: ["18.9.68.4"] + - cis_csc: ["3.1","3.4","3.5","4.5","5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' @@ -2835,8 +2835,8 @@ checks: rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Configure local setting override for reporting to Microsoft MAPS" compliance: - - cis: "18.9.76.3.1" - - cis_csc: "8" + - cis: ["18.9.76.3.1"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' 
@@ -2849,8 +2849,8 @@ checks: rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring" compliance: - - cis: "18.9.76.7.1" - - cis_csc: "8.1, 8.6" + - cis: ["18.9.76.7.1"] + - cis_csc: ["8.1","8.6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' @@ -2863,8 +2863,8 @@ checks: rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Scan removable drives" compliance: - - cis: "18.9.76.10.1" - - cis_csc: "13" + - cis: ["18.9.76.10.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' 
@@ -2877,8 +2877,8 @@ checks:
 rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Scan\\Turn on e-mail scanning"
 compliance:
- - cis: "18.9.76.10.2"
- - cis_csc: "13"
+ - cis: ["18.9.76.10.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
@@ -2891,8 +2891,8 @@ checks:
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules"
 compliance:
- - cis: "18.9.76.13.1.1"
- - cis_csc: "8.4"
+ - cis: ["18.9.76.13.1.1"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
@@ -2905,8 +2905,8 @@ checks:
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
 remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule"
 compliance:
- - cis: "18.9.76.13.1.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.76.13.1.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
@@ -2939,8 +2939,8 @@ checks:
 rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network Protection\\Prevent users and apps from accessing dangerous websites"
 compliance:
- - cis: "18.9.76.13.3.1"
- - cis_csc: "7"
+ - cis: ["18.9.76.13.3.1"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
@@ -2953,8 +2953,8 @@ checks:
 rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus"
 compliance:
- - cis: "18.9.76.14"
- - cis_csc: "8.1, 8.6"
+ - cis: ["18.9.76.14"]
+ - cis_csc: ["8.1","8.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
@@ -2967,8 +2967,8 @@ checks:
 rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Security Center\\App and browser protection\\Prevent users from modifying settings"
 compliance:
- - cis: "18.9.79.2.1"
- - cis_csc: "8.4"
+ - cis: ["18.9.79.2.1"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
@@ -2981,8 +2981,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen"
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2997,8 +2997,8 @@ checks:
 rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Configure Windows Defender SmartScreen"
 compliance:
- - cis: "18.9.80.2.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.2.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3011,8 +3011,8 @@ checks:
 rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: In the Windows 10 Release 1703 Administrative Templates the setting was in the following location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files In the Windows 10 Release 1709 Administrative Templates the setting was removed from the new location above and left in the old location: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for files"
 compliance:
- - cis: "18.9.80.2.2"
- - cis_csc: "7"
+ - cis: ["18.9.80.2.2"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3025,8 +3025,8 @@ checks:
 rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Microsoft Edge\\Prevent bypassing Windows Defender SmartScreen prompts for sites"
 compliance:
- - cis: "18.9.80.2.3"
- - cis_csc: "7"
+ - cis: ["18.9.80.2.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
@@ -3039,8 +3039,8 @@ checks:
 rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Game Recording and Broadcasting\\Enables or disables Windows Game Recording and Broadcasting"
 compliance:
- - cis: "18.9.82.1"
- - cis_csc: "13"
+ - cis: ["18.9.82.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
@@ -3053,8 +3053,8 @@ checks:
 rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow access above lock OR Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow Windows Ink Workspace"
 compliance:
- - cis: "18.9.84.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.84.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
@@ -3067,8 +3067,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs"
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -3081,8 +3081,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges"
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -3095,8 +3095,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart"
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -3109,8 +3109,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging"
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -3123,8 +3123,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription"
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
@@ -3137,8 +3137,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication"
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13, 16.5"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13","16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3151,8 +3151,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic"
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3165,8 +3165,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication"
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3179,8 +3179,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication"
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3193,8 +3193,8 @@ checks:
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM"
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3207,8 +3207,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic"
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.5, 16.13"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.5","16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3221,8 +3221,8 @@ checks:
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable preview builds: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Manage preview builds"
 compliance:
- - cis: "18.9.101.1.1"
- - cis_csc: "3"
+ - cis: ["18.9.101.1.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3237,8 +3237,8 @@ checks:
 rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received"
 compliance:
- - cis: "18.9.101.1.2"
- - cis_csc: "3"
+ - cis: ["18.9.101.1.2"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3255,8 +3255,8 @@ checks:
 rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received"
 compliance:
- - cis: "18.9.101.1.3"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.1.3"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3271,8 +3271,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3285,8 +3285,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day"
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3299,8 +3299,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations"
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "3.4, 3.5, 4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["3.4","3.5","4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index 64e91932f..391e4dbda 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -33,8 +33,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -47,8 +47,8 @@ checks:
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
 compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -61,8 +61,8 @@ checks:
 rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer"
 compliance:
- - cis: "2.3.14.1"
- - cis_csc: "16.14"
+ - cis: ["2.3.14.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
@@ -76,8 +76,8 @@ checks:
 rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
 compliance:
- - cis: "5.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
@@ -90,8 +90,8 @@ checks:
 rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
 compliance:
- - cis: "5.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'
@@ -104,8 +104,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
 compliance:
- - cis: "5.5"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.5"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'
@@ -118,8 +118,8 @@ checks:
 rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
 compliance:
- - cis: "5.9"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.9"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'
@@ -132,8 +132,8 @@ checks:
 rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
 compliance:
- - cis: "5.12"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.12"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI'
@@ -146,8 +146,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
 compliance:
- - cis: "5.15"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.15"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'
@@ -160,8 +160,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
 compliance:
- - cis: "5.16"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.16"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'
@@ -174,8 +174,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
 compliance:
- - cis: "5.17"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.17"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc'
@@ -188,8 +188,8 @@ checks:
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
 compliance:
- - cis: "5.18"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.18"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'
@@ -202,8 +202,8 @@ checks:
 rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
 compliance:
- - cis: "5.19"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.19"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'
@@ -216,8 +216,8 @@ checks:
 rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
 compliance:
- - cis: "5.20"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.20"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'
@@ -230,8 +230,8 @@ checks:
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
 compliance:
- - cis: "5.21"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.21"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'
@@ -244,8 +244,8 @@ checks:
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
 compliance:
- - cis: "5.22"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.22"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'
@@ -258,8 +258,8 @@ checks:
 rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
 compliance:
- - cis: "5.23"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.23"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'
@@ -272,8 +272,8 @@ checks:
 rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
 compliance:
- - cis: "5.25"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.25"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
@@ -286,8 +286,8 @@ checks:
 rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
 compliance:
- - cis: "5.27"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.27"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'
@@ -300,8 +300,8 @@ checks:
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
 compliance:
- - cis: "5.29"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.29"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
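Review bot: In the SNMP hunk (`@@ -300,8`), the rule `r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP` under `condition: all` requires the service key to exist, while the remediation text accepts "Disabled or ensure the service is not installed". On a host where the SNMP feature was never installed the key is absent, so a key-existence rule fails and the check reports non-compliance for a state the benchmark explicitly allows, unless the remainder of the rules list handles absence. Consider letting absence satisfy the check, for example a negated key-existence rule next to the disabled-state rule under `condition: any` if the SCA rule grammar supports negated registry rules, or at least state in `description` that the check assumes the service is installed. The check's rules list continues past the end of the hunk.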
@@ -314,8 +314,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
 compliance:
- - cis: "5.33"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.33"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'
@@ -328,8 +328,8 @@ checks:
 rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
 compliance:
- - cis: "5.34"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.34"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'
@@ -342,8 +342,8 @@ checks:
 rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
 compliance:
- - cis: "5.37"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.37"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'
@@ -356,8 +356,8 @@ checks:
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
 compliance:
- - cis: "5.38"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.38"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'
@@ -370,8 +370,8 @@ checks:
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
 compliance:
- - cis: "5.39"
- - cis_csc: "9.1, 9.2"
+ - cis: ["5.39"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM'
@@ -385,8 +385,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.3"
- - cis_csc: "9.1"
+ - cis: ["18.1.3"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -400,8 +400,8 @@ checks:
 rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -416,8 +416,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -432,8 +432,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "9"
+ - cis: ["18.4.8"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -448,8 +448,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
+ - cis: ["18.4.11"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -464,8 +464,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "9"
+ - cis: ["18.4.12"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -481,8 +481,8 @@ checks:
 rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.5.1"
- - cis_csc: "3, 13"
+ - cis: ["18.5.5.1"]
+ - cis_csc: ["3","13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -495,8 +495,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -515,8 +515,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -535,8 +535,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
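Review bot: In the `18.5.10.2` hunk (`@@ -535,8`), the remediation string carries a split word, `P2P- pnrp.admx/adml`, that looks like a line-wrap artifact from the benchmark text; the template file name is a single token, so the text should read `...Group Policy template P2P-pnrp.admx/adml that is included...`. Operators copy these names into searches and tickets, so it is worth correcting while the compliance keys on the same check are being rewritten.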
@@ -549,8 +549,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
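Review bot: The remediation string contains a split identifier, `Parameters:Disabl edComponents`; the registry value an operator has to set is `DisabledComponents`, and the stray space turns the one copy-pasteable name in the text into something that cannot be found or searched. Change the fragment to `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents`. The check's rules list continues past the end of the hunk, so whether the value is actually compared against 0xff is not visible here.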
@@ -563,8 +563,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4","15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -585,8 +585,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4, 15.5"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4","15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -600,8 +600,8 @@ checks:
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -614,8 +614,8 @@ checks:
 rationale: "Users might download drivers that include malicious code."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP"
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "7"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -628,8 +628,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -642,8 +642,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -656,8 +656,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.5"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -670,7 +670,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.8"
+ - cis: ["18.8.22.1.8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
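Review bot: In the `18.8.22.1.8` hunk (`@@ -670,7`), the rule path `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control` omits the `SOFTWARE\` component that every sibling policy rule in this file uses (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\...`). Unless a key directly under the hive root is intended, which is not where Group Policy writes these settings, the key will never be found and the check will fail on every host regardless of how the setting is configured, so the commit's metadata cleanup leaves a check that cannot pass. Change the line to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`. The check's rules list continues past the end of the hunk.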
@@ -683,8 +683,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.9"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -697,8 +697,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.10"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.10"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -711,8 +711,8 @@ checks:
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.11"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.11"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -725,8 +725,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.12"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.12"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -739,8 +739,8 @@ checks:
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.13"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -753,8 +753,8 @@ checks:
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.22.1.14"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.14"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -770,8 +770,8 @@ checks:
 rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.25.1"
- - cis_csc: "1.6"
+ - cis: ["18.8.25.1"]
+ - cis_csc: ["1.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
@@ -786,8 +786,8 @@ checks:
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.26.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.26.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -800,8 +800,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.5.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -814,8 +814,8 @@ checks:
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.44.11.1"
- - cis_csc: "13"
+ - cis: ["18.8.44.11.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -828,8 +828,8 @@ checks:
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.46.1"
- - cis_csc: "13"
+ - cis: ["18.8.46.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -842,8 +842,8 @@ checks:
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.1"
- - cis_csc: "6.1"
+ - cis: ["18.8.49.1.1"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -856,8 +856,8 @@ checks:
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.49.1.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.8.49.1.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -871,8 +871,8 @@ checks:
 rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.4.1"
- - cis_csc: "14.4, 14.6"
+ - cis: ["18.9.4.1"]
+ - cis_csc: ["14.4","14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
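Review bot: The multi-element flow sequences introduced on the new side of hunk @@ -856, `- cis_csc: ["9.1","9.2"]`, omit the space after the comma that yamllint and Prettier expect, so the line is better written as `- cis_csc: ["9.1", "9.2"]`; the same form appears in hunks @@ -871, @@ -927, @@ -1039, @@ -1066, @@ -1080, @@ -1094 and @@ -1138 and should be fixed consistently across the file. The quoting of each element must be kept when that is done: unquoted `7`, `13` or `7.2` would be loaded as an int or float rather than the control-id string the compliance mapping keys on, and a loader-dependent type change is exactly the kind of silent drift that breaks downstream matching. A one-line comment at the top of the compliance block, such as `# compliance ids are lists of quoted strings; keep the quotes so "7"/"7.2" stay strings`, would keep later edits from reintroducing bare numbers.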
@@ -885,8 +885,8 @@ checks:
 rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.12.1"
- - cis_csc: "13"
+ - cis: ["18.9.12.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
@@ -899,8 +899,8 @@ checks:
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.16.2"
- - cis_csc: "13"
+ - cis: ["18.9.16.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -913,8 +913,8 @@ checks:
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.39.2"
- - cis_csc: "13"
+ - cis: ["18.9.39.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -927,8 +927,8 @@ checks:
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.43.1"
- - cis_csc: "9.1, 9.2, 13"
+ - cis: ["18.9.43.1"]
+ - cis_csc: ["9.1","9.2","13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
@@ -941,8 +941,8 @@ checks:
 rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.1"
- - cis_csc: "13"
+ - cis: ["18.9.45.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI'
@@ -955,8 +955,8 @@ checks:
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.2"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.2"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
@@ -969,8 +969,8 @@ checks:
 rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.3"
- - cis_csc: "7"
+ - cis: ["18.9.45.3"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -983,8 +983,8 @@ checks:
 rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.6"
- - cis_csc: "7"
+ - cis: ["18.9.45.6"]
+ - cis_csc: ["7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -997,8 +997,8 @@ checks:
 rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.7"
- - cis_csc: "13"
+ - cis: ["18.9.45.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes'
@@ -1011,8 +1011,8 @@ checks:
 rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.45.9"
- - cis_csc: "3"
+ - cis: ["18.9.45.9"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -1025,8 +1025,8 @@ checks:
 rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
- - cis: "18.9.45.10"
- - cis_csc: "7.2"
+ - cis: ["18.9.45.10"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
@@ -1039,8 +1039,8 @@ checks:
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.57.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.57.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
@@ -1053,7 +1053,7 @@ checks:
 rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.2.1"
+ - cis: ["18.9.58.3.2.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1066,8 +1066,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.1"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.1"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1080,8 +1080,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.3"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.3"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1094,8 +1094,8 @@ checks:
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.4"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.58.3.3.4"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1108,8 +1108,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.1"]
+ - cis_csc: ["16.5"]
 references:
 - https://workbench.cisecurity.org/benchmarks/766
 condition: all
@@ -1124,8 +1124,8 @@ checks:
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.10.2"
- - cis_csc: "16.5"
+ - cis: ["18.9.58.3.10.2"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1138,8 +1138,8 @@ checks:
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "9.1, 9.2"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -1152,7 +1152,7 @@ checks:
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.65.1"
+ - cis: ["18.9.65.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
@@ -1165,8 +1165,8 @@ checks:
 rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.68.5"
- - cis_csc: "2"
+ - cis: ["18.9.68.5"]
+ - cis_csc: ["2"]
 references:
 - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions
 - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy
@@ -1182,7 +1182,7 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.3.2"
+ - cis: ["18.9.76.3.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -1195,8 +1195,8 @@ checks:
 rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.76.9.1"
- - cis_csc: "13"
+ - cis: ["18.9.76.9.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
@@ -1209,8 +1209,8 @@ checks:
 rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.84.1"
- - cis_csc: "13"
+ - cis: ["18.9.84.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
@@ -1223,8 +1223,8 @@ checks: rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - - cis: "18.9.85.3" - - cis_csc: "7" + - cis: ["18.9.85.3"] + - cis_csc: ["7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -1237,8 +1237,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - - cis: "18.9.97.2.2" - - cis_csc: "3.4" + - cis: ["18.9.97.2.2"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -1251,8 +1251,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.98.1" - - cis_csc: "3.4" + - cis: ["18.9.98.1"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml index f0f08703f..705020360 100644 --- a/sca/windows/cis_win2012r2_domainL1.yml +++ b/sca/windows/cis_win2012r2_domainL1.yml 
@@ -35,8 +35,8 @@ checks: rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." compliance: - - cis: "1.1.2" - - cis_csc: "16.5" + - cis: ["1.1.2"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -51,8 +51,8 @@ checks: rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems." remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts" compliance: - - cis: "2.3.1.2" - - cis_csc: "16" + - cis: ["2.3.1.2"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -65,8 +65,8 @@ checks: rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" compliance: - - cis: "2.3.1.4" - - cis_csc: "16" + - cis: ["2.3.1.4"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -79,8 +79,8 @@ checks: rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" compliance: - - cis: "2.3.2.1" - - cis_csc: "6.2" + - cis: ["2.3.2.1"] + - cis_csc: ["6.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -93,8 +93,8 @@ checks: rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" compliance: - - cis: "2.3.2.2" - - cis_csc: "6" + - cis: ["2.3.2.2"] + - cis_csc: ["6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -107,8 +107,8 @@ checks: rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" compliance: - - cis: "2.3.4.1" - - cis_csc: "5.1" + - cis: ["2.3.4.1"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' @@ -121,8 +121,8 @@ checks: rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks" compliance: - - cis: "2.3.5.1" - - cis_csc: "5.1" + - cis: ["2.3.5.1"] + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -135,8 +135,8 @@ checks: rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements" compliance: - - cis: "2.3.5.2" - - cis_csc: "3" + - cis: ["2.3.5.2"] + - cis_csc: ["3"] references: - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/ condition: all 
@@ -151,8 +151,8 @@ checks: rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes" compliance: - - cis: "2.3.5.3" - - cis_csc: "16" + - cis: ["2.3.5.3"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -165,8 +165,8 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" compliance: - - cis: "2.3.6.1" - - cis_csc: "13" + - cis: ["2.3.6.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -179,8 +179,8 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" compliance: - - cis: "2.3.6.2" - - cis_csc: "13" + - cis: ["2.3.6.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -193,8 +193,8 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" compliance: - - cis: "2.3.6.3" - - cis_csc: "13" + - cis: ["2.3.6.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -207,8 +207,8 @@ checks: rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" compliance: - - cis: "2.3.6.4" - - cis_csc: "16" + - cis: ["2.3.6.4"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -221,8 +221,8 @@ checks: rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" compliance: - - cis: "2.3.6.6" - - cis_csc: "13" + - cis: ["2.3.6.6"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -235,8 +235,8 @@ checks: rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name" compliance: - - cis: "2.3.7.1" - - cis_csc: "13" + - cis: ["2.3.7.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -249,8 +249,8 @@ checks: rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" compliance: - - cis: "2.3.7.2" - - cis_csc: "8" + - cis: ["2.3.7.2"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' @@ -263,8 +263,8 @@ checks: rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit" compliance: - - cis: "2.3.7.3" - - cis_csc: "16.5" + - cis: ["2.3.7.3"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -278,8 +278,8 @@ checks: rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" compliance: - - cis: "2.3.7.7" - - cis_csc: "16" + - cis: ["2.3.7.7"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' @@ -292,8 +292,8 @@ checks: rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" compliance: - - cis: "2.3.7.9" - - cis_csc: "16.5" + - cis: ["2.3.7.9"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -306,8 +306,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" compliance: - - cis: "2.3.8.1" - - cis_csc: "13" + - cis: ["2.3.8.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -320,8 +320,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" compliance: - - cis: "2.3.8.2" - - cis_csc: "13" + - cis: ["2.3.8.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -334,8 +334,8 @@ checks: rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" compliance: - - cis: "2.3.8.3" - - cis_csc: "13" + - cis: ["2.3.8.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' @@ -348,8 +348,8 @@ checks: rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session" compliance: - - cis: "2.3.9.1" - - cis_csc: "3" + - cis: ["2.3.9.1"] + - cis_csc: ["3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -363,8 +363,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)" compliance: - - cis: "2.3.9.2" - - cis_csc: "13" + - cis: ["2.3.9.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -377,8 +377,8 @@ checks: rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)" compliance: - - cis: "2.3.9.3" - - cis_csc: "13" + - cis: ["2.3.9.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -391,8 +391,8 @@ checks: rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire" compliance: - - cis: "2.3.9.4" - - cis_csc: "16" + - cis: ["2.3.9.4"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -406,8 +406,8 @@ checks: rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication" compliance: - - cis: "2.3.10.4" - - cis_csc: "16.14" + - cis: ["2.3.10.4"] + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -420,8 +420,8 @@ checks: rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" compliance: - - cis: "2.3.10.5" - - cis_csc: "14, 16" + - cis: ["2.3.10.5"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -434,8 +434,8 @@ checks: rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" compliance: - - cis: "2.3.10.6" - - cis_csc: "14.1, 16" + - cis: ["2.3.10.6"] + - cis_csc: ["14.1","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
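Review bot: The new flow sequences that split a multi-control string omit the space after the comma — `- cis_csc: ["14","16"]` on the 2.3.10.5 hunk and `- cis_csc: ["14.1","16"]` on the 2.3.10.6 hunk — while every other list in this patch is single-element and the usual flow-style convention (also what yamllint and Prettier emit) is one space after `,`. Both parse to the same two-string list, so this is style only, but it will churn on the first formatter pass; suggest `- cis_csc: ["14", "16"]` and `- cis_csc: ["14.1", "16"]`. The same spacing appears in the 2.3.10.7, 2.3.10.8, 2.3.10.9 and 2.3.10.10 hunks that follow. Keeping the ids quoted inside the brackets is correct and should stay, since `"16"` or `"16.5"` unquoted would be coerced to int/float by the loader.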
@@ -448,8 +448,8 @@ checks: rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" compliance: - - cis: "2.3.10.7" - - cis_csc: "14, 16" + - cis: ["2.3.10.7"] + - cis_csc: ["14","16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
@@ -462,8 +462,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -476,8 +476,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -490,8 +490,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -504,8 +504,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -518,8 +518,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -532,8 +532,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -546,8 +546,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -560,8 +560,8 @@ checks:
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
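Review bot: The rationale on the first context line of the -560 hunk starts with `he strength of each encryption algorithm`, a dropped leading letter that survives into the new side of the file; since this commit already rewrites the compliance block of this Kerberos encryption-types check, it is a cheap place to correct it to `"The strength of each encryption algorithm varies from one to the next, ..."`. This text is shown to operators in scan results, so the typo is user-visible. The check's id and title start outside the hunk.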
@@ -574,8 +574,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -588,8 +588,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -602,8 +602,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -616,8 +616,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -630,8 +630,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -644,8 +644,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -660,8 +660,8 @@ checks:
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
 compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.13.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -674,7 +674,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -687,8 +687,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -701,8 +701,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -715,8 +715,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -729,8 +729,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -743,8 +743,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -757,8 +757,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
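Review bot: The registry rule on the last context line of the -757 hunk points at `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, which looks like a stray `\MACHINE\` segment; the neighbouring UAC checks in the -743 and -771 hunks query `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. With `condition: all` a rule aimed at a key that does not exist cannot evaluate the intended installer-detection value, so the result of the 2.3.17.5 check would not reflect the real setting and the miss would be silent in scan output. The commit does not touch this line, but it is the right moment to correct it to `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`; please confirm against the other UAC rules before changing. The rule continues past the hunk (the value comparison is outside the visible lines) and the check's id and title start outside it.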
@@ -771,8 +771,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -785,8 +785,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -799,8 +799,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -813,7 +813,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -827,8 +827,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -841,8 +841,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -855,8 +855,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -869,7 +869,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -882,8 +882,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -896,8 +896,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -910,8 +910,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -924,8 +924,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -939,8 +939,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -953,8 +953,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -967,8 +967,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -981,7 +981,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -994,8 +994,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1008,8 +1008,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1022,8 +1022,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1036,8 +1036,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1051,8 +1051,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1065,8 +1065,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1079,8 +1079,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1093,7 +1093,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1107,8 +1107,8 @@ checks:
 rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1121,8 +1121,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
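Review bot: The rationale context line at the top of the first hunk reads `rationale: "iWhen in the Public profile, ...` with a stray leading `i`; this string is what operators see in the SCA result for check 9.3.5, so it is worth correcting while the check's compliance block is already being edited: `rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."`. The check's `id`, `title` and `description` lines and the value rule after the registry-key rule lie outside the hunk.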
@@ -1135,8 +1135,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1149,8 +1149,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1163,8 +1163,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1177,8 +1177,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1192,7 +1192,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1205,7 +1205,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1219,8 +1219,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
+ - cis: ["18.3.5"]
+ - cis_csc: ["16.14"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
@@ -1238,8 +1238,8 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
@@ -1255,8 +1255,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1271,8 +1271,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1287,8 +1287,8 @@ checks:
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1303,8 +1303,8 @@ checks:
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1319,8 +1319,8 @@ checks:
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
+ - cis: ["18.4.8"]
+ - cis_csc: ["8"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1335,8 +1335,8 @@ checks:
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
+ - cis: ["18.4.9"]
+ - cis_csc: ["16.5"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1351,8 +1351,8 @@ checks:
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
+ - cis: ["18.4.12"]
+ - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1368,8 +1368,8 @@ checks:
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1382,8 +1382,8 @@ checks:
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.11.3"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1396,8 +1396,8 @@ checks:
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1411,8 +1411,8 @@ checks:
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1425,8 +1425,8 @@ checks:
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
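Review bot: The check reworked in the first hunk (CIS 18.8.3.1, `Include command line in process creation events` expected Disabled) is a known point of tension between hardening and detection: teams that rely on process-creation events for threat hunting deliberately turn this setting on, and this policy will then report every such host as failed without saying why that may be an accepted deviation. The rationale already states the real risk, that command-line arguments become readable to anyone with read access to the security events, so a short YAML comment above the `compliance:` block would let an operator triage the finding, e.g. `# Failing this check may be a deliberate detection trade-off: command-line capture aids investigation but exposes arguments to all Security-log readers; restrict log access before accepting it`. The check's `id`/`title`/`description` lines and the value rule that follows the registry-key rule lie outside the hunk.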
@@ -1439,8 +1439,8 @@ checks:
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1453,8 +1453,8 @@ checks:
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1467,8 +1467,8 @@ checks:
rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["3.7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1482,8 +1482,8 @@ checks:
rationale: "Users might download drivers that include malicious code."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.8.22.1.1"
- - cis_csc: "2"
+ - cis: ["18.8.22.1.1"]
+ - cis_csc: ["2"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1496,8 +1496,8 @@ checks:
rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.8.22.1.5"
- - cis_csc: "7"
+ - cis: ["18.8.22.1.5"]
+ - cis_csc: ["7"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1510,8 +1510,8 @@ checks:
rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.8.22.1.6"
- - cis_csc: "13.1"
+ - cis: ["18.8.22.1.6"]
+ - cis_csc: ["13.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1524,8 +1524,8 @@ checks:
rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1538,8 +1538,8 @@ checks:
rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1552,8 +1552,8 @@ checks:
rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1566,8 +1566,8 @@ checks:
rationale: "App notifications might display sensitive business or personal data."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1580,8 +1580,8 @@ checks:
rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1594,8 +1594,8 @@ checks:
rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.33.6.1"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.1"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -1608,8 +1608,8 @@ checks:
rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.33.6.2"
- - cis_csc: "16.5"
+ - cis: ["18.8.33.6.2"]
+ - cis_csc: ["16.5"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -1622,8 +1622,8 @@ checks:
rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1636,8 +1636,8 @@ checks:
rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1651,8 +1651,8 @@ checks:
rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1665,8 +1665,8 @@ checks:
rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1679,8 +1679,8 @@ checks:
rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1693,8 +1693,8 @@ checks:
rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1707,8 +1707,8 @@ checks:
rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -1721,8 +1721,8 @@ checks:
rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -1735,8 +1735,8 @@ checks:
rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1749,8 +1749,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1763,8 +1763,8 @@ checks:
rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1777,8 +1777,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1791,8 +1791,8 @@ checks:
rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1805,8 +1805,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1819,8 +1819,8 @@ checks:
rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1833,8 +1833,8 @@ checks:
rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1847,8 +1847,8 @@ checks:
rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1861,8 +1861,8 @@ checks:
rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1875,8 +1875,8 @@ checks:
rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
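Review bot: The check tagged `cis: ["18.9.30.3"]` (first hunk on this line) carries exactly the same rationale and remediation text as the `18.9.30.4` check in the second hunk, yet the two checks look at different registry keys (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer` versus `...\CurrentVersion\Policies\Explorer`), so the "Turn off shell protocol protected mode" wording appears to have been copied from 18.9.30.4 into 18.9.30.3. If 18.9.30.3 is the "Turn off heap termination on corruption" control, as it is in the CIS Windows benchmarks I am aware of, an operator following this remediation would change the wrong Group Policy setting; please verify against the benchmark and give 18.9.30.3 its own rationale and remediation text. This is pre-existing and the commit only reshapes the compliance lists, but the entries are being touched anyway. Both checks begin (id and title) and end (the registry value matched) outside these hunks.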
@@ -1889,8 +1889,8 @@ checks:
rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -1903,8 +1903,8 @@ checks:
rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1917,8 +1917,8 @@ checks:
rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1931,8 +1931,8 @@ checks:
rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1945,8 +1945,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1959,8 +1959,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1973,8 +1973,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1987,8 +1987,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2001,8 +2001,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2015,8 +2015,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2029,8 +2029,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2043,8 +2043,8 @@ checks:
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
+ - cis: ["18.9.81.2.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
@@ -2057,8 +2057,8 @@ checks:
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
+ - cis: ["18.9.81.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -2071,8 +2071,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2085,8 +2085,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2099,8 +2099,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2113,8 +2113,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -2127,8 +2127,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
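Review bot: The check at @@ -2113 (cis 18.9.95.1) still carries rationale and remediation text directing the operator to set PowerShell Script Block Logging to Disabled, and the commit only reshapes the compliance lists without revisiting it. Script block logging is one of the main telemetry sources for detecting PowerShell misuse, and to my knowledge later CIS benchmark revisions reverse this recommendation, so a policy that flags hosts for having it enabled works against the SOC; this should at least be documented, e.g. a comment above the check: `# Follows the benchmark revision that recommends Disabled; newer revisions recommend Enabled — confirm the revision this policy tracks before enforcing.` The same consideration applies to the Transcription check at @@ -2127. Both checks' id/title lines and remaining rules are outside the hunk.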
@@ -2141,8 +2141,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2155,8 +2155,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2169,8 +2169,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2183,8 +2183,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2197,8 +2197,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2211,8 +2211,8 @@ checks:
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2225,8 +2225,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2239,8 +2239,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2253,8 +2253,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index 6f4565287..3ef206482 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -49,8 +49,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -65,8 +65,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -81,8 +81,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.10"
- - cis_csc: "9"
+ - cis: ["18.4.10"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -97,8 +97,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "9"
+ - cis: ["18.4.11"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -114,8 +114,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -134,8 +134,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -154,8 +154,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -168,8 +168,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -182,8 +182,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -204,8 +204,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -218,8 +218,8 @@ checks: rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - - cis: "18.8.22.1.2" - - cis_csc: "13" + - cis: ["18.8.22.1.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' @@ -232,8 +232,8 @@ checks: rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.3" - - cis_csc: "13" + - cis: ["18.8.22.1.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' 
@@ -246,8 +246,8 @@ checks: rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.4" - - cis_csc: "13" + - cis: ["18.8.22.1.4"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' @@ -260,7 +260,7 @@ checks: rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.7" + - cis: ["18.8.22.1.7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' 
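Review bot: The rule on the last line of the second hunk looks up `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, which drops the `SOFTWARE` component that every sibling rule in this file uses (for example `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard` in the hunk just above); unless the agent normalizes registry paths, the key is never found and check 18.8.22.1.7 fails regardless of the policy's real state. I would change it to `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`. The `cis`-to-list change itself is fine; both checks begin before their hunks.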
@@ -273,8 +273,8 @@ checks: rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.8" - - cis_csc: "13" + - cis: ["18.8.22.1.8"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' @@ -287,8 +287,8 @@ checks: rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.9" - - cis_csc: "13" + - cis: ["18.8.22.1.9"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -301,8 +301,8 @@ checks: rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.10" - - cis_csc: "13" + - cis: ["18.8.22.1.10"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -315,8 +315,8 @@ checks: rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.11" - - cis_csc: "13" + - cis: ["18.8.22.1.11"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' 
@@ -329,8 +329,8 @@ checks: rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.12" - - cis_csc: "13" + - cis: ["18.8.22.1.12"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' @@ -343,8 +343,8 @@ checks: rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.22.1.13" - - cis_csc: "13" + - cis: ["18.8.22.1.13"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 
@@ -357,8 +357,8 @@ checks: rationale: "This is a way to increase the security of the system account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis: "18.8.26.1" - - cis_csc: "16.5" + - cis: ["18.8.26.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' @@ -371,8 +371,8 @@ checks: rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis: "18.8.44.5.1" - - cis_csc: "13" + - cis: ["18.8.44.5.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' 
@@ -385,8 +385,8 @@ checks: rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - - cis: "18.8.44.11.1" - - cis_csc: "13" + - cis: ["18.8.44.11.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' 
@@ -399,8 +399,8 @@ checks: rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - - cis: "18.8.46.1" - - cis_csc: "13" + - cis: ["18.8.46.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' @@ -413,8 +413,8 @@ checks: rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.8.49.1.1" - - cis_csc: "6.1" + - cis: ["18.8.49.1.1"] + - cis_csc: ["6.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' 
@@ -428,8 +428,8 @@ checks: rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - - cis: "18.9.39.2" - - cis_csc: "13" + - cis: ["18.9.39.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' 
@@ -442,7 +442,7 @@ checks: rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - - cis: "18.9.58.3.2.1" + - cis: ["18.9.58.3.2.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -455,8 +455,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.3.3.1" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.1"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -469,8 +469,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.3.3.3" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.3"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -483,8 +483,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.3.3.4" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.4"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -497,8 +497,8 @@ checks: rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - - cis: "18.9.58.3.10.1" - - cis_csc: "16.5" + - cis: ["18.9.58.3.10.1"] + - cis_csc: ["16.5"] references: - https://workbench.cisecurity.org/benchmarks/766 condition: all 
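Review bot: The remediation kept in this hunk requires the idle-session limit to be 15 minutes *or less*, which is a range, so the rule that follows (outside the hunk) needs a numeric comparison rather than an exact registry-content match; if it is written as an exact match on the 15-minute value, a host configured to a stricter 5 minutes is reported as failing a control it satisfies. Worth confirming against the continuation of the rules list. This check is also the only one in the visible hunks carrying a `references:` entry (`https://workbench.cisecurity.org/benchmarks/766`); either add the link to the sibling checks or drop it here so the check schema stays uniform. The check begins before the hunk.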
@@ -513,8 +513,8 @@ checks: rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.58.3.10.2" - - cis_csc: "16.5" + - cis: ["18.9.58.3.10.2"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -527,8 +527,8 @@ checks: rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - - cis: "18.9.60.3" - - cis_csc: "13" + - cis: ["18.9.60.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -541,7 +541,7 @@ checks: rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: - - cis: "18.9.65.1" + - cis: ["18.9.65.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' 
@@ -554,7 +554,7 @@ checks: rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - - cis: "18.9.76.3.2" + - cis: ["18.9.76.3.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' 
@@ -567,8 +567,8 @@ checks: rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - - cis: "18.9.85.3" - - cis_csc: "7" + - cis: ["18.9.85.3"] + - cis_csc: ["7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -581,8 +581,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - - cis: "18.9.97.2.2" - - cis_csc: "3.4" + - cis: ["18.9.97.2.2"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -595,8 +595,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis: "18.9.98.1" - - cis_csc: "3.4" + - cis: ["18.9.98.1"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index 0a510094d..e29afd959 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml 
@@ -36,8 +36,8 @@ checks: rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." compliance: - - cis: "1.1.2" - - cis_csc: "16.5" + - cis: ["1.1.2"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -52,8 +52,8 @@ checks: rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems." remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts : Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts." compliance: - - cis: "2.3.1.2" - - cis_csc: "16" + - cis: ["2.3.1.2"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
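Review bot: The first hunk anchors CIS 1.1.2, the user maximum password age, on `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters`, but that key appears to hold the Netlogon service's own settings, notably the machine-account password age, rather than the account policy that Group Policy or secedit sets; if the rule that follows reads a password-age value from there, the check measures the computer account, not user passwords. Worth confirming against the rest of the rules list, which continues past the hunk; if it is the machine-account value, the check needs a different source (for example a `c:` command rule) and a comment stating what is actually measured. Both checks start outside their hunks.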
@@ -66,8 +66,8 @@ checks: rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only." compliance: - - cis: "2.3.1.4" - - cis_csc: "16" + - cis: ["2.3.1.4"] + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -80,8 +80,8 @@ checks: rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" compliance: - - cis: "2.3.2.1" - - cis_csc: "6.2" + - cis: ["2.3.2.1"] + - cis_csc: ["6.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -95,8 +95,8 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" default_value: "Disabled." compliance: - - cis: "2.3.2.2" - - cis_csc: "6" + - cis: ["2.3.2.2"] + - cis_csc: ["6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -109,8 +109,8 @@ checks:
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
 compliance:
- - cis: "2.3.4.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
@@ -122,8 +122,8 @@ checks:
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
 compliance:
- - cis: "2.3.4.2"
- - cis_csc: "5.1"
+ - cis: ["2.3.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
@@ -136,8 +136,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
- - cis: "2.3.6.1"
- - cis_csc: "13"
+ - cis: ["2.3.6.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -150,8 +150,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.2"
- - cis_csc: "13"
+ - cis: ["2.3.6.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -164,8 +164,8 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis: "2.3.6.3"
- - cis_csc: "13"
+ - cis: ["2.3.6.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -178,8 +178,8 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis: "2.3.6.4"
- - cis_csc: "16"
+ - cis: ["2.3.6.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -192,8 +192,8 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis: "2.3.6.6"
- - cis_csc: "13"
+ - cis: ["2.3.6.6"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -206,8 +206,8 @@ checks:
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
 compliance:
- - cis: "2.3.7.1"
- - cis_csc: "13"
+ - cis: ["2.3.7.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -220,8 +220,8 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis: "2.3.7.2"
- - cis_csc: "8"
+ - cis: ["2.3.7.2"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -234,8 +234,8 @@ checks:
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
 compliance:
- - cis: "2.3.7.3"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.3"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
@@ -248,8 +248,8 @@ checks:
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis: "2.3.7.7"
- - cis_csc: "16"
+ - cis: ["2.3.7.7"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
@@ -262,8 +262,8 @@ checks:
 rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
 remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
 compliance:
- - cis: "2.3.7.8"
- - cis_csc: "16.9"
+ - cis: ["2.3.7.8"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -276,8 +276,8 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis: "2.3.7.9"
- - cis_csc: "16.5"
+ - cis: ["2.3.7.9"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -290,8 +290,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.8.1"
- - cis_csc: "13"
+ - cis: ["2.3.8.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -304,8 +304,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis: "2.3.8.2"
- - cis_csc: "13"
+ - cis: ["2.3.8.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -318,8 +318,8 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis: "2.3.8.3"
- - cis_csc: "13"
+ - cis: ["2.3.8.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -332,8 +332,8 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis: "2.3.9.1"
- - cis_csc: "3"
+ - cis: ["2.3.9.1"]
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -347,8 +347,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis: "2.3.9.2"
- - cis_csc: "13"
+ - cis: ["2.3.9.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -361,8 +361,8 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis: "2.3.9.3"
- - cis_csc: "13"
+ - cis: ["2.3.9.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -375,8 +375,8 @@ checks:
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
 compliance:
- - cis: "2.3.9.4"
- - cis_csc: "16"
+ - cis: ["2.3.9.4"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -389,8 +389,8 @@ checks:
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level"
 compliance:
- - cis: "2.3.9.5"
- - cis_csc: "14"
+ - cis: ["2.3.9.5"]
+ - cis_csc: ["14"]
 references:
 - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n
 condition: all
@@ -405,8 +405,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
 compliance:
- - cis: "2.3.10.2"
- - cis_csc: "16"
+ - cis: ["2.3.10.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -419,8 +419,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares"
 compliance:
- - cis: "2.3.10.3"
- - cis_csc: "16"
+ - cis: ["2.3.10.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -433,8 +433,8 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis: "2.3.10.5"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.5"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -447,8 +447,8 @@ checks:
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.6"
- - cis_csc: "14.1, 16"
+ - cis: ["2.3.10.6"]
+ - cis_csc: ["14.1","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
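Review bot: The new multi-value flow sequences on this hunk's `cis_csc` lines, `["14","16"]` and `["14.1","16"]`, omit the space after the comma that the rest of the file's flow style (and yamllint/Prettier) expect; the same form recurs in the hunks at -461, -475, -489, -503, -517 and -531. It parses identically, but `- cis_csc: ["14", "16"]` reads consistently with the single-element lists and avoids a linter warning. Keeping every element quoted is correct and worth preserving, since unquoted `16` and `14.1` would be retyped as an integer and a float by the loader.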
@@ -461,8 +461,8 @@ checks:
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
- - cis: "2.3.10.7"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.7"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -475,8 +475,8 @@ checks:
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
 compliance:
- - cis: "2.3.10.8"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.8"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -489,8 +489,8 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis: "2.3.10.9"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.9"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -503,8 +503,8 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis: "2.3.10.10"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.10"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -517,8 +517,8 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis: "2.3.10.11"
- - cis_csc: "14, 16"
+ - cis: ["2.3.10.11"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -531,8 +531,8 @@ checks:
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
 compliance:
- - cis: "2.3.11.1"
- - cis_csc: "14, 16"
+ - cis: ["2.3.11.1"]
+ - cis_csc: ["14","16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -545,8 +545,8 @@ checks:
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
 compliance:
- - cis: "2.3.11.2"
- - cis_csc: "14"
+ - cis: ["2.3.11.2"]
+ - cis_csc: ["14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -559,8 +559,8 @@ checks:
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
 compliance:
- - cis: "2.3.11.3"
- - cis_csc: "16.9"
+ - cis: ["2.3.11.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -573,8 +573,8 @@ checks:
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
 remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
 compliance:
- - cis: "2.3.11.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
@@ -587,8 +587,8 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis: "2.3.11.5"
- - cis_csc: "16.14"
+ - cis: ["2.3.11.5"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -601,8 +601,8 @@ checks:
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
 compliance:
- - cis: "2.3.11.6"
- - cis_csc: "16"
+ - cis: ["2.3.11.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
@@ -615,8 +615,8 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis: "2.3.11.7"
- - cis_csc: "13"
+ - cis: ["2.3.11.7"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -628,8 +628,8 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis: "2.3.11.8"
- - cis_csc: "13"
+ - cis: ["2.3.11.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -642,8 +642,8 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis: "2.3.11.9"
- - cis_csc: "13"
+ - cis: ["2.3.11.9"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -656,8 +656,8 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis: "2.3.11.10"
- - cis_csc: "13"
+ - cis: ["2.3.11.10"]
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -672,8 +672,8 @@ checks:
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
 compliance:
- - cis: "2.3.13.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.13.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -686,7 +686,7 @@ checks:
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
 compliance:
- - cis: "2.3.15.1"
+ - cis: ["2.3.15.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -699,8 +699,8 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis: "2.3.15.2"
- - cis_csc: "14.4"
+ - cis: ["2.3.15.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -713,8 +713,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
 compliance:
- - cis: "2.3.17.1"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -727,8 +727,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
 compliance:
- - cis: "2.3.17.2"
- - cis_csc: "16"
+ - cis: ["2.3.17.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -741,8 +741,8 @@ checks:
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.3"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -755,8 +755,8 @@ checks:
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
 compliance:
- - cis: "2.3.17.4"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -769,8 +769,8 @@ checks:
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
 compliance:
- - cis: "2.3.17.5"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
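Review bot: The registry rule on the last context line of the second hunk (@@ -769) reads `'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`; the extra `\MACHINE\` segment does not appear in any sibling check in this patch, which all use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, so the rule presumably never resolves and, under `condition: all`, the check cannot pass regardless of how installer detection is actually configured. Dropping the segment so the line reads `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'` would align it with the others; since the commit already touches this check, it is a cheap fix to fold in. The value this rule compares against, if any, is on a line below the hunk.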
@@ -783,8 +783,8 @@ checks:
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
 compliance:
- - cis: "2.3.17.6"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -797,8 +797,8 @@ checks:
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
 compliance:
- - cis: "2.3.17.7"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -811,8 +811,8 @@ checks:
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
 compliance:
- - cis: "2.3.17.8"
- - cis_csc: "5.1"
+ - cis: ["2.3.17.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -825,7 +825,7 @@ checks:
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
 compliance:
- - cis: "2.3.17.9"
+ - cis: ["2.3.17.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -839,8 +839,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
- - cis: "9.1.1"
- - cis_csc: "9.2"
+ - cis: ["9.1.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -853,8 +853,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
- - cis: "9.1.2"
- - cis_csc: "9.2"
+ - cis: ["9.1.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -867,8 +867,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
- - cis: "9.1.3"
- - cis_csc: "9.2"
+ - cis: ["9.1.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -881,7 +881,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.1.4"
+ - cis: ["9.1.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -894,8 +894,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.1.5"
- - cis_csc: "6.2"
+ - cis: ["9.1.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -908,8 +908,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.1.6"
- - cis_csc: "6.3"
+ - cis: ["9.1.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -922,8 +922,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.1.7"
- - cis_csc: "6.2"
+ - cis: ["9.1.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -936,8 +936,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.1.8"
- - cis_csc: "6.2"
+ - cis: ["9.1.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -951,8 +951,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis: "9.2.1"
- - cis_csc: "9.2"
+ - cis: ["9.2.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -965,8 +965,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
- - cis: "9.2.2"
- - cis_csc: "9.2"
+ - cis: ["9.2.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -979,8 +979,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
- - cis: "9.2.3"
- - cis_csc: "9.2"
+ - cis: ["9.2.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -993,7 +993,7 @@ checks:
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.2.4"
+ - cis: ["9.2.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1006,8 +1006,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.2.5"
- - cis_csc: "6.2"
+ - cis: ["9.2.5"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1020,8 +1020,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.2.6"
- - cis_csc: "6.3"
+ - cis: ["9.2.6"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1034,8 +1034,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.2.7"
- - cis_csc: "6.2"
+ - cis: ["9.2.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1048,8 +1048,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.2.8"
- - cis_csc: "6.2"
+ - cis: ["9.2.8"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1063,8 +1063,8 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis: "9.3.1"
- - cis_csc: "9.2"
+ - cis: ["9.3.1"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1077,8 +1077,8 @@ checks:
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
- - cis: "9.3.2"
- - cis_csc: "9.2"
+ - cis: ["9.3.2"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1091,8 +1091,8 @@ checks:
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
- - cis: "9.3.3"
- - cis_csc: "9.2"
+ - cis: ["9.3.3"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1105,7 +1105,7 @@ checks:
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
- - cis: "9.3.4"
+ - cis: ["9.3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1118,8 +1118,8 @@ checks:
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
- - cis: "9.3.5"
- - cis_csc: "5.1"
+ - cis: ["9.3.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1132,8 +1132,8 @@ checks:
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
- - cis: "9.3.6"
- - cis_csc: "5.1"
+ - cis: ["9.3.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1146,8 +1146,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
- - cis: "9.3.7"
- - cis_csc: "6.2"
+ - cis: ["9.3.7"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1160,8 +1160,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
- - cis: "9.3.8"
- - cis_csc: "6.3"
+ - cis: ["9.3.8"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1174,8 +1174,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
- - cis: "9.3.9"
- - cis_csc: "6.2"
+ - cis: ["9.3.9"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1188,8 +1188,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
- - cis: "9.3.10"
- - cis_csc: "6.2"
+ - cis: ["9.3.10"]
+ - cis_csc: ["6.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1203,7 +1203,7 @@ checks:
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
 compliance:
- - cis: "18.1.1.1"
+ - cis: ["18.1.1.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1216,7 +1216,7 @@ checks:
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.1.1.2"
+ - cis: ["18.1.1.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1230,8 +1230,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll"
 compliance:
- - cis: "18.2.1"
- - cis_csc: "16.9"
+ - cis: ["18.2.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
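Review bot: The only rule visible for the LAPS check proves that the CSE GUID key exists under Winlogon\GPExtensions, while the remediation text makes the real requirement the presence and registration of `C:\Program Files\LAPS\CSE\AdmPwd.dll`; a GPExtensions key left behind by a partial uninstall would still pass. Unless a rule past the end of the hunk already covers it, I would add a file check so that `condition: all` ties the two together, e.g. `- 'f:C:\Program Files\LAPS\CSE\AdmPwd.dll'`. The rules list continues beyond the hunk, so this may already be present.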
@@ -1243,8 +1243,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.2"
- - cis_csc: "16.2"
+ - cis: ["18.2.2"]
+ - cis_csc: ["16.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1257,8 +1257,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.3"
- - cis_csc: "16.9"
+ - cis: ["18.2.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1271,8 +1271,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.4"
- - cis_csc: "5.7"
+ - cis: ["18.2.4"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1285,8 +1285,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.5"
- - cis_csc: "5.7"
+ - cis: ["18.2.5"]
+ - cis_csc: ["5.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1299,8 +1299,8 @@ checks:
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)."
 compliance:
- - cis: "18.2.6"
- - cis_csc: "16.5"
+ - cis: ["18.2.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1314,8 +1314,8 @@ checks:
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.1"
- - cis_csc: "5.8"
+ - cis: ["18.3.1"]
+ - cis_csc: ["5.8"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows
@@ -1332,8 +1332,8 @@ checks:
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft."
 compliance:
- - cis: "18.3.5"
- - cis_csc: "16.14"
+ - cis: ["18.3.5"]
+ - cis_csc: ["16.14"]
 references:
 - https://www.microsoft.com/en-us/download/details.aspx?id=36036
 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a
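Review bot: For the WDigest check (`cis: ["18.3.5"]`), what an absent `UseLogonCredential` value means is OS-dependent: as far as I recall it is disabled by default on Windows 8.1 / Server 2012 R2 and later, whereas older hosts that received KB2871997 still need the value set to 0 explicitly. The rule lines are outside the hunk, so I cannot tell which interpretation this check takes, and the rationale and remediation do not say. A one-line comment above `rules:` recording the intended semantics, e.g. `# absent UseLogonCredential counts as pass only on 2012 R2/2016+; older hosts need an explicit 0`, would stop the next editor from silently flipping it. The references already point at KB2871997, so this is documentation only.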
@@ -1351,8 +1351,8 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.1"
- - cis_csc: "16"
+ - cis: ["18.4.1"]
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
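Review bot: The rationale for `cis: ["18.4.1"]` states that the autologon password sits in the registry in plaintext and is remotely readable by Authenticated Users, but a check that only tests the AutoAdminLogon flag misses the common case where AutoAdminLogon was set back to 0 and a populated `DefaultPassword` value was left behind in the same Winlogon key, which is exactly what credential-harvesting tooling reads. The rule lines fall outside the hunk, so I cannot confirm what is tested; if it is only the flag, I would add a second rule that fails on a non-empty DefaultPassword, or at minimum say in the description that a stale DefaultPassword is not covered by this check.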
@@ -1368,8 +1368,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.2"
- - cis_csc: "9"
+ - cis: ["18.4.2"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1384,8 +1384,8 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.3"
- - cis_csc: "9"
+ - cis: ["18.4.3"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1400,8 +1400,8 @@ checks:
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.4"
- - cis_csc: "9"
+ - cis: ["18.4.4"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1416,8 +1416,8 @@ checks:
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.6"
- - cis_csc: "9"
+ - cis: ["18.4.6"]
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1432,8 +1432,8 @@ checks:
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.8"
- - cis_csc: "8"
+ - cis: ["18.4.8"]
+ - cis_csc: ["8"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1448,8 +1448,8 @@ checks:
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.9"
- - cis_csc: "16.5"
+ - cis: ["18.4.9"]
+ - cis_csc: ["16.5"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1464,8 +1464,8 @@ checks:
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis: "18.4.12"
- - cis_csc: "6.3"
+ - cis: ["18.4.12"]
+ - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -1481,8 +1481,8 @@ checks:
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.5.11.2"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1495,8 +1495,8 @@ checks:
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.11.3"
- - cis_csc: "5.1"
+ - cis: ["18.5.11.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1509,8 +1509,8 @@ checks:
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.5.21.1"
- - cis_csc: "12"
+ - cis: ["18.5.21.1"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1524,8 +1524,8 @@ checks:
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.3.1"
- - cis_csc: "16.14"
+ - cis: ["18.8.3.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1538,8 +1538,8 @@ checks:
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.14.1"
- - cis_csc: "8"
+ - cis: ["18.8.14.1"]
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
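Review bot: The check carrying `cis: ["18.8.3.1"]` enforces "Include command line in process creation events" = Disabled, which strips the command line from 4688 events, one of the most heavily used sources for detection engineering and incident response; as far as I recall, later revisions of the CIS Windows benchmarks reversed this recommendation to Enabled. The list-wrapping change itself is fine, but I would add a comment above that check, e.g. `# direction follows the 2016-era benchmark; later CIS revisions recommend Enabled — confirm against the benchmark version this policy targets`, or state in the description that disabling it trades detection coverage for keeping secrets out of the event log. The rationale's concern about secrets on the command line is real, but it is normally addressed by restricting read access to the Security log rather than by discarding the data.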
@@ -1552,8 +1552,8 @@ checks:
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.2"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.2"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1566,8 +1566,8 @@ checks:
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.21.3"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.3"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1580,8 +1580,8 @@ checks:
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.8.21.4"
- - cis_csc: "3.7"
+ - cis: ["18.8.21.4"]
+ - cis_csc: ["3.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1594,8 +1594,8 @@ checks:
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.1"
- - cis_csc: "5"
+ - cis: ["18.8.27.1"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1608,8 +1608,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.2"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.2"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1622,8 +1622,8 @@ checks:
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.3"
- - cis_csc: "16.9"
+ - cis: ["18.8.27.3"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1636,8 +1636,8 @@ checks:
 rationale: "App notifications might display sensitive business or personal data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.27.4"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.4"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1650,8 +1650,8 @@ checks:
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
 compliance:
- - cis: "18.8.27.6"
- - cis_csc: "16.5"
+ - cis: ["18.8.27.6"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1664,8 +1664,8 @@ checks:
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.35.1"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1678,8 +1678,8 @@ checks:
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.35.2"
- - cis_csc: "5.1"
+ - cis: ["18.8.35.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1692,8 +1692,8 @@ checks:
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.8.36.1"
- - cis_csc: "9.1"
+ - cis: ["18.8.36.1"]
+ - cis_csc: ["9.1"]
 references:
 - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
 condition: all
@@ -1709,8 +1709,8 @@ checks:
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.6.1"
- - cis_csc: "16.9"
+ - cis: ["18.9.6.1"]
+ - cis_csc: ["16.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1723,8 +1723,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.1"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.1"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1737,8 +1737,8 @@ checks:
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.8.2"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.2"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1751,8 +1751,8 @@ checks:
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.8.3"
- - cis_csc: "8.3"
+ - cis: ["18.9.8.3"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -1765,8 +1765,8 @@ checks:
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.15.1"
- - cis_csc: "16"
+ - cis: ["18.9.15.1"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -1779,8 +1779,8 @@ checks:
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.15.2"
- - cis_csc: "16"
+ - cis: ["18.9.15.2"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -1793,8 +1793,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1807,8 +1807,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.1.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.1.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -1821,8 +1821,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1835,8 +1835,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.2.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.2.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -1849,8 +1849,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1863,8 +1863,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.3.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.3.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -1877,8 +1877,8 @@ checks:
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.1"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.1"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1891,8 +1891,8 @@ checks:
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.26.4.2"
- - cis_csc: "6.3"
+ - cis: ["18.9.26.4.2"]
+ - cis_csc: ["6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -1905,8 +1905,8 @@ checks:
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.30.2"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.2"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1919,8 +1919,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.3"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.3"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -1933,8 +1933,8 @@ checks:
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.30.4"
- - cis_csc: "8.4"
+ - cis: ["18.9.30.4"]
+ - cis_csc: ["8.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
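Review bot: The rationale and remediation strings in the second hunk here (cis 18.9.30.4) are word-for-word the same as in the first hunk (cis 18.9.30.3), both naming "Turn off shell protocol protected mode", yet the two checks read different registry keys. That looks like a copy-paste of one check's description onto the other; the CIS numbering suggests 18.9.30.3 is a different File Explorer setting, so the text of the first hunk should be verified against the benchmark before this migration locks it in. The commit only reworks the compliance lists, so this pre-existing mismatch is left as is. Each check's id and title lines lie outside the hunk, so which title the text belongs to cannot be confirmed from here.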
@@ -1947,8 +1947,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
 compliance:
- - cis: "18.9.52.1"
- - cis_csc: "13"
+ - cis: ["18.9.52.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
@@ -1961,8 +1961,8 @@ checks:
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version."
 compliance:
- - cis: "18.9.52.2"
- - cis_csc: "13"
+ - cis: ["18.9.52.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive'
@@ -1975,8 +1975,8 @@ checks:
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.2.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.58.2.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1989,8 +1989,8 @@ checks:
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.3.2"
- - cis_csc: "13"
+ - cis: ["18.9.58.3.3.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2003,8 +2003,8 @@ checks:
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.1"
- - cis_csc: "16.14"
+ - cis: ["18.9.58.3.9.1"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2017,8 +2017,8 @@ checks:
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.2"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.2"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2031,8 +2031,8 @@ checks:
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.9.3"
- - cis_csc: "3.4"
+ - cis: ["18.9.58.3.9.3"]
+ - cis_csc: ["3.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2045,8 +2045,8 @@ checks:
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.1"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.1"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2059,8 +2059,8 @@ checks:
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.58.3.11.2"
- - cis_csc: "14.4"
+ - cis: ["18.9.58.3.11.2"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2073,8 +2073,8 @@ checks:
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.59.1"
- - cis_csc: "7.2"
+ - cis: ["18.9.59.1"]
+ - cis_csc: ["7.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
@@ -2087,8 +2087,8 @@ checks:
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.60.2"
- - cis_csc: "13.1"
+ - cis: ["18.9.60.2"]
+ - cis_csc: ["13.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2101,8 +2101,8 @@ checks:
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates."
 compliance:
- - cis: "18.9.80.1.1"
- - cis_csc: "2"
+ - cis: ["18.9.80.1.1"]
+ - cis_csc: ["2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2115,8 +2115,8 @@ checks:
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.81.2.1"
- - cis_csc: "13"
+ - cis: ["18.9.81.2.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
@@ -2129,8 +2129,8 @@ checks:
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.81.3"
- - cis_csc: "13"
+ - cis: ["18.9.81.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -2143,8 +2143,8 @@ checks:
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
- - cis: "18.9.85.1"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2157,8 +2157,8 @@ checks:
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.85.2"
- - cis_csc: "5.1"
+ - cis: ["18.9.85.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -2171,8 +2171,8 @@ checks:
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.86.1"
- - cis_csc: "16.5"
+ - cis: ["18.9.86.1"]
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2185,8 +2185,8 @@ checks:
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.1"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.1"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
@@ -2199,8 +2199,8 @@ checks:
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.95.2"
- - cis_csc: "16.4"
+ - cis: ["18.9.95.2"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
@@ -2213,8 +2213,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2227,8 +2227,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.2"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.2"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2241,8 +2241,8 @@ checks:
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.1.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.1.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -2255,8 +2255,8 @@ checks:
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.1"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.1"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2269,8 +2269,8 @@ checks:
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.97.2.3"
- - cis_csc: "16.13"
+ - cis: ["18.9.97.2.3"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2283,8 +2283,8 @@ checks:
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
- - cis: "18.9.97.2.4"
- - cis_csc: "16.4"
+ - cis: ["18.9.97.2.4"]
+ - cis_csc: ["16.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2297,8 +2297,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.2"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.2"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2311,8 +2311,8 @@ checks:
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
- - cis: "18.9.101.3"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.3"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2325,8 +2325,8 @@ checks:
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
- - cis: "18.9.101.4"
- - cis_csc: "4.5"
+ - cis: ["18.9.101.4"]
+ - cis_csc: ["4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index b1a7d4e94..bdaf0fe88 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml
@@ -32,8 +32,8 @@ checks:
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
 compliance:
- - cis: "2.3.7.6"
- - cis_csc: "16"
+ - cis: ["2.3.7.6"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -47,8 +47,8 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis: "2.3.10.4"
- - cis_csc: "16.14"
+ - cis: ["2.3.10.4"]
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -62,8 +62,8 @@ checks:
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds"
 compliance:
- - cis: "18.4.5"
- - cis_csc: "9"
+ - cis: ["18.4.5"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -76,8 +76,8 @@ checks:
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)"
 compliance:
- - cis: "18.4.7"
- - cis_csc: "9"
+ - cis: ["18.4.7"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -90,8 +90,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remedtiation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted"
 compliance:
- - cis: "18.4.10"
- - cis_csc: "5"
+ - cis: ["18.4.10"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -104,8 +104,8 @@ checks:
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted"
 compliance:
- - cis: "18.4.11"
- - cis_csc: "5"
+ - cis: ["18.4.11"]
+ - cis_csc: ["5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
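Review bot: The key `remedtiation:` in the hunk at `@@ -90,8 +90,8 @@` (the TcpMaxDataRetransmissions IPv6 check) is misspelled, so that check's remediation text sits under a key no other check uses and will presumably be ignored by whatever consumes the `remediation` field; the commit rewrites the compliance lines directly below it but leaves the typo in place. Rename it to `remediation:` so the check matches its siblings. The check's `id`/`title` lines and the rule's value comparison lie outside the hunk.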
@@ -119,8 +119,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver"
 compliance:
- - cis: "18.5.9.1"
- - cis_csc: "9"
+ - cis: ["18.5.9.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -139,8 +139,8 @@ checks:
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver"
 compliance:
- - cis: "18.5.9.2"
- - cis_csc: "9"
+ - cis: ["18.5.9.2"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -160,8 +160,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services"
 compliance:
- - cis: "18.5.10.2"
- - cis_csc: "9.1"
+ - cis: ["18.5.10.2"]
+ - cis_csc: ["9.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -174,8 +174,8 @@ checks:
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents"
 compliance:
- - cis: "18.5.19.2.1"
- - cis_csc: "9"
+ - cis: ["18.5.19.2.1"]
+ - cis_csc: ["9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -189,8 +189,8 @@ checks:
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now"
 compliance:
- - cis: "18.5.20.1"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.1"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -211,8 +211,8 @@ checks:
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards"
 compliance:
- - cis: "18.5.20.2"
- - cis_csc: "15.4"
+ - cis: ["18.5.20.2"]
+ - cis_csc: ["15.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
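Review bot: The remediation string in the hunk at `@@ -211,8 +211,8 @@` reads `Administrative Templates\Network\Network\\Windows Connect Now`: inside a double-quoted YAML scalar a single backslash starts an escape sequence (`\N` is the NEL control character), and the `Network` segment is repeated, so the displayed path is corrupted while every neighbouring path uses `\\`. The same single-backslash form, `Templates\Network\\Windows Connection Manager`, appears in the next hunk at `@@ -226,8 +226,8 @@`. Since the commit already touches the compliance lines of both checks, change the first to `Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards` and the second to `Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network`.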
@@ -226,8 +226,8 @@ checks:
 rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network"
 compliance:
- - cis: "18.5.21.2"
- - cis_csc: "12"
+ - cis: ["18.5.21.2"]
+ - cis_csc: ["12"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -241,8 +241,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing"
 compliance:
- - cis: "18.8.22.1.2"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.2"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -255,8 +255,8 @@ checks:
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting"
 compliance:
- - cis: "18.8.22.1.3"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.3"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -269,8 +269,8 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com"
 compliance:
- - cis: "18.8.22.1.4"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.4"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -283,7 +283,7 @@ checks:
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com"
 compliance:
- - cis: "18.8.22.1.7"
+ - cis: ["18.8.22.1.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
@@ -296,8 +296,8 @@ checks:
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates"
 compliance:
- - cis: "18.8.22.1.8"
- - cis_csc: "13"
+ - cis: ["18.8.22.1.8"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -311,7 +311,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task" compliance: - cis: 18.8.22.1.9" - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -324,8 +324,8 @@ checks: rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders" compliance: - - cis: "18.8.22.1.10" - - cis_csc: "13" + - cis: ["18.8.22.1.10"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -338,8 +338,8 @@ checks: rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program" compliance: - - cis: "18.8.22.1.11" - - cis_csc: "13" + - cis: ["18.8.22.1.11"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' 
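Review bot: The context line `- cis: 18.8.22.1.9"` directly above the changed `cis_csc` entry in the `@@ -311` hunk is missing its opening quote and is still a scalar, not the `["..."]` list this commit introduces for every other entry. Most YAML loaders accept `18.8.22.1.9"` as a plain string with a literal trailing quote rather than rejecting it, so the malformed value silently reaches the compliance output with a different shape from its neighbours instead of surfacing as a load error. A later "Fix some typos" patch on this page corrects what appears to be the same line to `- cis: ["18.8.22.1.9"]`; folding that into this hunk would keep the format sweep self-contained.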
@@ -352,8 +352,8 @@ checks: rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program" compliance: - - cis: "18.8.22.1.12" - - cis_csc: "13" + - cis: ["18.8.22.1.12"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' @@ -366,8 +366,8 @@ checks: rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting" compliance: - - cis: "18.8.22.1.13" - - cis_csc: "13" + - cis: ["18.8.22.1.13"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' @@ -384,8 +384,8 @@ checks: rationale: "This is a way to increase the security of the system account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in" compliance: - - cis: "18.8.26.1" - - cis_csc: "16.5" + - cis: ["18.8.26.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' 
@@ -399,8 +399,8 @@ checks: rationale: "Unauthenticated RPC communication can create a security vulnerability." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" compliance: - - cis: "18.8.36.2" - - cis_csc: "9.1" + - cis: ["18.8.36.2"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' @@ -414,8 +414,8 @@ checks: rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" compliance: - - cis: "18.8.44.5.1" - - cis_csc: "13" + - cis: ["18.8.44.5.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' @@ -429,8 +429,8 @@ checks: rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack" compliance: - - cis: "18.8.44.11.1" - - cis_csc: "13" + - cis: ["18.8.44.11.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' 
@@ -444,8 +444,8 @@ checks: rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID" compliance: - - cis: "18.8.46.1" - - cis_csc: "13" + - cis: ["18.8.46.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' @@ -459,8 +459,8 @@ checks: rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client" compliance: - - cis: "18.8.49.1.1" - - cis_csc: "6.1" + - cis: ["18.8.49.1.1"] + - cis_csc: ["6.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' @@ -473,8 +473,8 @@ checks: rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server" compliance: - - cis: "18.8.49.1.2" - - cis_csc: "9.1" + - cis: ["18.8.49.1.2"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' 
@@ -488,7 +488,7 @@ checks: rationale: "This setting affects the Windows Location Provider feature (e.g. GPS or other location tracking)." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider" compliance: - - cis: "18.9.39.1.1" + - cis: ["18.9.39.1.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' @@ -501,8 +501,8 @@ checks: rationale: "This setting affects the location feature (e.g. GPS or other location tracking)." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location" compliance: - - cis: "18.9.39.2" - - cis_csc: "13" + - cis: ["18.9.39.2"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' @@ -516,7 +516,7 @@ checks: rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session" compliance: - - cis: "18.9.58.3.2.1" + - cis: ["18.9.58.3.2.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -530,8 +530,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection" compliance: - - cis: "18.9.58.3.3.1" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.1"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -544,8 +544,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection" compliance: - - cis: "18.9.58.3.3.3" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.3"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -558,8 +558,8 @@ checks: rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection" compliance: - - cis: "18.9.58.3.3.4" - - cis_csc: "9.1" + - cis: ["18.9.58.3.3.4"] + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -573,8 +573,8 @@ checks: rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions" compliance: - - cis: "18.9.58.3.10.1" - - cis_csc: "16.5" + - cis: ["18.9.58.3.10.1"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -587,8 +587,8 @@ checks: rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions" compliance: - - cis: "18.9.58.3.10.2" - - cis_csc: "16.5" + - cis: ["18.9.58.3.10.2"] + - cis_csc: ["16.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -602,8 +602,8 @@ checks: rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search" compliance: - - cis: "18.9.60.3" - - cis_csc: "13" + - cis: ["18.9.60.3"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -617,7 +617,7 @@ checks: rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation" compliance: - - cis: "18.9.65.1" + - cis: ["18.9.65.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' @@ -631,8 +631,8 @@ checks: rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS" compliance: - - cis: "18.9.76.3.2" - - cis_csc: "8" + - cis: ["18.9.76.3.2"] + - cis_csc: ["8"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' 
@@ -646,8 +646,8 @@ checks: rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events" compliance: - - cis: "18.9.76.9.1" - - cis_csc: "13" + - cis: ["18.9.76.9.1"] + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' @@ -661,8 +661,8 @@ checks: rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts" compliance: - - cis: "18.9.85.3" - - cis_csc: "7" + - cis: ["18.9.85.3"] + - cis_csc: ["7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' @@ -676,8 +676,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM" compliance: - - cis: "18.9.97.2.2" - - cis_csc: "3.4" + - cis: ["18.9.97.2.2"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -691,8 +691,8 @@ checks: rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access" compliance: - - cis: "18.9.98.1" - - cis_csc: "3.4" + - cis: ["18.9.98.1"] + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml new file mode 100644 index 000000000..c36628c92 --- /dev/null +++ b/sca/windows/win_audit_rcl.yml 
@@ -0,0 +1,146 @@
+# Security Configuration assessment
+# Checks for Windows audit
+# Copyright (C) 2015-2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation
+#
+
+policy:
+ id: "win_audit"
+ file: "win_audit_rcl.yml"
+ name: "Benchmark for Windows audit"
+ description: "This document provides a way of ensuring the security of the Windows systems."
+
+requirements:
+ title: "Check for Windows platform"
+ description: "Requirements for running the audit policy under a Windows platform"
+ condition: "any"
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'
+
+checks:
+ - id: 2500
+ title: "Ensure Registry tools set is enabled"
+ compliance:
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
+ condition: all
+ rules:
+ - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
+ - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
+ - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'
+
+ - id: 2501
+ title: "Ensure DCOM is enabled"
+ description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
+ compliance:
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
+ references:
+ - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
+
+ - id: 2502
+ title: "LM authentication not allowed (disable weak passwords)"
+ compliance:
+ - pci_dss: ["10.6.1","11.4"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6","IA.10"]
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel'
+ - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^5$'
+
+# Disabled by some Malwares (sometimes by McAfee and Symantec
+# security center too).
+ - id: 2503
+ title: "Ensure Firewall/Anti Virus notifications are enabled"
+ compliance:
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
+
+# Checking for the microsoft firewall.
+ - id: 2504
+ title: "Ensure Microsoft Firewall is enabled"
+ compliance:
+ - pci_dss: ["10.6.1","1.4"]
+ - hipaa: ["164.312.b","164.312.a.1"]
+ - nist_800_53: ["AU.6","SC.7"]
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
+ - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'
+
+ - id: 2505
+ title: "Ensure Null sessions are not allowed"
+ compliance:
+ - pci_dss: ["11.4"]
+ - nist_800_53: ["IA.10"]
+ condition: all
+ rules:
+ - 'r:HKLM\System\CurrentControlSet\Control\Lsa'
+ - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
+ - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
+
+ - id: 2506
+ title: "Ensure Turn off Windows Error reporting is enabled"
+ compliance:
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
+ references:
+ - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
+ condition: all
+ rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
+
+ - id: 2507
+ title: "Ensure Automatic Logon is disabled"
+ compliance:
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
+ condition: any
+ rules:
+ - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
+ - 'r:HKLM\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon -> AutoAdminLogon'
+ - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
+
+ - id: 2508
+ title: "Ensure Winpcap packet filter driver is not present"
+ compliance:
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
+ condition: none
+ rules:
+ - 'f:%WINDIR%\System32\drivers\npf.sys'
+ - 'f:%WINDIR%\Sysnative\drivers\npf.sys'
From 1480b9ad945ca5e2b29adff611a589c75e6f103a Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 3 Jul 2019 11:15:38 +0200
Subject: [PATCH 182/247] Fix some typos
---
 sca/rhel/6/cis_rhel6_linux.yml | 2 +-
 sca/windows/cis_win2012r2_memberL2.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml
index 42ee98a30..257d5598b 100644
--- a/sca/rhel/6/cis_rhel6_linux.yml
+++ b/sca/rhel/6/cis_rhel6_linux.yml
@@ -829,7 +829,7 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: ["5].2.7"
+ - cis: ["5.2.7"]
 - cis_csc: ["9"]
 - pci_dss: ["4.1"]
 - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index bdaf0fe88..93960b46d 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml
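Review bot: Check 2507 ("Ensure Automatic Logon is disabled") cannot fail on a host that actually has auto-logon configured: under `condition: any` the middle rule `'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'` is satisfied by the mere presence of the value, so a machine with `AutoAdminLogon` set to 1 and a `DefaultPassword` stored in the registry still passes. Check 2508 in the same file already uses `condition: none`, so the same style fixes it: `condition: none` with the two rules `'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'` and `'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 1'` (the existing second rule also appears split across two lines in this rendering; confirm it is a single line in the file). Two smaller points: check 2503 lists `FirewallDisableNotify` and `firewalldisablenotify` as separate rules although registry value names are case-insensitive, so the lower-case duplicates add nothing, and check 2504 inspects only `windowsfirewall\domainprofile`, which says nothing about the standard and public profiles a host uses when it is not on its domain network. Check 2501 is titled "Ensure DCOM is enabled" and passes only when `EnableDCOM` is `Y`, yet its sole reference is an article about disabling DCOM support; the `description` should state why enabled is the desired state, or the check should be inverted.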
@@ -310,7 +310,7 @@ checks:
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task"
 compliance:
- - cis: 18.8.22.1.9"
+ - cis: ["18.8.22.1.9"]
 - cis_csc: ["13"]
 condition: all
 rules:
From 064faa37f90818add3998194a048a3b5db53c758 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Fri, 28 Jun 2019 12:25:19 +0200
Subject: [PATCH 183/247] Change compliance format
---
 sca/debian/cis_debian8_L2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml
index 72f6ff664..862c371fe 100644
--- a/sca/debian/cis_debian8_L2.yml
+++ b/sca/debian/cis_debian8_L2.yml
@@ -303,7 +303,7 @@ checks:
 compliance:
 - cis: ["4.1.8"]
 - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
- condition: all&& r:
+ condition: all
 rules:
 - 'd:/etc/audit'
 - 'f:/etc/audit/audit.rules'
From f8e8a25af681bca052bdf906cca1743a13137b98 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 3 Jul 2019 12:24:09 +0200
Subject: [PATCH 184/247] Turn compliance block into list for generic Windows policy
---
 sca/windows/sca_win_audit.yml | 175 +++++++++++++++++-----------------
 1 file changed, 87 insertions(+), 88 deletions(-)
diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml
index 94e37cc8b..113ee040f 100644
--- a/sca/windows/sca_win_audit.yml
+++ b/sca/windows/sca_win_audit.yml
@@ -28,7 +28,7 @@ checks: rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" compliance: - - cis_csc: "16" + - cis_csc: ["16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -41,7 +41,7 @@ checks: rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" compliance: - - cis_csc: "6" + - cis_csc: ["6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -54,7 +54,7 @@ checks: rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" compliance: - - cis_csc: "5.1" + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -67,7 +67,7 @@ checks: rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" compliance: - - cis_csc: "5.1" + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 
@@ -80,7 +80,7 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -93,7 +93,7 @@ checks: rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -106,7 +106,7 @@ checks:
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -119,7 +119,7 @@ checks:
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
 compliance:
- - cis_csc: "16"
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -132,7 +132,7 @@ checks:
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -145,7 +145,7 @@ checks:
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -158,7 +158,7 @@ checks:
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
- - cis_csc: "8"
+ - cis_csc: ["8"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -171,7 +171,7 @@ checks:
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
 remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
 compliance:
- - cis_csc: "16"
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -184,7 +184,7 @@ checks:
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
 compliance:
- - cis_csc: "16.5"
+ - cis_csc: ["16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -197,7 +197,7 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -210,7 +210,7 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -223,7 +223,7 @@ checks:
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -236,7 +236,7 @@ checks:
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
 compliance:
- - cis_csc: "3"
+ - cis_csc: ["3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -249,7 +249,7 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -262,7 +262,7 @@ checks:
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -275,7 +275,7 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
 compliance:
- - cis_csc: "16"
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
@@ -288,7 +288,7 @@ checks:
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
 compliance:
- - cis_csc: "16.14"
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -301,7 +301,7 @@ checks:
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
- - cis_csc: "14, 16"
+ - cis_csc: ["14, 16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
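Review bot: In the `@@ -301` hunk the comma-separated value is wrapped as a single-element list, `- cis_csc: ["14, 16"]`, instead of being split, so anything that matches on individual control ids will see one id `14, 16` rather than `14` and `16`; the same happens in the `@@ -314` and `@@ -327` hunks and in the `@@ -340` hunk further down this patch. The later `pci_dss` and `nist_800_53` hunks in the same file do split their comma-separated values into separate elements, so the cis_csc entries are inconsistent with them. Proposed: `- cis_csc: ["14", "16"]` in each of those four places.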
@@ -314,7 +314,7 @@ checks:
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
- - cis_csc: "14, 16"
+ - cis_csc: ["14, 16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -327,7 +327,7 @@ checks:
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
 compliance:
- - cis_csc: "14, 16"
+ - cis_csc: ["14, 16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -340,7 +340,7 @@ checks:
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
 compliance:
- - cis_csc: "14, 16"
+ - cis_csc: ["14, 16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -353,7 +353,7 @@ checks:
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
 compliance:
- - cis_csc: "16.14"
+ - cis_csc: ["16.14"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -366,7 +366,7 @@ checks:
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -379,7 +379,7 @@ checks:
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -392,7 +392,7 @@ checks:
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -405,7 +405,7 @@ checks:
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
 compliance:
- - cis_csc: "13"
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
 condition: all
@@ -419,7 +419,6 @@ checks:
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
- compliance:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -432,7 +431,7 @@ checks:
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
 compliance:
- - cis_csc: "14.4"
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -445,7 +444,7 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
- - cis_csc: "9.2"
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -458,7 +457,7 @@ checks:
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
- - cis_csc: "9.2"
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -468,9 +467,9 @@ checks:
 - id: 2534
 title: "Ensure Registry tools set is enabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: all
 rules:
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -481,9 +480,9 @@ checks:
 title: "Ensure DCOM is enabled"
 description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 references:
 - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows
 condition: all
@@ -495,9 +494,9 @@ checks:
 - id: 2536
 title: "LM authentication not allowed (disable weak passwords)"
 compliance:
- - pci_dss: "10.6.1, 11.4"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6, IA.10"
+ - pci_dss: ["10.6.1","11.4"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6","IA.10"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA'
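Review bot: The split lists in the `@@ -495` hunk are written in flow style with no space after the comma, `["10.6.1","11.4"]` and `["AU.6","IA.10"]`, which yamllint's default `commas` rule rejects and which differs from the `["13"]`-style entries elsewhere in this patch; the `@@ -528` hunk on the next patch line has the same spacing. Proposed: `- pci_dss: ["10.6.1", "11.4"]` and `- nist_800_53: ["AU.6", "IA.10"]`, and likewise for the three lists in `@@ -528`. Keeping every element quoted is right, since an unquoted `11.4` or `1.4` would be loaded as a float rather than a control id.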
@@ -509,9 +508,9 @@ checks:
 - id: 2537
 title: "Ensure Firewall/Anti Virus notifications are enabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
@@ -528,9 +527,9 @@ checks:
 - id: 2538
 title: "Ensure Microsoft Firewall is enabled"
 compliance:
- - pci_dss: "10.6.1, 1.4"
- - hipaa: "164.312.b, 164.312.a.1"
- - nist_800_53: "AU.6, SC.7"
+ - pci_dss: ["10.6.1","1.4"]
+ - hipaa: ["164.312.b","164.312.a.1"]
+ - nist_800_53: ["AU.6","SC.7"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile'
@@ -540,8 +539,8 @@ checks:
 - id: 2539
 title: "Ensure Null sessions are not allowed"
 compliance:
- - pci_dss: "11.4"
- - nist_800_53: "IA.10"
+ - pci_dss: ["11.4"]
+ - nist_800_53: ["IA.10"]
 condition: all
 rules:
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa'
@@ -551,9 +550,9 @@ checks:
 - id: 2540
 title: "Ensure Turn off Windows Error reporting is enabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 references:
 - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
 condition: all
@@ -568,9 +567,9 @@ checks:
 - id: 2541
 title: "Ensure Automatic Logon is disabled"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: any
 rules:
 - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
@@ -580,9 +579,9 @@ checks:
 - id: 2542
 title: "Ensure Winpcap packet filter driver is not present"
 compliance:
- - pci_dss: "10.6.1"
- - hipaa: "164.312.b"
- - nist_800_53: "AU.6"
+ - pci_dss: ["10.6.1"]
+ - hipaa: ["164.312.b"]
+ - nist_800_53: ["AU.6"]
 condition: none
 rules:
 - 'f:%WINDIR%\System32\drivers\npf.sys'
@@ -594,7 +593,7 @@ checks:
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis_csc: "16"
+ - cis_csc: ["16"]
 references:
 - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
@@ -610,7 +609,7 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis_csc: "9"
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -625,7 +624,7 @@ checks:
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
 compliance:
- - cis_csc: "9"
+ - cis_csc: ["9"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
@@ -640,7 +639,7 @@ checks: rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis_csc: "8" + - cis_csc: ["8"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all 
@@ -655,7 +654,7 @@ checks: rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis_csc: "16.5" + - cis_csc: ["16.5"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all 
@@ -670,7 +669,7 @@ checks: rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - - cis_csc: "6.3" + - cis_csc: ["6.3"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all 
@@ -685,7 +684,7 @@ checks: rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis_csc: "3.7" + - cis_csc: ["3.7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' @@ -698,7 +697,7 @@ checks: rationale: "Users might download drivers that include malicious code." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "2" + - cis_csc: ["2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 
@@ -711,7 +710,7 @@ checks: rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "7" + - cis_csc: ["7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -724,7 +723,7 @@ checks: rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "13.1" + - cis_csc: ["13.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 
@@ -737,7 +736,7 @@ checks: rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis_csc: "9.1" + - cis_csc: ["9.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -750,7 +749,7 @@ checks: rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - - cis_csc: "5.1" + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -763,7 +762,7 @@ checks: rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "8.3" + - cis_csc: ["8.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -776,7 +775,7 @@ checks: rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "16.4" + - cis_csc: ["16.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -789,7 +788,7 @@ checks: rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -802,7 +801,7 @@ checks: rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." compliance: - - cis_csc: "16.14" + - cis_csc: ["16.14"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -815,7 +814,7 @@ checks: rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "3.4" + - cis_csc: ["3.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -828,7 +827,7 @@ checks: rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "5.1" + - cis_csc: ["5.1"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -841,7 +840,7 @@ checks: rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "4.5" + - cis_csc: ["4.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 
@@ -854,7 +853,7 @@ checks: rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - - cis_csc: "4.5" + - cis_csc: ["4.5"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 
@@ -867,7 +866,7 @@ checks: rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - - cis_csc: "9" + - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all @@ -882,7 +881,7 @@ checks: rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - - cis_csc: "9" + - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ condition: all 
@@ -897,7 +896,7 @@ checks: rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' @@ -910,7 +909,7 @@ checks: rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -923,7 +922,7 @@ checks: rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' @@ -936,7 +935,7 @@ checks: rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - - cis_csc: "13" + - cis_csc: ["13"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 
@@ -949,7 +948,7 @@ checks:
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication"
 compliance:
- - cis_csc: "9.1, 9.2"
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -962,7 +961,7 @@ checks:
 rationale: "Unauthenticated RPC communication can create a security vulnerability."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
 compliance:
- - cis_csc: "9.1, 9.2"
+ - cis_csc: ["9.1","9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
From 9843be07e5d3be6eb4952ab3239e9c4e07d35c47 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 3 Jul 2019 13:25:24 +0200
Subject: [PATCH 185/247] Remove extra files
---
 sca/darwin/web_vulnerabilities.yml | 145 --------
 sca/debian/cis_debian_linux_rcl.yml | 517 ----------------------------
 sca/generic/system_audit_pw.yml | 160 ---------
 sca/generic/system_audit_ssh.yml | 137 --------
 sca/windows/win_audit_rcl.yml | 146 --------
 5 files changed, 1105 deletions(-)
 delete mode 100644 sca/darwin/web_vulnerabilities.yml
 delete mode 100644 sca/debian/cis_debian_linux_rcl.yml
 delete mode 100644 sca/generic/system_audit_pw.yml
 delete mode 100644 sca/generic/system_audit_ssh.yml
 delete mode 100644 sca/windows/win_audit_rcl.yml
diff --git a/sca/darwin/web_vulnerabilities.yml b/sca/darwin/web_vulnerabilities.yml
deleted file mode 100644
index ff23ba5d7..000000000
--- a/sca/darwin/web_vulnerabilities.yml +++ /dev/null 
@@ -1,145 +0,0 @@ -# Security Configuration assessment -# Checks for auditing Mac systems -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation - -policy: - id: "web_vulnerabilities_mac" - file: "web_vulnerabilities.yml" - name: "System audit for web-related vulnerabilities" - description: "Guidance for establishing a secure configuration for web-related vulnerabilities." - -variables: - $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini - $web_dirs: /Library/WebServer/Documents,/usr/htdocs,/usr/local/var/htdocs,/usr/local/var/www - - -# PHP checks -checks: - - id: 2000 - title: "PHP - Register globals are enabled" - condition: any - rules: - - 'f:$php.ini -> r:^register_globals = On' - - id: 2001 - title: "PHP - Expose PHP is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^expose_php = On' - - id: 2002 - title: "PHP - Allow URL fopen is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^allow_url_fopen = On' - - id: 2003 - title: "PHP - Displaying of errors is enabled" - condition: any - rules: - - 'f:$php.ini -> r:^display_errors = On' -# WEB checks - - id: 2004 - title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^.yop$' - - id: 2005 - title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^id$' - - id: 2006 - title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^.ssh$' - - 
id: 2007 - title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^...$' - - id: 2008 - title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^.shell$' -# Outdated Web applications - - id: 2009 - title: "Web vulnerability - Outdated WordPress installation" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:^\.wp_version && >:$wp_version = ''4.4.2''' - - id: 2010 - title: "Web vulnerability - Outdated Joomla installation" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> ^version.php$ -> IN r:var \.RELEASE && r:''3.4.8''' - - id: 2011 - title: "Web vulnerability - Outdated osCommerce (v2.2) installation" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - "d:$web_dirs -> ^application_top.php$ -> r:'osCommerce 2.2-;" -# Known backdoors - - id: 2012 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' - - id: 2013 - title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - condition: any - rules: - - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' - - id: 2014 - title: "Web vulnerability - .htaccess file compromised" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - 
nist_800_53: ["SA.11","IA.10"] - references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond \S+HTTP_REFERERS \S+google' - - id: 2015 - title: "Web vulnerability - .htaccess file compromised - auto append" - compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] - references: - - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html - condition: any - rules: - - 'd:$web_dirs -> ^.htaccess$ -> r:php_value auto_append_file' diff --git a/sca/debian/cis_debian_linux_rcl.yml b/sca/debian/cis_debian_linux_rcl.yml deleted file mode 100644 index 36a02ba05..000000000 --- a/sca/debian/cis_debian_linux_rcl.yml +++ /dev/null 
@@ -1,517 +0,0 @@
-# Security Configuration assessment
-# CIS Checks for Debian/Ubuntu
-# Copyright (C) 2015-2019, Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation
-#
-# Based on:
-# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
-# Center for Internet Security Debian Linux 8 Benchmark v2.0.0 - 12-28-2018
-# Center for Internet Security Debian Linux 7 Benchmark v1.0.0 - 12-31-2015
-
-policy:
- id: "cis_debian"
- file: "cis_debian_linux_rcl.yml"
- name: "CIS benchmark for Debian/Linux"
- description: "This document provides prescriptive guidance for establishing a secure configuration posture for Debian Linux systems running on x86 and x64 platforms. Many lists are included including filesystem types, services, clients, and network protocols. Not all items in these lists are guaranteed to exist on all distributions and additional similar items may exist which should be considered in addition to those explicitly mentioned."
- references:
- - https://www.cisecurity.org/cis-benchmarks/
-
-requirements:
- title: "Check Debian version"
- description: "Requirements for running the SCA scan against Debian/Ubuntu."
- condition: all
- rules:
- - 'f:/etc/debian_version'
- - 'f:/proc/sys/kernel/ostype -> Linux'
-
-checks:
-# Section 1.1 - Filesystem Configuration
- - id: 5000
- title: "Ensure /tmp is configured"
- description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
- rationale: "Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. 
Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw. This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp." - remediation: "Configure /etc/fstab as appropiate or enable systemd /tmp mounting and edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount." - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.2"] - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/ - condition: all - rules: - - 'c:mount -> r:\s/tmp\s' - - - id: 5001 - title: "Ensure nodev option set on /tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp ." - remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp and enable systemd /tmp mounting." - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.3"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/tmp\s && r:nodev' - - - id: 5002 - title: "Ensure separate partition exists for /var" - description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." - rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.6"] - references: - - https://tldp.org/HOWTO/LVM-HOWTO/ - condition: all - rules: - - 'c:mount -> r:\s/var\s' - - - id: 5003 - title: "Ensure separate partition exists for /var/tmp" - description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." - rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw." - remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp . For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.7"] - condition: all - rules: - - 'c:mount -> r:\s/var/tmp\s' - - - id: 5004 - title: "Ensure nodev option set on /var/tmp partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp ." 
- remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp" - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.8"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/var/tmp\s && r:nodev' - - - id: 5005 - title: "Ensure nodev option set on /home partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home" - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.14"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/home\s && r:nodev' - - - id: 5006 - title: "Ensure nodev option set on /dev/shm partition" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm : # mount -o remount,nodev /dev/shm." 
- compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.14"] - condition: all - rules: - - 'c:mount -> r:\s/dev/shm\s && r:nodev' - - - id: 5007 - title: "Ensure nosuid option set on /dev/shm partition" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm." - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.15"] - condition: all - rules: - - 'c:mount -> r:\s/dev/shm\s && r:nosuid' - - - id: 5008 - title: "Ensure noexec option set on /dev/shm partition" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm." - compliance: - - cis_csc: ["5.1"] - - cis: ["1.1.16"] - condition: all - rules: - - 'c:mount -> r:\s/dev/shm\s && r:noexec' - -# Section 1.7 - Warning banners - - id: 5009 - title: "Ensure GDM login banner is configured" - description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." 
- rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." - remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'" - compliance: - - cis_csc: ["5.1"] - - cis: ["1.7.2"] - - pci_dss: ["2.2.2"] - condition: all - rules: - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' - -# Section 2 - Filesystem Configuration - Debian 7 - - id: 5010 - title: "Add nodev option to /run/shm Partition" - description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices." - rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options of entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nodev /run/shm" - compliance: - - cis_csc: ["5.1"] - - cis: ["2.14"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/run/shm\s && r:nodev' - - - id: 5011 - title: "Add nosuid option to /run/shm Partition" - description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program." 
- rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,nosuid /run/shm." - compliance: - - cis_csc: ["5.1"] - - cis: ["2.15"] - condition: all - rules: - - 'c:mount -> r:\s/run/shm\s && r:nosuid' - - - id: 5012 - title: "Add noexec option to /run/shm Partition" - description: "Set noexec on the shared memory partition to prevent programs from executing from there." - rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /run/shm . See the fstab(5) manual page for more information. # mount -o remount,noexec /run/shm." - compliance: - - cis_csc: ["5.1"] - - cis: ["2.16"] - condition: all - rules: - - 'c:mount -> r:\s/run/shm\s && r:noexec' - -# Section 2.1 - Inetd services - - id: 5013 - title: "Ensure inetd is not installed" - description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." - rationale: "If there are no inetd services required, it is recommended that the daemon be removed." 
- remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: apt-get remove openbsd-inetd; apt-get remove inetutils-inetd" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.1.2"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:dpkg -s inetutils-inetd -> r:install ok installed' - - 'c:dpkg -s openbsd-inetd -> r:install ok installed' - -# Section 2.2 - Special purpose services - - id: 5014 - title: "Ensure FTP Server is not enabled" - description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." - rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.9"] - - pci_dss: ["2.2.3"] - condition: any - rules: - - 'c:systemctl is-enabled vsftpd -> r:disabled' - - - id: 5015 - title: "Ensure IMAP and POP3 server is not enabled" - description: "exim is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." - remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.11"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:dpkg -s exim4 -> install ok installed' - - - id: 5017 - title: "Ensure Samba is not enabled" - description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. 
Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." - rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable smbd: # systemctl disable smbd" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.12"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled smb -> r:^enabled' - - - id: 5018 - title: "Ensure NFS and RPC are not enabled" - description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." - rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." - remediation: "Run the following commands to disable nfs and rpcbind : # systemctl disable nfs-server; # systemctl disable rpcbind" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.7"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled nfs-server -> r:^enabled' - - 'c:systemctl is-enabled rpcbind -> r:^enabled' - - - id: 5019 - title: "Ensure NIS Server is not enabled" - description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. 
NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" - remediation: "Run the following command to disable nis: # systemctl disable nis" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.17"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled nis -> r:^enabled' - - - id: 5020 - title: "Ensure HTTP server is not enabled" - description: "HTTP or web servers provide the ability to host web site content." - rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable apache2: # systemctl disable apache2" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.10"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled apache2 -> r:^enabled' - - - id: 5021 - title: "Ensure DNS Server is not enabled" - description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." - rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." - remediation: "Run the following command to disable named: # systemctl disable bind9" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.8"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled bind9 -> r:^enabled' - - - id: 5022 - title: "Ensure HTTP Proxy Server is not enabled" - description: "Squid is a standard proxy server used in many distributions and environments." - rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
- remediation: "Run the following command to disable squid: # systemctl disable squid" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.13"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled squid -> r:^enabled' - -# Section 2.3 - Service clients - - id: 5023 - title: "Ensure rsh client is not installed" - description: "The rsh package contains the client commands for the rsh services." - rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin ." - remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client" - compliance: - - cis_csc: ["2.6","4.5"] - - cis: ["2.3.2"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:dpkg -s rsh-client -> install ok installed' - - 'c:dpkg -s rsh-redone-client -> install ok installed' - - - id: 5024 - title: "Ensure telnet client is not installed" - description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." - rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." 
- remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" - compliance: - - cis_csc: ["2.6","4.5"] - - cis: ["2.3.4"] - - pci_dss: ["2.2.3"] - condition: none - rules: - - 'c:dpkg -s telnet -> install ok installed' - -# Section 3.1 - Network Parameters (Host Only) - - id: 5025 - title: "Ensure IPv4 forwarding is disabled" - description: "The net.ipv4.ip_forward flag are used to tell the system whether it can forward packets or not." - rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." - remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0" - compliance: - - cis_csc: ["5.1"] - - cis: ["3.1.1"] - condition: all - rules: - - 'c:sysctl net.ipv4.ip_forward -> r:=^net.ipv4_forward\s*=\s*0$' - - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4_forward\s*=\s*0$' - - - id: 5026 - title: "Ensure IPv6 forwarding is disabled" - description: "The net.ipv6.conf.all.forwarding flag are used to tell the system whether it can forward packets or not." - rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." 
- remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/*, net.ipv6.conf.all.forwarding = 0" - compliance: - - cis_csc: ["5.1"] - - cis: ["3.1.1"] - condition: all - rules: - - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' - - 'c:grep -Rh net\.ipv6\.ip_forward\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6_forward.conf.all.forwarding\s*=\s*0$' - -# Section 3.2 - Network Parameters (Host and Router) - - id: 5027 - title: "Ensure source routed packets are not accepted" - description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." - rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
- remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0, net.ipv4.conf.default.accept_source_route = 0, net.ipv6.conf.all.accept_source_route = 0, net.ipv6.conf.default.accept_source_route = 0" - compliance: - - cis_csc: ["5.1"] - - cis: ["3.2.1"] - condition: all - rules: - - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' - - 'c:sysctl net.ipv4.conf.default.accept_source_route -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' - - 'c:sysctl net.ipv6.conf.all.accept_source_route -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' - - 'c:sysctl net.ipv6.conf.default.accept_source_route -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' - - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - - - id: 5028 - title: "Ensure broadcast ICMP requests are ignored" - description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." - rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. 
All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." - remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1" - compliance: - - cis_csc: ["5.1"] - - cis: ["3.2.5"] - condition: all - rules: - - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1' - -# Section 5.2 - SSH Server Configuration - - id: 5029 - title: "Ensure SSH Protocol is set to 2" - description: "Older versions of SSH support two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure." - rationale: "SSH v1 suffers from insecurities that do not affect SSH v2." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2" - compliance: - - cis_csc: ["14.4"] - - cis: ["5.2.4"] - - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] - - nist_800_53: ["SC.8"] - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2' - - - id: 5030 - title: "Ensure SSH IgnoreRhosts is enabled" - description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ." - rationale: "Setting this parameter forces users to enter a password when authenticating with ssh." 
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes" - compliance: - - cis_csc: ["9.2"] - - cis: ["5.2.8"] - - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] - - nist_800_53: ["SC.8"] - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*IgnoreRhosts\.+yes' - - - id: 5031 - title: "Ensure SSH HostbasedAuthentication is disabled" - description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." - rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" - compliance: - - cis_csc: ["16.3"] - - cis: ["5.2.9"] - - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] - - nist_800_53: ["SC.8"] - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*HostbasedAuthentication\.+no' - - - id: 5032 - title: "Ensure SSH root login is disabled" - description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no." - rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . 
This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no" - compliance: - - cis_csc: ["4.3"] - - cis: ["5.2.10"] - - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] - - nist_800_53: ["SC.8"] - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitRootLogin\.+no' - - - id: 5033 - title: "Ensure SSH PermitEmptyPasswords is disabled" - description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings." - rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system" - remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no" - compliance: - - cis_csc: ["16.3"] - - cis: ["5.2.11"] - - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] - - nist_800_53: ["SC.8"] - condition: all - rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no' - -# Section 6.2 - User and Group Settings - - id: 5034 - title: "Ensure password fields are not empty" - description: "An account with an empty password field means that anybody may log in as that user without providing a password." - rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." 
- remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l "
- compliance:
- - cis_csc: ["4.4"]
- - cis: ["6.2.1"]
- - pci_dss: ["10.2.5"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["IA.10","AC.7"]
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+::'
-
- - id: 5035
- title: "Ensure root is the only UID 0 account"
- description: "Any account with UID 0 has superuser privileges on the system."
- rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
- remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
- compliance:
- - cis_csc: ["5.1"]
- - cis: ["6.2.5"]
- - pci_dss: ["10.2.5"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["IA.10","AC.7"]
- condition: none
- rules:
- - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
diff --git a/sca/generic/system_audit_pw.yml b/sca/generic/system_audit_pw.yml
deleted file mode 100644
index d89930110..000000000
--- a/sca/generic/system_audit_pw.yml
+++ /dev/null
@@ -1,160 +0,0 @@
-# Security Configuration assessment
-# Checks for Password Security on Linux Systems
-# Copyright (C) 2015-2019, Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation
-#
-# Mostly based on
-# Center for Internet Security Debian Linux 9 Benchmark v1.0.0 - 12-21-2018
-# Center for Internet Security Red Hat Enterprise Linux 7 v2.2.0 - 12-27-2017
-# Center for Internet Security SUSE Linux Enterprise 12 v2.1.0 - 12-28-2017
-# OSSEC v3.2.0
-
-policy:
- id: "system_audit_pw"
- file: "system_audit_pw.yml"
- name: "System audit for password-related vulnerabilities"
- description: "Guidance for establishing a secure configuration for password vulnerabilities."
- references:
- - https://www.cisecurity.org/cis-benchmarks/
-
-requirements:
- title: "Check that password-related files are present on the system"
- description: "Requirements for running the SCA scan against the password-related policy."
- condition: any
- rules:
- - 'f:/etc/passwd'
- - 'f:/etc/shadow'
-
-variables:
- $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
-
-checks:
-# 5.3 Configure PAM
- - id: 13000
- title: "Ensure password creation requirements are configured"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: ["5.3.1"]
- - cis_csc: ["4.4","5.7","16.12"]
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: all
- rules:
- - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass'
- - 'f:/etc/pam.d/common-password -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
-
- - id: 13001
- title: "Ensure passwords are longer than 13 characters"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: ["5.3.1"]
- - cis_csc: ["4.4","5.7","16.12"]
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
-
- - id: 13002
- title: "Ensure passwords contain at least one digit"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: ["5.3.1"]
- - cis_csc: ["4.4","5.7","16.12"]
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:dcredit=-1'
-
- - id: 13003
- title: "Ensure passwords contain at least one lowercase character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: ["5.3.1"]
- - cis_csc: ["4.4","5.7","16.12"]
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:lcredit=-1'
-
- - id: 13004
- title: "Ensure passwords contain at least one uppercase character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: ["5.3.1"]
- - cis_csc: ["4.4","5.7","16.12"]
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ucredit=-1'
-
- - id: 13005
- title: "Ensure passwords contain at least one special character"
- description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords.
It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more."
- rationale: "Strong passwords protect systems from being hacked through brute force methods."
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy"
- compliance:
- - cis: ["5.3.1"]
- - cis_csc: ["4.4","5.7","16.12"]
- references:
- - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
- condition: any
- rules:
- - 'f:/etc/pam.d/common-password -> r:pam_cracklib.so && r:ocredit=-1'
-
- - id: 13006
- title: "Ensure password hashing algorithm is SHA-512"
- description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."
- rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
- remediation: "Edit the /etc/pam.d/common-password file to include the sha512 option for pam_unix.so as shown: password required pam_unix.so sha512"
- compliance:
- - cis: ["5.3.4"]
- - cis_csc: ["16.14"]
- condition: any
- rules:
- - 'f:/etc/pam.d/common-password -> r:^password\.+pam_unix.so\.+sha512'
-
- - id: 13007
- title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256"
- description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5."
- rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
- remediation: "Set the default algorithm for password hashing in /etc/shadow to SHA-512 or SHA-256."
- references:
- - https://linux-audit.com/password-security-with-linux-etc-shadow-file/
- - https://docs.oracle.com/cd/E19253-01/816-4557/concept-23/index.html
- condition: none
- rules:
- - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$'
-
-# 5.4 User accounts and Environment
- - id: 13008
- title: "Ensure password expiration is 365 days or less"
- description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
- rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
- remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)."
- compliance:
- - cis: ["5.4.1.1"]
- - cis_csc: ["4.4","16"]
- references:
- - https://www.thegeekdiary.com/understanding-etclogin-defs-file
- condition: any
- rules:
- - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52'
- - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
diff --git a/sca/generic/system_audit_ssh.yml b/sca/generic/system_audit_ssh.yml
deleted file mode 100644
index e57c4cb96..000000000
--- a/sca/generic/system_audit_ssh.yml
+++ /dev/null
@@ -1,137 +0,0 @@
-# Security Configuration assessment
-# Checks for SSH hardening
-# Copyright (C) 2015-2019, Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation
-
-policy:
- id: "system_audit_ssh"
- file: "system_audit_ssh.yml"
- name: "System audit for SSH hardening"
- description: "Guidance for establishing a secure configuration for SSH service vulnerabilities."
- references:
- - https://www.ssh.com/ssh/
-
-requirements:
- title: "Check that the SSH service is installed on the system"
- description: "Requirements for running the SCA scan against the SSH policy."
- condition: all
- rules:
- - 'f:/etc/ssh/sshd_config'
-
-variables:
- $sshd_file: /etc/ssh/sshd_config
-
-checks:
- - id: 1500
- title: "SSH Hardening - 1: Port should not be 22"
- description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections."
- rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
- remediation: "Change the Port option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> !r:^# && r:Port && !r:\D22\D*$'
-
- - id: 1501
- title: "SSH Hardening - 2: Protocol should not be 1"
- description: "The SSH protocol should not be 1."
- rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses."
- remediation: "Change the Protocol option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*\t*Protocol\D+2\D*$'
-
- - id: 1502
- title: "SSH Hardening - 3: Root account should not be able to log in"
- description: "The option PermitRootLogin should be set to no."
- rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses."
- remediation: "Change the PermitRootLogin option value in the sshd_config file."
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*PermitRootLogin\.+no'
-
- - id: 1503
- title: "SSH Hardening - 4: No Public Key authentication"
- description: "The option PubkeyAuthentication should be set yes."
- rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password."
- remediation: "Change the PubkeyAuthentication option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\.+yes'
-
- - id: 1504
- title: "SSH Hardening - 5: Password Authentication should be disabled"
- description: "The option PasswordAuthentication should be set to no."
- rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords."
- remediation: "Change the PasswordAuthentication option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*PasswordAuthentication\.+no'
-
- - id: 1505
- title: "SSH Hardening - 6: Empty passwords should not be allowed"
- description: "The option PermitEmptyPasswords should be set to no."
- rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice."
- remediation: "Change the PermitEmptyPasswords option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\.+no'
-
- - id: 1506
- title: "SSH Hardening - 7: Rhost or shost should not be used for authentication"
- description: "The option IgnoreRhosts should be set to yes."
- rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication."
- remediation: "Change the IgnoreRhosts option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\.+yes'
-
- - id: 1507
- title: "SSH Hardening - 8: Grace Time should be 30 or less."
- description: "The option LoginGraceTime should be set to 30 or less."
- rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate."
- remediation: "Change the LoginGraceTime option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> n:^\s*LoginGraceTime\s+(\d+)s compare <= 30'
-
- - id: 1508
- title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts"
- description: "The option MaxAuthTries should be set to 4 or less."
- rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
- remediation: "Change the MaxAuthTries option value in the sshd_config file."
- compliance:
- - pci_dss: ["2.2.4"]
- condition: all
- rules:
- - 'f:$sshd_file -> n:^\s*MaxAuthTries\s+(\d+) compare <= 4'
-
- - id: 1509
- title: "Ensure SSH HostbasedAuthentication is disabled"
- description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
- rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
- remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
- compliance:
- - pci_dss: ["4.1"]
- - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"]
- - nist_800_53: ["SC.8"]
- condition: all
- rules:
- - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
diff --git a/sca/windows/win_audit_rcl.yml b/sca/windows/win_audit_rcl.yml
deleted file mode 100644
index c36628c92..000000000
--- a/sca/windows/win_audit_rcl.yml
+++ /dev/null
@@ -1,146 +0,0 @@
-# Security Configuration assessment
-# Checks for Windows audit
-# Copyright (C) 2015-2019, Wazuh Inc.
-#
-# This program is a free software; you can redistribute it
-# and/or modify it under the terms of the GNU General Public
-# License (version 2) as published by the FSF - Free Software
-# Foundation
-#
-
-policy:
- id: "win_audit"
- file: "win_audit_rcl.yml"
- name: "Benchmark for Windows audit"
- description: "This document provides a way of ensuring the security of the Windows systems."
-
-requirements:
- title: "Check for Windows platform"
- description: "Requirements for running the audit policy under a Windows platform"
- condition: "any"
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'
-
-checks:
- - id: 2500
- title: "Ensure Registry tools set is enabled"
- compliance:
- - pci_dss: ["10.6.1"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6"]
- condition: all
- rules:
- - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
- - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'
-
- - id: 2501
- title: "Ensure DCOM is enabled"
- description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
- compliance:
- - pci_dss: ["10.6.1"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6"]
- references:
- - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
-
- - id: 2502
- title: "LM authentication not allowed (disable weak passwords)"
- compliance:
- - pci_dss: ["10.6.1","11.4"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6","IA.10"]
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^5$'
-
-# Disabled by some Malwares (sometimes by McAfee and Symantec
-# security center too).
- - id: 2503
- title: "Ensure Firewall/Anti Virus notifications are enabled"
- compliance:
- - pci_dss: ["10.6.1"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6"]
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
-
-# Checking for the microsoft firewall.
- - id: 2504
- title: "Ensure Microsoft Firewall is enabled"
- compliance:
- - pci_dss: ["10.6.1","1.4"]
- - hipaa: ["164.312.b","164.312.a.1"]
- - nist_800_53: ["AU.6","SC.7"]
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile'
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'
-
- - id: 2505
- title: "Ensure Null sessions are not allowed"
- compliance:
- - pci_dss: ["11.4"]
- - nist_800_53: ["IA.10"]
- condition: all
- rules:
- - 'r:HKLM\System\CurrentControlSet\Control\Lsa'
- - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
- - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
-
- - id: 2506
- title: "Ensure Turn off Windows Error reporting is enabled"
- compliance:
- - pci_dss: ["10.6.1"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6"]
- references:
- - https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
- condition: all
- rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
-
- - id: 2507
- title: "Ensure Automatic Logon is disabled"
- compliance:
- - pci_dss: ["10.6.1"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6"]
- condition: any
- rules:
- - 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
- - 'r:HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon -> AutoAdminLogon'
- - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
-
- - id: 2508
- title: "Ensure Winpcap packet filter driver is not present"
- compliance:
- - pci_dss: ["10.6.1"]
- - hipaa: ["164.312.b"]
- - nist_800_53: ["AU.6"]
- condition: none
- rules:
- - 'f:%WINDIR%\System32\drivers\npf.sys'
- - 'f:%WINDIR%\Sysnative\drivers\npf.sys'
From b8a54fb72fc141c584d638510da69b5fd974f96b Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Wed, 3 Jul 2019 15:00:05 +0200
Subject: [PATCH 186/247] Add compliance lists and remove extra checks
---
 sca/debian/cis_debian7_L1.yml | 33 ---
 sca/debian/cis_debian8_L1.yml | 18 +-
 sca/debian/cis_debian8_L2.yml | 4 +-
 sca/debian/cis_debian9_L1.yml | 402 +++++++++++++++----------------
 sca/debian/cis_debian9_L2.yml | 116 ++++-----
 sca/sles/12/cis_sles12_linux.yml | 40 ---
 6 files changed, 270 insertions(+), 343 deletions(-)
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index 020b0f3e3..4254db195 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -1195,39 +1195,6 @@ checks:
rules:
- 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
- - id: 10600
- title: "Check for Presence of User .rhosts Files"
- description: "While no .rhosts files are shipped by default, users can easily create them."
- rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems."
- remediation: "If any users have .rhosts files determine why they have them."
- compliance:
- - cis: ["13.10"]
- condition: none
- rules:
- - 'd:/home -> r:^.rhosts$'
-
- - id: 10601
- title: "Check for Presence of User .netrc Files"
- description: "The .netrc file contains data for logging into a remote host for file transfers via FTP."
- rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from other systems which could pose a risk to those systems."
- remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .netrc files and determine the action to be taken in accordance with site policy."
- compliance:
- - cis: ["13.18"]
- condition: none
- rules:
- - 'd:/home -> r:^.netrc$'
-
- - id: 10602
- title: "Check for Presence of User .forward Files"
- description: "The .forward file specifies an email address to forward the user's mail to."
- rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execute commands that may perform unintended actions."
- remediation: "Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user .forward files and determine the action to be taken in accordance with site policy."
- compliance:
- - cis: ["13.19"]
- condition: none
- rules:
- - 'd:/home -> r:^.forward$'
-
- id: 10603
title: "Ensure shadow group is empty"
description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index d658bf4c9..efa37e521 100644
--- a/sca/debian/cis_debian8_L1.yml
+++ b/sca/debian/cis_debian8_L1.yml
@@ -353,9 +353,9 @@ checks:
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
compliance:
- - cis_csc: "5.1"
- - cis: "1.7.2"
- - pci_dss: "2.2.2"
+ - cis_csc: ["5.1"]
+ - cis: ["1.7.2"]
+ - pci_dss: ["2.2.2"]
condition: all
rules:
- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
@@ -528,9 +528,9 @@ checks:
rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.11"]
+ - pci_dss: ["2.2.2"]
condition: none
rules:
- 'c:dpkg -s exim4 -> install ok installed'
@@ -589,9 +589,9 @@ checks:
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
remediation: "Run the following command to disable nis: # systemctl disable nis"
compliance:
- - cis_csc: "9.2"
- - cis: "2.2.17"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.17"]
+ - pci_dss: ["2.2.2"]
condition: none
rules:
- 'c:systemctl is-enabled nis -> r:^enabled'
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml
index 862c371fe..353e0863c 100644
--- a/sca/debian/cis_debian8_L2.yml
+++ b/sca/debian/cis_debian8_L2.yml
@@ -459,8 +459,8 @@ checks:
rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
compliance:
- - cis: "5.2.6"
- - cis_csc: "16, 9.2"
+ - cis: ["5.2.6"]
+ - cis_csc: ["16","9.2"]
condition: all
rules:
- 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
\ No newline at end of file
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index e42221a94..48c3b0c18 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
@@ -34,8 +34,8 @@ checks:
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/freevxfs.conf and add the following line: install freevxfs /bin/true Run the following command to unload the freevxfs module: # rmmod freevxfs"
compliance:
- - cis: "1.1.1.1"
- - cis_csc: "5.1"
+ - cis: ["1.1.1.1"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
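Review bot: The `\ No newline at end of file` marker after the X11Forwarding rule shows the file still ends without a terminating newline on the new side, even though this hunk rewrites the last stanza of the file. Since the commit already touches these lines, terminating the file with a single newline would keep yamllint's `new-line-at-end-of-file` check quiet and avoid noisy diffs the next time the last line changes. The enclosing check item starts outside the hunk.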
@@ -47,8 +47,8 @@ checks:
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/jffs2.conf and add the following line: install jffs2 /bin/true Run the following command to unload the jffs2 module: # rmmod jffs2"
compliance:
- - cis: "1.1.1.2"
- - cis_csc: "5.1"
+ - cis: ["1.1.1.2"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
@@ -60,8 +60,8 @@ checks:
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/hfs.conf and add the following line: install hfs /bin/true Run the following command to unload the hfs module: # rmmod hfs"
compliance:
- - cis: "1.1.1.3"
- - cis_csc: "5.1"
+ - cis: ["1.1.1.3"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
@@ -73,8 +73,8 @@ checks:
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .confExample: vim /etc/modprobe.d/hfsplus.conf and add the following line: install hfsplus /bin/true Run the following command to unload the hfsplus module: # rmmod hfsplus"
compliance:
- - cis: "1.1.1.4"
- - cis_csc: "5.1"
+ - cis: ["1.1.1.4"]
+ - cis_csc: ["5.1"]
condition: all
rules:
- 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
@@ -86,8 +86,8 @@ checks:
 rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/udf.conf and add the following line: install udf /bin/true Run the following command to unload the udf module: # rmmod udf"
 compliance:
- - cis: "1.1.1.5"
- - cis_csc: "5.1"
+ - cis: ["1.1.1.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true'
@@ -100,8 +100,8 @@ checks:
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
 remediation: "Configure /etc/fstab as appropriate. Example: tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0 or Run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount"
 compliance:
- - cis: "1.1.2"
- - cis_csc: "5.1"
+ - cis: ["1.1.2"]
+ - cis_csc: ["5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
@@ -115,8 +115,8 @@ checks:
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount and run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount systemctl enable tmp.mount"
 compliance:
- - cis: "1.1.3"
- - cis_csc: "5.1"
+ - cis: ["1.1.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -127,8 +127,8 @@ checks:
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
 remediation: "Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options: [Mount] Options=mode=1777,strictatime,noexec,nodev,nosuid Run the following command to remount /tmp : # mount -o remount,nodev /tmp"
 compliance:
- - cis: "1.1.4"
- - cis_csc: "5.1"
+ - cis: ["1.1.4"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -139,8 +139,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp : # mount -o remount,nodev /var/tmp"
 compliance:
- - cis: "1.1.8"
- - cis_csc: "5.1"
+ - cis: ["1.1.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
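Review bot: The remediation text in the 1.1.4 hunk (`@@ -127`) tells the reader to "add nodev to the /tmp mount options" and to run `# mount -o remount,nodev /tmp`, but the rule it accompanies checks `nosuid` (`'c:mount -> r:\s/tmp\s && r:nosuid'`) and the rationale talks about set-userid files. The text should name `nosuid` in both places, e.g. `... add nosuid to the /tmp mount options ... # mount -o remount,nosuid /tmp`, as the sibling 1.1.9 check already does for /var/tmp. The check's id and title are outside the hunk.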
@@ -151,8 +151,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
 compliance:
- - cis: "1.1.9"
- - cis_csc: "5.1"
+ - cis: ["1.1.9"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
@@ -163,8 +163,8 @@ checks:
 rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
 compliance:
- - cis: "1.1.10"
- - cis_csc: "2.6"
+ - cis: ["1.1.10"]
+ - cis_csc: ["2.6"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:noexec'
@@ -175,8 +175,8 @@ checks:
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
 compliance:
- - cis: "1.1.14"
- - cis_csc: "5.1"
+ - cis: ["1.1.14"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -187,8 +187,8 @@ checks:
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
- - cis: "1.1.15"
- - cis_csc: "5.1"
+ - cis: ["1.1.15"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -199,8 +199,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
- - cis: "1.1.16"
- - cis_csc: "5.1"
+ - cis: ["1.1.16"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -211,8 +211,8 @@ checks:
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
 compliance:
- - cis: "1.1.17"
- - cis_csc: "2.6, 8"
+ - cis: ["1.1.17"]
+ - cis_csc: ["2.6","8"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -223,8 +223,8 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Run the following command to disable autofs: # systemctl disable autofs"
 compliance:
- - cis: "1.1.21"
- - cis_csc: "8.4, 8.5"
+ - cis: ["1.1.21"]
+ - cis_csc: ["8.4","8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -236,8 +236,8 @@ checks:
 rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
 remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
 compliance:
- - cis: "1.3.1"
- - cis_csc: "14.9"
+ - cis: ["1.3.1"]
+ - cis_csc: ["14.9"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -248,8 +248,8 @@ checks:
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
 remediation: "Run the following command to install AIDE: # apt-get install aide aide-common Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
 compliance:
- - cis: "1.3.2"
- - cis_csc: "14.9"
+ - cis: ["1.3.2"]
+ - cis_csc: ["14.9"]
 condition: all
 rules:
 - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check'
@@ -261,8 +261,8 @@ checks:
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
 remediation: "Create an encrypted password with grub-mkpasswd-pbkdf2 Create a custom /etc/grub.d configuration file: If there is a requirement to be able to boot/reboot without entering the password, edit /etc/grub.d/10_linux and add --unrestricted to the line CLASS= Example: CLASS=\"--class gnu-linux --class gnu --class os --unrestricted\" Run the following command to update the grub2 configuration: # update-grub"
 compliance:
- - cis: "1.4.2"
- - cis_csc: "5.1"
+ - cis: ["1.4.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
@@ -274,8 +274,8 @@ checks:
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
 remediation: "Run the following command and follow the prompts to set a password for the root user: # passwd root"
 compliance:
- - cis: "1.4.3"
- - cis_csc: "5.1"
+ - cis: ["1.4.3"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^root:*:|^root:!:'
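Review bot: The rule `'f:/etc/shadow -> r:^root:*:|^root:!:'` in the 1.4.3 hunk (`@@ -274`) appears to intend a literal asterisk (a locked root entry of the form `root:*:`), but the other rules in this file use `\s`, `\.` and `*` as engine syntax, so `:*:` here is probably read as "zero or more colons followed by a colon", which matches `root::` rather than `root:*:`; a locked root account would then slip past this `condition: none` check. Confirm how the SCA regex engine escapes a literal `*` before rewriting the pattern, and keep the `^root:!:` alternative as it is. The check's id and title are outside the hunk.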
@@ -287,8 +287,8 @@ checks:
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
 remediation: "Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file: * hard core 0 Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: fs.suid_dumpable = 0 Run the following command to set the active kernel parameter: # sysctl -w fs.suid_dumpable=0"
 compliance:
- - cis: "1.5.1"
- - cis_csc: "13"
+ - cis: ["1.5.1"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$'
@@ -301,8 +301,8 @@ checks:
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: kernel.randomize_va_space = 2 Run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
- - cis: "1.5.3"
- - cis_csc: "8.3"
+ - cis: ["1.5.3"]
+ - cis_csc: ["8.3"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
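Review bot: The 1.5.3 rule `'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'` (`@@ -301`) inspects the persisted configuration only, while every other sysctl check in this file, including 1.5.1 just above it, reads the active value via `c:sysctl`. A host whose config files say 2 but whose running kernel has been set to something else passes, and a host relying on the kernel default with no entry in those files fails. Since the check is `condition: all`, adding `'c:sysctl kernel.randomize_va_space -> r:=\s*\t*2$'` next to the grep rule would cover both the active and the persisted setting; the check's id and title are outside the hunk.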
@@ -315,8 +315,8 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
 remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m , \\r , \\s , or \\v , or references to the OS platform # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
 compliance:
- - cis: "1.7.1.2"
- - cis_csc: "5.1"
+ - cis: ["1.7.1.2"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian'
@@ -327,9 +327,9 @@ checks:
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
 remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'"
 compliance:
- - cis_csc: "5.1"
- - cis: "1.7.2"
- - pci_dss: "2.2.2"
+ - cis_csc: ["5.1"]
+ - cis: ["1.7.2"]
+ - pci_dss: ["2.2.2"]
 condition: all
 rules:
 - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
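Review bot: In the 1.7.1.2 hunk (`@@ -315`) the rule `'f:/etc/issue -> r:\v|\r|\m|\s|Debian'` is meant to catch the agetty escapes `\m`, `\r`, `\s`, `\v` that the remediation tells the user to remove, but `\s` is the engine's whitespace class (this file uses it that way in `r:\s/tmp\s`), so any banner containing a space — including the `Authorized uses only. All activity may be monitored and reported.` text the remediation itself suggests — makes this `condition: none` check fail. The alternation needs to match the literal two-character sequences instead; confirm how the SCA regex engine escapes a backslash before rewriting it, and verify that `\v`, `\r` and `\m` match what is intended as well. The check's id and title are outside the hunk.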
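Review bot: The compliance entries in the 1.7.2 hunk (`@@ -327`) are listed as `cis_csc`, `cis`, `pci_dss`, whereas every other check in the file orders them `cis` first, then `cis_csc`; the same reversed order appears in the 2.2.11 hunk (`@@ -502`) and the 2.2.17 hunk (`@@ -563`). Since the commit rewrites these lines anyway, `- cis: ["1.7.2"]`, `- cis_csc: ["5.1"]`, `- pci_dss: ["2.2.2"]` would keep the ordering consistent across the file and easier to diff.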
@@ -343,8 +343,8 @@ checks:
 rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
 remediation: "Run the following commands to remove xinetd: # apt-get remove xinetd # apt-get purge xinetd"
 compliance:
- - cis: "2.1.1"
- - cis_csc: "9.2"
+ - cis: ["2.1.1"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:dpkg -s xinetd -> r:install ok installed'
@@ -355,8 +355,8 @@ checks:
 rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
 remediation: "Run the following command to uninstall openbsd-inetd: apt-get remove openbsd-inetd"
 compliance:
- - cis: "2.1.2"
- - cis_csc: "9.2"
+ - cis: ["2.1.2"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
@@ -368,8 +368,8 @@ checks:
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
 remediation: "Add or edit restrict lines in /etc/ntp.conf to match the following: restrict -4 default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery Add or edit server or pool lines to /etc/ntp.conf as appropriate: server Configure ntp to run as the ntp user by adding or editing the /etc/init.d/ntp file: RUNASUSER=ntp"
 compliance:
- - cis: "2.2.1.2"
- - cis_csc: "6.1"
+ - cis: ["2.2.1.2"]
+ - cis_csc: ["6.1"]
 references:
 - http://www.ntp.org/
 condition: all
@@ -386,8 +386,8 @@ checks:
 rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
 remediation: "Add or edit server or pool lines to /etc/chrony/chrony.conf as appropriate: server "
 compliance:
- - cis: "2.2.1.3"
- - cis_csc: "6.1"
+ - cis: ["2.2.1.3"]
+ - cis_csc: ["6.1"]
 condition: all
 rules:
 - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
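Review bot: The 2.2.1.3 rule in the last hunk (`@@ -386`) reads `f:/etc/chrony.conf`, while the remediation two lines above it names `/etc/chrony/chrony.conf`, which is where the Debian chrony package keeps its configuration; with `condition: all` the check fails on a correctly configured Debian 9 host because the file it opens does not exist. Pointing the rule at the same path as the remediation, `'f:/etc/chrony/chrony.conf -> r:^server\.+$|^pool\.+$'`, makes the two agree. The check's id and title are outside the hunk.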
@@ -398,8 +398,8 @@ checks:
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
 remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
 compliance:
- - cis: "2.2.3"
- - cis_csc: "9.2"
+ - cis: ["2.2.3"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
@@ -410,8 +410,8 @@ checks:
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
- - cis: "2.2.4"
- - cis_csc: "9.2"
+ - cis: ["2.2.4"]
+ - cis_csc: ["9.2"]
 references:
 - https://www.cups.org
 condition: none
@@ -426,8 +426,8 @@ checks:
 references:
 - https://www.isc.org/dhcp/
 compliance:
- - cis: "2.2.5"
- - cis_csc: "9.2"
+ - cis: ["2.2.5"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
@@ -439,8 +439,8 @@ checks:
 rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable slapd: # systemctl disable slapd"
 compliance:
- - cis: "2.2.6"
- - cis_csc: "9.2"
+ - cis: ["2.2.6"]
+ - cis_csc: ["9.2"]
 references:
 - https://www.openldap.org
 condition: none
@@ -453,8 +453,8 @@ checks:
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
 remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
 compliance:
- - cis: "2.2.7"
- - cis_csc: "9.2"
+ - cis: ["2.2.7"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
@@ -466,8 +466,8 @@ checks:
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable named: # systemctl disable bind9"
 compliance:
- - cis: "2.2.8"
- - cis_csc: "9.2"
+ - cis: ["2.2.8"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
@@ -478,8 +478,8 @@ checks:
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
- - cis: "2.2.9"
- - cis_csc: "9.2"
+ - cis: ["2.2.9"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
@@ -490,8 +490,8 @@ checks:
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable apache2: # systemctl disable apache2"
 compliance:
- - cis: "2.2.10"
- - cis_csc: "9.2"
+ - cis: ["2.2.10"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
@@ -502,9 +502,9 @@ checks:
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
 remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.11"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.11"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:dpkg -s exim4 -> install ok installed'
@@ -515,8 +515,8 @@ checks:
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable smbd: # systemctl disable smbd"
 compliance:
- - cis: "2.2.12"
- - cis_csc: "9.2"
+ - cis: ["2.2.12"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
@@ -527,8 +527,8 @@ checks:
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
- - cis: "2.2.13"
- - cis_csc: "9.2"
+ - cis: ["2.2.13"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -539,8 +539,8 @@ checks:
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
 compliance:
- - cis: "2.2.14"
- - cis_csc: "9.2"
+ - cis: ["2.2.14"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
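Review bot: The rule `'c:dpkg -s exim4 -> install ok installed'` in the 2.2.11 hunk (`@@ -502`) has no `r:` prefix, unlike every other dpkg rule in the file (`'c:dpkg -s nis -> r:install ok installed'` and its siblings). Without `r:` the pattern is, as far as I can tell, compared against the whole output line rather than searched in it, so `Status: install ok installed` never matches and this `condition: none` check passes even when exim4 is installed. Changing it to `'c:dpkg -s exim4 -> r:install ok installed'` aligns it with the others; the check's id and title are outside the hunk.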
@@ -551,8 +551,8 @@ checks:
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to disable rsync: # systemctl disable rsync"
 compliance:
- - cis: "2.2.16"
- - cis_csc: "9.2"
+ - cis: ["2.2.16"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
@@ -563,9 +563,9 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
 remediation: "Run the following command to disable nis: # systemctl disable nis"
 compliance:
- - cis_csc: "9.2"
- - cis: "2.2.17"
- - pci_dss: "2.2.2"
+ - cis_csc: ["9.2"]
+ - cis: ["2.2.17"]
+ - pci_dss: ["2.2.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nis -> r:^enabled'
@@ -576,8 +576,8 @@ checks:
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
 remediation: "Uninstall the nis package: # apt-get remove nis"
 compliance:
- - cis: "2.3.1"
- - cis_csc: "2.6"
+ - cis: ["2.3.1"]
+ - cis_csc: ["2.6"]
 condition: none
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
@@ -588,8 +588,8 @@ checks:
 rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
 remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
 compliance:
- - cis: "2.3.2"
- - cis_csc: "2.6, 4.5"
+ - cis: ["2.3.2"]
+ - cis_csc: ["2.6","4.5"]
 condition: none
 rules:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
@@ -601,8 +601,8 @@ checks:
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
 remediation: "Run the following command to uninstall talk: apt-get remove talk"
 compliance:
- - cis: "2.3.3"
- - cis_csc: "2.6"
+ - cis: ["2.3.3"]
+ - cis_csc: ["2.6"]
 condition: none
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
@@ -613,8 +613,8 @@ checks:
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
 remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
 compliance:
- - cis: "2.3.4"
- - cis_csc: "2.6, 4.5"
+ - cis: ["2.3.4"]
+ - cis_csc: ["2.6","4.5"]
 condition: none
 rules:
 - 'c:dpkg -s telnet -> r:install ok installed'
@@ -626,8 +626,8 @@ checks:
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.1.1"
- - cis_csc: "5.1"
+ - cis: ["3.1.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
@@ -641,8 +641,8 @@ checks:
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
 remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.1.2"
- - cis_csc: "5.1"
+ - cis: ["3.1.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
@@ -656,8 +656,8 @@ checks:
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.1"
- - cis_csc: "5.1"
+ - cis: ["3.2.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
@@ -675,8 +675,8 @@ checks:
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.2"
- - cis_csc: "5.1"
+ - cis: ["3.2.2"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -694,8 +694,8 @@ checks:
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.3"
- - cis_csc: "5.1"
+ - cis: ["3.2.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
@@ -709,8 +709,8 @@ checks:
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.4"
- - cis_csc: "6.2, 6.3"
+ - cis: ["3.2.4"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
@@ -724,8 +724,8 @@ checks:
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.5"
- - cis_csc: "5.1"
+ - cis: ["3.2.5"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
@@ -737,8 +737,8 @@ checks:
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.6"
- - cis_csc: "5.1"
+ - cis: ["3.2.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
@@ -750,8 +750,8 @@ checks:
 rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.7"
- - cis_csc: "5.1"
+ - cis: ["3.2.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
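Review bot: The `rationale:` value in the 3.2.7 hunk (`@@ -750`) is the only unquoted one in this file; it is a plain scalar that happens to parse today, but a later edit that introduces `: ` or ` #` into the sentence would silently truncate it or turn part of it into a nested mapping. Wrapping it in double quotes like every neighbouring `rationale:` and `remediation:` value, `rationale: "Setting these flags is a good way ... without breaking the routing."`, removes that risk and keeps the style uniform.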
@@ -765,8 +765,8 @@ checks:
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
- - cis: "3.2.8"
- - cis_csc: "5.1"
+ - cis: ["3.2.8"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
@@ -778,8 +778,8 @@ checks:
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
 compliance:
- - cis: "3.2.9"
- - cis_csc: "5.1"
+ - cis: ["3.2.9"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
@@ -793,8 +793,8 @@ checks:
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
 remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
 compliance:
- - cis: "3.3.2"
- - cis_csc: "9.4"
+ - cis: ["3.3.2"]
+ - cis_csc: ["9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.allow'
@@ -805,8 +805,8 @@ checks:
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
 remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
 compliance:
- - cis: "3.3.3"
- - cis_csc: "9.4"
+ - cis: ["3.3.3"]
+ - cis_csc: ["9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.deny'
@@ -818,8 +818,8 @@ checks:
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
 compliance:
- - cis: "3.4.1"
- - cis_csc: "9.2"
+ - cis: ["3.4.1"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
@@ -831,8 +831,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
 compliance:
- - cis: "3.4.2"
- - cis_csc: "9.2"
+ - cis: ["3.4.2"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
@@ -844,8 +844,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
 compliance:
- - cis: "3.4.3"
- - cis_csc: "9.2"
+ - cis: ["3.4.3"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
@@ -857,8 +857,8 @@ checks:
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
 compliance:
- - cis: "3.4.4"
- - cis_csc: "9.2"
+ - cis: ["3.4.4"]
+ - cis_csc: ["9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v tipc -> r:install /bin/true'
@@ -872,8 +872,8 @@ checks:
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
 remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
 compliance:
- - cis: "3.5.1.1"
- - cis_csc: "9.4"
+ - cis: ["3.5.1.1"]
+ - cis_csc: ["9.4"]
 condition: all
 rules:
 - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP'
@@ -886,8 +886,8 @@ checks:
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
 remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
 compliance:
- - cis: "3.5.2.1"
- - cis_csc: "9.4"
+ - cis: ["3.5.2.1"]
+ - cis_csc: ["9.4"]
 condition: all
 rules:
 - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP'
@@ -900,8 +900,8 @@ checks:
 rationale: "iptables is required for firewall management and configuration."
 remediation: "Run the following command to install iptables: # apt-get install iptables"
 compliance:
- - cis: "3.5.3"
- - cis_csc: "9.4"
+ - cis: ["3.5.3"]
+ - cis_csc: ["9.4"]
 condition: all
 rules:
 - 'c:dpkg -s iptables -> r:install ok installed'
@@ -913,8 +913,8 @@ checks:
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
 remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
 compliance:
- - cis: "4.2.1.1"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.2.1.1"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'c:systemctl is-enabled rsyslog -> r:^enabled'
@@ -925,8 +925,8 @@ checks:
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
 remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
- - cis: "4.2.1.4"
- - cis_csc: "6.6, 6.8"
+ - cis: ["4.2.1.4"]
+ - cis_csc: ["6.6","6.8"]
 references:
 - rsyslog.conf(5) man page
 condition: all
@@ -939,8 +939,8 @@ checks:
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
 remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
- - cis: "4.2.1.5"
- - cis_csc: "9.2"
+ - cis: ["4.2.1.5"]
+ - cis_csc: ["9.2"]
 references:
 - rsyslog.conf(8) man page
 condition: all
@@ -955,8 +955,8 @@ checks:
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
 remediation: "Run the following command to enable cron: systemctl enable cron"
 compliance:
- - cis: "5.1.1"
- - cis_csc: "5.1"
+ - cis: ["5.1.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:systemctl is-enabled cron -> r:^enabled$'
@@ -967,8 +967,8 @@ checks:
 rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
 remediation: "Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow"
 compliance:
- - cis: "5.1.8"
- - cis_csc: "16"
+ - cis: ["5.1.8"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'f:/etc/cron.allow'
@@ -984,8 +984,8 @@ checks:
 rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
 remediation: "Run the following commands to set ownership and permissions on /etc/ssh/sshd_config: # chown root:root /etc/ssh/sshd_config # chmod og-rwx /etc/ssh/sshd_config"
 compliance:
- - cis: "5.2.1"
- - cis_csc: "5.1"
+ - cis: ["5.2.1"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
@@ -996,8 +996,8 @@ checks:
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
- - cis: "5.2.4"
- - cis_csc: "14.4"
+ - cis: ["5.2.4"]
+ - cis_csc: ["14.4"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
@@ -1010,8 +1010,8 @@ checks:
 references:
 - https://www.ssh.com/ssh/sshd_config/
 compliance:
- - cis: "5.2.5"
- - cis_csc: "6.2, 6.3"
+ - cis: ["5.2.5"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
@@ -1022,8 +1022,8 @@ checks:
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
 remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9.2"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
@@ -1034,8 +1034,8 @@ checks:
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
- - cis: "5.2.7"
- - cis_csc: "16.13"
+ - cis: ["5.2.7"]
+ - cis_csc: ["16.13"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -1046,8 +1046,8 @@ checks:
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
- - cis: "5.2.8"
- - cis_csc: "9.2"
+ - cis: ["5.2.8"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
@@ -1058,8 +1058,8 @@ checks:
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
- - cis: "5.2.9"
- - cis_csc: "16.3"
+ - cis: ["5.2.9"]
+ - cis_csc: ["16.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
@@ -1070,8 +1070,8 @@ checks:
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
- - cis: "5.2.10"
- - cis_csc: "4.3"
+ - cis: ["5.2.10"]
+ - cis_csc: ["4.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
@@ -1084,8 +1084,8 @@ checks:
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
- - cis: "5.2.11"
- - cis_csc: "16.3"
+ - cis: ["5.2.11"]
+ - cis_csc: ["16.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
@@ -1096,8 +1096,8 @@ checks:
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
 compliance:
- - cis: "5.2.12"
- - cis_csc: "5.1"
+ - cis: ["5.2.12"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
@@ -1108,8 +1108,8 @@ checks:
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0"
 compliance:
- - cis: "5.2.16"
- - cis_csc: "16.11"
+ - cis: ["5.2.16"]
+ - cis_csc: ["16.11"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
@@ -1121,8 +1121,8 @@ checks:
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
 remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
 compliance:
- - cis: "5.2.18"
- - cis_csc: "5.1"
+ - cis: ["5.2.18"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
@@ -1133,8 +1133,8 @@ checks:
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Banner /etc/issue.net"
 compliance:
- - cis: "5.2.19"
- - cis_csc: "5.1"
+ - cis: ["5.2.19"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|Banner\s\t*/etc/issue'
@@ -1147,8 +1147,8 @@ checks:
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
 remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
 compliance:
- - cis: "5.3.1"
- - cis_csc: "4.4"
+ - cis: ["5.3.1"]
+ - cis_csc: ["4.4"]
 condition: all
 rules:
 - 'c:dpkg -s libpam-pwquality -> install ok installed'
@@ -1165,8 +1165,8 @@ checks:
 rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
 remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900. Note: If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing the command /sbin/pam_tally2 -u --reset. This command sets the failed count to 0, effectively unlocking the user. Notes: Use of the \"audit\" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization."
 compliance:
- - cis: "5.3.2"
- - cis_csc: "16.7"
+ - cis: ["5.3.2"]
+ - cis_csc: ["16.7"]
 condition: all
 rules:
 - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
@@ -1177,8 +1177,8 @@ checks:
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
 remediation: "Edit the /etc/pam.d/common-password file to include the remember option and conform to site policy as shown: password required pam_pwhistory.so remember=5. Notes: Additional module options may be set, recommendation only covers those listed here."
 compliance:
- - cis: "5.3.3"
- - cis_csc: "16"
+ - cis: ["5.3.3"]
+ - cis_csc: ["16"]
 condition: all
 rules:
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_pwhistory.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
@@ -1191,8 +1191,8 @@ checks:
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
 remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
 compliance:
- - cis: "5.4.1.1"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.1"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
@@ -1203,8 +1203,8 @@ checks:
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
 remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
 compliance:
- - cis: "5.4.1.2"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.2"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
@@ -1215,8 +1215,8 @@ checks:
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
 remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
 compliance:
- - cis: "5.4.1.3"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.3"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
@@ -1227,8 +1227,8 @@ checks:
 rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
 remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
 compliance:
- - cis: "5.4.1.4"
- - cis_csc: "4.4, 16"
+ - cis: ["5.4.1.4"]
+ - cis_csc: ["4.4","16"]
 condition: all
 rules:
 - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
@@ -1239,8 +1239,8 @@ checks:
 rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
 remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
 compliance:
- - cis: "5.4.3"
- - cis_csc: "5.1"
+ - cis: ["5.4.3"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
@@ -1251,8 +1251,8 @@ checks:
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
 remediation: "Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so Create a comma separated list of users in the sudo statement in the /etc/group file: sudo:x:10:root,"
 compliance:
- - cis: "5.6"
- - cis_csc: "5.1"
+ - cis: ["5.6"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'f:/etc/pam.d/su -> !r:^# && r:auth\s*\t*required\s*\t*pam_wheel.so'
@@ -1266,8 +1266,8 @@ checks:
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
- - cis: "6.2.1"
- - cis_csc: "4.4"
+ - cis: ["6.2.1"]
+ - cis_csc: ["4.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
@@ -1278,8 +1278,8 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/passwd if they exist."
 compliance:
- - cis: "6.2.2"
- - cis_csc: "16.2"
+ - cis: ["6.2.2"]
+ - cis_csc: ["16.2"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && r:^+:'
@@ -1290,8 +1290,8 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/shadow if they exist."
 compliance:
- - cis: "6.2.3"
- - cis_csc: "16.2"
+ - cis: ["6.2.3"]
+ - cis_csc: ["16.2"]
 condition: none
 rules:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
@@ -1302,8 +1302,8 @@ checks:
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
 remediation: "Remove any legacy + entries from /etc/group if they exist."
 compliance:
- - cis: "6.2.4"
- - cis_csc: "16.2"
+ - cis: ["6.2.4"]
+ - cis_csc: ["16.2"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:^+:'
@@ -1314,8 +1314,8 @@ checks:
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
 remediation: "Remove any users other than root with UID 0 or assign them a new UID if appropriate."
 compliance:
- - cis: "6.2.5"
- - cis_csc: "5.1"
+ - cis: ["6.2.5"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
@@ -1326,8 +1326,8 @@ checks:
 rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
 remediation: "Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group."
 compliance:
- - cis: "6.2.20"
- - cis_csc: "5.1"
+ - cis: ["6.2.20"]
+ - cis_csc: ["5.1"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:shadow:\w*:\w*:\S+'
diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml
index 9501b731b..32193c90a 100644
--- a/sca/debian/cis_debian9_L2.yml
+++ b/sca/debian/cis_debian9_L2.yml
@@ -34,8 +34,8 @@ checks:
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.6"
- - cis_csc: "5.1"
+ - cis: ["1.1.6"]
+ - cis_csc: ["5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -48,8 +48,8 @@ checks:
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.7"
- - cis_csc: "5.1"
+ - cis: ["1.1.7"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
@@ -60,8 +60,8 @@ checks:
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.11"
- - cis_csc: "6.4"
+ - cis: ["1.1.11"]
+ - cis_csc: ["6.4"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -74,8 +74,8 @@ checks:
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.12"
- - cis_csc: "6.4"
+ - cis: ["1.1.12"]
+ - cis_csc: ["6.4"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -88,8 +88,8 @@ checks:
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
- - cis: "1.1.13"
- - cis_csc: "5.1"
+ - cis: ["1.1.13"]
+ - cis_csc: ["5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -102,8 +102,8 @@ checks:
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
 remediation: "Run the following command to disable autofs: # systemctl disable autofs"
 compliance:
- - cis: "1.1.22"
- - cis_csc: "8.3, 8.5"
+ - cis: ["1.1.22"]
+ - cis_csc: ["8.3","8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -115,8 +115,8 @@ checks:
 rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
 remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
 compliance:
- - cis: "1.6.3"
- - cis_csc: "14.6"
+ - cis: ["1.6.3"]
+ - cis_csc: ["14.6"]
 condition: any
 rules:
 - 'c:dpkg -s selinux-basics -> r:install ok installed'
@@ -130,8 +130,8 @@ checks:
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
- - cis: "2.2.4"
- - cis_csc: "9.2"
+ - cis: ["2.2.4"]
+ - cis_csc: ["9.2"]
 references:
 - 'http://www.cups.org'
 condition: none
@@ -146,8 +146,8 @@ checks:
 rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
 remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes."
 compliance:
- - cis: "4.1.1.1"
- - cis_csc: "6.4"
+ - cis: ["4.1.1.1"]
+ - cis_csc: ["6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -160,8 +160,8 @@ checks:
 rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
 remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
 compliance:
- - cis: "4.1.1.2"
- - cis_csc: "6.4"
+ - cis: ["4.1.1.2"]
+ - cis_csc: ["6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -176,8 +176,8 @@ checks:
 rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
 remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
 compliance:
- - cis: "4.1.1.3"
- - cis_csc: "6.4"
+ - cis: ["4.1.1.3"]
+ - cis_csc: ["6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -190,8 +190,8 @@ checks:
 rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
 remediation: "Run the following command to enable auditd: # systemctl enable auditd"
 compliance:
- - cis: "4.1.2"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.1.2"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'c:systemctl is-enabled auditd -> r:^enabled'
@@ -202,8 +202,8 @@ checks:
 rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
 remediation: "Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
 compliance:
- - cis: "4.1.3"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.1.3"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*'
@@ -214,8 +214,8 @@ checks:
 rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
 remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
 compliance:
- - cis: "4.1.4"
- - cis_csc: "5.5"
+ - cis: ["4.1.4"]
+ - cis_csc: ["5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -232,8 +232,8 @@ checks:
 rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.5"
- - cis_csc: "4.8"
+ - cis: ["4.1.5"]
+ - cis_csc: ["4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -250,8 +250,8 @@ checks:
 rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.6"
- - cis_csc: "5.5"
+ - cis: ["4.1.6"]
+ - cis_csc: ["5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -269,8 +269,8 @@ checks:
 rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.7"
- - cis_csc: "5.5"
+ - cis: ["4.1.7"]
+ - cis_csc: ["5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -284,8 +284,8 @@ checks:
 rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
 remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.7"
- - cis_csc: "5.5"
+ - cis: ["4.1.7"]
+ - cis_csc: ["5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -299,8 +299,8 @@ checks:
 rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.8"
- - cis_csc: "4.9, 16.11, 16.13"
+ - cis: ["4.1.8"]
+ - cis_csc: ["4.9, 16.11","16.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
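Review bot: The new `cis_csc` value in the `@@ -299` hunk still carries a comma-joined pair as a single element, `["4.9, 16.11","16.13"]`, while every other hunk in this file gives each control its own element (e.g. `["6.2","6.3"]` at `@@ -190` and `@@ -443`); a consumer that compares elements verbatim would find neither `4.9` nor `16.11`. Write it as `- cis_csc: ["4.9","16.11","16.13"]`. The same half-split element appears in the `@@ -315` hunk (check `cis: ["4.1.9"]`) on the next line and should be fixed the same way.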
@@ -315,8 +315,8 @@ checks:
 rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.9"
- - cis_csc: "4.9, 16.11, 16.13"
+ - cis: ["4.1.9"]
+ - cis_csc: ["4.9, 16.11","16.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -331,8 +331,8 @@ checks:
 rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.10"
- - cis_csc: "5.5"
+ - cis: ["4.1.10"]
+ - cis_csc: ["5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -350,8 +350,8 @@ checks:
 rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.11"
- - cis_csc: "14.9"
+ - cis: ["4.1.11"]
+ - cis_csc: ["14.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -367,8 +367,8 @@ checks:
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
 remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.13"
- - cis_csc: "13"
+ - cis: ["4.1.13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -382,8 +382,8 @@ checks:
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
 remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.14"
- - cis_csc: "6.2, 13"
+ - cis: ["4.1.14"]
+ - cis_csc: ["6.2","13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -397,8 +397,8 @@ checks:
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
 remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.15"
- - cis_csc: "4.8"
+ - cis: ["4.1.15"]
+ - cis_csc: ["4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -412,8 +412,8 @@ checks:
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.16"
- - cis_csc: "4.9"
+ - cis: ["4.1.16"]
+ - cis_csc: ["4.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
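Review bot: The `remediation` context line of the `@@ -412` hunk reads `configured with sudisabled`, which looks like a dropped space in `configured with su disabled`; this text is what operators see as the fix for the sudo.log check, so it is worth correcting while the entry is being touched. Suggested wording: `The system must be configured with su disabled (See Item 5.6 Ensure access to the su command is restricted)`.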
@@ -426,8 +426,8 @@ checks:
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
 remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
- - cis: "4.1.17"
- - cis_csc: "5.1"
+ - cis: ["4.1.17"]
+ - cis_csc: ["5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -443,8 +443,8 @@ checks:
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
 remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
 compliance:
- - cis: "4.1.18"
- - cis_csc: "6.2, 6.3"
+ - cis: ["4.1.18"]
+ - cis_csc: ["6.2","6.3"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -457,8 +457,8 @@ checks:
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
 remediation: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
 compliance:
- - cis: "5.2.6"
- - cis_csc: "9.2"
+ - cis: ["5.2.6"]
+ - cis_csc: ["9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml
index 7b8a05d5b..ae5ff89c1 100644
--- a/sca/sles/12/cis_sles12_linux.yml
+++ b/sca/sles/12/cis_sles12_linux.yml
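Review bot: The `remediation` of the 5.2.6 check (context line of the `@@ -457` hunk) repeats the `rationale` word for word and never tells the operator what to change; the rule below looks for `X11Forwarding\s+no`, so the remediation should name that setting, e.g. `remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: X11Forwarding no"`. Separately, with `condition: all` and only a positive-match rule, a configuration that omits the directive altogether appears to be reported as failing even though it relies on the daemon default; if that is the intended strictness it is worth saying so in the description.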
@@ -151,46 +151,6 @@ checks: rules: - 'c:mount -> r:\s/home\s && r:nodev' -# 1.1.18 nodev on removable media partitions (not scored) - - id: 7512 - title: "Ensure nodev option set on removable media partitions" - description: "The nodev mount option specifies that the filesystem cannot contain special devices." - rationale: "Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions." - remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: ["1.1.18"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/media\s && r:nodev' - -# 1.1.19 nosuid on removable media partitions (not scored) - - id: 7513 - title: "Ensure nosuid option set on removable media partitions" - description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." - rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." - remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: ["1.1.19"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/media\s && r:nosuid' - -# 1.1.20 noexec on removable media partitions (not scored) - - id: 7514 - title: "Ensure noexec option set on removable media partitions" - description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." 
- rationale: "Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system." - remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information." - compliance: - - cis: ["1.1.20"] - - cis_csc: ["8"] - - pci_dss: ["2.2.4"] - condition: all - rules: - - 'c:mount -> r:\s/media\s && r:noexec' - # 1.1.15 /dev/shm: nodev - id: 7509 title: "Ensure nodev option set on /dev/shm partition" From 4d2cc0d2814f7c568df5378c3cf6e88dcf09f0ff Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 15:56:41 +0200 Subject: [PATCH 187/247] Remove extra checks from Solaris 11 --- sca/sunos/cis_solaris11.yml | 33 --------------------------------- 1 file changed, 33 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index c5c33e35e..56b16ef84 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml 
@@ -740,17 +740,6 @@ checks: - 'f:/.bash_profile -> r::$' - 'f:/.bashrc -> r::$' - - id: 11551 - title: "Check for Presence of User .rhosts Files" - description: "While no .rhosts files are shipped with Solaris, users can easily create them." - rationale: "This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf. Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, they may have been brought over from other systems and could contain information useful to an attacker for those other systems." - remediation: "Correct or justify any items discovered in the Audit step. Determine if any user .rhosts files are present in user directories and work with those users to determine the best course of action in accordance with site policy." - compliance: - - cis: ["9.10"] - condition: none - rules: - - 'd:/home -> ^.rhosts$' - - id: 11552 title: "Check That Users Are Assigned Home Directories" description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set." 
@@ -761,25 +750,3 @@ checks: condition: none rules: - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*' - - - id: 11553 - title: "Check for Presence of User .netrc Files" - description: "The .netrc file contains data for logging into a remote host for file transfers via FTP." - rationale: "The .netrc file presents a significant security risk since it stores passwords in unencrypted form." - remediation: "Correct or justify any items discovered in the Audit step. Determine if any .netrc files exist, and work with the owner to determine the best course of action in accordance with site policy." - compliance: - - cis: ["9.20"] - condition: none - rules: - - 'd:/home -> ^.netrc$' - - - id: 11554 - title: "Check for Presence of User .forward Files" - description: "The .forward file specifies an email address to which a user's mail is forwarded." - rationale: "Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a secondary risk as it can be used to execute commands that may perform unintended actions." - remediation: "Correct or justify any items discovered in the Audit step. Determine if any .forward files exist, and work with the owner to determine the best course of action in accordance with site policy." - compliance: - - cis: ["9.21"] - condition: none - rules: - - 'd:/home -> ^.forward$' From 83e86a1d481a52be668c2efa1ffa33346ad5d446 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Wed, 3 Jul 2019 17:05:51 +0200 Subject: [PATCH 188/247] Adapt global IDs --- sca/applications/cis_apache2224.yml | 72 +-- sca/applications/cis_mysql5-6_community.yml | 38 +- sca/applications/cis_mysql5-6_enterprise.yml | 52 +-- sca/applications/web_vulnerabilities.yml | 32 +- sca/darwin/15/cis_apple_macOS_10.11.yml | 66 +-- sca/darwin/16/cis_apple_macOS_10.12.yml | 60 +-- sca/darwin/17/cis_apple_macOS_10.13.yml | 60 +-- sca/debian/cis_debian7_L1.yml | 198 ++++---- sca/debian/cis_debian7_L2.yml | 58 +-- sca/debian/cis_debian8_L1.yml | 202 ++++---- sca/debian/cis_debian8_L2.yml | 58 +-- sca/debian/cis_debian9_L1.yml | 198 ++++---- sca/debian/cis_debian9_L2.yml | 58 +-- sca/generic/sca_unix_audit.yml | 46 +- sca/rhel/5/cis_rhel5_linux.yml | 120 ++--- sca/rhel/6/cis_rhel6_linux.yml | 112 ++--- sca/rhel/7/cis_rhel7_linux.yml | 128 ++--- sca/sles/11/cis_sles11_linux.yml | 116 ++--- sca/sles/12/cis_sles12_linux.yml | 116 ++--- sca/sunos/cis_solaris11.yml | 104 ++--- sca/windows/cis_win10_enterprise_L1.yml | 466 +++++++++---------- sca/windows/cis_win10_enterprise_L2.yml | 170 +++---- sca/windows/cis_win2012r2_domainL1.yml | 314 ++++++------- sca/windows/cis_win2012r2_domainL2.yml | 78 ++-- sca/windows/cis_win2012r2_memberL1.yml | 324 ++++++------- sca/windows/cis_win2012r2_memberL2.yml | 90 ++-- sca/windows/sca_win_audit.yml | 142 +++--- 27 files changed, 1739 insertions(+), 1739 deletions(-) diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index 261513ed5..53a9815ed 100644 --- a/sca/applications/cis_apache2224.yml +++ b/sca/applications/cis_apache2224.yml 
@@ -45,7 +45,7 @@ variables: #2.3 Disable WebDAV Modules checks: - - id: 3500 + - id: 9000 title: "Ensure the WebDAV Modules Are Disabled" description: "The Apache mod_dav and mod_dav_fs modules support WebDAV functionality for Apache, which is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server." rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls." @@ -61,7 +61,7 @@ checks: - 'c:httpd -M -> r:dav_\s*_module' #2.4 Disable Status Module - - id: 3501 + - id: 9001 title: "Ensure the Status Module Is Disabled" description: "The Apache mod_status module provides current server performance statistics." rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files." @@ -77,7 +77,7 @@ checks: - 'c:httpd -M -> r:status_module' #2.5 Disable Autoindex Module - - id: 3502 + - id: 9002 title: "Ensure the Autoindex Module Is Disabled" description: "The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated." rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed." 
@@ -93,7 +93,7 @@ checks: - 'c:httpd -M -> r:autoindex_module' #2.6 Disable Proxy Modules - - id: 3503 + - id: 9003 title: "Ensure the Proxy Modules Are Disabled" description: "The Apache proxy modules allow the server to act as a proxy for HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network, the proxy module should not be loaded." rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended." @@ -109,7 +109,7 @@ checks: - 'c:httpd -M -> r:proxy_' #2.7 Disable User Directories Modules - - id: 3504 + - id: 9004 title: "Ensure the User Directories Module Is Disabled" description: "The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed." rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network." @@ -125,7 +125,7 @@ checks: - 'c:httpd -M -> userdir_' #2.8 Disable Info Module - - id: 3505 + - id: 9005 title: "Ensure the Info Module Is Disabled" description: "The Apache mod_info module provides information on the server configuration via access to a /server-info URL location." rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules." 
@@ -141,7 +141,7 @@ checks: - 'c:httpd -M -> r:info_module' #3.2 Give the Apache User Account an Invalid Shell - - id: 3506 + - id: 9006 title: "Ensure the Apache User Account Has an Invalid Shell" description: "The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to log in." rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system." @@ -154,7 +154,7 @@ checks: - 'f:/etc/passwd -> r:apache' #3.3 Lock the Apache User Account - - id: 3507 + - id: 9007 title: "Ensure the Apache User Account Is Locked" description: "The user account under which Apache runs should not have a valid password, but should be locked." rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password." @@ -167,7 +167,7 @@ checks: - 'c:passwd -S apache -> r:Password locked' #4.4 Restrict Override for All Directories - - id: 3508 + - id: 9008 title: "Ensure OverRide Is Disabled for All Directories" description: "When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files." rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." 
@@ -187,7 +187,7 @@ checks: - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' #5.3 Minimize Options for Other Directories - - id: 3509 + - id: 9009 title: "Ensure Options for Other Directories Are Minimized" description: "The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation." rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes." @@ -206,7 +206,7 @@ checks: - 'f:$main-conf -> !r:^# && r:options\sincludes' #5.4.1 Remove default index.html sites - - id: 3510 + - id: 9010 title: "Ensure Default HTML Content Is Removed (index.html)" description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." 
@@ -220,7 +220,7 @@ checks:
 - 'd:/var/www/html -> index.html'
 #5.4.2 Remove the Apache user manual
- - id: 3511
+ - id: 9011
 title: "Ensure Default HTML Content Is Removed (Apache user manual)"
 description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed."
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
@@ -233,7 +233,7 @@ checks:
 - 'd:$confdirs -> r:manual.conf|apache2-doc.conf'
 #5.4.5 Verify that no Handler is enabled
- - id: 3512
+ - id: 9012
 title: "Ensure Default HTML Content Is Removed (Handler)"
 description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed."
 rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
@@ -247,7 +247,7 @@ checks:
 - 'f:$main-conf -> !r:^# && r:/wsethandler'
 #5.5 Remove default CGI content printenv
- - id: 3513
+ - id: 9013
 title: "Ensure the Default CGI Content printenv Script Is Removed"
 description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for apache installations is the script printenv that will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths."
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
@@ -261,7 +261,7 @@ checks:
 - 'd:/usr/lib/cgi-bin -> printenv'
 #5.6 Remove default CGI content test-cgi
- - id: 3514
+ - id: 9014
 title: "Ensure the Default CGI Content test-cgi Script Is Removed"
 description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi that will print back to the requester CGI environment variables, which includes many server configuration details."
 rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
@@ -275,7 +275,7 @@ checks:
 - 'd:/usr/lib/cgi-bin -> test-cgi'
 #5.7 Limit HTTP Request Method
- - id: 3515
+ - id: 9015
 title: "Ensure HTTP Request Methods Are Restricted"
 description: "Use the Apache directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods."
 rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
@@ -293,7 +293,7 @@ checks:
 - 'not f:$main-conf -> r:LimitExcept && r:DELETE|HEAD|PUT|CONNECT|TRACE'
 #5.8 Disable HTTP Trace Method
- - id: 3516
+ - id: 9016
 title: "Ensure the HTTP TRACE Method Is Disabled"
 description: "Use the Apache TraceEnable directive to disable the HTTP TRACE request method."
 rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
@@ -310,7 +310,7 @@ checks:
 - 'f:$traceen -> !r:^# && r:TraceEnable\s+on\s*$'
 #5.13 Restrict Listen Directive
- - id: 3519
+ - id: 9017
 title: "Ensure the IP Addresses for Listening for Requests Are Specified"
 description: "The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen on for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified or with an IP address of all zeroes should not be used."
 rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
@@ -331,7 +331,7 @@ checks:
 - 'f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
 #5.14 Restrict Browser Frame Options
- - id: 3520
+ - id: 9018
 title: "Ensure Browser Framing Is Restricted"
 description: "The Header directive allows server HTTP response headers to be added, replaced, or merged. Use the directive to add a server HTTP response header to tell browsers to restrict all the web pages from being framed by other web sites."
 rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
@@ -349,7 +349,7 @@ checks:
 - 'f:$main-conf -> r:Header\salways\sappend\sX-Frame-Options && r:SAMEORIGIN'
 #6.1 Configure the Error Log to notice at least
- - id: 3521
+ - id: 9019
 title: "Ensure the Error Log Filename and Severity Level Are Configured Correctly"
 description: "The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log filename. The log level values are the standard syslog levels of emerg , alert , crit , error , warn , notice , info and debug . The recommended level is notice , so that all errors from the emerg level through the notice level will be logged."
 rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
@@ -370,7 +370,7 @@ checks:
 - 'not f:$main-conf -> r:loglevel\snotice\score\p && r:info|debug'
 #6.2 Configure a Syslog facility for Error Log
- - id: 3522
+ - id: 9020
 title: "Ensure a Syslog Facility Is Configured for Error Logging"
 description: "The ErrorLog directive should be configured to send web server error logs to a syslog facility so the logs can be processed and monitored along with the system logs."
 rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
@@ -390,7 +390,7 @@ checks:
 - 'f:$main-conf -> r:ErrorLog\s+\p*syslog\p\.*\p*'
 #7.6 Disable SSL Insecure Renegotiation
- - id: 3523
+ - id: 9021
 title: "Ensure Insecure SSL Renegotiation Is Not Enabled"
 description: "The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. Enabling this directive also leaves the server vulnerable to man-in-the-middle renegotiation attack, therefore, it should not be enabled."
 rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation."
@@ -408,7 +408,7 @@ checks:
 - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on'
 #7.7 Ensure SSL Compression is not enabled
- - id: 3524
+ - id: 9022
 title: "Ensure SSL Compression is Not Enabled"
 description: "The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off."
 rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator."
@@ -426,7 +426,7 @@ checks:
 - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+off'
 #8.1 Set ServerToken to Prod or ProductOnly
- - id: 3528
+ - id: 9023
 title: "Ensure ServerTokens Provides Minimal Information"
 description: "Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly."
 rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically."
@@ -442,7 +442,7 @@ checks:
 - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+ProductOnly'
 #8.2: Set ServerSignature to Off
- - id: 3529
+ - id: 9024
 title: "Ensure ServerSignature Is Not Enabled"
 description: "Disable the server signatures, which is the generation of a signature line as a trailing footer at the bottom of server-generated documents such as error pages."
 rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information."
@@ -459,7 +459,7 @@ checks:
 - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on'
 #8.3: Prevent Information Leakage via Default Apache Content
- - id: 3530
+ - id: 9025
 title: "Ensure All Default Apache Content Is Removed"
 description: "If you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server."
 rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
@@ -473,7 +473,7 @@ checks:
 - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*'
 #9.1:Set TimeOut to 10 or less
- - id: 3531
+ - id: 9026
 title: "Ensure the TimeOut Is Set Properly"
 description: "The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less."
 rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
@@ -489,7 +489,7 @@ checks:
 - 'f:$main-conf -> !r:^# && n:timeout\s+(\d+) compare <= 10'
 #9.2:Set the KeepAlive directive to On
- - id: 3532
+ - id: 9027
 title: "Ensure KeepAlive Is Enabled"
 description: "The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On."
 rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
@@ -505,7 +505,7 @@ checks:
 - 'f:$main-conf -> !r:^# && r:keepalive\s+Off'
 #9.3:Set MaxKeepAliveRequests to 100 or greater
- - id: 3533
+ - id: 9028
 title: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater."
 description: "Set MaxKeepAliveRequest to 100 or greater"
 rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks."
@@ -521,7 +521,7 @@ checks:
 - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare <= 100'
 #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service
- - id: 3534
+ - id: 9029
 title: "Ensure the KeepAliveTimeout Is Set Properly"
 description: "The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive."
 rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks."
@@ -537,7 +537,7 @@ checks:
 - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare > 15'
 #9.5 Set Timeout Limits for Request Headers
- - id: 3535
+ - id: 9030
 title: "Ensure Timeout Limits for Request Headers Are Set Properly"
 description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate."
 rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies."
@@ -556,7 +556,7 @@ checks:
 - 'f:$request-confs -> n:^\t*\s*requestreadtimeout\.+header\p(\d+) compare <= 40'
 #9.6 Set Timeout Limits for Request Body
- - id: 3536
+ - id: 9031
 title: "Ensure Timeout Limits for the Request Body Are Set Properly"
 description: "The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate."
 rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks."
@@ -573,7 +573,7 @@ checks:
 - 'f:$request-confs -> n:\t*\s*requestreadtimeout\.+body\p(\d+) compare <= 20'
 #10.1 Set the LimitRequestLine directive to 512 or less
- - id: 3537
+ - id: 9032
 title: "Ensure the Maximum Request Line Length Is Set Properly"
 description: "The LimitRequestLine directive sets the maximum number of bytes that Apache will read for each line of an HTTP request. It is recommended that the LimitRequestLine be set to 512 or less."
 rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
@@ -589,7 +589,7 @@ checks:
 - 'f:$main-conf -> n:^LimitRequestLine\s+(\d+) compare <= 512'
 #10.2 Set the LimitRequestFields directive to 100 or less
- - id: 3538
+ - id: 9033
 title: "Ensure the Maximum Request Headers Per Request Is Set Properly"
 description: "The LimitRequestFields directive sets the maximum limit on the number of HTTP request headers allowed per request. It is recommended that the LimitRequestFields directive be set to 100 or less."
 rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
@@ -605,7 +605,7 @@ checks:
 - 'f:$main-conf -> n:^LimitRequestFields\s(\d+) compare <= 100'
 #10.3 Set the LimitRequestFieldsize directive to 1024 or less
- - id: 3539
+ - id: 9034
 title: "Ensure the Maximum Request Header Field Size Is Set Properly"
 description: "The LimitRequestFieldSize directive sets the maximum size of an HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less."
 rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
@@ -621,7 +621,7 @@ checks:
 - 'f:$main-conf -> n:^LimitRequestFieldSize\s+(\d+) compare <= 1024'
 #10.4 Set the LimitRequestBody directive to 102400 or less
- - id: 3540
+ - id: 9035
 title: "Ensure the Maximum Request Body Size Is Set Properly"
 description: "The LimitRequestBody directive sets the maximum size of an HTTP request body. It is recommended that the LimitRequestBody directive be set to 102400 or less."
 rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server."
diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml
index 459a7e5e9..7aeebf250 100644
--- a/sca/applications/cis_mysql5-6_community.yml
+++ b/sca/applications/cis_mysql5-6_community.yml
@@ -27,7 +27,7 @@ requirements:
 checks:
 #1 Operating System Level Configuration
- - id: 4500
+ - id: 9500
 title: "Disable MySQL Command History"
 description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
@@ -41,7 +41,7 @@ checks:
 rules:
 - 'd:/home -> ^.mysql_history$'
- - id: 4501
+ - id: 9501
 title: "Disable Interactive Login"
 description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
@@ -52,7 +52,7 @@ checks:
 rules:
 - 'c:getent passwd mysql -> r:^\s$'
- - id: 4502
+ - id: 9502
 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
 description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
@@ -66,7 +66,7 @@ checks:
 - 'c:find /home -maxdepth 2 -type f -regex "/home/.*/\(\.bashrc\|\.profile\|.bash_profile\)" -exec grep MYSQL_PWD {} + -> r:MYSQL_PWD'
 #4 General
- - id: 4503
+ - id: 9503
 title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
 description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
@@ -80,7 +80,7 @@ checks:
 rules:
 - 'c:my_print_defaults mysqld -> r:allow-suspicious-udfs'
- - id: 4504
+ - id: 9504
 title: "Ensure 'local_infile' is Disabled"
 description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
@@ -94,7 +94,7 @@ checks:
 rules:
 - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0'
- - id: 4505
+ - id: 9505
 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
 description: "This option causes mysqld to start without using the privilege system."
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
@@ -107,7 +107,7 @@ checks:
 rules:
 - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
- - id: 4506
+ - id: 9506
 title: "Ensure '--skip-symbolic-links' Is Enabled"
 description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
@@ -121,7 +121,7 @@ checks:
 rules:
 - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
- - id: 4507
+ - id: 9507
 title: "Ensure 'secure_file_priv' is not empty"
 description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
@@ -134,7 +134,7 @@ checks:
 rules:
 - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
- - id: 4508
+ - id: 9508
 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
 description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
@@ -146,7 +146,7 @@ checks:
 - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
 #6 Auditing and Logging
- - id: 4509
+ - id: 9509
 title: "Ensure 'log_error' is not empty"
 description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
@@ -159,7 +159,7 @@ checks:
 rules:
 - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
- - id: 4510
+ - id: 9510
 title: "Ensure Log Files are not Stored on a non-system partition"
 description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
 rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
@@ -173,7 +173,7 @@ checks:
 rules:
 - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
- - id: 4511
+ - id: 9511
 title: "Ensure 'log_warning' is set to 2"
 description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
 rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
@@ -186,7 +186,7 @@ checks:
 rules:
 - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
- - id: 4512
+ - id: 9512
 title: "Ensure 'log_raw' is set to 'OFF'"
 description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
 rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
@@ -201,7 +201,7 @@ checks:
 - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
 #7 Authentication
- - id: 4513
+ - id: 9513
 title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
 description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
 rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
@@ -218,7 +218,7 @@ checks:
 - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
 - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
- - id: 4514
+ - id: 9514
 title: "Ensure 'secure_auth' is set to 'ON'"
 description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
 rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
@@ -231,7 +231,7 @@ checks:
 rules:
 - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
- - id: 4515
+ - id: 9515
 title: "Ensure Passwords Are Not Stored in the Global Configuration"
 description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
 rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
@@ -244,7 +244,7 @@ checks:
 rules:
 - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
- - id: 4516
+ - id: 9516
 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
 description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
 rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
@@ -255,7 +255,7 @@ checks:
 rules:
 - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
- - id: 4517
+ - id: 9517
 title: "Ensure Password Policy is in Place"
 description: "Password complexity includes password characteristics such as length, case, length, and character sets."
 rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
@@ -275,7 +275,7 @@ checks:
 - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
 #9 Replication
- - id: 4518
+ - id: 9518
 title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
 description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
 rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml
index f87edcff1..7e8fdd4b1 100644
--- a/sca/applications/cis_mysql5-6_enterprise.yml
+++ b/sca/applications/cis_mysql5-6_enterprise.yml
@@ -27,7 +27,7 @@ requirements:
 checks:
 #1 Operating System Level Configuration
- - id: 4500
+ - id: 10000
 title: "Disable MySQL Command History"
 description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled."
 rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys."
@@ -41,7 +41,7 @@ checks:
 rules:
 - 'd:/home -> ^.mysql_history$'
- - id: 4501
+ - id: 10001
 title: "Disable Interactive Login"
 description: "When created, the MySQL user may have interactive access to the operating system, which means that the MySQL user could login to the host as any other user would."
 rationale: "Preventing the MySQL user from logging in interactively may reduce the impact of a compromised MySQL account. There is also more accountability as accessing the operating system where the MySQL server lies will require the user's own account. Interactive access by the MySQL user is unnecessary and should be disabled."
@@ -52,7 +52,7 @@ checks:
 rules:
 - 'c:getent passwd mysql -> r:^\s$'
- - id: 4502
+ - id: 10002
 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles"
 description: "MySQL can read a default database password from an environment variable called MYSQL_PWD."
 rationale: "The use of the MYSQL_PWD environment variable implies the clear text storage of MySQL credentials. Avoiding this may increase assurance that the confidentiality of MySQL credentials is preserved."
@@ -66,7 +66,7 @@ checks:
 - 'c:find /home -maxdepth 2 -type f -regex "/home/.*/\(\.bashrc\|\.profile\|.bash_profile\)" -exec grep MYSQL_PWD {} + -> r:MYSQL_PWD'
 #4 General
- - id: 4503
+ - id: 10003
 title: "Ensure 'allow-suspicious-udfs' Is Set to 'FALSE'"
 description: "This option prevents attaching arbitrary shared library functions as user-defined functions by checking for at least one corresponding method named _init, _deinit, _reset, _clear, or _add."
 rationale: "Preventing shared libraries that do not contain user-defined functions from loading will reduce the attack surface of the server."
@@ -80,7 +80,7 @@ checks:
 rules:
 - 'c:my_print_defaults mysqld -> r:allow-suspicious-udfs'
- - id: 4504
+ - id: 10004
 title: "Ensure 'local_infile' is Disabled"
 description: "The 'local_infile' parameter dictates whether files located on the MySQL client's computer can be loaded or selected via 'LOAD DATA INFILE' or 'SELECT local_file'."
 rationale: "Disabling 'local_infile' reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability."
@@ -94,7 +94,7 @@ checks:
 rules:
 - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0'
- - id: 4505
+ - id: 10005
 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'"
 description: "This option causes mysqld to start without using the privilege system."
 rationale: "If this option is used, all clients of the affected server will have unrestricted access to all databases."
@@ -107,7 +107,7 @@ checks:
 rules:
 - 'c:grep -Rh skip-grant-tables /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip-grant-tables\s*=\s*FALSE|skip-grant-tables\s*=\s*false'
- - id: 4506
+ - id: 10006
 title: "Ensure '--skip-symbolic-links' Is Enabled"
 description: "The symbolic-links and skip-symbolic-links options for MySQL determine whether symbolic link support is available. When use of symbolic links are enabled, they have different effects depending on the host platform. When symbolic links are disabled, then symbolic links stored in files or entries in tables are not used by the database. "
 rationale: "Prevents sym links being used for data base files. This is especially important when MySQL is executing as root as arbitrary files may be overwritten. The symbolic-links option might allow someone to direct actions by to MySQL server to other files and/or directories."
@@ -121,7 +121,7 @@ checks:
 rules:
 - 'c:grep -Rh skip_symbolic_links /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:skip_symbolic_links\s*=\s*YES|skip_symbolic_links\s*=\s*yes'
- - id: 4507
+ - id: 10007
 title: "Ensure 'secure_file_priv' is not empty"
 description: "The secure_file_priv option restricts to paths used by LOAD DATA INFILE or SELECT local_file. It is recommended that this option be set to a file system location that contains only resources expected to be loaded by MySQL."
 rationale: "Setting secure_file_priv reduces an attacker's ability to read sensitive files off the affected server via a SQL injection vulnerability. "
@@ -134,7 +134,7 @@ checks:
 rules:
 - 'c:grep -Rh secure_file_priv /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_file_priv\s*=\s*\.'
- - id: 4508
+ - id: 10008
 title: "Ensure 'sql_mode' Contains 'STRICT_ALL_TABLES'"
 description: "When data changing statements are made (i.e. INSERT, UPDATE), MySQL can handle invalid or missing values differently depending on whether strict SQL mode is enabled. When strict SQL mode is enabled, data may not be truncated or otherwise 'adjusted' to make the data changing statement work."
 rationale: "Without strict mode the server tries to do proceed with the action when an error might have been a more secure choice. For example, by default MySQL will truncate data if it does not fit in a field, which can lead to unknown behavior, or be leveraged by an attacker to circumvent data validation. "
@@ -146,7 +146,7 @@ checks:
 - 'c:grep -Rh strict_all_tables /etc/mysql/my.cnf /etc/mysql/my.ini /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:strict_all_tables'
 #6 Auditing and Logging
- - id: 4509
+ - id: 10009
 title: "Ensure 'log_error' is not empty"
 description: "The error log contains information about events such as mysqld starting and stopping, when a table needs to be checked or repaired, and, depending on the host operating system, stack traces when mysqld fails"
 rationale: "nabling error logging may increase the ability to detect malicious attempts against MySQL, and other critical messages, such as if the error log is not enabled then connection error might go unnoticed."
@@ -159,7 +159,7 @@ checks:
 rules:
 - 'c:grep -Rh log_error /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_error\s*=\s*\S+\s*'
- - id: 4510
+ - id: 10010
 title: "Ensure Log Files are not Stored on a non-system partition"
 description: "MySQL log files can be set in the MySQL configuration to exist anywhere on the filesystem. It is common practice to ensure that the system filesystem is left uncluttered by application logs. System filesystems include the root, /var, or /usr."
 rationale: "Moving the MySQL logs off the system partition will reduce the probability of denial of service via the exhaustion of available disk space to the operating system."
@@ -173,7 +173,7 @@ checks:
 rules:
 - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
- - id: 4511
+ - id: 10011
 title: "Ensure 'log_warning' is set to 2"
 description: "The log_warnings system variable, enabled by default, provides additional information to the MySQL log. A value of 1 enables logging of warning messages, and higher integer values tend to enable more logging."
 rationale: "This might help to detect malicious behavior by logging communication errors and aborted connections."
@@ -186,7 +186,7 @@ checks:
 rules:
 - 'c:grep -Rh log_warnings /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log_warnings\s*=\s*2'
- - id: 4512
+ - id: 10012
 title: "Ensure 'log_raw' is set to 'OFF'"
 description: "The log-raw MySQL option determines whether passwords are rewritten by the server so as not to appear in log files as plain text. If log-raw is enabled, then passwords are written to the various log files (general query log, slow query log, and binary log) in plain text. "
 rationale: "With raw logging of passwords enabled someone with access to the log files might see plain text passwords."
@@ -201,7 +201,7 @@ checks:
 - 'c:grep -Rh log-raw /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:log-raw\s*OFF$|log-raw\s*off$'
 #7 Authentication
- - id: 4513
+ - id: 10013
 title: "Ensure 'old_passwords' Is Not Set to '1' or 'ON'"
 description: "This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements. Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin"
 rationale: "The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details."
@@ -218,7 +218,7 @@ checks:
 - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*1'
 - 'c:grep -Rh old_passwords /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:old_passwords\s*=\s*ON|old_passwords\s*=\s*on'
- - id: 4514
+ - id: 10014
 title: "Ensure 'secure_auth' is set to 'ON'"
 description: "This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format."
 rationale: "Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network)."
@@ -231,7 +231,7 @@ checks:
 rules:
 - 'c:grep -Rh secure_auth /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:secure_auth\s*=\s*ON|secure_auth\s*=\s*on'
- - id: 4515
+ - id: 10015
 title: "Ensure Passwords Are Not Stored in the Global Configuration"
 description: "The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf)."
 rationale: "The use of the password parameter may negatively impact the confidentiality of the user's password."
@@ -244,7 +244,7 @@ checks:
 rules:
 - 'c:grep -Rh password /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:^\s*password\.*'
- - id: 4516
+ - id: 10016
 title: "Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'"
 description: "NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided."
 rationale: "Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password."
@@ -255,7 +255,7 @@ checks:
 rules:
 - 'c:grep -Rh no_auto_create_user /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:\s*no_auto_create_user\s*$'
- - id: 4517
+ - id: 10017
 title: "Ensure Password Policy is in Place"
 description: "Password complexity includes password characteristics such as length, case, length, and character sets."
 rationale: "Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed."
@@ -275,7 +275,7 @@ checks:
 - 'c:grep -Rh validate_password_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:validate_password_policy\s*=\s*MEDIUM\s*|validate_password_policy\s*=\s*STRONG\s*|validate_password_policy\s*=\s*medium\s*|validate_password_policy\s*=\s*strong\s*'
 #9 Replication
- - id: 4518
+ - id: 10018
 title: "Ensure 'master_info_repositrory' is set to 'TABLE'"
 description: "The master_info_repository setting determines to where a slave logs master status and connection information. The options are FILE or TABLE. Note also that this setting is associated with the sync_master_info setting as well."
 rationale: "The password which the client uses is stored in the master info repository, which by default is a plaintext file. The TABLE master info repository is a bit safer, but with filesystem access it's still possible to gain access to the password the slave is using."
@@ -289,7 +289,7 @@ checks:
 - 'c:grep -Rh master_info_repository /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:master_info_repository\s*=\s*TABLE|master_info_repository\s*=\s*table'
 #10 Enterprise rules
- - id: 4519
+ - id: 10019
 title: "Ensure audit_log_connection_policy is not set to 'NONE'"
 description: "The audit_log_connection_policy variable controls how the audit plugin writes connection events to the audit log file. "
 rationale: "The audit_log_connection_policy offers three options: NONE, ERRORS, and ALL. Each option determines whether connection events are logged and the type of connection events that are logged. Setting a non 'NONE' value for audit_log_connection_policy ensures at a minimum, failed connection events are being logged. The ERRORS setting will log failed connection events and the ALL setting will log all connection events. For MySQL versions => 5.6.20, the audit_log_policy variable can override the audit_log_connection_policy, potentially invalidating this benchmark recommendation, therefore enforcing a setting for audit_log_connection_policy ensures the integrity of this recommendation."
@@ -300,7 +300,7 @@ checks:
 rules:
 - 'c:grep -Rh audit_log_connection_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_connection_policy\s*=\s* && r:none|NONE'
- - id: 4520
+ - id: 10020
 title: "Ensure audit_log_exclude_account is set to NULL"
 description: "The audit_log_exclude_accounts variable enables the administrator to set accounts for which events will not be logged in the audit log."
 rationale: "The audit_log_exclude_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures no single user is able to unintentionally evade being logged. Particular attention should be made to privileged accounts, as such accounts will generally be bestowed with more privileges than normal users, and should not be listed against this variable."
@@ -311,7 +311,7 @@ checks:
 rules:
 - 'c:grep -Rh audit_log_exclude_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_exclude_accounts\s*=\s* && r:null\s*$|NULL\s*$'
- - id: 4521
+ - id: 10021
 title: "Ensure audit_log_include_accounts is set to NULL"
 description: "The audit_log_include_accounts variable enables the administrator to set accounts for which events should be logged in the audit log."
 rationale: "The audit_log_include_accounts variable has two permitted values, either NULL or a list of MySQL accounts. Setting this variable correctly ensures all MySQL users are being logged in the audit log."
@@ -322,7 +322,7 @@ checks:
 rules:
 - 'c:grep -Rh audit_log_include_accounts /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_include_accounts\s*=\s* && r:null\s*$|NULL\s*$'
- - id: 4522
+ - id: 10022
 title: "Ensure audit_log_policy is set to log logins and connections"
 description: "With the audit_log_policy setting the amount of information which is sent to the audit log is controlled. It must be set to log logins and connections."
 rationale: "If this setting is set to QUERIES, CONNECTIONS or NONE then either connections or queries are not written to the audit log file."
@@ -333,7 +333,7 @@ checks:
 rules:
 - 'c:grep -Rh audit_log_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*\t*# && r:audit_log_policy\s*=\s* && r:ALL|LOGINS|all|logins'
- - id: 4523
+ - id: 10023
 title: "Ensure audit_log_statement_policy is set to ALL"
 description: "This setting controls whether statements are written to the audit log."
 rationale: "This setting must be set to ALL to ensure all statement information is written to the audit log."
@@ -344,7 +344,7 @@ checks:
 rules:
 - 'c:grep -Rh audit_log_statement_policy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_statement_policy\s*=\s* && r:all$|ALL$'
- - id: 4524
+ - id: 10024
 title: "Set audit_log_strategy to SYNCHRONOUS or SEMISYNCRONOUS"
 description: "The audit_log_strategy must be set to SYNCHRONOUS or SEMISYNCHRONOUS."
 rationale: "This setting controls how information is written to the audit log. It can be set to SYNCHRONOUS to make it fully durable or other settings which are less durable but have less performance overhead."
@@ -355,7 +355,7 @@ checks:
 rules:
 - 'c:grep -Rh audit_log_strategy /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:audit_log_strategy\s*=\s* && r:semisynchronous|synchronous|SEMISYNCHRONOUS|SYNCHRONOUS'
- - id: 4525
+ - id: 10025
 title: "Make sure the audit plugin can't be unloaded"
 description: "Set audit_log to FORCE_PLUS_PERMANENT."
 rationale: "This makes disables unloading on the plugin."
diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml
index 25cd7902b..69003e930 100644
--- a/sca/applications/web_vulnerabilities.yml
+++ b/sca/applications/web_vulnerabilities.yml
@@ -27,32 +27,32 @@ requirements:
 # PHP checks
 checks:
- - id: 1000
+ - id: 10500
 title: "PHP - Ensure 'Register globals' are not enabled"
 condition: all
 rules:
 - 'f:$php.ini -> r:^register_globals\s*\t*=\s*\t*Off|register_globals\s*\t*=\s*\t*off'
- - id: 1001
+ - id: 10501
 title: "PHP - Ensure 'Expose PHP' is not enabled"
 condition: all
 rules:
 - 'f:$php.ini -> r:^expose_php\s*\t*=\s*\t*Off|^expose_php\s*\t*=\s*\t*off'
- - id: 1002
+ - id: 10502
 title: "PHP - Ensure 'Allow URL fopen' is not enabled"
 condition: all
 rules:
 - 'f:$php.ini -> r:^allow_url_fopen\s*\t*=\s*\t*Off|^allow_url_fopen\s*\t*=\s*\t*off'
- - id: 1003
+ - id: 10503
 title: "PHP - Ensure 'Displaying of errors' is not enabled"
 condition: all
 rules:
 - 'f:$php.ini -> r:^display_errors\s*\t*=\s*\t*Off|^display_errors\s*\t*=\s*\t*off'
 # WEB checks
- - id: 1004
+ - id: 10504
 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -61,7 +61,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^.yop$'
- - id: 1005
+ - id: 10505
 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -70,7 +70,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^id$'
- - id: 1006
+ - id: 10506
 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -79,7 +79,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^.ssh$'
- - id: 1007
+ - id: 10507
 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -88,7 +88,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^...$'
- - id: 1008
+ - id: 10508
 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -98,7 +98,7 @@ checks:
 - 'd:$web_dirs -> ^.shell$'
 # Outdated Web applications
- - id: 1009
+ - id: 10509
 title: "Web vulnerability - Outdated WordPress installation"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -107,7 +107,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2'
- - id: 1010
+ - id: 10510
 title: "Web vulnerability - Outdated Joomla installation"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -116,7 +116,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8'
- - id: 1011
+ - id: 10511
 title: "Web vulnerability - Outdated osCommerce (v2.2) installation"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -126,7 +126,7 @@ checks:
 - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-'
 # Known backdoors
- - id: 1012
+ - id: 10512
 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -135,7 +135,7 @@ checks:
 rules:
 - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo'
- - id: 1013
+ - id: 10513
 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -144,7 +144,7 @@ checks:
 rules:
 - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST'
- - id: 1014
+ - id: 10514
 title: "Web vulnerability - .htaccess file compromised"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
@@ -155,7 +155,7 @@ checks:
 rules:
 - 'd:$web_dirs -> ^.htaccess$ -> r:RewriteCond\s+\S+HTTP_REFERERS\s+\S+google'
- - id: 1015
+ - id: 10515
 title: "Web vulnerability - .htaccess file compromised - auto append"
 compliance:
 - pci_dss: ["6.5","6.6","11.4"]
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index 0ba3fc8ab..dd2d42a9e 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -29,7 +29,7 @@ requirements:
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
- - id: 3000
+ - id: 7500
 title: "Verify all Apple provided software is current"
 description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
@@ -41,7 +41,7 @@ checks:
 - 'c:softwareupdate -l -> r:No new software available'
 # 1.2 Enable Auto Update (Scored)
- - id: 3001
+ - id: 7501
 title: "Enable Auto Update"
 description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
@@ -56,7 +56,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1'
 # 1.3 Enable app update installs (Scored)
- - id: 3002
+ - id: 7502
 title: "Enable app update installs"
 description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -68,7 +68,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
 # 1.4 Enable system data files and security update installs (Scored)
- - id: 3003
+ - id: 7503
 title: "Enable system data files and security update installs"
 description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -84,7 +84,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1'
 # 1.5 Enable OS X update installs (Scored)
- - id: 3004
+ - id: 7504
 title: "Enable OS X update installs"
 description: "Ensure that OS X updates are installed after they are available from Apple. This setting enables OS X updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -96,7 +96,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
 # 2.2.1 Enable "Set time and date automatically" (Not Scored)
- - id: 3005
+ - id: 7505
 title: "Enable \"Set time and date automatically\""
 description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Apple's automatic time update solution will enable an NTP server that is not controlled by the Application Firewall. Turning on \"Set time and date automatically\" allows other computers to connect to set their time and allows for exploit attempts against ntpd. It also allows for more accurate network detection and OS fingerprinting."
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
@@ -108,7 +108,7 @@ checks:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
 # 2.2.3 Restrict NTP server to loopback interface (Scored)
- - id: 3006
+ - id: 7506
 title: "Restrict NTP server to loopback interface"
 description: "The Apple System Preference setting to \"Set date and time automatically\" enables both an NTP client that can synchronize the time from known time server(s) and an open listening NTP server that can be used by any other computer that can connect to port 123 on the time syncing computer. This open listening service can allow for both exploits of future NTP vulnerabilities and allow for open ports that can be used for fingerprinting to target exploits. Access to this port should be restricted. Editing the /etc/ntp-restrict.conf file by adding a control on the loopback interface limits external access."
 rationale: "Mobile workstations on untrusted networks should not have open listening services available to other nodes on the network."
@@ -120,7 +120,7 @@ checks:
 - 'f:/etc/ntp-restrict.conf -> r:restrict lo'
 # 2.4.1 Disable Remote Apple Events (Scored)
- - id: 3007
+ - id: 7507
 title: "Disable Remote Apple Events"
 description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
@@ -132,7 +132,7 @@ checks:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
 # 2.4.4 Disable Printer Sharing (Scored)
- - id: 3008
+ - id: 7508
 title: "Disable Printer Sharing"
 description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
@@ -144,7 +144,7 @@ checks:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
 # 2.4.5 Disable Remote Login (Scored)
- - id: 3009
+ - id: 7509
 title: "Disable Remote Login"
 description: "Remote Login allows an interactive terminal connection to a computer."
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple OSX clients, not servers."
@@ -156,7 +156,7 @@ checks:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
 # 2.4.8 Disable File Sharing (Scored)
- - id: 3010
+ - id: 7510
 title: "Disable File Sharing"
 description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
@@ -169,7 +169,7 @@ checks:
 - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\ r:womp && !r:\s0$'
 # 2.6.1 Enable FileVault (Scored)
- - id: 3012
+ - id: 7512
 title: "Enable FileVault"
 description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
@@ -195,7 +195,7 @@ checks:
 - 'c:diskutil cs list -> r:^Encryption Type && r:AES-XTS'
 # 2.6.2 Enable Gatekeeper (Scored)
- - id: 3013
+ - id: 7513
 title: "Enable Gatekeeper"
 description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
@@ -207,7 +207,7 @@ checks:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
 # 2.6.3 Enable Firewall (Scored)
- - id: 3014
+ - id: 7514
 title: "Enable Firewall"
 description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
@@ -221,7 +221,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
- - id: 3015
+ - id: 7515
 title: "Enable Firewall Stealth Mode"
 description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
@@ -235,7 +235,7 @@ checks:
 - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled'
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- - id: 3016
+ - id: 7516
 title: "Enable Secure Keyboard Entry in terminal.app"
 description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
@@ -247,7 +247,7 @@ checks:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
 # 2.11 Java 6 is not the default Java runtime (Scored)
- - id: 3017
+ - id: 7517
 title: "Java 6 is not the default Java runtime"
 description: "Apple had made Java part of the core Operating System for OS X. Apple is no longer providing Java updates for OS X and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
 rationale: "Java is one of the most exploited environments and is no longer maintained by Apple, old versions may still be installed and should be removed from the computer or not be in the default path."
@@ -259,7 +259,7 @@ checks:
 - 'c:java -version -> r:1.6.0'
 # 3.2 Enable security auditing (Scored)
- - id: 3018
+ - id: 7518
 title: "Enable security auditing"
 description: "OSX's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
@@ -271,7 +271,7 @@ checks:
 - 'c:launchctl list -> r:com.apple.auditd'
 # 3.3 Configure Security Auditing Flags (Scored)
- - id: 3019
+ - id: 7519
 title: "Configure Security Auditing Flags"
 description: "Auditing is the capture and maintenance of information about security-related events."
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
@@ -283,7 +283,7 @@ checks:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
 # 4.1 Disable Bonjour advertising service (Scored)
- - id: 3020
+ - id: 7520
 title: "Disable Bonjour advertising service"
 description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on Mac OS X is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers. This setting does not stop the computer from sending out service discovery messages when looking for services on an internal subnet, if the computer is looking for a printer or server and using service discovery. To block all Bonjour traffic except to approved devices the pf or other firewall would be needed."
@@ -295,7 +295,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
 # 4.4 Ensure http server is not running (Scored)
- - id: 3021
+ - id: 7521
 title: "Ensure http server is not running"
 description: "Mac OS X used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
@@ -308,7 +308,7 @@ checks:
 - 'p:/usr/sbin/httpd'
 # 4.5 Ensure ftp server is not running (Scored)
- - id: 3022
+ - id: 7522
 title: "Ensure ftp server is not running"
 description: "Mac OS X used to have a graphical front-end to the embedded ftp server in the Operating System. Ftp sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an Ftp server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The Ftp server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Ftp servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
 rationale: "Ftp servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
@@ -320,7 +320,7 @@ checks:
 - 'c:launchctl list -> r:com.apple.ftpd'
 # 4.6 Ensure nfs server is not running (Scored)
- - id: 3023
+ - id: 7523
 title: "Ensure nfs server is not running"
 description: "Mac OS X can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
@@ -334,7 +334,7 @@ checks:
 - 'f:/etc/exports'
 # 5.7 Do not enable the "root" account (Scored)
- - id: 3024
+ - id: 7524
 title: "Do not enable the \"root\" account"
 description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. In the UNIX/Linux world, the system administrator commonly uses the root account to perform administrative functions."
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
@@ -346,7 +346,7 @@ checks:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
 # 5.8 Disable automatic login (Scored)
- - id: 3025
+ - id: 7525
 title: "Disable automatic login"
 description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
@@ -358,7 +358,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
 # 5.9 Require a password to wake the computer from sleep or screen saver (Scored)
- - id: 3026
+ - id: 7526
 title: "Require a password to wake the computer from sleep or screen saver"
 description: "Sleep and screensaver modes are low power modes that reduces electrical consumption while the system is not in use."
 rationale: "Prompting for a password when waking from sleep or screensaver mode mitigates the threat of an unauthorized person gaining access to a system in the user's absence."
@@ -370,7 +370,7 @@ checks:
 - 'c:defaults read com.apple.screensaver askForPassword -> 1'
 # 5.11 Disable ability to login to another user's active and locked session (Scored)
- - id: 3027
+ - id: 7527
 title: "Disable ability to login to another user's active and locked session"
 description: "OSX has a privilege that can be granted to any user that will allow that user to unlock active user's sessions."
 rationale: "Disabling the admins and/or user's ability to log into another user's active and locked session prevents unauthorized persons from viewing potentially sensitive and/or personal information."
@@ -382,7 +382,7 @@ checks:
 - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe'
 # 5.18 System Integrity Protection status (Scored)
- - id: 3028
+ - id: 7528
 title: "System Integrity Protection status"
 description: "System Integrity Protection is a new security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
@@ -394,7 +394,7 @@ checks:
 - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
 # 6.1.3 Disable guest account login (Scored)
- - id: 3029
+ - id: 7529
 title: "Disable guest account login"
 description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
@@ -406,7 +406,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
 # 6.1.5 Remove Guest home folder (Scored)
- - id: 3030
+ - id: 7530
 title: "Remove Guest home folder"
 description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
@@ -418,7 +418,7 @@ checks:
 - 'd:/Users/Guest'
 # 6.2 Turn on filename extensions (Scored)
- - id: 3031
+ - id: 7531
 title: "Turn on filename extensions"
 description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
@@ -430,7 +430,7 @@ checks:
 - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
 # 6.3 Disable the automatic run of safe files in Safari (Scored)
- - id: 3032
+ - id: 7532
 title: "Disable the automatic run of safe files in Safari"
 description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index bcf991d9a..bb261657e 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -29,7 +29,7 @@ requirements:
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
- - id: 13500
+ - id: 8000
 title: "Verify all Apple provided software is current"
 description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
@@ -41,7 +41,7 @@ checks:
 - 'c:softwareupdate -l -> r:No new software available'
 # 1.2 Enable Auto Update (Scored)
- - id: 13501
+ - id: 8001
 title: "Enable Auto Update"
 description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
@@ -56,7 +56,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1'
 # 1.3 Enable app update installs (Scored)
- - id: 13502
+ - id: 8002
 title: "Enable app update installs"
 description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -68,7 +68,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
 # 1.4 Enable system data files and security update installs (Scored)
- - id: 13503
+ - id: 8003
 title: "Enable system data files and security update installs"
 description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -84,7 +84,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1'
 # 1.5 Enable macOS update installs (Scored)
- - id: 13504
+ - id: 8004
 title: "Enable macOS update installs"
 description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -96,7 +96,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired -> 1'
 # 2.2.1 Enable "Set time and date automatically" (Scored)
- - id: 13505
+ - id: 8005
 title: "Enable \"Set time and date automatically\""
 description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries. Note: If your organization has internal time servers, enter them here. Enterprise mobile devices may need to use a mix of internal and external time servers. If multiple servers are required use the Date & Time System Preference with each server separated by a space."
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
@@ -108,7 +108,7 @@ checks:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
 # 2.4.1 Disable Remote Apple Events (Scored)
- - id: 13506
+ - id: 8006
 title: "Disable Remote Apple Events"
 description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
@@ -120,7 +120,7 @@ checks:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
 # 2.4.4 Disable Printer Sharing (Scored)
- - id: 13507
+ - id: 8007
 title: "Disable Printer Sharing"
 description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
@@ -132,7 +132,7 @@ checks:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
 # 2.4.5 Disable Remote Login (Scored)
- - id: 13508
+ - id: 8008
 title: "Disable Remote Login"
 description: "Remote Login allows an interactive terminal connection to a computer."
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
@@ -144,7 +144,7 @@ checks:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
 # 2.4.8 Disable File Sharing (Scored)
- - id: 13509
+ - id: 8009
 title: "Disable File Sharing"
 description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
@@ -157,7 +157,7 @@ checks:
 - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\ r:womp && !r:\s0$'
 # 2.6.1.1 Enable FileVault (Scored)
- - id: 13511
+ - id: 8011
 title: "Enable FileVault"
 description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
@@ -181,7 +181,7 @@ checks:
 - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
 # 2.6.2 Enable Gatekeeper (Scored)
- - id: 13512
+ - id: 8012
 title: "Enable Gatekeeper"
 description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
@@ -193,7 +193,7 @@ checks:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
 # 2.6.3 Enable Firewall (Scored)
- - id: 13513
+ - id: 8013
 title: "Enable Firewall"
 description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
@@ -207,7 +207,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
- - id: 13514
+ - id: 8014
 title: "Enable Firewall Stealth Mode"
 description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
@@ -221,7 +221,7 @@ checks:
 - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled'
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- - id: 13515
+ - id: 8015
 title: "Enable Secure Keyboard Entry in terminal.app"
 description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
@@ -233,7 +233,7 @@ checks:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
 # 2.11 Java 6 is not the default Java runtime (Scored)
- - id: 13516
+ - id: 8016
 title: "Java 6 is not the default Java runtime"
 description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
 rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
@@ -245,7 +245,7 @@ checks:
 - 'c:java -version -> r:1.6.0'
 # 3.1 Enable security auditing (Scored)
- - id: 13517
+ - id: 8017
 title: "Enable security auditing"
 description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
@@ -257,7 +257,7 @@ checks:
 - 'c:launchctl list -> r:com.apple.auditd'
 # 3.2 Configure Security Auditing Flags (Scored)
- - id: 13518
+ - id: 8018
 title: "Configure Security Auditing Flags"
 description: "Auditing is the capture and maintenance of information about security-related events."
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
@@ -269,7 +269,7 @@ checks:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
 # 4.1 Disable Bonjour advertising service (Scored)
- - id: 13519
+ - id: 8019
 title: "Disable Bonjour advertising service"
 description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
@@ -281,7 +281,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
 # 4.4 Ensure http server is not running (Scored)
- - id: 13520
+ - id: 8020
 title: "Ensure http server is not running"
 description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
@@ -294,7 +294,7 @@ checks:
 - 'p:/usr/sbin/httpd'
 # 4.5 Ensure FTP server is not running (Scored)
- - id: 13521
+ - id: 8021
 title: "Ensure FTP server is not running"
 description: "macOS used to have a graphical front-end to the embedded FTP server in the Operating System. FTP sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Running an FTP server from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. The FTP server however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. FTP servers meet a specialized need to distribute files without strong authentication and should only be done through hardened servers. Cloud services or other distribution methods should be considered"
 rationale: "FTP servers should not be run on an end user desktop. Dedicated servers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
@@ -306,7 +306,7 @@ checks:
 - 'c:launchctl list -> r:com.apple.ftpd'
 # 4.6 Ensure nfs server is not running (Scored)
- - id: 13522
+ - id: 8022
 title: "Ensure nfs server is not running"
 description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
@@ -320,7 +320,7 @@ checks:
 - 'f:/etc/exports'
 # 5.8 Do not enable the "root" account (Scored)
- - id: 13523
+ - id: 8023
 title: "Do not enable the \"root\" account"
 description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
@@ -332,7 +332,7 @@ checks:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
 # 5.9 Disable automatic login (Scored)
- - id: 13524
+ - id: 8024
 title: "Disable automatic login"
 description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
@@ -345,7 +345,7 @@ checks:
 # 5.20 System Integrity Protection status (Scored)
- - id: 13525
+ - id: 8025
 title: "System Integrity Protection status"
 description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
@@ -357,7 +357,7 @@ checks:
 - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
 # 6.1.3 Disable guest account login (Scored)
- - id: 13526
+ - id: 8026
 title: "Disable guest account login"
 description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
@@ -369,7 +369,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
 # 6.1.5 Remove Guest home folder (Scored)
- - id: 13527
+ - id: 8027
 title: "Remove Guest home folder"
 description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
@@ -381,7 +381,7 @@ checks:
 - 'd:/Users/Guest'
 # 6.2 Turn on filename extensions (Scored)
- - id: 13528
+ - id: 8028
 title: "Turn on filename extensions"
 description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
@@ -393,7 +393,7 @@ checks:
 - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
 # 6.3 Disable the automatic run of safe files in Safari (Scored)
- - id: 13529
+ - id: 8029
 title: "Disable the automatic run of safe files in Safari"
 description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index b3560768f..624eaea43 100644
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -29,7 +29,7 @@ requirements:
 checks:
 # 1.1 Verify all Apple provided software is current (Scored)
- - id: 14000
+ - id: 8500
 title: "Verify all Apple provided software is current"
 description: "Software vendors release security patches and software updates for their products when security vulnerabilities are discovered. There is no simple way to complete this action without a network connection to an Apple software repository. Please ensure appropriate access for this control. This check is only for what Apple provides through software update."
 rationale: "It is important that these updates be applied in a timely manner to prevent unauthorized persons from exploiting the identified vulnerabilities."
@@ -41,7 +41,7 @@ checks:
 - 'c:softwareupdate -l -> r:No new software available'
 # 1.2 Enable Auto Update (Scored)
- - id: 14001
+ - id: 8501
 title: "Enable Auto Update"
 description: "Auto Update verifies that your system has the newest security patches and software updates. If \"Automatically check for updates\" is not selected background updates for new malware definition files from Apple for XProtect and Gatekeeper will not occur."
 rationale: "It is important that a system has the newest updates applied so as to prevent unauthorized persons from exploiting identified vulnerabilities."
@@ -56,7 +56,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -> 1'
 # 1.3 Enable app update installs (Scored)
- - id: 14002
+ - id: 8502
 title: "Enable app update installs"
 description: "Ensure that application updates are installed after they are available from Apple. These updates do not require reboots or admin privileges for end users."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -68,7 +68,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.commerce AutoUpdate -> 1'
 # 1.4 Enable system data files and security update installs (Scored)
- - id: 14003
+ - id: 8503
 title: "Enable system data files and security update installs"
 description: "Ensure that system and security updates are installed after they are available from Apple. This setting enables definition updates for XProtect and Gatekeeper, with this setting in place new malware and adware that Apple has added to the list of malware or untrusted software will not execute. These updates do not require reboots or end user admin rights."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -84,7 +84,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -> 1'
 # 1.5 Enable macOS update installs (Scored)
- - id: 14004
+ - id: 8504
 title: "Enable macOS update installs"
 description: "Ensure that macOS updates are installed after they are available from Apple. This setting enables macOS updates to be automatically installed. Some environments will want to approve and test updates before they are delivered. It is best practice to test first where updates can and have caused disruptions to operations. Automatic updates should be turned off where changes are tightly controlled and there are mature testing and approval processes. Automatic updates should not be turned off so the admin can call the users first to let them know it's ok to install. A dependable repeatable process involving a patch agent or remote management tool should be in place before auto-updates are turned off."
 rationale: "Patches need to be applied in a timely manner to reduce the risk of vulnerabilities being exploited"
@@ -97,7 +97,7 @@ checks:
 # 2.2.1 Enable "Set time and date automatically" (Scored)
- - id: 14005
+ - id: 8505
 title: "Enable \"Set time and date automatically\""
 description: "Correct date and time settings are required for authentication protocols, file creation, modification dates and log entries."
 rationale: "Kerberos may not operate correctly if the time on the Mac is off by more than 5 minutes. This in turn can affect Apple's single sign-on feature, Active Directory logons, and other features."
@@ -109,7 +109,7 @@ checks:
 - 'c:systemsetup -getusingnetworktime -> r:Network Time:\s*\t*On'
 # 2.4.1 Disable Remote Apple Events (Scored)
- - id: 14006
+ - id: 8506
 title: "Disable Remote Apple Events"
 description: "Apple Events is a technology that allows one program to communicate with other programs. Remote Apple Events allows a program on one computer to communicate with a program on a different computer."
 rationale: "Disabling Remote Apple Events mitigates the risk of an unauthorized program gaining access to the system."
@@ -121,7 +121,7 @@ checks:
 - 'c:systemsetup -getremoteappleevents -> r:Remote Apple Events:\s*\t*Off'
 # 2.4.4 Disable Printer Sharing (Scored)
- - id: 14007
+ - id: 8507
 title: "Disable Printer Sharing"
 description: "By enabling Printer sharing the computer is set up as a print server to accept print jobs from other computers. Dedicated print servers or direct IP printing should be used instead."
 rationale: "Disabling Printer Sharing mitigates the risk of attackers attempting to exploit the print server to gain access to the system."
@@ -133,7 +133,7 @@ checks:
 - 'c:system_profiler SPPrintersDataType -> r:Shared:\s*\t*Yes'
 # 2.4.5 Disable Remote Login (Scored)
- - id: 14008
+ - id: 8508
 title: "Disable Remote Login"
 description: "Remote Login allows an interactive terminal connection to a computer."
 rationale: "Disabling Remote Login mitigates the risk of an unauthorized person gaining access to the system via Secure Shell (SSH). While SSH is an industry standard to connect to posix servers, the scope of the benchmark is for Apple macOS clients, not servers."
@@ -145,7 +145,7 @@ checks:
 - 'c:systemsetup -getremotelogin -> r:Remote Login:\s*\t*Off'
 # 2.4.8 Disable File Sharing (Scored)
- - id: 14009
+ - id: 8509
 title: "Disable File Sharing"
 description: "Apple's File Sharing uses a combination of SMB (Windows sharing) and AFP (Mac sharing)"
 rationale: "By disabling file sharing, the remote attack surface and risk of unauthorized access to files stored on the system is reduced."
@@ -158,7 +158,7 @@ checks:
 - 'f:/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist -> r:\ r:womp && !r:\s0$'
 # 2.6.1.1 Enable FileVault (Scored)
- - id: 14011
+ - id: 8511
 title: "Enable FileVault"
 description: "FileVault secures a system's data by automatically encrypting its boot volume and requiring a password or recovery key to access it."
 rationale: "Encrypting sensitive data minimizes the likelihood of unauthorized users gaining access to it."
@@ -182,7 +182,7 @@ checks:
 - 'c:fdesetup status -> r:^FileVault\s*\t*is\s*\t*On$'
 # 2.6.2 Enable Gatekeeper (Scored)
- - id: 14012
+ - id: 8512
 title: "Enable Gatekeeper"
 description: "Gatekeeper is Apple's application white-listing control that restricts downloaded applications from launching. It functions as a control to limit applications from unverified sources from running without authorization."
 rationale: "Disallowing unsigned software will reduce the risk of unauthorized or malicious applications from running on the system."
@@ -194,7 +194,7 @@ checks:
 - 'c:spctl --status -> r:^assessments\s*\t*enabled$'
 # 2.6.3 Enable Firewall (Scored)
- - id: 14013
+ - id: 8513
 title: "Enable Firewall"
 description: "A firewall is a piece of software that blocks unwanted incoming connections to a system. Apple has posted general documentation about the application firewall."
 rationale: "A firewall minimizes the threat of unauthorized users from gaining access to your system while connected to a network or the Internet."
@@ -208,7 +208,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.alf globalstate -> r:^1$|^2$'
 # 2.6.4 Enable Firewall Stealth Mode (Scored)
- - id: 14014
+ - id: 8514
 title: "Enable Firewall Stealth Mode"
 description: "While in Stealth mode the computer will not respond to unsolicited probes, dropping that traffic."
 rationale: "Stealth mode on the firewall minimizes the threat of system discovery tools while connected to a network or the Internet."
@@ -222,7 +222,7 @@ checks:
 - 'c:/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode -> r:^Stealth mode enabled'
 # 2.10 Enable Secure Keyboard Entry in terminal.app (Scored)
- - id: 14015
+ - id: 8515
 title: "Enable Secure Keyboard Entry in terminal.app"
 description: "Secure Keyboard Entry prevents other applications on the system and/or network from detecting and recording what is typed into Terminal."
 rationale: "Enabling Secure Keyboard Entry minimizes the risk of a key logger from detecting what is entered in Terminal."
@@ -234,7 +234,7 @@ checks:
 - 'c:defaults read -app Terminal SecureKeyboardEntry -> 1'
 # 2.11 Java 6 is not the default Java runtime (Scored)
- - id: 14016
+ - id: 8516
 title: "Java 6 is not the default Java runtime"
 description: "Apple had made Java part of the core Operating System for macOS. Apple is no longer providing Java updates for macOS and updated JREs and JDK are made available by Oracle. The latest version of Java 6 made available by Apple has many unpatched vulnerabilities and should not be the default runtime for Java applets that request one from the Operating System"
 rationale: "Java has been one of the most exploited environments and Java 6, which was provided as an OS component by Apple, is no longer maintained by Apple or Oracle. The old versions provided by Apple are both unsupported and missing the more modern security controls that have limited current exploits. The EOL version may still be installed and should be removed from the computer or not be in the default path."
@@ -246,7 +246,7 @@ checks:
 - 'c:java -version -> r:1.6.0'
 # 2.13 Ensure EFI version is valid and being regularly checked (Scored)
- - id: 14017
+ - id: 8517
 title: "Ensure EFI version is valid and being regularly checked"
 description: "In order to mitigate firmware attacks Apple has created a automated Firmware check to ensure that the EFI version running is a known good version from Apple. There is also an automated process to check it every seven days."
 rationale: "If the Firmware of a computer has been compromised the Operating System that the Firmware loads cannot be trusted either."
@@ -259,7 +259,7 @@ checks:
 - 'c:launchctl list -> r:^-\s*\t*0\s*\t*com.apple.driver.eficheck$'
 # 3.1 Enable security auditing (Scored)
- - id: 14018
+ - id: 8518
 title: "Enable security auditing"
 description: "macOS's audit facility, auditd, receives notifications from the kernel when certain system calls, such as open, fork, and exit, are made. These notifications are captured and written to an audit log."
 rationale: "Logs generated by auditd may be useful when investigating a security incident as they may help reveal the vulnerable application and the actions taken by a malicious actor."
@@ -271,7 +271,7 @@ checks:
 - 'c:launchctl list -> r:com.apple.auditd'
 # 3.2 Configure Security Auditing Flags (Scored)
- - id: 14019
+ - id: 8519
 title: "Configure Security Auditing Flags"
 description: "Auditing is the capture and maintenance of information about security-related events."
 rationale: "Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises or attacks that have occurred, have begun, or are about to begin. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised."
@@ -283,7 +283,7 @@ checks:
 - 'f:/etc/security/audit_control -> r:^flags && r:lo && r:ad && r:fd && r:fm && r:-all'
 # 4.1 Disable Bonjour advertising service (Scored)
- - id: 14020
+ - id: 8520
 title: "Disable Bonjour advertising service"
 description: "Bonjour is an auto-discovery mechanism for TCP/IP devices which enumerate devices and services within a local subnet. DNS on macOS is integrated with Bonjour and should not be turned off, but the Bonjour advertising service can be disabled."
 rationale: "Bonjour can simplify device discovery from an internal rogue or compromised host. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly- configured service or additional information to aid a targeted attack. Implementing this control disables the continuous broadcasting of \"I'm here!\" messages. Typical end-user endpoints should not have to advertise services to other computers."
@@ -295,7 +295,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
 # 4.4 Ensure http server is not running (Scored)
- - id: 14021
+ - id: 8521
 title: "Ensure http server is not running"
 description: "macOS used to have a graphical front-end to the embedded Apache web server in the Operating System. Personal web sharing could be enabled to allow someone on another computer to download files or information from the user's computer. Personal web sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. Apache however is still part of the Operating System and can be easily turned on to share files and provide remote connectivity to an end user computer. Web sharing should only be done through hardened web servers and appropriate cloud services."
 rationale: "Web serving should not be done from a user desktop. Dedicated webservers or appropriate cloud storage should be used. Open ports make it easier to exploit the computer."
@@ -308,7 +308,7 @@ checks:
 - 'p:/usr/sbin/httpd'
 # 4.5 Ensure nfs server is not running (Scored)
- - id: 14022
+ - id: 8522
 title: "Ensure nfs server is not running"
 description: "macOS can act as an NFS fileserver. NFS sharing could be enabled to allow someone on another computer to mount shares and gain access to information from the user's computer. File sharing from a user endpoint has long been considered questionable and Apple has removed that capability from the GUI. NFSD is still part of the Operating System and can be easily turned on to export shares and provide remote connectivity to an end user computer."
 rationale: "File serving should not be done from a user desktop, dedicated servers should be used. Open ports make it easier to exploit the computer."
@@ -322,7 +322,7 @@ checks:
 - 'f:/etc/exports'
 # 5.11 Do not enable the "root" account (Scored)
- - id: 14023
+ - id: 8523
 title: "Do not enable the \"root\" account"
 description: "The root account is a superuser account that has access privileges to perform any actions and read/write to any file on the computer. With some Linux distros the system administrator may commonly uses the root account to perform administrative functions."
 rationale: "Enabling and using the root account puts the system at risk since any successful exploit or mistake while the root account is in use could have unlimited access privileges within the system. Using the sudo command allows users to perform functions as a root user while limiting and password protecting the access privileges. By default the root account is not enabled on a macOS computer. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell)."
@@ -334,7 +334,7 @@ checks:
 - 'c:dscl . -read /Users/root AuthenticationAuthority -> r:^No such key: AuthenticationAuthority'
 # 5.12 Disable automatic login (Scored)
- - id: 14024
+ - id: 8524
 title: "Disable automatic login"
 description: "The automatic login feature saves a user's system access credentials and bypasses the login screen, instead the system automatically loads to the user's desktop screen."
 rationale: "Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system."
@@ -346,7 +346,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow -> r:autoLoginUser'
 # 5.23 System Integrity Protection status (Scored)
- - id: 14025
+ - id: 8525
 title: "System Integrity Protection status"
 description: "System Integrity Protection is a security feature introduced in OS X 10.11 El Capitan. System Integrity Protection restricts access to System domain locations and restricts runtime attachment to system processes. Any attempt to attempt to inspect or attach to a system process will fail. Kernel Extensions are now restricted to /Library/Extensions and are required to be signed with a Developer ID."
 rationale: "Running without System Integrity Protection on a production system runs the risk of the modification of system binaries or code injection of system processes that would otherwise be protected by SIP."
@@ -358,7 +358,7 @@ checks:
 - 'c:/usr/bin/csrutil status -> r:^System Integrity Protection status: enabled'
 # 6.1.3 Disable guest account login (Scored)
- - id: 14026
+ - id: 8526
 title: "Disable guest account login"
 description: "The guest account allows users access to the system without having to create an account or password. Guest users are unable to make setting changes, cannot remotely login to the system and all created files, caches, and passwords are deleted upon logging out."
 rationale: "Disabling the guest account mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system."
@@ -370,7 +370,7 @@ checks:
 - 'c:defaults read /Library/Preferences/com.apple.loginwindow.plist GuestEnabled -> 0'
 # 6.1.5 Remove Guest home folder (Scored)
- - id: 14027
+ - id: 8527
 title: "Remove Guest home folder"
 description: "The guest account login should have been disabled, so there is no need for the legacy Guest home folder to remain in the file system. When normal user accounts are removed you have the option to archive it, leave it in place or delete. In the case of the guest folder the folder remains in place without a GUI option to remove it. If at some point in the future a Guest account is needed it will be re-created. The presence of the Guest home folder can cause automated audits to fail when looking for compliant settings within all User folders as well. Rather than ignoring the folders continued existence it is best removed."
 rationale: "The Guest home folders are unneeded after the Guest account is disabled and could be used inappropriately."
@@ -382,7 +382,7 @@ checks:
 - 'd:/Users/Guest'
 # 6.2 Turn on filename extensions (Scored)
- - id: 14028
+ - id: 8528
 title: "Turn on filename extensions"
 description: "A filename extension is a suffix added to a base filename that indicates the base filename's file format."
 rationale: "Visible filename extensions allows the user to identify the file type and the application it is associated with which leads to quick identification of misrepresented malicious files."
@@ -394,7 +394,7 @@ checks:
 - 'c:defaults read NSGlobalDomain AppleShowAllExtensions -> 1'
 # 6.3 Disable the automatic run of safe files in Safari (Scored)
- - id: 14029
+ - id: 8529
 title: "Disable the automatic run of safe files in Safari"
 description: "Safari will automatically run or execute what it considers safe files. This can include installers and other files that execute on the operating system. Safari bases file safety by using a list of filetypes maintained by Apple. The list of files include text, image, video and archive formats that would be run in the context of the OS rather than the browser."
 rationale: "Hackers have taken advantage of this setting via drive-by attacks. These attacks occur when a user visits a legitimate website that has been corrupted. The user unknowingly downloads a malicious file either by closing an infected pop-up or hovering over a malicious banner. An attacker can create a malicious file that will fall within Safari's safe file list that will download and execute without user input."
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index 4254db195..d5fb2c065 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -30,7 +30,7 @@ checks:
 # 2 Filesystem Configuration
- - id: 10500
+ - id: 1000
 title: "Create Separate Partition for /tmp"
 description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -43,7 +43,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s'
- - id: 10501
+ - id: 1001
 title: "Set nodev option for /tmp Partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -55,7 +55,7 @@ checks:
 - 'not c:mount -> r:\s/tmp\s'
 - 'c:mount -> r:\s/tmp\s && r:nodev'
- - id: 10502
+ - id: 1002
 title: "Set nosuid option for /tmp Partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
@@ -67,7 +67,7 @@ checks:
 - 'not c:mount -> r:\s/tmp\s'
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
- - id: 10503
+ - id: 1003
 title: "Set noexec option for /tmp partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
@@ -79,7 +79,7 @@ checks:
 - 'not c:mount -> r:\s/tmp\s'
 - 'c:mount -> r:\s/tmp\s && r:noexec'
- - id: 10504
+ - id: 1004
 title: "Create Separate Partition for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -92,7 +92,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var\s'
- - id: 10505
+ - id: 1005
 title: "Bind mount the /var/tmp directory to /tmp"
 description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp."
 rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be write to tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
@@ -104,7 +104,7 @@ checks:
 - 'c:findmnt -> r:/var/tmp && r:[/tmp]'
 - 'f:/etc/fstab -> r:^/tmp && r:\s*/var/tmp\s* && r:bind'
- - id: 10506
+ - id: 1006
 title: "Create Separate Partition for /var/log"
 description: "The /var/log directory is used by system services to store log data."
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -117,7 +117,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/log\s'
- - id: 10507
+ - id: 1007
 title: "Create Separate Partition for /var/log/audit"
 description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
@@ -130,7 +130,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/log/audit\s'
- - id: 10508
+ - id: 1008
 title: "Create Separate Partition for /home"
 description: "The /home directory is used to support disk storage needs of local users."
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -143,7 +143,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/home\s'
- - id: 10509
+ - id: 1009
 title: "Add nodev Option to /home"
 description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
@@ -155,7 +155,7 @@ checks:
 - 'not c:mount -> r:\s/home\s'
 - 'c:mount -> r:\s/home\s && r:nodev'
- - id: 10510
+ - id: 1010
 title: "Add nodev Option to /run/shm Partition"
 description: "The nodev mount option specifies that the /run/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
 rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /run/shm partitions."
@@ -167,7 +167,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nodev'
- - id: 10511
+ - id: 1011
 title: "Add nosuid Option to /run/shm Partition"
 description: "The nosuid mount option specifies that the /run/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -179,7 +179,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:nosuid'
- - id: 10512
+ - id: 1012
 title: "Add noexec Option to /run/shm Partition"
 description: "Set noexec on the shared memory partition to prevent programs from executing from there."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -191,7 +191,7 @@ checks:
 - 'not c:mount -> r:\s/run/shm\s'
 - 'c:mount -> r:\s/run/shm\s && r:noexec'
- - id: 10513
+ - id: 1013
 title: "Disable Automounting"
 description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
@@ -204,7 +204,7 @@ checks:
 # 3 Secure Boot Settings
- - id: 10514
+ - id: 1014
 title: "Set Boot Loader Password"
 description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -216,7 +216,7 @@ checks:
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
 - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
- - id: 10515
+ - id: 1015
 title: "Require authentication for Single-User mode"
 description: "Setting a password for the root user will force authentication in single user mode."
 rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -228,7 +228,7 @@ checks:
 - 'f:/etc/shadow -> r:^root:*:|^root:!:'
 # 4 Additional Process Hardening
- - id: 10516
+ - id: 1016
 title: "Restrict Core Dumps"
 description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -240,7 +240,7 @@ checks:
 - 'c:sysctl fs.suid_dumpable -> r:=\s*0$'
 - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s0$|\t0$'
- - id: 10517
+ - id: 1017
 title: "Enable Randomized Virtual Memory Region Placement"
 description: "Set the system flag to force randomized virtual memory region placement."
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -253,7 +253,7 @@ checks:
 # 5 OS Services
- - id: 10518
+ - id: 1018
 title: "Ensure NIS is not installed"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -264,7 +264,7 @@ checks:
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
- - id: 10519
+ - id: 1019
 title: "Ensure rsh server is not enabled"
 description: "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text."
 rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -275,7 +275,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:^shell|^login|^exec'
- - id: 10520
+ - id: 1020
 title: "Ensure talk server is not enabled"
 description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -286,7 +286,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:^talk|^ntalk'
- - id: 10521
+ - id: 1021
 title: "Ensure telnet server is not enabled"
 description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
@@ -297,7 +297,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:telnet'
- - id: 10522
+ - id: 1022
 title: "Ensure tftp-server is not enabled"
 description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server."
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -308,7 +308,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:tftp'
- - id: 10523
+ - id: 1023
 title: "Ensure xinetd is not enabled"
 description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Note: Several other services recommended to be disabled in this benchmark have xinetd versions as well, if xinetd is required in your environment ensure they are disabled in xinetd configuration as well."
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
@@ -319,7 +319,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *xinetd* -> r:S\.'
- - id: 10524
+ - id: 1024
 title: "Ensure chargen is not enabled"
 description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -330,7 +330,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:chargen'
- - id: 10525
+ - id: 1025
 title: "Ensure daytime is not enabled"
 description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -341,7 +341,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:daytime'
- - id: 10526
+ - id: 1026
 title: "Ensure echo is not enabled"
 description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -352,7 +352,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:echo'
- - id: 10527
+ - id: 1027
 title: "Ensure discard is not enabled"
 description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -363,7 +363,7 @@ checks:
 rules:
 - 'f:/etc/inetd.conf -> !r:^# && r:discard'
- - id: 10528
+ - id: 1028
 title: "Ensure time is not enabled"
 description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -376,7 +376,7 @@ checks:
 # 6 Special Purpose Services
- - id: 10529
+ - id: 1029
 title: "Ensure Avahi Server is not enabled"
 description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
 rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface."
@@ -387,7 +387,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *avahi-daemon* -> r:S\.'
- - id: 10530
+ - id: 1030
 title: "Ensure print server is not enabled"
 description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -398,7 +398,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *cups* -> r:S\.'
- - id: 10531
+ - id: 1031
 title: "Ensure DHCP Server is not enabled"
 description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
 rationale: "Unless a server is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface."
@@ -411,7 +411,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *isc-dhcp-server* -> r:S\.'
- - id: 10532
+ - id: 1032
 title: "Configure Network Time Protocol (NTP)"
 description: "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server."
 rationale: "It is recommended that physical systems and virtual guests lacking direct access to the physical host's clock be configured as NTP clients to synchronize their clocks (especially to support time sensitive security mechanisms like Kerberos). This also ensures log files have consistent time records across the enterprise, which aids in forensic investigations."
@@ -428,7 +428,7 @@ checks:
 - 'f:/etc/ntp.conf -> r:^server\s\.+'
 - 'f:/etc/ntp.conf -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
- - id: 10533
+ - id: 1033
 title: "Ensure LDAP is not enabled"
 description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
 rationale: "If the server will not need to act as an LDAP client or server, it is recommended that the software be disabled to reduce the potential attack surface."
@@ -441,7 +441,7 @@ checks:
 rules:
 - 'c:dpkg -s slapd -> install ok installed'
- - id: 10534
+ - id: 1034
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -453,7 +453,7 @@ checks:
 - 'c:find /etc/rc* -name *rpcbind* -> r:S\.'
 - 'c:find /etc/rc* -name *nfs-kernel-server* -> r:S\.'
- - id: 10535
+ - id: 1035
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a server is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -464,7 +464,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *bind9* -> r:S\.'
- - id: 10536
+ - id: 1036
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -475,7 +475,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *vsftpd* -> r:S\.'
- - id: 10537
+ - id: 1037
 title: "Ensure HTTP Server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -486,7 +486,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *apache2* -> r:S\.'
- - id: 10538
+ - id: 1038
 title: "Ensure IMAP and POP server is not enabled"
 description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
@@ -497,7 +497,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *dovecot* -> r:S\.'
- - id: 10539
+ - id: 1039
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -508,7 +508,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *smb* -> r:S\.'
- - id: 10540
+ - id: 1040
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
@@ -519,7 +519,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *squid3* -> r:S\.'
- - id: 10541
+ - id: 1041
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
@@ -530,7 +530,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *snmpd* -> r:S\.'
- - id: 10542
+ - id: 1042
 title: "Configure Mail Transfer Agent for Local-Only Mode"
 description: "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail."
 rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems. Note: The remediation given here provides instructions for configuring the postfix mail server, depending on your environment you may have an alternative MTA installed such as sendmail. If this is the case consult the documentation for your installed MTA to configure the recommended state."
@@ -541,7 +541,7 @@ checks:
 rules:
 - 'f:/etc/exim4/update-exim4.conf.conf -> r:^dc_local_interfaces= && r:\p127.0.0.1\s*\p\s*::1\p$|\p::1\s*\p\s*127.0.0.1\p$|\p127.0.0.1\p$|\p::1\p$'
- - id: 10543
+ - id: 1043
 title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -555,7 +555,7 @@ checks:
 # 7 Network Configuration and Firewall
- - id: 10544
+ - id: 1044
 title: "Disable IP Forwarding"
 description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
 rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -566,7 +566,7 @@ checks:
 rules:
 - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
- - id: 10545
+ - id: 1045
 title: "Disable Send Packet Redirects"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -578,7 +578,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.send_redirects -> r:=\s*\t*0$'
- - id: 10546
+ - id: 1046
 title: "Disable Source Routed Packet Acceptance"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -590,7 +590,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*\t*0$'
- - id: 10547
+ - id: 1047
 title: "Disable ICMP Redirect Acceptance"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -602,7 +602,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*\t*0$'
- - id: 10548
+ - id: 1048
 title: "Disable Secure ICMP Redirect Acceptance"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -614,7 +614,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*\t*0$'
- - id: 10549
+ - id: 1049
 title: "Log Suspicious Packets"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -626,7 +626,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*\t*1$'
- - id: 10550
+ - id: 1050
 title: "Enable Ignore Broadcast Requests"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -637,7 +637,7 @@ checks:
 rules:
 - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
- - id: 10551
+ - id: 1051
 title: "Enable Bad Error Message Protection"
 description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -648,7 +648,7 @@ checks:
 rules:
 - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
- - id: 10552
+ - id: 1052
 title: "Enable RFC-recommended Source Route Validation"
 description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
 rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing."
@@ -660,7 +660,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*\t*1$'
- - id: 10553
+ - id: 1053
 title: "Enable TCP SYN Cookies"
 description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack."
@@ -671,7 +671,7 @@ checks:
 rules:
 - 'c:/sbin/sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
- - id: 10554
+ - id: 1054
 title: "Disable IPv6 Router Advertisements"
 description: "This setting disables the systems ability to accept router advertisements"
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
@@ -683,7 +683,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
 - 'c:/sbin/sysctl net.ipv6.conf.default.accept_ra -> r:=\s*\t*0$'
- - id: 10555
+ - id: 1055
 title: "Disable IPv6 Redirect Acceptance"
 description: "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic."
 rationale: "It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
@@ -695,7 +695,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv6.conf.all.accept_redirects -> r:=\s*\t*0$'
 - 'c:/sbin/sysctl net.ipv6.conf.default.accept_redirects -> r:=\s*\t*0$'
- - id: 10556
+ - id: 1056
 title: "Disable IPv6"
 description: "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6."
 rationale: "If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system."
@@ -711,7 +711,7 @@ checks:
 - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.default.disable_ipv6\s*\t*=\s*\t*1'
 - 'f:/etc/sysctl.conf -> r:^net.ipv6.conf.lo.disable_ipv6\s*\t*=\s*\t*1'
- - id: 10557
+ - id: 1057
 title: "Create /etc/hosts.allow"
 description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server."
@@ -722,7 +722,7 @@ checks:
 rules:
 - 'f:/etc/hosts.allow'
- - id: 10558
+ - id: 1058
 title: "Create /etc/hosts.deny"
 description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
@@ -734,7 +734,7 @@ checks:
 - 'f:/etc/hosts.deny'
 - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
- - id: 10559
+ - id: 1059
 title: "Disable DCCP"
 description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery."
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
@@ -745,7 +745,7 @@ checks:
 rules:
 - 'c:lsmod -> r:dccp'
- - id: 10560
+ - id: 1060
 title: "Disable SCTP"
 description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -756,7 +756,7 @@ checks:
 rules:
 - 'c:lsmod -> r:sctp'
- - id: 10561
+ - id: 1061
 title: "Disable RDS"
 description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -767,7 +767,7 @@ checks:
 rules:
 - 'c:lsmod -> r:rds'
- - id: 10562
+ - id: 1062
 title: "Disable TIPC"
 description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -778,7 +778,7 @@ checks:
 rules:
 - 'c:lsmod -> r:tipc'
- - id: 10563
+ - id: 1063
 title: "Ensure Firewall is active"
 description: "IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. The iptables-persistent package in Debian provides one way to ensure iptables rules are reapplied on reboot. Note: the audit and remediation included provide instructions for using iptables-persistent to reapply iptables rules. Other methods are available which may be in use in your environment and may conflict with these steps."
 rationale: "IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports."
@@ -793,7 +793,7 @@ checks:
 # 8 Logging and Auditing
- - id: 10564
+ - id: 1064
 title: "Ensure the rsyslog Service is activated"
 description: "Once the rsyslog package is installed it needs to be activated."
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
@@ -804,7 +804,7 @@ checks:
 rules:
 - 'c:find /etc/rc* -name *rsyslog* -> r:S\.'
- - id: 10565
+ - id: 1065
 title: "Configure rsyslog to Send Logs to a Remote Log Host"
 description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system"
@@ -817,7 +817,7 @@ checks:
 rules:
 - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
- - id: 10566
+ - id: 1066
 title: "Accept Remote rsyslog Messages Only on Designated Log Hosts"
 description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
@@ -833,7 +833,7 @@ checks:
 # 9 System Access, Authentication and Authorization
- - id: 10567
+ - id: 1067
 title: "Enable cron Daemon"
 description: "The cron daemon is used to execute batch jobs on the system."
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run and cron is used to execute them."
@@ -845,7 +845,7 @@ checks:
 - 'c:find /etc/rc* -name *cron* -> r:S\.'
 - 'c:find /etc/rc* -name *anacron* -> r:S\.'
- - id: 10568
+ - id: 1068
 title: "Restrict at/cron to Authorized Users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
@@ -861,7 +861,7 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
- - id: 10569
+ - id: 1069
 title: "Set Password Creation Requirement Parameters Using pam_cracklib"
 description: "The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. # retry=3 - Allow 3 tries before sending back a failure. # minlen=14 - password must be 14 characters or more # dcredit=-1 - provide at least one digit # ucredit=-1 - provide at least one uppercase character # ocredit=-1 - provide at least one special character # lcredit=-1 - provide at least one lowercase character The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -873,7 +873,7 @@ checks:
 - 'c:dpkg -s libpam-cracklib -> install ok installed'
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password\s*\t*required\s*\t*pam_cracklib.so && r:retry=\d && n:minlen=(\d+) compare >= 14 && r:dcredit=-\d+ && r:ucredit=-\d+ && r:ocredit=-\d+ && r:lcredit=-\d+'
- - id: 10570
+ - id: 1070
 title: "Set Lockout for Failed Password Attempts"
 description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration file /etc/pam.d/login. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
 rationale: "Locking out userIDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
@@ -884,7 +884,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/login -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny=\d && r:unlock_time=\d\d\d+'
- - id: 10571
+ - id: 1071
 title: "Limit Password Reuse"
 description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
@@ -895,7 +895,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/common-password -> !r:^# && r:password && r:pam_unix.so && n:remember\s*\t*=\s*\t*(\d+) compare >= 5'
- - id: 10572
+ - id: 1072
 title: "Set SSH Protocol to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -906,7 +906,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
- - id: 10573
+ - id: 1073
 title: "Set LogLevel to INFO"
 description: "The INFO parameter specifices that record login and logout activity will be logged."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
@@ -917,7 +917,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:^\s*\t*LogLevel\s+INFO'
- - id: 10574
+ - id: 1074
 title: "Disable SSH X11 Forwarding"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
@@ -928,7 +928,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s+no'
- - id: 10575
+ - id: 1075
 title: "Set SSH MaxAuthTries to 4 or Less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, it is set the number based on site policy."
@@ -939,7 +939,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
- - id: 10576
+ - id: 1076
 title: "Set SSH IgnoreRhosts to Yes"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -950,7 +950,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
- - id: 10577
+ - id: 1077
 title: "Set SSH HostbasedAuthentication to No"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -961,7 +961,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no' - - id: 10578 + - id: 1078 title: "Disable SSH Root Login" description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no." rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident." @@ -972,7 +972,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no' - - id: 10579 + - id: 1079 title: "Set SSH PermitEmptyPasswords to No" description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings." rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system." @@ -983,7 +983,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no' - - id: 10580 + - id: 1080 title: "Do Not Allow Users to Set Environment Options" description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon." rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)" 
@@ -994,7 +994,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no' - - id: 10581 + - id: 1081 title: "Set Idle Timeout Interval for User Login" description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time." rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent." 
@@ -1006,7 +1006,7 @@ checks: - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300' - 'f:/etc/ssh/sshd_config -> !r:^# && r:ClientAliveCountMax\s+0' - - id: 10582 + - id: 1082 title: "Limit Access via SSH" description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups." rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system." @@ -1017,7 +1017,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+' - - id: 10583 + - id: 1083 title: "Set SSH Banner" description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed." rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Consult with your legal department for the appropriate warning banner for your site." 
@@ -1028,7 +1028,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*\t*/etc/issue.net|^Banner\s\t*/etc/issue' - - id: 10584 + - id: 1084 title: "Restrict Access to the su Command" description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su." rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program." @@ -1042,7 +1042,7 @@ checks: # 10 User Accounts and Environment - - id: 10585 + - id: 1085 title: "Set Password Expiration Days" description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." 
@@ -1053,7 +1053,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+) compare <= 90' - - id: 10586 + - id: 1086 title: "Set Password Change Minimum Number of Days" description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days." rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls." @@ -1064,7 +1064,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' - - id: 10587 + - id: 1087 title: "Set Password Expiring Warning Days" description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days." rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered." @@ -1075,7 +1075,7 @@ checks: rules: - 'f:/etc/login.defs -> n:^PASS_WARN_AGE\s*\t*(\d+) compare >= 7' - - id: 10588 + - id: 1088 title: "Set Default Group for root Account" description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user." rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users." 
@@ -1086,7 +1086,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:' - - id: 10589 + - id: 1089 title: "Set Default umask for Users" description: "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories." rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system. Note: The directives in this section apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked." @@ -1098,7 +1098,7 @@ checks: - 'c:grep -Rh ^umask[[:space:]][[:space:]]*077 /etc/profile.d/ -> !r:^# && r:umask\s*\t*077' - 'f:/etc/bash.bashrc -> !r:^# && r:umask\s*\t*077' - - id: 10590 + - id: 1090 title: "Lock Inactive User Accounts" description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 35 or more days be disabled." rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies." 
@@ -1110,7 +1110,7 @@ checks: - 'f:/etc/default/useradd -> n:^INACTIVE=(\d+) compare <= 35' # 11 Warning Banners - - id: 10591 + - id: 1091 title: "Set Warning Banner for Standard Login Services" description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed." rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Consult with your organization's legal counsel for the appropriate wording for your specific organization." @@ -1126,7 +1126,7 @@ checks: - 'c:stat -c%u-%g-%a /etc/issue -> 0-0-644' - 'c:stat -c%u-%g-%a /etc/issue.net -> 0-0-644' - - id: 10592 + - id: 1092 title: "Remove OS Information from Login Warning Banners" description: "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform." rationale: "Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \"uname -a\" command once they have logged in." 
@@ -1141,7 +1141,7 @@ checks: # 13 Review User and Group Settings - - id: 10593 + - id: 1093 title: "Ensure Password Fields are Not Empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password." rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user." @@ -1152,7 +1152,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 10594 + - id: 1094 title: "Verify No Legacy \"+\" Entries Exist in /etc/passwd File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1163,7 +1163,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && r:^+:' - - id: 10595 + - id: 1095 title: "Verify No Legacy \"+\" Entries Exist in /etc/shadow File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." 
@@ -1173,7 +1173,7 @@ checks: condition: none rules: - 'f:/etc/shadow -> !r:^# && r:^+:' - - id: 10596 + - id: 1096 title: "Verify No Legacy \"+\" Entries Exist in /etc/group File" description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms." rationale: "These entries may provide an avenue for attackers to gain privileged access on the system." @@ -1184,7 +1184,7 @@ checks: rules: - 'f:/etc/group -> !r:^# && r:^+:' - - id: 10597 + - id: 1097 title: "Verify No UID 0 Accounts Exist Other Than root" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 9.4 Restrict root Login to System Console." @@ -1195,7 +1195,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' - - id: 10603 + - id: 1098 title: "Ensure shadow group is empty" description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group." rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts." diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml index de64b8610..6e99766eb 100644 --- a/sca/debian/cis_debian7_L2.yml +++ b/sca/debian/cis_debian7_L2.yml 
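Review bot: The id mapping in the last hunk here (`- id: 10603` → `- id: 1098`) does not follow the digit-drop used by every other hunk in this file (`10597` → `1097` immediately before it), so old and new check ids cannot be converted mechanically. Anything that keys on the old ids — stored SCA results, saved queries, documentation — would need an explicit old→new table; if one exists elsewhere in the series, a one-line pointer in the commit message or a comment near the `checks:` header would save a reader from re-deriving it. The enclosing `checks:` sequence starts and ends outside these hunks.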
@@ -30,7 +30,7 @@ checks: # 2 Filesystem Configuration - - id: 15000 + - id: 1500 title: "Disable Mounting of cramfs Filesystems" description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -42,7 +42,7 @@ checks: - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:cramfs' - - id: 15001 + - id: 1501 title: "Disable Mounting of freevxfs Filesystems" description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -54,7 +54,7 @@ checks: - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:freevxfs' - - id: 15002 + - id: 1502 title: "Disable Mounting of jffs2 Filesystems" description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -66,7 +66,7 @@ checks: - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:jffs2' - - id: 15003 + - id: 1503 title: "Disable Mounting of hfs Filesystems" description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
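Review bot: The renumbering moves this file's checks into the 1500 range (1500–1506 in these hunks, continuing upward in the following ones) while the preceding file in this patch lands in 1072–1098; it is worth confirming that the new ranges are unique across every policy under sca/, since the check `id` appears to be the key by which a result is identified and nothing in the YAML itself would fail on a collision with another policy's `id:`. Two unrelated checks sharing an id would be indistinguishable in results and alerts. A short comment at the top of the `checks:` block stating the allocation, e.g. `# check ids for this policy start at 1500; keep the range unique across sca/`, would make the reservation explicit for the next renumbering. The `checks:` sequence itself starts outside the hunk.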
@@ -78,7 +78,7 @@ checks: - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:hfs' - - id: 15004 + - id: 1504 title: "Disable Mounting of hfsplus Filesystems" description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -90,7 +90,7 @@ checks: - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:hfsplus' - - id: 15005 + - id: 1505 title: "Disable Mounting of squashfs Filesystems" description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -102,7 +102,7 @@ checks: - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:squashfs' - - id: 15006 + - id: 1506 title: "Disable Mounting of udf Filesystems" description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
@@ -116,7 +116,7 @@ checks: # 4 Additional Process Hardening - - id: 15007 + - id: 1507 title: "Activate AppArmor" description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." @@ -130,7 +130,7 @@ checks: - 'c:apparmor_status -> r:^0\s*processes are unconfined' # 8.1 Configure System Accounting (auditd) - - id: 15008 + - id: 1508 title: "Configure Audit Log Storage Size" description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." @@ -143,7 +143,7 @@ checks: - 'f:/etc/audit/auditd.conf' - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' - - id: 15009 + - id: 1509 title: "Disable System on Audit Log Full" description: "The auditd daemon can be configured to halt the system when the audit logs are full." rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." @@ -158,7 +158,7 @@ checks: - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' - - id: 15010 + - id: 1510 title: "Keep All Auditing Information" description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." 
@@ -171,7 +171,7 @@ checks: - 'f:/etc/audit/auditd.conf' - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' - - id: 15011 + - id: 1511 title: "Install and Enable auditd Service" description: "Install and turn on the auditd daemon to record system events." rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." @@ -183,7 +183,7 @@ checks: - 'c:dpkg -s auditd -> r:install ok installed' - 'c:find /etc/rc* -name *auditd* -> r:S\.' - - id: 15012 + - id: 1512 title: "Enable Auditing for Processes That Start Prior to auditd" description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." @@ -194,7 +194,7 @@ checks: rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*' - - id: 15013 + - id: 1513 title: "Record Events That Modify Date and Time Information" description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." 
@@ -211,7 +211,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b64 && r:-S clock_settime && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime && r:-p wa && r:-k time-change' - - id: 15014 + - id: 1514 title: "Record Events That Modify User/Group Information" description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." 
@@ -228,7 +228,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow && r:-p wa && r:-k identity' - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd && r:-p wa && r:-k identity' - - id: 15015 + - id: 1515 title: "Record Events That Modify the System's Network Environment" description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files." rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" 
@@ -246,7 +246,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts && r:-p wa && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w /etc/network && r:-p wa && r:-k system-locale' - - id: 15016 + - id: 1516 title: "Record Events That Modify the System's Mandatory Access Controls" description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." @@ -259,7 +259,7 @@ checks: - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ && r:-p wa && r:-k MAC-policy' - - id: 15017 + - id: 1517 title: "Collect Login and Logout Events" description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module" rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." 
@@ -274,7 +274,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog && r:-p wa && r:-k logins' - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog && r:-p wa && r:-k logins' - - id: 15018 + - id: 1518 title: "Collect Session Initiation Information" description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\"" rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." 
@@ -289,7 +289,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp && r:-p wa && r:-k session' - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp && r:-p wa && r:-k session' - - id: 15019 + - id: 1519 title: "Collect Discretionary Access Control Permission Modification Events" description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permis&& r:sions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." 
@@ -307,7 +307,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' - - id: 15020 + - id: 1520 title: "Collect Unsuccessful Unauthorized Access Attempts to Files" description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." 
@@ -323,7 +323,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' - - id: 15021 + - id: 1521 title: "Collect Successful File System Mounts" description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." 
@@ -337,7 +337,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - - id: 15022 + - id: 1522 title: "Collect File Deletion Events by User" description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"." rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." 
@@ -351,7 +351,7 @@ checks:
- 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
- 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
- - id: 15023
+ - id: 1523
title: "Collect Changes to System Administration Scope (sudoers)"
description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\""
rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
@@ -364,7 +364,7 @@ checks:
- 'f:/etc/audit/audit.rules'
- 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers && r:-p wa && r:-k scope'
- - id: 15024
+ - id: 1524
title: "Collect System Administrator Actions (sudolog)"
description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
@@ -377,7 +377,7 @@ checks:
- 'f:/etc/audit/audit.rules'
- 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log && r:-p wa && r:-k actions'
- - id: 15025
+ - id: 1525
title: "Collect Kernel Module Loading and Unloading"
description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
@@ -393,7 +393,7 @@ checks:
- 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe && r:-p x && r:-k modules'
- 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules'
- - id: 15026
+ - id: 1526
title: "Make the Audit Configuration Immutable"
description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot"
rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
@@ -407,7 +407,7 @@ checks:
- 'f:/etc/audit/audit.rules -> r:^-e 2$'
# 8.3 Advanced Intrusion Detection Environment (AIDE)
- - id: 15027
+ - id: 1527
title: "Install AIDE"
description: "In some installations, AIDE is not installed automatically"
rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
@@ -418,7 +418,7 @@ checks:
rules:
- 'c:dpkg -s aide -> r:install ok installed'
- - id: 15028
+ - id: 1528
title: "Implement Periodic Execution of File Integrity"
description: "Implement periodic file checking, in compliance with site policy"
rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index efa37e521..40c4f75cd 100644
--- a/sca/debian/cis_debian8_L1.yml
+++ b/sca/debian/cis_debian8_L1.yml
@@ -28,7 +28,7 @@ requirements:
checks:
# 1.1.1 Disable unused filesystems
- - id: 11000
+ - id: 2000
title: "Ensure mounting of cramfs filesystems is disabled"
description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
@@ -41,7 +41,7 @@ checks:
- 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true'
- 'not c:lsmod -> r:cramfs'
- - id: 11001
+ - id: 2001
title: "Ensure mounting of freevxfs filesystems is disabled"
description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -54,7 +54,7 @@ checks:
- 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
- 'not c:lsmod -> r:freevxfs'
- - id: 11002
+ - id: 2002
title: "Ensure mounting of jffs2 filesystems is disabled"
description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -67,7 +67,7 @@ checks:
- 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
- 'not c:lsmod -> r:jffs2'
- - id: 11003
+ - id: 2003
title: "Ensure mounting of hfs filesystems is disabled"
description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -80,7 +80,7 @@ checks:
- 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
- 'not c:lsmod -> r:hfs'
- - id: 11004
+ - id: 2004
title: "Ensure mounting of hfsplus filesystems is disabled"
description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -93,7 +93,7 @@ checks:
- 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
- 'not c:lsmod -> r:hfsplus'
- - id: 11005
+ - id: 2005
title: "Ensure mounting of squashfs filesystems is disabled"
description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs ). A squashfs image can be used without having to first decompress the image."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -106,7 +106,7 @@ checks:
- 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true'
- 'not c:lsmod -> r:squashfs'
- - id: 11006
+ - id: 2006
title: "Ensure mounting of udf filesystems is disabled"
description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -120,7 +120,7 @@ checks:
- 'not c:lsmod -> r:udf'
# 2 Filesystem Configuration
- - id: 11007
+ - id: 2007
title: "Ensure /tmp is configured"
description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -135,7 +135,7 @@ checks:
rules:
- 'c:mount -> r:\s/tmp\s'
- - id: 11008
+ - id: 2008
title: "Ensure nodev option set on /tmp partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -147,7 +147,7 @@ checks:
rules:
- 'c:mount -> r:\s/tmp\s && r:nodev'
- - id: 11009
+ - id: 2009
title: "Ensure nosuid option set on /tmp partition"
description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp."
@@ -159,7 +159,7 @@ checks:
rules:
- 'c:mount -> r:\s/tmp\s && r:nosuid'
- - id: 11010
+ - id: 2010
title: "Ensure nodev option set on /var/tmp partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp."
@@ -171,7 +171,7 @@ checks:
rules:
- 'c:mount -> r:\s/var/tmp\s && r:nodev'
- - id: 11011
+ - id: 2011
title: "Ensure nosuid option set on /var/tmp partition"
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp."
@@ -183,7 +183,7 @@ checks:
rules:
- 'c:mount -> r:\s/var/tmp\s && r:nosuid'
- - id: 11012
+ - id: 2012
title: "Ensure noexec option set on /var/tmp partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
@@ -195,7 +195,7 @@ checks:
rules:
- 'c:mount -> r:\s/var/tmp\s && r:noexec'
- - id: 11013
+ - id: 2013
title: "Ensure nodev option set on /home partition"
description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well."
@@ -207,7 +207,7 @@ checks:
rules:
- 'c:mount -> r:\s/home\s && r:nodev'
- - id: 11014
+ - id: 2014
title: "Ensure nodev option set on /dev/shm partition"
description: "The nodev mount option specifies that the filesystem cannot contain special devices."
rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -219,7 +219,7 @@ checks:
rules:
- 'c:mount -> r:\s/dev/shm\s && r:nodev'
- - id: 11015
+ - id: 2015
title: "Ensure nosuid option set on /dev/shm partition"
description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -231,7 +231,7 @@ checks:
rules:
- 'c:mount -> r:\s/dev/shm\s && r:nosuid'
- - id: 11016
+ - id: 2016
title: "Ensure noexec option set on /dev/shm partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -243,7 +243,7 @@ checks:
rules:
- 'c:mount -> r:\s/dev/shm\s && r:noexec'
- - id: 11017
+ - id: 2017
title: "Disable Automounting"
description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
@@ -256,7 +256,7 @@ checks:
- 'c:systemctl is-enabled autofs -> r:^enabled'
# 1.3 Filesystem Integrity Checking
- - id: 11018
+ - id: 2018
title: "Ensure AIDE is installed"
description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system."
rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries."
@@ -268,7 +268,7 @@ checks:
rules:
- 'c:dpkg -s aide -> r:install ok installed'
- - id: 11019
+ - id: 2019
title: "Ensure filesystem integrity is regularly checked"
description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem."
rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
@@ -281,7 +281,7 @@ checks:
- 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
# 1.4 Secure Boot Settings
- - id: 11020
+ - id: 2020
title: "Ensure bootloader password is set"
description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -294,7 +294,7 @@ checks:
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers'
- 'f:/boot/grub/grub.cfg -> r:^\s*\t*password'
- - id: 11021
+ - id: 2021
title: "Ensure authentication required for single user mode"
description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -307,7 +307,7 @@ checks:
- 'f:/etc/shadow -> r:^root:*:|^root:!:'
# 1.5 Additional Process Hardening
- - id: 11022
+ - id: 2022
title: "Ensure core dumps are restricted"
description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
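Review bot: In the `f:/etc/shadow` rule at the top of the `@@ -307` hunk, `^root:*:` does not match the locked-password form `root:*:` because `*` quantifies the preceding `:`, so that branch only fires on `root::` (an empty password field); only the `^root:!:` alternative behaves as the title of the enclosing check intends. The audit therefore misses the most common "no root password" state unless the asterisk is matched literally, e.g. `r:^root:\*:|^root:!:` (or `r:^root:\p:` if the regex dialect has no `\*` escape, since `\p` covers both `*` and `!`). This hunk only renumbers the next check's id; the check that owns this rule, including its `condition`, starts outside the hunk, so I could not confirm which condition it uses.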
@@ -321,7 +321,7 @@ checks:
- 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$'
- 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$'
- - id: 11023
+ - id: 2023
title: "Ensure address space layout randomization (ASLR) is enabled"
description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -335,7 +335,7 @@ checks:
- 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2'
# 1.7 Warning Banners
- - id: 11024
+ - id: 2024
title: "Ensure local login warning banner is configured properly"
description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version"
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in."
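Review bot: The first rule of the `@@ -321` hunk, `c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$`, has no space between `/etc/sysctl.d` and `->`, unlike every other rule in this file; if the rule parser splits on the ` -> ` token with surrounding spaces, the whole string is run as the command and no pattern is applied, so the `fs.suid_dumpable = 0` part of the core-dump check never evaluates the grep output. Change it to `c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*0$`. The commit only renumbers the following check's id; the check that owns this rule, with its `condition`, starts outside the hunk.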
@@ -347,7 +347,7 @@ checks:
rules:
- 'f:/etc/issue -> r:\v|\r|\m|\s|Debian'
- - id: 11025
+ - id: 2025
title: "Ensure GDM login banner is configured"
description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems."
rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place."
@@ -363,7 +363,7 @@ checks:
- 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+'
# 2 Services
- - id: 11026
+ - id: 2026
title: "Ensure xinetd is not installed"
description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled."
@@ -375,7 +375,7 @@ checks:
rules:
- 'c:dpkg -s xinetd -> r:install ok installed'
- - id: 11027
+ - id: 2027
title: "Ensure inetd is not installed"
description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
rationale: "If there are no inetd services required, it is recommended that the daemon be removed."
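Review bot: The `f:/etc/issue -> r:\v|\r|\m|\s|Debian` rule in the `@@ -347` hunk is meant to detect the literal getty escape sequences `\v`, `\r`, `\m` and `\s` in the banner, but inside a regex `\s` is a whitespace class, so the rule fires on any banner that contains a space, and the `\v`/`\r`/`\m` branches do not match a literal backslash either. As written the check reports nearly every system as leaking OS details, which buries the real findings. Match the backslash literally, e.g. `r:\\v|\\r|\\m|\\s|Debian`, if the regex dialect supports `\\`; otherwise a `c:grep` with a fixed-string pattern over `/etc/issue` would be more reliable. The enclosing check and its `condition` start outside the hunk.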
@@ -388,7 +388,7 @@ checks:
- 'c:dpkg -s openbsd-inetd -> r:install ok installed'
- 'c:dpkg -s inetutils-inetd -> r:install ok installed'
- - id: 11028
+ - id: 2028
title: "Ensure ntp is configured"
description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
@@ -406,7 +406,7 @@ checks:
- 'f:/etc/ntp.conf -> r:^server\s\.+'
- 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
- - id: 11029
+ - id: 2029
title: "Ensure chrony is configured"
description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system."
@@ -418,7 +418,7 @@ checks:
rules:
- 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$'
- - id: 11030
+ - id: 2030
title: "Ensure Avahi Server is not enabled"
description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface."
@@ -430,7 +430,7 @@ checks:
rules:
- 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
- - id: 11031
+ - id: 2031
title: "Ensure CUPS is not enabled"
description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -444,7 +444,7 @@ checks:
rules:
- 'c:systemctl is-enabled cups -> r:^enabled'
- - id: 11032
+ - id: 2032
title: "Ensure DHCP Server is not enabled"
description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
@@ -459,7 +459,7 @@ checks:
- 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
- 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled'
- - id: 11033
+ - id: 2033
title: "Ensure LDAP server is not enabled"
description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database."
rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface."
@@ -473,7 +473,7 @@ checks:
rules:
- 'c:systemctl is-enabled slapd -> r:^enabled'
- - id: 11034
+ - id: 2034
title: "Ensure NFS and RPC are not enabled"
description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -486,7 +486,7 @@ checks:
- 'c:systemctl is-enabled nfs-server -> r:^enabled'
- 'c:systemctl is-enabled rpcbind -> r:^enabled'
- - id: 11035
+ - id: 2035
title: "Ensure DNS Server is not enabled"
description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -498,7 +498,7 @@ checks:
rules:
- 'c:systemctl is-enabled bind9 -> r:^enabled'
- - id: 11036
+ - id: 2036
title: "Ensure FTP Server is not enabled"
description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -510,7 +510,7 @@ checks:
rules:
- 'c:systemctl is-enabled vsftpd -> r:^enabled'
- - id: 11037
+ - id: 2037
title: "Ensure HTTP Server is not enabled"
description: "HTTP or web servers provide the ability to host web site content."
rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -522,7 +522,7 @@ checks:
rules:
- 'c:systemctl is-enabled apache2 -> r:^enabled'
- - id: 11038
+ - id: 2038
title: "Ensure IMAP and POP3 server is not enabled"
description: "exim is an open source IMAP and POP3 server for Linux based systems."
rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface."
@@ -535,7 +535,7 @@ checks:
rules:
- 'c:dpkg -s exim4 -> install ok installed'
- - id: 11039
+ - id: 2039
title: "Ensure Samba is not enabled"
description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -547,7 +547,7 @@ checks:
rules:
- 'c:systemctl is-enabled smbd -> r:^enabled'
- - id: 11040
+ - id: 2040
title: "Ensure HTTP Proxy Server is not enabled"
description: "Squid is a standard proxy server used in many distributions and environments."
rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
@@ -559,7 +559,7 @@ checks:
rules:
- 'c:systemctl is-enabled squid -> r:^enabled'
- - id: 11041
+ - id: 2041
title: "Ensure SNMP Server is not enabled"
description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
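Review bot: The `c:dpkg -s exim4 -> install ok installed` rule at the top of the `@@ -535` hunk lacks the `r:` prefix that every other `dpkg -s` rule in this file carries; a prefix-less term is presumably compared as a literal against the whole output line, which reads `Status: install ok installed`, so the rule can never match and the IMAP/POP3 check would pass unconditionally. Change it to `c:dpkg -s exim4 -> r:install ok installed`. The commit only renumbers the following check's id; the check that owns this rule, with its `condition`, starts outside the hunk.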
@@ -571,7 +571,7 @@ checks:
rules:
- 'c:systemctl is-enabled snmpd -> r:^enabled'
- - id: 11042
+ - id: 2042
title: "Ensure rsync service is not enabled"
description: "The rsyncd service can be used to synchronize files between systems over network links."
rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -583,7 +583,7 @@ checks:
rules:
- 'c:systemctl is-enabled rsync -> r:^enabled'
- - id: 11043
+ - id: 2043
title: "Ensure NIS Server is not enabled"
description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
@@ -596,7 +596,7 @@ checks:
rules:
- 'c:systemctl is-enabled nis -> r:^enabled'
- - id: 11044
+ - id: 2044
title: "Ensure NIS Client is not installed"
description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -608,7 +608,7 @@ checks:
rules:
- 'c:dpkg -s nis -> r:install ok installed'
- - id: 11045
+ - id: 2045
title: "Ensure rsh client is not installed"
description: "The rshpackage contains the client commands for the rsh services."
rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin."
@@ -621,7 +621,7 @@ checks:
- 'c:dpkg -s rsh-client -> r:install ok installed'
- 'c:dpkg -s rsh-redone-client -> r:install ok installed'
- - id: 11046
+ - id: 2046
title: "Ensure talk client is not installed"
description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default."
rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -633,7 +633,7 @@ checks:
rules:
- 'c:dpkg -s talk -> r:install ok installed'
- - id: 11047
+ - id: 2047
title: "Ensure telnet client is not installed"
description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions."
@@ -646,7 +646,7 @@ checks:
 - 'c:dpkg -s telnet -> r:install ok installed'
 # 3 Network Configuration
- - id: 11048
+ - id: 2048
 title: "Ensure IP forwarding is disabled"
 description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not."
 rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -661,7 +661,7 @@ checks:
 - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$'
- - id: 11049
+ - id: 2049
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -676,7 +676,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$'
- - id: 11050
+ - id: 2050
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -695,7 +695,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$'
- - id: 11051
+ - id: 2051
 title: "Ensure ICMP redirects are not accepted"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -714,7 +714,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$'
- - id: 11052
+ - id: 2052
 title: "Ensure secure ICMP redirects are not accepted"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -729,7 +729,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
- - id: 11053
+ - id: 2053
 title: "Ensure suspicious packets are logged"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -744,7 +744,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
- - id: 11054
+ - id: 2054
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -757,7 +757,7 @@ checks:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
- - id: 11055
+ - id: 2055
 title: "Ensure bogus ICMP responses are ignored"
 description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -770,7 +770,7 @@ checks:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
- - id: 11056
+ - id: 2056
 title: "Ensure Reverse Path Filtering is enabled"
 description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
 rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing.
@@ -785,7 +785,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
- - id: 11057
+ - id: 2057
 title: "Ensure TCP SYN Cookies is enabled"
 description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -798,7 +798,7 @@ checks:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
- - id: 11058
+ - id: 2058
 title: "Ensure IPv6 router advertisements are not accepted"
 description: "This setting disables the systems ability to accept router advertisements"
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
@@ -813,7 +813,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
- - id: 11059
+ - id: 2059
 title: "Ensure /etc/hosts.allow is configured"
 description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
@@ -825,7 +825,7 @@ checks:
 rules:
 - 'f:/etc/hosts.allow'
- - id: 11060
+ - id: 2060
 title: "Ensure /etc/hosts.deny is configured"
 description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
@@ -838,7 +838,7 @@ checks:
 - 'f:/etc/hosts.deny'
 - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
- - id: 11061
+ - id: 2061
 title: "Ensure DCCP is disabled"
 description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
@@ -851,7 +851,7 @@ checks:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
 - 'c:lsmod -> r:dccp'
- - id: 11062
+ - id: 2062
 title: "Ensure SCTP is disabled"
 description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -864,7 +864,7 @@ checks:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
 - 'c:lsmod -> r:sctp'
- - id: 11063
+ - id: 2063
 title: "Ensure RDS is disabled"
 description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -877,7 +877,7 @@ checks:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
 - 'c:lsmod -> r:rds'
- - id: 11064
+ - id: 2064
 title: "Ensure TIPC is disabled"
 description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -892,7 +892,7 @@ checks:
 # 3.5 Firewall configuration
- - id: 11065
+ - id: 2065
 title: "Ensure default deny firewall policy"
 description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
@@ -906,7 +906,7 @@ checks:
 - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP'
 - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP'
- - id: 11066
+ - id: 2066
 title: "Ensure IPv6 default deny firewall policy"
 description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
@@ -920,7 +920,7 @@ checks:
 - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP'
 - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP'
- - id: 11067
+ - id: 2067
 title: "Ensure iptables is installed"
 description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables."
 rationale: "iptables is required for firewall management and configuration."
@@ -933,7 +933,7 @@ checks:
 - 'c:dpkg -s iptables -> r:install ok installed'
 # 4 Logging and Auditing
- - id: 11068
+ - id: 2068
 title: "Ensure rsyslog Service is enabled"
 description: "Once the rsyslog package is installed it needs to be activated."
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
@@ -945,7 +945,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled rsyslog -> r:^enabled'
- - id: 11069
+ - id: 2069
 title: "Ensure rsyslog is configured to send logs to a remote log host"
 description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
@@ -959,7 +959,7 @@ checks:
 rules:
 - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
- - id: 11070
+ - id: 2070
 title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
 description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
@@ -975,7 +975,7 @@ checks:
 - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
 # 5 Access, Authentication and Authorization
- - id: 11071
+ - id: 2071
 title: "Ensure cron daemon is enabled"
 description: "The cron daemon is used to execute batch jobs on the system."
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
@@ -987,7 +987,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled cron -> r:^enabled$'
- - id: 11072
+ - id: 2072
 title: "Ensure at/cron is restricted to authorized users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
@@ -1004,7 +1004,7 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
- - id: 11073
+ - id: 2073
 title: "Ensure permissions on /etc/ssh/sshd_config are configured"
 description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
 rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
@@ -1016,7 +1016,7 @@ checks:
 rules:
 - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
- - id: 11074
+ - id: 2074
 title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -1028,7 +1028,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
- - id: 11075
+ - id: 2075
 title: "Ensure SSH LogLevel is appropriate"
 description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
@@ -1042,7 +1042,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
- - id: 11076
+ - id: 2076
 title: "Ensure SSH X11 forwarding is disabled"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
@@ -1054,7 +1054,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
- - id: 11077
+ - id: 2077
 title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -1066,7 +1066,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
- - id: 11078
+ - id: 2078
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -1078,7 +1078,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
- - id: 11079
+ - id: 2079
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -1090,7 +1090,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
- - id: 11080
+ - id: 2080
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
@@ -1104,7 +1104,7 @@ checks:
 # 5.2 SSH Server Configuration
- - id: 11081
+ - id: 2081
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -1116,7 +1116,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
- - id: 11082
+ - id: 2082
 title: "Ensure SSH PermitUserEnvironment is disabled"
 description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
@@ -1128,7 +1128,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
- - id: 11083
+ - id: 2083
 title: "Ensure SSH Idle Timeout Interval is configured"
 description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
@@ -1141,7 +1141,7 @@ checks:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
- - id: 11084
+ - id: 2084
 title: "Ensure SSH access is limited"
 description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
@@ -1153,7 +1153,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
- - id: 11085
+ - id: 2085
 title: "Ensure SSH warning banner is configured"
 description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
@@ -1167,7 +1167,7 @@ checks:
 # 5.3 Configure PAM
- - id: 11086
+ - id: 2086
 title: "Ensure password creation requirements are configured"
 description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -1185,7 +1185,7 @@ checks:
 - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit'
 - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit'
- - id: 11087
+ - id: 2087
 title: "Ensure lockout for failed password attempts is configured"
 description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
 rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
@@ -1197,7 +1197,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
- - id: 11088
+ - id: 2088
 title: "Ensure password reuse is limited"
 description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
@@ -1211,7 +1211,7 @@ checks:
 # 5.4 User Accounts and Environment
- - id: 11089
+ - id: 2089
 title: "Ensure password expiration is 365 days or less"
 description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
@@ -1223,7 +1223,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
- - id: 11090
+ - id: 2090
 title: "Ensure minimum days between password changes is 7 or more"
 description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
@@ -1235,7 +1235,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
- - id: 11091
+ - id: 2091
 title: "Ensure password expiration warning days is 7 or more"
 description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
@@ -1247,7 +1247,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
- - id: 11092
+ - id: 2092
 title: "Ensure inactive password lock is 30 days or less"
 description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
 rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
@@ -1259,7 +1259,7 @@ checks:
     rules:
       - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
 
-  - id: 11093
+  - id: 2093
     title: "Ensure default group for the root account is GID 0"
     description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
     rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
@@ -1271,7 +1271,7 @@ checks:
     rules:
       - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
 
-  - id: 11094
+  - id: 2094
     title: "Ensure access to the su command is restricted"
     description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
     rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
@@ -1286,7 +1286,7 @@ checks:
 
   # 6.2 User and Group Settings
 
-  - id: 11095
+  - id: 2095
     title: "Ensure password fields are not empty"
     description: "An account with an empty password field means that anybody may log in as that user without providing a password."
     rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
@@ -1298,7 +1298,7 @@ checks:
     rules:
       - 'f:/etc/shadow -> r:^\w+::'
 
-  - id: 11096
+  - id: 2096
     title: "Ensure no legacy \"+\" entries exist in /etc/passwd"
     description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
     rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1310,7 +1310,7 @@ checks:
     rules:
       - 'f:/etc/passwd -> !r:^# && r:^+:'
 
-  - id: 11097
+  - id: 2097
     title: "Ensure no legacy \"+\" entries exist in /etc/shadow"
     description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
     rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1322,7 +1322,7 @@ checks:
     rules:
       - 'f:/etc/shadow -> !r:^# && r:^+:'
 
-  - id: 11098
+  - id: 2098
     title: "Ensure no legacy \"+\" entries exist in /etc/group"
     description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
     rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
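Review bot: The legacy "+" rules kept on the new side (`r:^+:` in the @@ -1310 hunk here, and again in the @@ -1322 and @@ -1334 hunks for /etc/shadow and /etc/group) place an unescaped `+` right after the start anchor, and whether that matches a literal plus depends on how the SCA regex engine treats a leading `+`; if it is read as a quantifier the rule may never match an actual `+:` line. Worth confirming against a fixture file containing a literal `+::0:0:::` line before relying on these checks, and escaping the character if the engine requires it. The `condition` for each of these checks is outside the hunk, so which outcome a match produces cannot be verified here.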
@@ -1334,7 +1334,7 @@ checks:
     rules:
       - 'f:/etc/group -> !r:^# && r:^+:'
 
-  - id: 11099
+  - id: 2099
     title: "Ensure root is the only UID 0 account"
     description: "Any account with UID 0 has superuser privileges on the system."
     rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
@@ -1346,7 +1346,7 @@ checks:
     rules:
       - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
 
-  - id: 11100
+  - id: 2100
     title: "Ensure shadow group is empty"
     description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
     rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml
index 353e0863c..1e1f03508 100644
--- a/sca/debian/cis_debian8_L2.yml
+++ b/sca/debian/cis_debian8_L2.yml
@@ -28,7 +28,7 @@ requirements:
 
 checks:
 
-  - id: 10500
+  - id: 2500
     title: "Ensure separate partition exists for /var"
     description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
     rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -42,7 +42,7 @@ checks:
     rules:
       - 'c:mount -> r:\s/var\s'
 
-  - id: 10501
+  - id: 2501
     title: "Ensure separate partition exists for /var/tmp"
     description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
     rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
@@ -56,7 +56,7 @@ checks:
     rules:
       - 'c:mount -> r:\s/var/tmp\s'
 
-  - id: 10502
+  - id: 2502
     title: "Ensure separate partition exists for /var/log"
     description: "The /var/log directory is used by system services to store log data."
     rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -70,7 +70,7 @@ checks:
     rules:
       - 'c:mount -> r:\s/var/log\s'
 
-  - id: 10503
+  - id: 2503
     title: "Ensure separate partition exists for /var/log/audit"
     description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
     rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
@@ -84,7 +84,7 @@ checks:
     rules:
       - 'c:mount -> r:\s/var/log/audit\s'
 
-  - id: 10504
+  - id: 2504
     title: "Ensure separate partition exists for /home"
     description: "The /home directory is used to support disk storage needs of local users."
     rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -98,7 +98,7 @@ checks:
     rules:
       - 'c:mount -> r:\s/home\s'
 
-  - id: 10505
+  - id: 2505
     title: "Disable Automounting"
     description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
     rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
@@ -111,7 +111,7 @@ checks:
       - 'c:systemctl is-enabled autofs -> r:^enabled'
 
   # 4 Additional Process Hardening
-  - id: 10506
+  - id: 2506
     title: "Ensure SELinux or AppArmor are installed"
     description: "SELinux and AppArmor provide Mandatory Access Controls."
     rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
@@ -126,7 +126,7 @@ checks:
 
   # 2 Services
 
-  - id: 10507
+  - id: 2507
     title: "Ensure CUPS is not enabled"
     description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
     rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -142,7 +142,7 @@ checks:
 
   # 4 Logging and Auditing
 
-  - id: 10508
+  - id: 2508
     title: "Ensure audit log storage size is configured"
     description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
     rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
@@ -156,7 +156,7 @@ checks:
       - 'f:/etc/audit/auditd.conf'
       - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
 
-  - id: 10509
+  - id: 2509
     title: "Ensure system is disabled when audit logs are full"
     description: "The auditd daemon can be configured to halt the system when the audit logs are full."
     rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
@@ -172,7 +172,7 @@ checks:
       - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
       - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
 
-  - id: 10510
+  - id: 2510
     title: "Ensure audit logs are not automatically deleted"
     description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
     rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
@@ -186,7 +186,7 @@ checks:
       - 'f:/etc/audit/auditd.conf'
       - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
 
-  - id: 10511
+  - id: 2511
     title: "Ensure auditd service is enabled"
     description: "Turn on the auditd daemon to record system events."
     rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
@@ -198,7 +198,7 @@ checks:
     rules:
       - 'c:systemctl is-enabled auditd -> r:^enabled'
 
-  - id: 10512
+  - id: 2512
     title: "Ensure auditing for processes that start prior to auditd is enabled"
     description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup."
     rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
@@ -210,7 +210,7 @@ checks:
     rules:
       - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*'
 
-  - id: 10513
+  - id: 2513
     title: "Ensure events that modify date and time information are collected"
     description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\""
     rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
@@ -228,7 +228,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S clock_settime && r:-k time-change'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change'
 
-  - id: 10514
+  - id: 2514
     title: "Ensure events that modify user/group information are collected"
     description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file."
     rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
@@ -246,7 +246,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity'
 
-  - id: 10515
+  - id: 2515
     title: "Ensure events that modify the system's network environment are collected"
     description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files."
     rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
@@ -265,7 +265,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale'
 
-  - id: 10516
+  - id: 2516
     title: "Ensure events that modify the system's Mandatory Access Controls are collected (SELinux)"
     description: "Monitor SELinux mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
     rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
@@ -280,7 +280,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/ && r:-p wa && r:-k MAC-policy'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/ && r:-p wa && r:-k MAC-policy'
 
-  - id: 10517
+  - id: 2517
     title: "Ensure events that modify the system's Mandatory Access Controls are collected (AppArmor)"
     description: "Monitor AppArmor mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor and /etc/apparmor.d directories."
     rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
@@ -295,7 +295,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy'
 
-  - id: 10518
+  - id: 2518
     title: "Ensure login and logout events are collected"
     description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
     rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
@@ -311,7 +311,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
 
-  - id: 10519
+  - id: 2519
     title: "Ensure session initiation information is collected"
     description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier \"logins.\""
     rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
@@ -327,7 +327,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins'
 
-  - id: 10520
+  - id: 2520
     title: "Ensure discretionary access control permission modification events are collected"
     description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\""
     rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
@@ -346,7 +346,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
 
-  - id: 10521
+  - id: 2521
     title: "Ensure unsuccessful unauthorized file access attempts are collected"
     description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\""
     rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
@@ -363,7 +363,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
 
-  - id: 10522
+  - id: 2522
     title: "Ensure successful file system mounts are collected"
     description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user."
     rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
@@ -378,7 +378,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
 
-  - id: 10523
+  - id: 2523
     title: "Ensure file deletion events by users are collected"
     description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
     rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
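Review bot: The two `-S mount` audit rules kept as context on the new side of this hunk are byte-identical (both `-F arch=b32`), so the check never verifies that a 64-bit mount rule is present, unlike the sibling checks in this file whose rule pairs cover `arch=b64` and `arch=b32`. The second entry looks like a copy of the first that was meant to be the b64 counterpart: `- 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'`. On a 64-bit host the missing rule means mount events from native syscalls would go unaudited while the check still reports compliant. The check's `rules:` key and `condition` start outside the hunk.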
@@ -393,7 +393,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
 
-  - id: 10524
+  - id: 2524
     title: "Ensure changes to system administration scope (sudoers) is collected"
     description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\""
     rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
@@ -408,7 +408,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope'
 
-  - id: 10525
+  - id: 2525
     title: "Ensure system administrator actions (sudolog) are collected"
     description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
     rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
@@ -422,7 +422,7 @@ checks:
       - 'f:/etc/audit/audit.rules'
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions'
 
-  - id: 10526
+  - id: 2526
     title: "Ensure kernel module loading and unloading is collected"
     description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
     rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
@@ -439,7 +439,7 @@ checks:
       - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules'
       - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules'
 
-  - id: 10527
+  - id: 2527
     title: "Ensure the audit configuration is immutable"
     description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot."
     rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
@@ -453,7 +453,7 @@ checks:
       - 'f:/etc/audit/audit.rules'
       - 'f:/etc/audit/audit.rules -> r:^\s*\t*-e 2$'
 
-  - id: 10528
+  - id: 2528
     title: "Ensure SSH X11 forwarding is disabled"
     description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
     rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index 48c3b0c18..a38650eeb 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
@@ -28,7 +28,7 @@ requirements:
 checks:
 
   # 1.1.1 Disable unused filesystems
-  - id: 16000
+  - id: 3000
     title: "Ensure mounting of freevxfs filesystems is disabled"
     description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
     rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -41,7 +41,7 @@ checks:
       - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
       - 'not c:lsmod -> r:freevxfs'
 
-  - id: 16001
+  - id: 3001
     title: "Ensure mounting of jffs2 filesystems is disabled"
     description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
     rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -54,7 +54,7 @@ checks:
       - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
       - 'not c:lsmod -> r:jffs2'
 
-  - id: 16002
+  - id: 3002
     title: "Ensure mounting of hfs filesystems is disabled"
     description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
     rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -67,7 +67,7 @@ checks:
       - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
       - 'not c:lsmod -> r:hfs'
 
-  - id: 16003
+  - id: 3003
     title: "Ensure mounting of hfsplus filesystems is disabled"
     description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
     rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -80,7 +80,7 @@ checks:
       - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
       - 'not c:lsmod -> r:hfsplus'
 
-  - id: 16004
+  - id: 3004
     title: "Ensure mounting of udf filesystems is disabled"
     description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
     rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it."
@@ -94,7 +94,7 @@ checks:
       - 'not c:lsmod -> r:udf'
 
   # 2 Filesystem Configuration
-  - id: 16005
+  - id: 3005
     title: "Ensure /tmp is configured"
     description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
     rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -109,7 +109,7 @@ checks: rules: - 'c:mount -> r:\s/tmp\s' - - id: 16006 + - id: 3006 title: "Ensure nodev option set on /tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." @@ -121,7 +121,7 @@ checks: rules: - 'c:mount -> r:\s/tmp\s && r:nodev' - - id: 16007 + - id: 3007 title: "Ensure nosuid option set on /tmp partition" description: "The nosuid mount option specifies that the filesystem cannot contain set userid files." rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp." @@ -133,7 +133,7 @@ checks: rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' - - id: 16008 + - id: 3008 title: "Ensure nodev option set on /var/tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp." @@ -145,7 +145,7 @@ checks: rules: - 'c:mount -> r:\s/var/tmp\s && r:nodev' - - id: 16009 + - id: 3009 title: "Ensure nosuid option set on /var/tmp partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp." 
@@ -157,7 +157,7 @@ checks: rules: - 'c:mount -> r:\s/var/tmp\s && r:nosuid' - - id: 16010 + - id: 3010 title: "Ensure noexec option set on /var/tmp partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." @@ -169,7 +169,7 @@ checks: rules: - 'c:mount -> r:\s/var/tmp\s && r:noexec' - - id: 16011 + - id: 3011 title: "Ensure nodev option set on /home partition" description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices." rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices. Note: The actions in the item refer to the /home partition, which is the default user partition that is defined in many distributions. If you have created other user partitions, it is recommended that the Remediation and Audit steps be applied to these partitions as well." @@ -181,7 +181,7 @@ checks: rules: - 'c:mount -> r:\s/home\s && r:nodev' - - id: 16012 + - id: 3012 title: "Ensure nodev option set on /dev/shm partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." 
@@ -193,7 +193,7 @@ checks: rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' - - id: 16013 + - id: 3013 title: "Ensure nosuid option set on /dev/shm partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." @@ -205,7 +205,7 @@ checks: rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' - - id: 16014 + - id: 3014 title: "Ensure noexec option set on /dev/shm partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." @@ -217,7 +217,7 @@ checks: rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' - - id: 16015 + - id: 3015 title: "Disable Automounting" description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives." rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." @@ -230,7 +230,7 @@ checks: - 'c:systemctl is-enabled autofs -> r:^enabled' # 1.3 Filesystem Integrity Checking - - id: 16016 + - id: 3016 title: "Ensure AIDE is installed" description: "AIDE takes a snapshot of filesystem state including modification times, permissions, and file hashes which can then be used to compare against the current state of the filesystem to detect modifications to the system." rationale: "By monitoring the filesystem state compromised files can be detected to prevent or limit the exposure of accidental or malicious misconfigurations or modified binaries." 
@@ -242,7 +242,7 @@ checks: rules: - 'c:dpkg -s aide -> r:install ok installed' - - id: 16017 + - id: 3017 title: "Ensure filesystem integrity is regularly checked" description: "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem." rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion." @@ -255,7 +255,7 @@ checks: - 'f:/etc/crontab -> r:\s*\t*/usr/sbin/aide\s*\t*|\s*\t*/usr/bin/aide\s*\t* && r:\s*\t*--check' # 1.4 Secure Boot Settings - - id: 16018 + - id: 3018 title: "Ensure bootloader password is set" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." @@ -268,7 +268,7 @@ checks: - 'f:/boot/grub/grub.cfg -> r:^\s*\t*set superusers' - 'f:/boot/grub/grub.cfg -> r:^\s*\t*password' - - id: 16019 + - id: 3019 title: "Ensure authentication required for single user mode" description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader." rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials." 
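Review bot: The second context rule of check 3018 in the last hunk, `f:/boot/grub/grub.cfg -> r:^\s*\t*password`, also accepts a legacy plaintext `password` directive, which is weaker than the hashed form the CIS item asks for; tighten it to `- 'f:/boot/grub/grub.cfg -> r:^\s*\t*password_pbkdf2'`. The start of the 3018 stanza and its `condition:` are above this hunk, so confirm the two grub rules are combined with `all` rather than `any`, otherwise `set superusers` alone would satisfy the check.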
@@ -281,7 +281,7 @@ checks: - 'f:/etc/shadow -> r:^root:*:|^root:!:' # 1.5 Additional Process Hardening - - id: 16020 + - id: 3020 title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user." rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." @@ -295,7 +295,7 @@ checks: - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$' - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' - - id: 16021 + - id: 3021 title: "Ensure address space layout randomization (ASLR) is enabled" description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." 
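Review bot: The rule `f:/etc/shadow -> r:^root:*:|^root:!:` in the first hunk is meant to catch a locked root entry, but in the regex dialect this file uses everywhere else (`\s*\t*`, `\.+`) the `*` is a repetition modifier rather than a literal asterisk, so `^root:*:` presumably reduces to `^root:` and matches every root line, including one holding a valid hash — verify against os_regex. If that holds, the check cannot tell a locked root from an unlocked one and the first alternative needs a form that matches the literal `*` marker (an escaped asterisk if the dialect supports it, otherwise a positive test that the password field starts with a hash). The `condition:` that decides whether a match is a failure is above this hunk.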
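Review bot: The first context rule of check 3020 in the second hunk has no space before the arrow, `/etc/sysctl.d-> r:=\s*\t*0$`, unlike every other rule in this file; if the SCA parser splits on ` -> ` the whole string becomes the command and the `r:` pattern is never applied. Change it to `- 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*0$'`. In the second rule the grep pattern begins with `^*`, a bare star right after the anchor that grep takes literally and that looks unintended; `^[[:space:]]*hard[[:space:]]...` reads as the intent. The 3020 stanza begins above this hunk.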
@@ -309,7 +309,7 @@ checks: - 'c:sysctl kernel.randomize_va_space -> r:^kernel.randomize_va_space\s*\t*=\s*\t*2' # 1.7 Warning Banners - - id: 16022 + - id: 3022 title: "Ensure local login warning banner is configured properly" description: "The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: \\m - machine architecture \\r - operating system release \\s - operating system name \\v - operating system version" rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in." @@ -321,7 +321,7 @@ checks: rules: - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' - - id: 16023 + - id: 3023 title: "Ensure GDM login banner is configured" description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." 
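Review bot: In check 3022 (second hunk) the rule `f:/etc/issue -> r:\v|\r|\m|\s|Debian` is meant to detect the getty escape sequences `\v`, `\r`, `\m`, `\s`, but in the regex dialect used throughout this file `\s` is the whitespace class (compare `r:\s/tmp\s` earlier), so any banner containing a space matches, and `\v`, `\r`, `\m` are not literal backslash sequences either. The backslash has to be escaped to be matched literally, e.g. `- 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian'` — confirm against os_regex's escape handling before relying on it. Whether a match counts as a failure depends on the `condition:` above this hunk.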
@@ -337,7 +337,7 @@ checks: - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' # 2 Services - - id: 16024 + - id: 3024 title: "Ensure xinetd is not installed" description: "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetddaemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetdservices required, it is recommended that the daemon be disabled." @@ -349,7 +349,7 @@ checks: rules: - 'c:dpkg -s xinetd -> r:install ok installed' - - id: 16025 + - id: 3025 title: "Ensure openbsd-inetd is not installed" description: "The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no inetd services required, it is recommended that the daemon be removed." @@ -362,7 +362,7 @@ checks: - 'c:dpkg -s openbsd-inetd -> r:install ok installed' - 'c:dpkg -s inetutils-inetd -> r:install ok installed' - - id: 16026 + - id: 3026 title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system." rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." 
@@ -380,7 +380,7 @@ checks: - 'f:/etc/ntp.conf -> r:^server\s\.+' - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp' - - id: 16027 + - id: 3027 title: "Ensure chrony is configured" description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server." rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly. This recommendation only applies if chrony is in use on the system." @@ -392,7 +392,7 @@ checks: rules: - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' - - id: 16028 + - id: 3028 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface." 
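Review bot: Check 3027 in the second hunk reads `/etc/chrony.conf`, but on Debian the chrony package keeps its configuration at `/etc/chrony/chrony.conf`, so on the platform this policy targets (it relies on dpkg, gdm3, bind9 and apache2 elsewhere) the file is normally absent and the rule cannot match. Point the rule at the Debian path, `- 'f:/etc/chrony/chrony.conf -> r:^server\.+$|^pool\.+$'`, or keep both paths as separate rules if the policy is meant to be reused on other distributions. The check's `condition:` is above this hunk.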
@@ -404,7 +404,7 @@ checks: rules: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' - - id: 16029 + - id: 3029 title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." @@ -418,7 +418,7 @@ checks: rules: - 'c:systemctl is-enabled cups -> r:^enabled' - - id: 16030 + - id: 3030 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." @@ -433,7 +433,7 @@ checks: - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled' - 'c:systemctl is-enabled isc-dhcp-server6 -> r:^enabled' - - id: 16031 + - id: 3031 title: "Ensure LDAP server is not enabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." 
@@ -447,7 +447,7 @@ checks: rules: - 'c:systemctl is-enabled slapd -> r:^enabled' - - id: 16032 + - id: 3032 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." @@ -460,7 +460,7 @@ checks: - 'c:systemctl is-enabled nfs-server -> r:^enabled' - 'c:systemctl is-enabled rpcbind -> r:^enabled' - - id: 16033 + - id: 3033 title: "Ensure DNS Server is not enabled" description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network." rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface." @@ -472,7 +472,7 @@ checks: rules: - 'c:systemctl is-enabled bind9 -> r:^enabled' - - id: 16034 + - id: 3034 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface." 
@@ -484,7 +484,7 @@ checks: rules: - 'c:systemctl is-enabled vsftpd -> r:^enabled' - - id: 16035 + - id: 3035 title: "Ensure HTTP Server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface." @@ -496,7 +496,7 @@ checks: rules: - 'c:systemctl is-enabled apache2 -> r:^enabled' - - id: 16036 + - id: 3036 title: "Ensure IMAP and POP3 server is not enabled" description: "exim is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." @@ -509,7 +509,7 @@ checks: rules: - 'c:dpkg -s exim4 -> install ok installed' - - id: 16037 + - id: 3037 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface." @@ -521,7 +521,7 @@ checks: rules: - 'c:systemctl is-enabled smbd -> r:^enabled' - - id: 16038 + - id: 3038 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface." 
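Review bot: The rule for check 3036 in the last hunk, `c:dpkg -s exim4 -> install ok installed`, is missing the `r:` prefix that every other dpkg rule in this file carries, so the text after the arrow is not applied as a regex and, by the rule syntax used everywhere else here, will not match dpkg's `Status: install ok installed` line; write it as `- 'c:dpkg -s exim4 -> r:install ok installed'`. The check also appears to target the wrong package: exim4 is Debian's default MTA, not an IMAP/POP3 server, so the description in the previous hunk is inaccurate and the CIS item it corresponds to is about dovecot (`dovecot-imapd`, `dovecot-pop3d`). The 3036 stanza's `condition:` is above this hunk.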
@@ -533,7 +533,7 @@ checks: rules: - 'c:systemctl is-enabled squid -> r:^enabled' - - id: 16039 + - id: 3039 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." @@ -545,7 +545,7 @@ checks: rules: - 'c:systemctl is-enabled snmpd -> r:^enabled' - - id: 16040 + - id: 3040 title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." @@ -557,7 +557,7 @@ checks: rules: - 'c:systemctl is-enabled rsync -> r:^enabled' - - id: 16041 + - id: 3041 title: "Ensure NIS Server is not enabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" 
@@ -570,7 +570,7 @@ checks: rules: - 'c:systemctl is-enabled nis -> r:^enabled' - - id: 16042 + - id: 3042 title: "Ensure NIS Client is not installed" description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." @@ -582,7 +582,7 @@ checks: rules: - 'c:dpkg -s nis -> r:install ok installed' - - id: 16043 + - id: 3043 title: "Ensure rsh client is not installed" description: "The rshpackage contains the client commands for the rsh services." rationale: "These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rshpackage removes the clients for rsh, rcpand rlogin." @@ -595,7 +595,7 @@ checks: - 'c:dpkg -s rsh-client -> r:install ok installed' - 'c:dpkg -s rsh-redone-client -> r:install ok installed' - - id: 16044 + - id: 3044 title: "Ensure talk client is not installed" description: "The talksoftware makes it possible for users to send and receive messages across systems through a terminal session. The talkclient, which allows initialization of talk sessions, is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
@@ -607,7 +607,7 @@ checks: rules: - 'c:dpkg -s talk -> r:install ok installed' - - id: 16045 + - id: 3045 title: "Ensure telnet client is not installed" description: "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Linux distributions." @@ -620,7 +620,7 @@ checks: - 'c:dpkg -s telnet -> r:install ok installed' # 3 Network Configuration - - id: 16046 + - id: 3046 title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward and net.ipv6.conf.all.forwarding flags are used to tell the system whether it can forward packets or not." rationale: "Setting the flags to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." @@ -635,7 +635,7 @@ checks: - 'c:sysctl net.ipv6.conf.all.forwarding -> r:=\s*\t*0$' - 'c:grep -Rh net\.ipv6\.conf\.all\.forwarding /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.forwarding\s*=\s*0$' - - id: 16047 + - id: 3047 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
@@ -650,7 +650,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' - 'c:grep -Rh net\.ipv4\.conf\.default\.send_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.send_redirects\s*=\s*0$' - - id: 16048 + - id: 3048 title: "Ensure source routed packets are not accepted" description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used." rationale: "Setting net.ipv4.conf.all.accept_source_route, net.ipv4.conf.default.accept_source_route, net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing." 
@@ -669,7 +669,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_source_route\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_source_route\s*=\s*0$' - - id: 16049 + - id: 3049 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." @@ -688,7 +688,7 @@ checks: - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_redirects\s*=\s*0$' - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_redirects\s*=\s*0$' - - id: 16050 + - id: 3050 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
@@ -703,7 +703,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' - - id: 16051 + - id: 3051 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server." @@ -718,7 +718,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' - - id: 16052 + - id: 3052 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied." 
@@ -731,7 +731,7 @@ checks: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' - - id: 16053 + - id: 3053 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -744,7 +744,7 @@ checks: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$' - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' - - id: 16054 + - id: 3054 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." rationale: Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing. 
@@ -759,7 +759,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$' - - id: 16055 + - id: 3055 title: "Ensure TCP SYN Cookies is enabled" description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack." 
@@ -772,7 +772,7 @@ checks:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
 - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'
- - id: 16056
+ - id: 3056
 title: "Ensure IPv6 router advertisements are not accepted"
 description: "This setting disables the systems ability to accept router advertisements"
 rationale: "It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes."
@@ -787,7 +787,7 @@ checks:
 - 'c:grep -Rh net\.ipv6\.conf\.all\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.all.accept_ra\s*=\s*0$'
 - 'c:grep -Rh net\.ipv6\.conf\.default\.accept_ra /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv6.conf.default.accept_ra\s*=\s*0$'
- - id: 16057
+ - id: 3057
 title: "Ensure /etc/hosts.allow is configured"
 description: "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file."
 rationale: "The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the system."
@@ -799,7 +799,7 @@ checks:
 rules:
 - 'f:/etc/hosts.allow'
- - id: 16058
+ - id: 3058
 title: "Ensure /etc/hosts.deny is configured"
 description: "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file."
 rationale: "The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server."
@@ -812,7 +812,7 @@ checks:
 - 'f:/etc/hosts.deny'
 - 'f:/etc/hosts.deny -> r:^ALL:\s*ALL'
- - id: 16059
+ - id: 3059
 title: "Ensure DCCP is disabled"
 description: "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in- sequence delivery."
 rationale: "If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface."
@@ -825,7 +825,7 @@ checks:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
 - 'c:lsmod -> r:dccp'
- - id: 16060
+ - id: 3060
 title: "Ensure SCTP is disabled"
 description: "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -838,7 +838,7 @@ checks:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
 - 'c:lsmod -> r:sctp'
- - id: 16061
+ - id: 3061
 title: "Ensure RDS is disabled"
 description: "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -851,7 +851,7 @@ checks:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
 - 'c:lsmod -> r:rds'
- - id: 16062
+ - id: 3062
 title: "Ensure TIPC is disabled"
 description: "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes."
 rationale: "If the protocol is not being used, it is recommended that kernel module not be loaded, disabling the service to reduce the potential attack surface."
@@ -866,7 +866,7 @@ checks:
 # 3.5 Firewall configuration
- - id: 16063
+ - id: 3063
 title: "Ensure default deny firewall policy"
 description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
@@ -880,7 +880,7 @@ checks:
 - 'c:iptables -L -> r:^Chain FORWARD && r:policy DROP'
 - 'c:iptables -L -> r:^Chain OUTPUT && r:policy DROP'
- - id: 16064
+ - id: 3064
 title: "Ensure IPv6 default deny firewall policy"
 description: "A default deny all policy on connections ensures that any unconfigured network usage will be rejected."
 rationale: "With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage."
@@ -894,7 +894,7 @@ checks:
 - 'c:ip6tables -L -> r:^Chain FORWARD && r:policy DROP'
 - 'c:ip6tables -L -> r:^Chain OUTPUT && r:policy DROP'
- - id: 16065
+ - id: 3065
 title: "Ensure iptables is installed"
 description: "iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables."
 rationale: "iptables is required for firewall management and configuration."
@@ -907,7 +907,7 @@ checks:
 - 'c:dpkg -s iptables -> r:install ok installed'
 # 4 Logging and Auditing
- - id: 16066
+ - id: 3066
 title: "Ensure rsyslog Service is enabled"
 description: "Once the rsyslog package is installed it needs to be activated."
 rationale: "If the rsyslog service is not activated the system will not have a syslog service running."
@@ -919,7 +919,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled rsyslog -> r:^enabled'
- - id: 16067
+ - id: 3067
 title: "Ensure rsyslog is configured to send logs to a remote log host"
 description: "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead."
 rationale: "Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system."
@@ -933,7 +933,7 @@ checks:
 rules:
 - 'c:grep -Rh ^*.*[^I][^I]*@ /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^*.* @@\.+'
- - id: 16068
+ - id: 3068
 title: "Ensure remote rsyslog messages are only accepted on designated log hosts"
 description: "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port."
 rationale: "The guidance in the section ensures that remote log hosts are configured to only accept rsyslog data from hosts within the specified domain and that those systems that are not designed to be log hosts do not accept any remote rsyslog messages. This provides protection from spoofed log data and ensures that system administrators are reviewing reasonably complete syslog data in a central location."
@@ -949,7 +949,7 @@ checks:
 - 'c:grep -Rh ^\$InputTCPServerRun /etc/rsyslog.conf /etc/rsyslog.d/ -> r:^\$InputTCPServerRun\s*\t*514'
 # 5 Access, Authentication and Authorization
- - id: 16069
+ - id: 3069
 title: "Ensure cron daemon is enabled"
 description: "The cron daemon is used to execute batch jobs on the system."
 rationale: "While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them."
@@ -961,7 +961,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled cron -> r:^enabled$'
- - id: 16070
+ - id: 3070
 title: "Ensure at/cron is restricted to authorized users"
 description: "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
 rationale: "On many systems, only the system administrator is authorized to schedule cronjobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files."
@@ -978,7 +978,7 @@ checks:
 - 'c:stat -c%u-%g-%a /etc/cron.allow -> r:^0-0-600'
 - 'c:stat -c%u-%g-%a /etc/at.allow -> r:^0-0-600'
- - id: 16071
+ - id: 3071
 title: "Ensure permissions on /etc/ssh/sshd_config are configured"
 description: "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
 rationale: "The /etc/ssh/sshd_config file needs to be protected from unauthorized changes by non- privileged users."
@@ -990,7 +990,7 @@ checks:
 rules:
 - 'c:stat -c%u-%g-%a /etc/ssh/sshd_config -> r:^0-0-600'
- - id: 16072
+ - id: 3072
 title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -1002,7 +1002,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
- - id: 16073
+ - id: 3073
 title: "Ensure SSH LogLevel is appropriate"
 description: "INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. VERBOSE level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
@@ -1016,7 +1016,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
- - id: 16074
+ - id: 3074
 title: "Ensure SSH X11 forwarding is disabled"
 description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
 rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
@@ -1028,7 +1028,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
- - id: 16075
+ - id: 3075
 title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -1040,7 +1040,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
- - id: 16076
+ - id: 3076
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhostsand .shostsfiles will not be used in RhostsRSAAuthenticationor HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -1052,7 +1052,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
- - id: 16077
+ - id: 3077
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -1064,7 +1064,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
- - id: 16078
+ - id: 3078
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
 rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
@@ -1078,7 +1078,7 @@ checks:
 # 5.2 SSH Server Configuration
- - id: 16079
+ - id: 3079
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -1090,7 +1090,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
- - id: 16080
+ - id: 3080
 title: "Ensure SSH PermitUserEnvironment is disabled"
 description: "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
 rationale: "Permitting users the ability to set environment variables through the SSH daemon could potentially allow users to bypass security controls (e.g. setting an execution path that has ssh executing trojan'd programs)"
@@ -1102,7 +1102,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
- - id: 16081
+ - id: 3081
 title: "Ensure SSH Idle Timeout Interval is configured"
 description: "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
 rationale: "Having no timeout value associated with a connection could allow an unauthorized user access to another user's ssh session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening. While the recommended setting is 300 seconds (5 minutes), set this timeout value based on site policy. The recommended setting for ClientAliveCountMax is 0. In this case, the client session will be terminated after 5 minutes of idle time and no keepalive messages will be sent."
@@ -1115,7 +1115,7 @@ checks:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveCountMax\s*\t*(\d+) compare <= 3'
- - id: 16082
+ - id: 3082
 title: "Ensure SSH access is limited"
 description: "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers, AllowGroups, DenyUsers, DenyGroups."
 rationale: "Restricting which users can remotely access the system via SSH will help ensure that only authorized users access the system."
@@ -1127,7 +1127,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
- - id: 16083
+ - id: 3083
 title: "Ensure SSH warning banner is configured"
 description: "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
 rationale: "Banners are used to warn connecting users of the particular site's policy regarding connection. Presenting a warning message prior to the normal user login may assist the prosecution of trespassers on the computer system."
@@ -1141,7 +1141,7 @@ checks:
 # 5.3 Configure PAM
- - id: 16084
+ - id: 3084
 title: "Ensure password creation requirements are configured"
 description: "The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options: - retry=3 (Allow 3 tries before sending back a failure). The following options are set in the /etc/security/pwquality.conf file: - minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1 (The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.)"
 rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -1159,7 +1159,7 @@ checks:
 - 'f:/etc/security/pwquality.conf -> !r:^# && r:ocredit'
 - 'f:/etc/security/pwquality.conf -> !r:^# && r:lcredit'
- - id: 16085
+ - id: 3085
 title: "Ensure lockout for failed password attempts is configured"
 description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users. Check the documentation for each secondary program for instructions on how to configure them to work with PAM. Set the lockout number to the policy in effect at your site."
 rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
@@ -1171,7 +1171,7 @@ checks:
 rules:
 - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+'
- - id: 16086
+ - id: 3086
 title: "Ensure password reuse is limited"
 description: "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."
 rationale: "Forcing users not to reuse their past 5 passwords make it less likely that an attacker will be able to guess the password. Note that these change only apply to accounts configured on the local system."
@@ -1185,7 +1185,7 @@ checks:
 # 5.4 User Accounts and Environment
- - id: 16087
+ - id: 3087
 title: "Ensure password expiration is 365 days or less"
 description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
 rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
@@ -1197,7 +1197,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
- - id: 16088
+ - id: 3088
 title: "Ensure minimum days between password changes is 7 or more"
 description: "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
 rationale: "By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls."
@@ -1209,7 +1209,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
- - id: 16089
+ - id: 3089
 title: "Ensure password expiration warning days is 7 or more"
 description: "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
 rationale: "Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered."
@@ -1221,7 +1221,7 @@ checks:
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
- - id: 16090
+ - id: 3090
 title: "Ensure inactive password lock is 30 days or less"
 description: "User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled."
 rationale: "Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies."
@@ -1233,7 +1233,7 @@ checks:
 rules:
 - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
- - id: 16091
+ - id: 3091
 title: "Ensure default group for the root account is GID 0"
 description: "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
 rationale: "Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users."
@@ -1245,7 +1245,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
- - id: 16092
+ - id: 3092
 title: "Ensure access to the su command is restricted"
 description: "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the sudo group to execute su."
 rationale: "Restricting the use of su, and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo, whereas su can only record that a user executed the su program."
@@ -1260,7 +1260,7 @@ checks:
 # 6.2 User and Group Settings
- - id: 16093
+ - id: 3093
 title: "Ensure password fields are not empty"
 description: "An account with an empty password field means that anybody may log in as that user without providing a password."
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
@@ -1272,7 +1272,7 @@ checks:
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
- - id: 16094
+ - id: 3094
 title: "Ensure no legacy \"+\" entries exist in /etc/passwd"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1284,7 +1284,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && r:^+:'
- - id: 16095
+ - id: 3095
 title: "Ensure no legacy \"+\" entries exist in /etc/shadow"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1296,7 +1296,7 @@ checks:
 rules:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
- - id: 16096
+ - id: 3096
 title: "Ensure no legacy \"+\" entries exist in /etc/group"
 description: "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms."
 rationale: "These entries may provide an avenue for attackers to gain privileged access on the system."
@@ -1308,7 +1308,7 @@ checks:
 rules:
 - 'f:/etc/group -> !r:^# && r:^+:'
- - id: 16097
+ - id: 3097
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
@@ -1320,7 +1320,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && !r:^root: && r:^\w+:\w+:0:'
- - id: 16098
+ - id: 3098
 title: "Ensure shadow group is empty"
 description: "The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group."
 rationale: "Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts."
diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml
index 32193c90a..64c9b0e6d 100644
--- a/sca/debian/cis_debian9_L2.yml
+++ b/sca/debian/cis_debian9_L2.yml
@@ -28,7 +28,7 @@ requirements:
 checks:
- - id: 16500
+ - id: 3500
 title: "Ensure separate partition exists for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -42,7 +42,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var\s'
- - id: 16501
+ - id: 3501
 title: "Ensure separate partition exists for /var/tmp"
 description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated."
@@ -54,7 +54,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/tmp\s'
- - id: 16502
+ - id: 3502
 title: "Ensure separate partition exists for /var/log"
 description: "The /var/log directory is used by system services to store log data."
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -68,7 +68,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/log\s'
- - id: 16503
+ - id: 3503
 title: "Ensure separate partition exists for /var/log/audit"
 description: "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
@@ -82,7 +82,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var/log/audit\s'
- - id: 16504
+ - id: 3504
 title: "Ensure separate partition exists for /home"
 description: "The /home directory is used to support disk storage needs of local users."
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -96,7 +96,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/home\s'
- - id: 16505
+ - id: 3505
 title: "Disable Automounting"
 description: "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives."
 rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves."
@@ -109,7 +109,7 @@ checks:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
 # 4 Additional Process Hardening
- - id: 16506
+ - id: 3506
 title: "Ensure SELinux or AppArmor are installed"
 description: "SELinux and AppArmor provide Mandatory Access Controls."
 rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
@@ -124,7 +124,7 @@ checks:
 # 2 Services
- - id: 16507
+ - id: 3507
 title: "Ensure CUPS is not enabled"
 description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
 rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -140,7 +140,7 @@ checks:
 # 4 Logging and Auditing
- - id: 16508
+ - id: 3508
 title: "Ensure audit log storage size is configured"
 description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started."
 rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost."
@@ -154,7 +154,7 @@ checks:
 - 'f:/etc/audit/auditd.conf'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file\s*\t*=\s*\t*\d+'
- - id: 16509
+ - id: 3509
 title: "Ensure system is disabled when audit logs are full"
 description: "The auditd daemon can be configured to halt the system when the audit logs are full."
 rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability."
@@ -170,7 +170,7 @@ checks:
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*\t*=\s*\t*email'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*\t*=\s*\t*halt'
- - id: 16510
+ - id: 3510
 title: "Ensure audit logs are not automatically deleted"
 description: "The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs."
 rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history."
@@ -184,7 +184,7 @@ checks:
 - 'f:/etc/audit/auditd.conf'
 - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*\t*=\s*\t*keep_logs'
- - id: 16511
+ - id: 3511
 title: "Ensure auditd service is enabled"
 description: "Turn on the auditd daemon to record system events."
 rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
@@ -196,7 +196,7 @@ checks: rules: - 'c:systemctl is-enabled auditd -> r:^enabled'
- - id: 16512
+ - id: 3512 title: "Ensure auditing for processes that start prior to auditd is enabled" description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected."
@@ -208,7 +208,7 @@ checks: rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*'
- - id: 16513
+ - id: 3513 title: "Ensure events that modify date and time information are collected" description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system."
@@ -226,7 +226,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S clock_settime && r:-k time-change' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/localtime && r:-p wa && r:-k time-change'
- - id: 16514
+ - id: 3514 title: "Ensure events that modify user/group information are collected" description: "Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
@@ -244,7 +244,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/shadow && r:-p wa && r:-k identity' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/security/opasswd && r:-p wa && r:-k identity'
- - id: 16515
+ - id: 3515 title: "Ensure events that modify the system's network environment are collected" description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files." rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
@@ -263,7 +263,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/hosts && r:-p wa && r:-k system-locale' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sysconfig/network && r:-p wa && r:-k system-locale'
- - id: 16516
+ - id: 3516 title: "Ensure events that modify the system's Mandatory Access Controls are collected (SELinux)" description: "Monitor SELinux mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
@@ -278,7 +278,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/selinux/ && r:-p wa && r:-k MAC-policy' - 'f:/etc/audit/audit.rules -> r:^-w && r:/usr/share/selinux/ && r:-p wa && r:-k MAC-policy'
- - id: 16517
+ - id: 3517 title: "Ensure events that modify the system's Mandatory Access Controls are collected (AppArmor)" description: "Monitor AppArmor mandatory access control. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/apparmor and /etc/apparmor.d directories." rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
@@ -293,7 +293,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor/ && r:-p wa && r:-k MAC-policy' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/apparmor.d/ && r:-p wa && r:-k MAC-policy'
- - id: 16518
+ - id: 3518 title: "Ensure login and logout events are collected" description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module" rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
@@ -309,7 +309,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/lastlog && r:-p wa && r:-k logins' - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/tallylog && r:-p wa && r:-k logins'
- - id: 16519
+ - id: 3519 title: "Ensure session initiation information is collected" description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. All audit records will be tagged with the identifier \"session.\" The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier \"logins.\"" rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
@@ -325,7 +325,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/wtmp && r:-p wa && r:-k logins' - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/btmp && r:-p wa && r:-k logins'
- - id: 16520
+ - id: 3520 title: "Ensure discretionary access control permission modification events are collected" description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod , fchmod and fchmodat system calls affect the permissions associated with a file. The chown , fchown , fchownat and lchown system calls affect owner and group attributes on a file. The setxattr , lsetxattr , fsetxattr (set extended file attributes) and removexattr , lremovexattr , fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
@@ -344,7 +344,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
- - id: 16521
+ - id: 3521 title: "Ensure unsuccessful unauthorized file access attempts are collected" description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( creat ), opening ( open , openat ) and truncation ( truncate , ftruncate ) of files. An audit log record will only be written if the user is a non- privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
@@ -361,7 +361,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
- - id: 16522
+ - id: 3522 title: "Ensure successful file system mounts are collected" description: "Monitor the use of the mount system call. The mount (and umount ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user." rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
@@ -376,7 +376,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
- - id: 16523
+ - id: 3523 title: "Ensure file deletion events by users are collected" description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"." rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
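Review bot: Both mount rules in this hunk test `-F arch=b32`, so the policy never verifies that a 64-bit `mount` audit rule exists; the neighbouring perm_mod, access and delete checks each pair a b64 rule with a b32 rule, and this check presumably intends the same. The first of the two lines should read `- 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'`. As written, a host with only the b32 rule passes, and the duplicate line adds nothing. The check's `rules:` key and condition sit outside the hunk.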
@@ -391,7 +391,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
- - id: 16524
+ - id: 3524 title: "Ensure changes to system administration scope (sudoers) is collected" description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"" rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
@@ -406,7 +406,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers && r:-p wa && r:-k scope' - 'f:/etc/audit/audit.rules -> r:^-w && r:/etc/sudoers.d/ && r:-p wa && r:-k scope'
- - id: 16525
+ - id: 3525 title: "Ensure system administrator actions (sudolog) are collected" description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log . Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log." rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
@@ -420,7 +420,7 @@ checks: - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^-w && r:/var/log/sudo.log && r:-p wa && r:-k actions'
- - id: 16526
+ - id: 3526 title: "Ensure kernel module loading and unloading is collected" description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"." rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
@@ -437,7 +437,7 @@ checks: - 'f:/etc/audit/audit.rules -> r:^-w && r:/sbin/modprobe && r:-p x && r:-k modules' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S init_module && r:-S delete_module && r:-k modules'
- - id: 16527
+ - id: 3527 title: "Ensure the audit configuration is immutable" description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot." rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
@@ -451,7 +451,7 @@ checks: - 'f:/etc/audit/audit.rules' - 'f:/etc/audit/audit.rules -> r:^\s*\t*-e 2$'
- - id: 16528
+ - id: 3528 title: "Ensure SSH X11 forwarding is disabled" description: "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections." rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders."
diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml
index f6eabbd98..69367f4e6 100644
--- a/sca/generic/sca_unix_audit.yml
+++ b/sca/generic/sca_unix_audit.yml
@@ -30,7 +30,7 @@ variables: $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd checks:
- - id: 1500
+ - id: 4000 title: "SSH Hardening - 1: Port should not be 22" description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port."
@@ -41,7 +41,7 @@ checks: rules: - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22\s\t*$'
- - id: 1501
+ - id: 4001 title: "SSH Hardening - 2: Protocol should be set to 2" description: "The SSH protocol should not be 1." rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses."
@@ -52,7 +52,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*\t*$'
- - id: 1502
+ - id: 4002 title: "SSH Hardening - 3: Root account should not be able to log in" description: "The option PermitRootLogin should be set to no." rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses."
@@ -61,7 +61,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*PermitRootLogin\s*\t*no'
- - id: 1503
+ - id: 4003 title: "SSH Hardening - 4: No Public Key authentication" description: "The option PubkeyAuthentication should be set yes." rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password."
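Review bot: In the second hunk (`@@ -41`) the port rule `r:Port` is unanchored, so any uncommented line whose text contains `Port` — `GatewayPorts no`, for example — satisfies it, and with an any-style condition the check would pass while the daemon still listens on 22, including the common case where the `Port` directive is left commented out at its default. Anchoring it as `- 'f:$sshd_file -> r:^\s*Port\s && !r:\s*\t*22\s\t*$'` restricts the match to the actual directive; the absent-directive case still needs its own handling. The check's condition lies outside the hunk, so the pass/fail effect is inferred.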
@@ -72,7 +72,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\s*\t*yes'
- - id: 1504
+ - id: 4004 title: "SSH Hardening - 5: Password Authentication should be disabled" description: "The option PasswordAuthentication should be set to no." rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords."
@@ -83,7 +83,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*PasswordAuthentication\s*\t*no'
- - id: 1505
+ - id: 4005 title: "SSH Hardening - 6: Empty passwords should not be allowed" description: "The option PermitEmptyPasswords should be set to no." rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice."
@@ -94,7 +94,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\s*\t*no'
- - id: 1506
+ - id: 4006 title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" description: "The option IgnoreRhosts should be set to yes." rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication."
@@ -105,7 +105,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\s*\t*yes'
- - id: 1507
+ - id: 4007 title: "SSH Hardening - 8: Grace Time should be one minute or less." description: "The option LoginGraceTime should be set to 60 or less." rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate."
@@ -116,7 +116,7 @@ checks: rules: - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60'
- - id: 1508
+ - id: 4008 title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" description: "The option MaxAuthTries should be set to 4 or less." rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4."
@@ -127,7 +127,7 @@ checks: rules: - 'f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4'
- - id: 1509
+ - id: 4009 title: "Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -140,7 +140,7 @@ checks: rules: - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\s*\t*no'
- - id: 1510
+ - id: 4010 title: "Ensure password creation requirements are configured" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods."
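Review bot: The LoginGraceTime rule in the first hunk (`@@ -116`), `n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60`, requires a literal `s` after the digits, yet sshd accepts a bare number of seconds (and `m`/`h` suffixes), so a compliant `LoginGraceTime 30` does not match at all and the check reports wrongly for the most common spelling. Dropping the mandatory suffix, e.g. `n:^\s*LoginGraceTime\s*\t*(\d+)s*\s*$ compare <= 60`, covers bare seconds and the `s` form; a minute-suffixed value such as `2m` would still be read as 2 and needs its own rule or a note in the description. The sibling MaxAuthTries rule in the next hunk already uses the suffix-free `(\d+)` form. The check's `condition` is outside the hunk.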
@@ -154,7 +154,7 @@ checks: - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3'
- - id: 1511
+ - id: 4011 title: "Ensure passwords are longer than 14 characters" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -167,7 +167,7 @@ checks: rules: - 'f:$pam_d_files -> r:pam_cracklib.so && n:minlen=(\d+) compare >= 14'
- - id: 1512
+ - id: 4012 title: "Ensure passwords contain at least one digit" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -180,7 +180,7 @@ checks: rules: - 'f:$pam_d_files-> r:pam_cracklib.so && r:dcredit=-1'
- - id: 1513
+ - id: 4013 title: "Ensure passwords contain at least one lowercase character" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -193,7 +193,7 @@ checks: rules: - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=-1'
- - id: 1514
+ - id: 4014 title: "Ensure passwords contain at least one uppercase character" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods."
@@ -206,7 +206,7 @@ checks: rules: - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=-1'
- - id: 1515
+ - id: 4015 title: "Ensure passwords contain at least one special character" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods."
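Review bot: The dcredit rule in the first hunk (`@@ -180`) is written `f:$pam_d_files-> r:pam_cracklib.so && r:dcredit=-1`, without the space before `->` that every sibling rule in this file carries (compare the lcredit and ucredit hunks right below). If the rule parser or the `$pam_d_files` variable substitution keys on the ` -> ` separator, this check would silently fail to evaluate instead of flagging a missing digit requirement. Suggest `- 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=-1'`.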
@@ -219,7 +219,7 @@ checks: rules: - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=-1'
- - id: 1516
+ - id: 4016 title: "Ensure lockout for failed password attempts is configured" description: "Lock out users after n unsuccessful consecutive login attempts. The first sets of changes are made to the PAM configuration files. The second set of changes are applied to the program specific PAM configuration file. The second set of changes must be applied to each program that will lock out users." rationale: "Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems."
@@ -228,7 +228,7 @@ checks: rules: - 'f:/etc/pam.d/common-auth -> r:^auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d+\s*\t*unlock_time=\d+$'
- - id: 1517
+ - id: 4017 title: "Ensure password hashing algorithm is SHA-512" description: "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm." rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords. Note that these change only apply to accounts configured on the local system."
@@ -239,7 +239,7 @@ checks: rules: - 'f:$pam_d_files -> r:^password\.+pam_unix.so\.+sha512'
- - id: 1518
+ - id: 4018 title: "Ensure passwords in /etc/shadow are hashed with SHA-512 or SHA-256" description: "SHA-512 and SHA-256 are much stronger hashing algorithms than MD5." rationale: "The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords."
@@ -251,7 +251,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+:\$1\$|^\w+:\$2\$|^\w+:\$md5\$|^\w+:\$md5\$|^\w+:\$__unix__\$'
- - id: 1519
+ - id: 4019 title: "Ensure password expiration is 365 days or less" description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days." rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
@@ -265,7 +265,7 @@ checks: - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52' - 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
- - id: 1520
+ - id: 4020 title: "Ensure SELinux or AppArmor are installed" description: "SELinux and AppArmor provide Mandatory Access Controls." rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available."
@@ -277,7 +277,7 @@ checks: - 'c:dpkg -s selinux-basics -> r:install ok installed' - 'c:dpkg -s apparmor -> r:install ok installed'
- - id: 1521
+ - id: 4021 title: "Ensure CUPS is not enabled" description: "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability." rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface."
@@ -290,7 +290,7 @@ checks: rules: - 'c:systemctl is-enabled cups -> r:^enabled'
- - id: 1522
+ - id: 4022 title: "Ensure auditd service is enabled" description: "Turn on the auditd daemon to record system events." rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring."
diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml
index b1195ffdc..df4c931e3 100644
--- a/sca/rhel/5/cis_rhel5_linux.yml
+++ b/sca/rhel/5/cis_rhel5_linux.yml
@@ -35,7 +35,7 @@ variables: checks: # 1.1.1 /tmp: partition
- - id: 5500
+ - id: 4500 title: "Create Separate Partition for /tmp" description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
@@ -50,7 +50,7 @@ checks: - 'c:mount -> r:\s/tmp\s' # 1.1.2 /tmp: nodev
- - id: 5501
+ - id: 4501 title: "Set nodev option for /tmp Partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -65,7 +65,7 @@ checks:
- 'c:mount -> r:\s/tmp\s && r:nodev'
# 1.1.3 /tmp: nosuid
- - id: 5502
+ - id: 4502
title: "Set nosuid option for /tmp Partition"
description: "The nosuid mount option specifies that the filesystem cannot contain set userid files."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp ."
@@ -80,7 +80,7 @@ checks:
- 'c:mount -> r:\s/tmp\s && r:nosuid'
# 1.1.4 /tmp: noexec
- - id: 5503
+ - id: 4503
title: "Set noexec option for /tmp Partition"
description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
@@ -95,7 +95,7 @@ checks:
- 'c:mount -> r:\s/tmp\s && r:noexec'
# 1.1.5 Build considerations - Partition scheme.
- - id: 5504
+ - id: 4504
title: "Create Separate Partition for /var"
description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -110,7 +110,7 @@ checks:
- 'c:mount -> r:\s/var\s'
# 1.1.6 bind mount /var/tmp to /tmp
- - id: 5505
+ - id: 4505
title: "Bind Mount the /var/tmp directory to /tmp"
description: "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same /tmp is protected."
rationale: "All programs that use /var/tmp and /tmp to read/write temporary files will always be written to the /tmp file system, preventing a user from running the /var file system out of space or trying to perform operations that have been blocked in the /tmp filesystem."
@@ -124,7 +124,7 @@ checks:
- 'c:mount -> r:\s/var/tmp\s'
# 1.1.7 /var/log: partition
- - id: 5506
+ - id: 4506
title: "Create Separate Partition for /var/log"
description: "The /var/log directory is used by system services to store log data ."
rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -139,7 +139,7 @@ checks:
- 'c:mount -> r:\s/var/log\s'
# 1.1.8 /var/log/audit: partition
- - id: 5507
+ - id: 4507
title: "Create Separate Partition for /var/log/audit"
description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
@@ -154,7 +154,7 @@ checks:
- 'c:mount -> r:\s/var/log/audit\s'
# 1.1.9 /home: partition
- - id: 5508
+ - id: 4508
title: "Create Separate Partition for /home"
description: "The /home directory is used to support disk storage needs of local users."
rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -169,7 +169,7 @@ checks:
- 'c:mount -> r:\s/home\s'
# 1.1.10 /home: nodev
- - id: 5509
+ - id: 4509
title: "Add nodev Option to /home"
description: "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
@@ -184,7 +184,7 @@ checks:
- 'c:mount -> r:\s/home\s && r:nodev'
# 1.1.14 /dev/shm: nodev
- - id: 5510
+ - id: 4510
title: "Add nodev Option to /dev/shm Partition"
description: "The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -199,7 +199,7 @@ checks:
- 'c:mount -> r:\s/dev/shm\s && r:nodev'
# 1.1.15 /dev/shm: nosuid
- - id: 5511
+ - id: 4511
title: "Add nosuid Option to /dev/shm Partition"
description: "The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -214,7 +214,7 @@ checks:
- 'c:mount -> r:\s/dev/shm\s && r:nosuid'
# 1.1.16 /dev/shm: noexec
- - id: 5512
+ - id: 4512
title: "Add noexec Option to /dev/shm Partition"
description: "Set noexec on the shared memory partition to prevent programs from executing from there."
rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -232,7 +232,7 @@ checks:
# 1.2 Software Updates
##########################################
# 1.2.5 Disable yum-updatesd (Scored)
- - id: 5513
+ - id: 4513
title: "Disable yum-updatesd"
description: "The yum-updatesd utility provides notification of updates that are available for your system."
rationale: "The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly."
@@ -251,7 +251,7 @@ checks:
# 1.4 Configure SELinux
###############################################
# 1.4.1 enable selinux in /etc/grub.conf
- - id: 5514
+ - id: 4514
title: "Enable SELinux in /etc/grub.conf"
description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters"
rationale: "SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten."
@@ -266,7 +266,7 @@ checks:
- 'f:/boot/grub/grub.conf -> r:selinux=0|enforcing=0'
# 1.4.2 Set selinux state
- - id: 5515
+ - id: 4515
title: "Set the SELinux State"
description: "Set SELinux to enable when the system is booted."
rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
@@ -281,7 +281,7 @@ checks:
- 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
# 1.4.3 Set seliux policy
- - id: 5516
+ - id: 4516
title: "Set the SELinux Policy"
description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
@@ -296,7 +296,7 @@ checks:
- 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
# 1.4.4 Remove SETroubleshoot
- - id: 5517
+ - id: 4517
title: "Remove SETroubleshoot"
description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
@@ -309,7 +309,7 @@ checks:
- 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on'
# 1.4.5 Disable MCS Translation service mcstrans
- - id: 5518
+ - id: 4518
title: "Disable MCS Translation Service (mcstrans)"
description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
rationale: "Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system."
@@ -327,7 +327,7 @@ checks:
# 1.5 Secure Boot Settings
###############################################
# 1.5.3 Set Boot Loader Password (Scored)
- - id: 5519
+ - id: 4519
title: "Set Boot Loader Password"
description: "Setting the boot loader password will require that the person who is rebooting system the must enter a password before being able to set command line boot parameters"
rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -342,7 +342,7 @@ checks:
- 'f:/boot/grub/grub.conf -> !r:^# && r:password --md5'
# 1.5.4 Require Authentication for Single-User Mode (Scored)
- - id: 5520
+ - id: 4520
title: "Require Authentication for Single-User Mode"
description: "Since /etc/init determines what run state the system is in, setting the entry in /etc/inittab will force single user authentication."
rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -357,7 +357,7 @@ checks:
- 'f:/etc/inittab -> r:^~:S:wait:/sbin/sulogin'
# 1.5.5 Disable Interactive Boot (Scored)
- - id: 5521
+ - id: 4521
title: "Disable Interactive Boot"
description: "The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
@@ -375,7 +375,7 @@ checks:
# 1.6 Additional Process Hardening
###############################################
# 1.6.1 Restrict Core Dumps (Scored)
- - id: 5522
+ - id: 4522
title: "Restrict Core Dumps"
description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid.dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -390,7 +390,7 @@ checks:
- 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
# 1.6.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 5523
+ - id: 4523
title: "Enable Randomized Virtual Memory Region Placement"
description: "Set the system flag to force randomized virtual memory region placement."
rationale: "Randomly placing virtual memory regions will make it difficult for to write memory page exploits as the memory placement will be consistently shifting."
@@ -406,7 +406,7 @@ checks:
- 'c:/sbin/sysctl kernel.randomize_va_space -> r:^\s*kernel.randomize_va_space\s*=\s*2'
# 1.6.2 Configure ExecShield (Scored)
- - id: 5524
+ - id: 4524
title: "Configure ExecShield"
description: "Execshield is made up of a number of kernel features to provide protection against buffer overflow attacks. These features include prevention of execution in memory data space, and special handling of text buffers."
rationale: "Enabling any feature that can protect against buffer overflow attacks enhances the security of the system."
@@ -423,7 +423,7 @@ checks:
# 1.6.4 Enable XD/NX Support on 32-bit x86 Systems (Scored)
# TODO
# 1.6.5 Disable Prelink (Scored)
- - id: 5525
+ - id: 4525
title: "Disable Prelink"
description: "Prelinking is a performance enhancing feature that decreases process start up time. It loads shared libraries into addresses for which the linking of required symbols has already been performed. After a binary has been prelinked, the addresses at which shared libraries is not changed, even if kernel.randomize_va_space is set to 1."
rationale: "There is a bug in prelink that interferes with AIDE, the Linux file integrity checker. This has been fixed in RHEL6 (so prelink does not need to be disabled in RHEL6 systems)."
@@ -441,7 +441,7 @@ checks:
# 2.1 Remove Legacy Services
###############################################
# 2.1.1 Remove telnet-server (Scored)
- - id: 5526
+ - id: 4526
title: "Remove telnet-server"
description: "The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol."
rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security and is included in most Red Hat Linux distributions."
@@ -458,7 +458,7 @@ checks:
- 'c:rpm -qa telnet-server -> r:\.'
# Remove rsh-server (Scored)
- - id: 5527
+ - id: 4527
title: "Remove rsh-server"
description: "The Berkeley rsh-server ( rsh , rlogin , rcp ) package contains legacy services that exchange credentials in clear-text."
rationale: "These legacy service contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -473,7 +473,7 @@ checks:
rules:
- 'c:rpm -qa rsh-server -> r:\.'
- - id: 5528
+ - id: 4528
title: "Remove NIS Client"
description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files"
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -490,7 +490,7 @@ checks:
- 'c:rpm -qa ypbind -> r:\.'
# 2.1.6 Remove NIS Server (Scored)
- - id: 5529
+ - id: 4529
title: "Remove NIS Server"
description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
@@ -507,7 +507,7 @@ checks:
- 'c:rpm -qa ypserv -> r:\.'
# 2.1.7 Remove tftp (Scored)
- - id: 5530
+ - id: 4530
title: "Remove tftp-server"
description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is the server package used to define and support a TFTP server."
rationale: "TFTP does not support authentication nor does it ensure the confidentiality of integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -524,7 +524,7 @@ checks:
- 'c:rpm -qa tftpd -> r:\.'
# 2.1.9 Remove talk (Scored)
- - id: 5531
+ - id: 4531
title: "Remove talk-server"
description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default."
rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -541,7 +541,7 @@ checks:
# 3 Special Purpose Services
###############################################
# 3.2 Set Daemon umask (Scored)
- - id: 5532
+ - id: 4532
title: "Set Daemon umask"
description: "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
rationale: "Setting the umask to 027 will make sure that files created by daemons will not be readable, writable or executable by any other than the group and owner of the daemon process and will not be writable by the group of the daemon process. The daemon process can manually override these settings if these files need additional permission."
@@ -553,7 +553,7 @@ checks:
- 'f:/etc/sysconfig/init -> umask 027'
# 3.3 Remove X Windows (Scored)
- - id: 5533
+ - id: 4533
title: "Remove X Windows"
description: "The X Windows system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on."
rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
@@ -567,7 +567,7 @@ checks:
- 'not c:yum grouplist X?Window?System -> r:Installed Groups'
# 3.1.1 Disable Avahi Server (Scored)
- - id: 5534
+ - id: 4534
title: "Disable Avahi Server"
description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
rationale: "Since servers are not normally used for printing, this service is not needed unless dependencies require it. If this is the case, disable the service to reduce the potential attack surface. If for some reason the service is required on the server, follow the recommendations in sub-sections 3.2.1 - 3.2.5 to secure it."
@@ -580,7 +580,7 @@ checks:
- 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on'
# 3.8 Disable NFS and RPC (Not Scored)
- - id: 5535
+ - id: 4535
title: "Disable NFS and RPC"
description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
rationale: "If the server does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -593,7 +593,7 @@ checks:
- 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on'
# 3.10 Remove FTP Server (Not Scored)
- - id: 5536
+ - id: 4536
title: "Remove FTP Server"
description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the package be deleted to reduce the potential attack surface."
@@ -607,7 +607,7 @@ checks:
- 'c:rpm -qa vsftpd -> r:\.'
# 3.11 Remove HTTP Server (Not Scored)
- - id: 5537
+ - id: 4537
title: "Remove HTTP Server"
description: "HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with Red Hat Linux is Apache."
rationale: "Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface."
@@ -620,7 +620,7 @@ checks:
- 'c:rpm -qa httpd -> r:\.'
# 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored)
- - id: 5538
+ - id: 4538
title: "Remove Dovecot"
description: "Dovecot is an open source IMAP and POP3 server for Linux based systems."
rationale: "Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that the service be deleted to reduce the potential attack surface."
@@ -633,7 +633,7 @@ checks:
- 'c:rpm -qa dovecot -> r:\.'
# 3.13 Remove Samba (Not Scored)
- - id: 5539
+ - id: 4539
title: "Remove Samba"
description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol."
rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be deleted to reduce the potential attack surface."
@@ -646,7 +646,7 @@ checks:
- 'c:rpm -qa samba -> r:\.'
# 3.14 Remove HTTP Proxy Server (Not Scored)
- - id: 5540
+ - id: 4540
title: "Remove HTTP Proxy Server"
description: "The default HTTP proxy package shipped with Red Hat Linux is squid."
rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface."
@@ -659,7 +659,7 @@ checks:
- 'c:rpm -qa squid -> r:\.'
# 3.15 Remove SNMP Server (Not Scored)
- - id: 5541
+ - id: 4541
title: "Remove SNMP Server"
description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
rationale: "The SNMP server communicates using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
@@ -678,7 +678,7 @@ checks:
# 4.1 Modify Network Parameters (Host Only)
###############################################
# 4.1.1 Disable IP Forwarding (Scored)
- - id: 5542
+ - id: 4542
title: "Disable IP Forwarding"
description: "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
rationale: "Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -694,7 +694,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
# 4.1.2 Disable Send Packet Redirects (Scored)
- - id: 5543
+ - id: 4543
title: "Disable Send Packet Redirects"
description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -716,7 +716,7 @@ checks:
# 4.2 Modify Network Parameters (Host and Router)
###############################################
# 4.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 5544
+ - id: 4544
title: "Disable Source Routed Packet Acceptance"
description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
@@ -735,7 +735,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
# 4.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 5545
+ - id: 4545
title: "Disable ICMP Redirect Acceptance"
description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -754,7 +754,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
# 4.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 5546
+ - id: 4546
title: "Disable Secure ICMP Redirect Acceptance"
description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -773,7 +773,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
# 4.2.4 Log Suspicious Packets (Scored)
- - id: 5547
+ - id: 4547
title: "Log Suspicious Packets"
description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server."
@@ -791,7 +791,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
# 4.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 5548
+ - id: 4548
title: "Enable Ignore Broadcast Requests"
description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
@@ -807,7 +807,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
# 4.2.6 Enable Bad Error Message Protection (Scored)
- - id: 5549
+ - id: 4549
title: "Enable Bad Error Message Protection"
description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -823,7 +823,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
# 4.2.7 Enable RFC-recommended Source Route Validation (Scored)
- - id: 5550
+ - id: 4550
title: "Enable RFC-recommended Source Route Validation"
description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
@@ -842,7 +842,7 @@ checks:
- 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
# 4.2.8 Enable TCP SYN Cookies (Scored)
- - id: 5551
+ - id: 4551
title: "Enable TCP SYN Cookies"
description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all."
rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding."
@@ -864,7 +864,7 @@ checks:
# 6.1 Configure SSH
###############################################
# 6.2.1 Set SSH Protocol to 2 (Scored)
- - id: 5552
+ - id: 4552
title: "Set SSH Protocol to 2"
description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -882,7 +882,7 @@ checks:
- 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
# 6.2.2 Set LogLevel to INFO (Scored)
- - id: 5553
+ - id: 4553
title: "Ensure SSH LogLevel is set to INFO"
description: "The INFO parameter specifies that login and logout activity will be logged."
rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
@@ -898,7 +898,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
# 6.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 5554
+ - id: 4554
title: "Ensure SSH MaxAuthTries is set to 4 or less"
description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -912,7 +912,7 @@ checks:
- 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
# 6.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 5555
+ - id: 4555
title: "Set SSH IgnoreRhosts to Yes"
description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication ."
rationale: "Setting this parameter forces users to enter a password when authenticating with ssh ."
@@ -929,7 +929,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
# 6.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 5556
+ - id: 4556
title: "Set SSH HostbasedAuthentication to No"
description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -946,7 +946,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
# 6.2.8 Disable SSH Root Login (Scored)
- - id: 5557
+ - id: 4557
title: "Disable SSH Root Login"
description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1) . The default is no."
rationale: "Disallowing root logins over SSH requires server admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
@@ -963,7 +963,7 @@ checks:
- 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
# 6.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 5558
+ - id: 4558
title: "Set SSH PermitEmptyPasswords to No"
description: "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -986,7 +986,7 @@ checks:
   # 9.2 Review User and Group Settings
   ###############################################
   # 9.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-  - id: 5559
+  - id: 4559
     title: "Verify No UID 0 Accounts Exist Other Than root"
     description: "Any account with UID 0 has superuser privileges on the system."
     rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 7.5 Restrict root Login to System Console."
diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml
index 257d5598b..f5a0fea63 100644
--- a/sca/rhel/6/cis_rhel6_linux.yml
+++ b/sca/rhel/6/cis_rhel6_linux.yml
@@ -36,7 +36,7 @@ variables:
 
 checks:
   # 1.1.2 /tmp: partition
-  - id: 6000
+  - id: 5000
     title: "Ensure separate partition exists for /tmp"
     description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
     rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code."
@@ -50,7 +50,7 @@ checks:
       - 'c:mount -> r:\s/tmp\s'
 
   # 1.1.3 /tmp: nodev
-  - id: 6001
+  - id: 5001
     title: "Ensure nodev option set on /tmp partition"
     description: "The nodev mount option specifies that the filesystem cannot contain special devices."
     rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -63,7 +63,7 @@ checks:
       - 'c:mount -> r:\s/tmp\s && r:nodev'
 
   # 1.1.4 /tmp: nosuid
-  - id: 6002
+  - id: 5002
     title: "Ensure nosuid option set on /tmp partition"
     description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
     rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp ."
@@ -76,7 +76,7 @@ checks:
       - 'c:mount -> r:\s/tmp\s && r:nosuid'
 
   # 1.1.5 /tmp: noexec
-  - id: 6003
+  - id: 5003
     title: "Ensure noexec option set on /tmp partition"
     description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
     rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp ."
@@ -90,7 +90,7 @@ checks:
       - 'c:mount -> r:\s/tmp\s && r:noexec'
 
   # 1.1.6 Build considerations - Partition scheme.
-  - id: 6004
+  - id: 5004
     title: "Ensure separate partition exists for /var"
     description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
     rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -104,7 +104,7 @@ checks:
       - 'c:mount -> r:\s/var\s'
 
 
-  - id: 6005
+  - id: 5005
     title: "Ensure separate partition exists for /var/tmp"
     description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications."
     rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code."
@@ -116,7 +116,7 @@ checks:
       - 'c:mount -> r:\s/var/tmp\s'
 
   # 1.1.11 /var/log: partition
-  - id: 6006
+  - id: 5006
     title: "Ensure separate partition exists for /var/log"
     description: "The /var/log directory is used by system services to store log data ."
     rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -131,7 +131,7 @@ checks:
       - 'c:mount -> r:\s/var/log\s'
 
   # 1.1.12 /var/log/audit: partition
-  - id: 6007
+  - id: 5007
     title: "Ensure separate partition exists for /var/log/audit"
     description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
     rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data."
@@ -146,7 +146,7 @@ checks:
       - 'c:mount -> r:\s/var/log/audit\s'
 
   # 1.1.13 /home: partition
-  - id: 6008
+  - id: 5008
     title: "Ensure separate partition exists for /home"
     description: "The /home directory is used to support disk storage needs of local users."
     rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -160,7 +160,7 @@ checks:
       - 'c:mount -> r:\s/home\s'
 
   # 1.1.14 /home: nodev
-  - id: 6009
+  - id: 5009
     title: "Ensure nodev option set on /home partition"
     description: "The nodev mount option specifies that the filesystem cannot contain special devices."
     rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
@@ -173,7 +173,7 @@ checks:
       - 'c:mount -> r:\s/home\s && r:nodev'
 
   # 1.1.15 /dev/shm: nodev
-  - id: 6010
+  - id: 5010
     title: "Ensure nodev option set on /dev/shm partition"
     description: "The nodev mount option specifies that the filesystem cannot contain special devices."
     rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -186,7 +186,7 @@ checks:
       - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 
   # 1.1.16 /dev/shm: nosuid
-  - id: 6011
+  - id: 5011
     title: "Ensure nosuid option set on /dev/shm partition"
     description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
     rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -199,7 +199,7 @@ checks:
       - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 
   # 1.1.17 /dev/shm: noexec
-  - id: 6012
+  - id: 5012
     title: "Ensure noexec option set on /dev/shm partition"
     description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
     rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -216,7 +216,7 @@ checks:
   # 1.4 Configure SELinux
   ###############################################
   # 1.6.1.1 enable selinux in /etc/grub.conf
-  - id: 6013
+  - id: 5013
     title: "Ensure SELinux is not disabled in bootloader configuration"
     description: "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters."
     rationale: "SELinux must be enabled at boot time in your grub configuration to ensure that the controls it provides are not overridden."
@@ -230,7 +230,7 @@ checks:
       - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0'
 
   # 1.6.1.2 Set selinux state
-  - id: 6014
+  - id: 5014
     title: "Ensure the SELinux state is enforcing"
     description: "Set SELinux to enable when the system is booted."
     rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times."
@@ -244,7 +244,7 @@ checks:
       - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$'
 
   # 1.6.1.3 Set selinux policy
-  - id: 6015
+  - id: 5015
     title: "Ensure SELinux policy is configured"
     description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
     rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met."
@@ -257,7 +257,7 @@ checks:
       - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$'
 
   # 1.6.1.4 Remove SETroubleshoot
-  - id: 6016
+  - id: 5016
     title: "Ensure SETroubleshoot is not installed"
     description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user- friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
     rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled."
@@ -270,7 +270,7 @@ checks:
       - 'c:rpm -qa setroubleshoot -> r:\.'
 
   # 1.6.1.5 Disable MCS Translation service mcstrans
-  - id: 6017
+  - id: 5017
     title: "Ensure the MCS Translation Service (mcstrans) is not installed"
     description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf"
     rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system."
@@ -286,7 +286,7 @@ checks:
   # 1.4 Secure Boot Settings
   ###############################################
   # 1.4.2 Set Boot Loader Password (Scored)
-  - id: 6018
+  - id: 5018
     title: "Ensure bootloader password is set"
     description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
     rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security."
@@ -300,7 +300,7 @@ checks:
       - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5'
 
   # 1.4.3 Require Authentication for Single-User Mode (Scored)
-  - id: 6019
+  - id: 5019
     title: "Ensure authentication required for single user mode"
     description: "Single user mode is used for recovery when the system detects an issue during boot or by manual selection from the bootloader."
     rationale: "Requiring authentication in single user mode prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials."
@@ -314,7 +314,7 @@ checks:
       - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin'
 
   # 1.4.4 Disable Interactive Boot (Scored)
-  - id: 6020
+  - id: 5020
     title: "Ensure interactive boot is not enabled"
     description: "Interactive boot allows console users to interactively select which services start on boot. The PROMPT option provides console users the ability to interactively boot the system and select which services to start on boot ."
     rationale: "Turn off the PROMPT option on the console to prevent console users from potentially overriding established security settings."
@@ -331,7 +331,7 @@ checks:
   # 1.5 Additional Process Hardening
   ###############################################
   # 1.5.1 Restrict Core Dumps (Scored)
-  - id: 6021
+  - id: 5021
     title: "Ensure core dumps are restricted"
     description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file."
     rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) )."
@@ -346,7 +346,7 @@ checks:
       - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 
   # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
-  - id: 6022
+  - id: 5022
     title: "Ensure address space layout randomization (ASLR) is enabled"
     description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
     rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -366,7 +366,7 @@ checks:
   # 2.1 Remove Legacy Services
   ###############################################
   # 2.1.8 Remove telnet-server (Scored)
-  - id: 6023
+  - id: 5023
     title: "Ensure telnet server is not enabled"
     description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
     rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
@@ -381,7 +381,7 @@ checks:
       - 'c:chkconfig --list -> r:telnet-server && r::on'
 
   # 2.1.6 Remove rsh-server (Scored)
-  - id: 6024
+  - id: 5024
     title: "Ensure rsh server is not enabled"
     description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
     rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -397,7 +397,7 @@ checks:
 
 
   # 2.3.1 Remove NIS Client (Scored)
-  - id: 6025
+  - id: 5025
     title: "Ensure NIS Client is not installed"
     description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files."
     rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
@@ -412,7 +412,7 @@ checks:
       - 'c:rpm -qa ypbind -> r:\.'
 
   # 2.2.16 Remove NIS Server (Scored)
-  - id: 6026
+  - id: 5026
     title: "Ensure NIS Server is not enabled"
     description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
     rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP)."
@@ -427,7 +427,7 @@ checks:
       - 'c:chkconfig --list -> r:ypserv && r::on'
 
   # 2.1.9 Remove tftp-server (Scored)
-  - id: 6027
+  - id: 5027
     title: "Ensure tftp server is not enabled"
     description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server."
     rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -442,7 +442,7 @@ checks:
       - 'c:chkconfig --list -> r:tftp && r::on'
 
   # 2.1.7 Remove talk-server (Scored)
-  - id: 6028
+  - id: 5028
     title: "Ensure talk server is disabled"
     description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
     rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -461,7 +461,7 @@ checks:
 
   ###############################################
   # 2.2.2 Remove X Windows (Scored)
-  - id: 6029
+  - id: 5029
     title: "Ensure X Window System is not installed"
     description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
     rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
@@ -475,7 +475,7 @@ checks:
       - 'c:rpm -qa xorg-x11* -> r:\.'
 
   # 2.2.3 Disable Avahi Server (Scored)
-  - id: 6030
+  - id: 5030
     title: "Ensure Avahi Server is not enabled"
     description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration."
     rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
@@ -489,7 +489,7 @@ checks:
       - 'c:chkconfig --list -> r:avahi-daemon && r::on'
 
   # 2.2.7 Disable NFS and RPC (Not Scored)
-  - id: 6031
+  - id: 5031
     title: "Ensure NFS and RPC are not enabled"
     description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
     rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -503,7 +503,7 @@ checks:
       - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
 
   # 2.2.9 Remove FTP Server (Not Scored)
-  - id: 6032
+  - id: 5032
     title: "Ensure FTP Server is not enabled"
     description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
     rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server."
@@ -517,7 +517,7 @@ checks:
       - 'c:chkconfig --list -> r:vsftpd && r::on'
 
   # 2.2.10 Remove HTTP Server (Scored)
-  - id: 6033
+  - id: 5033
     title: "Ensure HTTP server is not enabled"
     description: "HTTP or web servers provide the ability to host web site content."
     rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -530,7 +530,7 @@ checks:
       - 'c:chkconfig --list -> r:httpd && r::on'
 
   # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored)
-  - id: 6034
+  - id: 5034
     title: "Ensure IMAP and POP3 server is not enabled"
     description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
     rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -544,7 +544,7 @@ checks:
       - 'c:chkconfig --list -> r:dovecot && r::on'
 
   # 2.2.12 Remove Samba (Scored)
-  - id: 6035
+  - id: 5035
     title: "Ensure Samba is not enabled"
     description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
     rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
@@ -558,7 +558,7 @@ checks:
       - 'c:chkconfig --list -> r:smb && r::on'
 
   # 2.2.13 Remove HTTP Proxy Server (Scored)
-  - id: 6036
+  - id: 5036
     title: "Ensure HTTP Proxy Server is not enabled"
     description: "Squid is a standard proxy server used in many distributions and environments."
     rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
@@ -572,7 +572,7 @@ checks:
       - 'c:chkconfig --list -> r:squid && r::on'
 
   # 2.2.14 Remove SNMP Server (Scored)
-  - id: 6037
+  - id: 5037
     title: "Ensure SNMP Server is not enabled"
     description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
     rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used."
@@ -592,7 +592,7 @@ checks:
   # 3.1 Modify Network Parameters (Host Only)
   ###############################################
   # 3.1.1 Disable IP Forwarding (Scored)
-  - id: 6038
+  - id: 5038
     title: "Ensure IP forwarding is disabled"
     description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
     rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -607,7 +607,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
 
   # 3.1.2 Disable Send Packet Redirects (Scored)
-  - id: 6039
+  - id: 5039
     title: "Ensure packet redirect sending is disabled"
     description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
     rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -627,7 +627,7 @@ checks:
   # 3.2 Modify Network Parameters (Host and Router)
   ###############################################
   # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
-  - id: 6040
+  - id: 5040
     title: "Ensure source routed packets are not accepted"
     description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network."
     rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface."
@@ -644,7 +644,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
 
   # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
-  - id: 6041
+  - id: 5041
     title: "Ensure ICMP redirects are not accepted"
     description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables."
     rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -661,7 +661,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
 
   # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-  - id: 6042
+  - id: 5042
     title: "Ensure secure ICMP redirects are not accepted"
     description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
     rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -678,7 +678,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
 
   # 3.2.4 Log Suspicious Packets (Scored)
-  - id: 6043
+  - id: 5043
     title: "Ensure suspicious packets are logged"
     description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
     rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
@@ -695,7 +695,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
 
   # 3.2.5 Enable Ignore Broadcast Requests (Scored)
-  - id: 6044
+  - id: 5044
     title: "Ensure broadcast ICMP requests are ignored"
     description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
     rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address."
@@ -710,7 +710,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'
 
   # 3.2.6 Enable Bad Error Message Protection (Scored)
-  - id: 6045
+  - id: 5045
     title: "Ensure bogus ICMP responses are ignored"
     description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
     rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -724,7 +724,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 
   # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
-  - id: 6046
+  - id: 5046
     title: "Ensure Reverse Path Filtering is enabled"
     description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid."
     rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed."
@@ -740,7 +740,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 
   # 3.2.8 Enable TCP SYN Cookies (Scored)
-  - id: 6047
+  - id: 5047
     title: "Ensure TCP SYN Cookies is enabled"
     description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
     rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -761,7 +761,7 @@ checks:
   # 5.2 Configure SSH
   ###############################################
   # 5.2.2 Set SSH Protocol to 2 (Scored)
-  - id: 6048
+  - id: 5048
     title: "Ensure SSH Protocol is set to 2"
     description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
     rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -777,7 +777,7 @@ checks:
       - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
 
   # 5.2.3 Set LogLevel to INFO (Scored)
-  - id: 6049
+  - id: 5049
     title: "Ensure SSH LogLevel is set to INFO"
     description: "The INFO parameter specifies that login and logout activity will be logged."
     rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information."
@@ -793,7 +793,7 @@ checks:
       - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
 
   # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-  - id: 6050
+  - id: 5050
     title: "Ensure SSH MaxAuthTries is set to 4 or less"
     description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
     rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -807,7 +807,7 @@ checks:
       - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 
   # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-  - id: 6051
+  - id: 5051
     title: "Ensure SSH IgnoreRhosts is enabled"
     description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
     rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -823,7 +823,7 @@ checks:
       - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
 
   # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
-  - id: 6052
+  - id: 5052
     title: "Ensure SSH HostbasedAuthentication is disabled"
     description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
     rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -839,7 +839,7 @@ checks:
       - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
 
   # 5.2.8 Disable SSH Root Login (Scored)
-  - id: 6053
+  - id: 5053
     title: "Ensure SSH root login is disabled"
     description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
     rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
@@ -855,7 +855,7 @@ checks:
       - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
 
   # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-  - id: 6054
+  - id: 5054
     title: "Ensure SSH PermitEmptyPasswords is disabled"
     description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
     rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -877,7 +877,7 @@ checks: # 6.2 Review User and Group Settings ############################################### # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored) - - id: 6055 + - id: 5055 title: "Ensure root is the only UID 0 account" description: "Any account with UID 0 has superuser privileges on the system." rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted." diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml index 4cd017c88..6220b4413 100644 --- a/sca/rhel/7/cis_rhel7_linux.yml +++ b/sca/rhel/7/cis_rhel7_linux.yml @@ -36,7 +36,7 @@ variables: checks: # 1.1.2 /tmp: partition - - id: 6500 + - id: 5500 title: "Ensure separate partition exists for /tmp" description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications." rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code." @@ -50,7 +50,7 @@ checks: - 'c:mount -> r:\s/tmp\s' # 1.1.3 /tmp: nodev - - id: 6501 + - id: 5501 title: "Ensure nodev option set on /tmp partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp." 
@@ -63,7 +63,7 @@ checks: - 'c:mount -> r:\s/tmp\s && r:nodev' # 1.1.4 /tmp: nosuid - - id: 6502 + - id: 5502 title: "Ensure nosuid option set on /tmp partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp." @@ -76,7 +76,7 @@ checks: - 'c:mount -> r:\s/tmp\s && r:nosuid' # 1.1.5 /tmp: noexec - - id: 6503 + - id: 5503 title: "Ensure noexec option set on /tmp partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp." @@ -90,7 +90,7 @@ checks: - 'c:mount -> r:\s/tmp\s && r:noexec' # 1.1.6 Build considerations - Partition scheme. - - id: 6504 + - id: 5504 title: "Ensure separate partition exists for /var" description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable." rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." 
@@ -104,7 +104,7 @@ checks: - 'c:mount -> r:\s/var\s' # 1.1.7 bind mount /var/tmp to /tmp - - id: 6505 + - id: 5505 title: "Ensure separate partition exists for /var/tmp" description: "The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications." rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code." @@ -116,7 +116,7 @@ checks: - 'c:mount -> r:\s/var/tmp\s' # 1.1.11 /var/log: partition - - id: 6506 + - id: 5506 title: "Ensure separate partition exists for /var/log" description: "The /var/log directory is used by system services to store log data ." rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." @@ -131,7 +131,7 @@ checks: - 'c:mount -> r:\s/var/log\s' # 1.1.12 /var/log/audit: partition - - id: 6507 + - id: 5507 title: "Ensure separate partition exists for /var/log/audit" description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory." rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data." 
@@ -146,7 +146,7 @@ checks: - 'c:mount -> r:\s/var/log/audit\s' # 1.1.13 /home: partition - - id: 6508 + - id: 5508 title: "Ensure separate partition exists for /home" description: "The /home directory is used to support disk storage needs of local users." rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." @@ -160,7 +160,7 @@ checks: - 'c:mount -> r:\s/home\s' # 1.1.14 /home: nodev - - id: 6509 + - id: 5509 title: "Ensure nodev option set on /home partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices." @@ -173,7 +173,7 @@ checks: - 'c:mount -> r:\s/home\s && r:nodev' # 1.1.15 /dev/shm: nodev - - id: 6510 + - id: 5510 title: "Ensure nodev option set on /dev/shm partition" description: "The nodev mount option specifies that the filesystem cannot contain special devices." rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions." @@ -186,7 +186,7 @@ checks: - 'c:mount -> r:\s/dev/shm\s && r:nodev' # 1.1.16 /dev/shm: nosuid - - id: 6511 + - id: 5511 title: "Ensure nosuid option set on /dev/shm partition" description: "The nosuid mount option specifies that the filesystem cannot contain setuid files." rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them." 
@@ -199,7 +199,7 @@ checks: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' # 1.1.17 /dev/shm: noexec - - id: 6512 + - id: 5512 title: "Ensure noexec option set on /dev/shm partition" description: "The noexec mount option specifies that the filesystem cannot contain executable binaries." rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system." @@ -216,7 +216,7 @@ checks: # 1.6 Configure SELinux ############################################### # 1.6.1.2 Set selinux state - - id: 6513 + - id: 5513 title: "Ensure the SELinux state is enforcing" description: "Set SELinux to enable when the system is booted." rationale: "SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times." @@ -233,7 +233,7 @@ checks: - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing' # 1.6.1.3 Set selinux policy - - id: 6514 + - id: 5514 title: "Ensure SELinux policy is configured" description: "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only." rationale: "Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met." 
@@ -247,7 +247,7 @@ checks: - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls' # 1.6.1.4 Remove SETroubleshoot - - id: 6515 + - id: 5515 title: "Ensure SETroubleshoot is not installed" description: "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors." rationale: "The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is disabled." @@ -260,7 +260,7 @@ checks: - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$' # 1.6.1.5 Disable MCS Translation service mcstrans - - id: 6516 + - id: 5516 title: "Ensure the MCS Translation Service (mcstrans) is not installed" description: "The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf" rationale: "Since this service is not used very often, remove it to reduce the amount of potentially vulnerable code running on the system." @@ -276,7 +276,7 @@ checks: # 1.4 Secure Boot Settings ############################################### # 1.4.2 Set Boot Loader Password (Scored) - - id: 6517 + - id: 5517 title: "Ensure bootloader password is set" description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters." rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)." 
@@ -293,7 +293,7 @@ checks: # 1.5 Additional Process Hardening ############################################### # 1.5.1 Restrict Core Dumps (Scored) - - id: 6518 + - id: 5518 title: "Ensure core dumps are restricted" description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file." rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core." @@ -308,7 +308,7 @@ checks: - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$' # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored) - - id: 6519 + - id: 5519 title: "Ensure address space layout randomization (ASLR) is enabled" description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process." rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting." 
@@ -328,7 +328,7 @@ checks: # 2.2 Remove Legacy Services ############################################### # 2.2.16 Remove NIS Server (Scored) - - id: 6520 + - id: 5520 title: "Ensure NIS Server is not enabled" description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" @@ -343,7 +343,7 @@ checks: - 'c:systemctl is-enabled ypserv -> r:^enabled' # 2.2.17 Remove rsh-server (Scored) - - id: 6521 + - id: 5521 title: "Ensure rsh server is not enabled" description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text." rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package." @@ -360,7 +360,7 @@ checks: - 'c:systemctl is-enabled rexec.socket -> r:^enabled' # 2.2.18 Remove talk server (Scored) - - id: 6522 + - id: 5522 title: "Ensure talk server is not enabled" description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default." rationale: "The software presents a security risk as it uses unencrypted protocols for communication." 
@@ -375,7 +375,7 @@ checks: - 'c:systemctl is-enabled ntalk -> r:^enabled' # 2.2.19 Remove telnet-server (Scored) - - id: 6523 + - id: 5523 title: "Ensure telnet server is not enabled" description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol." rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security." @@ -390,7 +390,7 @@ checks: - 'c:systemctl is-enabled telnet.socket -> r:^enabled' # 2.2.20 Remove tftp server (Scored) - - id: 6524 + - id: 5524 title: "Ensure tftp server is not enabled" description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package tftp-server is used to define and support a TFTP server." rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." @@ -405,7 +405,7 @@ checks: - 'c:systemctl is-enabled tftp.socket -> r:^enabled' # 2.2.21 Remove rsync service (Scored) - - id: 6525 + - id: 5525 title: "Ensure rsync service is not enabled" description: "The rsyncd service can be used to synchronize files between systems over network links." rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." 
@@ -420,7 +420,7 @@ checks: - 'c:systemctl is-enabled rsyncd -> r:^enabled' # 2.3.1 Remove NIS Client (Scored) - - id: 6526 + - id: 5526 title: "Ensure NIS Client is not installed" description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files." rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed." @@ -435,7 +435,7 @@ checks: - 'c:rpm -q ypbind -> r:^package ypbind is not installed$' # 2.1.7 Remove xinetd (Scored) - - id: 6527 + - id: 5527 title: "Ensure xinetd is not enabled" description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests." rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled." @@ -450,7 +450,7 @@ checks: - 'c:systemctl is-enabled xinetd -> r:^enabled' # 2.1.1 Disable chargen services (Scored) - - id: 6528 + - id: 5528 title: "Ensure chargen services are not enabled" description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
@@ -466,7 +466,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*chargen-stream:\s*\t*on' # 2.1.2 Disable daytime services (Scored) - - id: 6529 + - id: 5529 title: "Ensure daytime services are not enabled" description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -480,7 +480,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*daytime-stream:\s*\t*on' # 2.1.3 Disable discard services (Scored) - - id: 6530 + - id: 5530 title: "Ensure discard services are not enabled" description: "discardis a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -496,7 +496,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*discard-stream:\s*\t*on' # 2.1.4 Disable echo-dgram (Scored) - - id: 6531 + - id: 5531 title: "Ensure echo services are not enabled" description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." @@ -512,7 +512,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*echo-stream:\s*\t*on' # 2.1.5 Disable time-stream (Scored) - - id: 6532 + - id: 5532 title: "Ensure time services are not enabled" description: "time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled." rationale: "Disabling this service will reduce the remote attack surface of the system." 
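Review bot: The description of the discard check (renumbered to 5530 in the third hunk on this line) contains the typo `discardis a network service`, which the renumbering commit carries over unchanged; it should read `discard is a network service that simply discards all data it receives.`. The title and rationale of that check are fine. The rules lines of this check are outside the hunk, so only the description text is visible here.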
@@ -528,7 +528,7 @@ checks: - 'c:chkconfig --list -> r:^\s*\t*time-stream:\s*\t*on' # 2.2.2 Remove X Windows (Scored) - - id: 6533 + - id: 5533 title: "Ensure X Window System is not installed" description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login." rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface." @@ -542,7 +542,7 @@ checks: - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+' # 2.2.3 Disable Avahi Server (Scored) - - id: 6534 + - id: 5534 title: "Ensure Avahi Server is not enabled" description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine." rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface." @@ -556,7 +556,7 @@ checks: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' # 2.2.5 Remove DHCP Server (Scored) - - id: 6535 + - id: 5535 title: "Ensure DHCP Server is not enabled" description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses." rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface." 
@@ -572,7 +572,7 @@ checks: - 'c:systemctl is-enabled dhcpd -> r:^enabled' # 2.2.6 Remove LDAP Server (Scored) - - id: 6536 + - id: 5536 title: "Ensure LDAP Server is not enabled" description: "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database." rationale: "If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface." @@ -588,7 +588,7 @@ checks: - 'c:systemctl is-enabled sladp -> r:^enabled' # 2.2.1.2 Configure Network Time Protocol (NTP) (Scored) - - id: 6537 + - id: 5537 title: "Ensure ntp is configured" description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server." rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly." @@ -606,7 +606,7 @@ checks: - 'f:/usr/lib/systemd/system/ntpd.service -> r:^Execstart\s*=\s*/usr/sbin/ntpd\s+-u\s+ntp:ntp' # 2.2.1.2 Configure Network Time Protocol (Chrony) (Scored) - - id: 6538 + - id: 5538 title: "Ensure chrony is configured" description: "chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://www.ntp.org. ntp can be configured to be a client and/or a server." rationale: "If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly." 
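Review bot: The rule that evaluates the "Ensure LDAP Server is not enabled" check (id 5536 in the first hunk on this line) queries a unit named `sladp`, which is a transposition of the OpenLDAP server unit `slapd`; `systemctl is-enabled` for a unit that does not exist will never print `enabled`, so the check cannot fail on a host where slapd is actually enabled and the renumbering commit preserves that false-pass. The rule appears as the leading context line of the second hunk (`@@ -588`), so the check body straddles two hunks and its `condition:` is not visible here, but the fix is the one rule line: `- 'c:systemctl is-enabled slapd -> r:^enabled'`. It is worth a scan of the other `systemctl is-enabled` rules in this file for the same kind of unit-name typo, since a misspelled unit silently turns a scored check into a no-op.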
@@ -621,7 +621,7 @@ checks: - 'f:/etc/sysconfig/chronyd -> r:^OPTIONS\s*=\s* && r:-u chrony' # 2.2.7 Disable NFS and RPC (Scored) - - id: 6539 + - id: 5539 title: "Ensure NFS and RPC are not enabled" description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network." rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface." @@ -637,7 +637,7 @@ checks: - 'c:systemctl is-enabled rpcbind -> r:^enabled' # 2.2.9 Remove FTP Server (Scored) - - id: 6540 + - id: 5540 title: "Ensure FTP Server is not enabled" description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files." rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface." @@ -651,7 +651,7 @@ checks: - 'c:systemctl is-enabled vsftpd -> r:^enabled' # 2.2.10 Remove HTTP Server (Scored) - - id: 6541 + - id: 5541 title: "Ensure HTTP server is not enabled" description: "HTTP or web servers provide the ability to host web site content." rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface." 
@@ -664,7 +664,7 @@ checks: - 'c:systemctl is-enabled httpd -> r:^enabled' # 2.2.11 Remove Dovecot (IMAP and POP3 services) (Scored) - - id: 6542 + - id: 5542 title: "Ensure IMAP and POP3 server is not enabled" description: "dovecot is an open source IMAP and POP3 server for Linux based systems." rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface." @@ -678,7 +678,7 @@ checks: - 'c:systemctl is-enabled dovecot -> r:^enabled' # 2.2.12 Remove Samba (Scored) - - id: 6543 + - id: 5543 title: "Ensure Samba is not enabled" description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems." rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface." @@ -692,7 +692,7 @@ checks: - 'c:systemctl is-enabled smb -> r:^enabled' # 2.2.13 Remove HTTP Proxy Server (Scored) - - id: 6544 + - id: 5544 title: "Ensure HTTP Proxy Server is not enabled" description: "Squid is a standard proxy server used in many distributions and environments." rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface." 
@@ -706,7 +706,7 @@ checks: - 'c:systemctl is-enabled squid -> r:^enabled' # 2.2.14 Remove SNMP Server (Not Scored) - - id: 6545 + - id: 5545 title: "Ensure SNMP Server is not enabled" description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system." rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1." @@ -726,7 +726,7 @@ checks: # 3.1 Modify Network Parameters (Host Only) ############################################### # 3.1.1 Disable IP Forwarding (Scored) - - id: 6546 + - id: 5546 title: "Ensure IP forwarding is disabled" description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not." rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router." @@ -741,7 +741,7 @@ checks: - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$' # 3.1.2 Disable Send Packet Redirects (Scored) - - id: 6547 + - id: 5547 title: "Ensure packet redirect sending is disabled" description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects." rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system." 
@@ -761,7 +761,7 @@ checks:
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 6548
+ - id: 5548
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -778,7 +778,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$' # 3.2.2 Disable ICMP Redirect Acceptance (Scored) - - id: 6549 + - id: 5549 title: "Ensure ICMP redirects are not accepted" description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables." rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured." @@ -795,7 +795,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$' # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored) - - id: 6550 + - id: 5550 title: "Ensure secure ICMP redirects are not accepted" description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure." rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways." 
@@ -812,7 +812,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$' # 3.2.4 Log Suspicious Packets (Scored) - - id: 6551 + - id: 5551 title: "Ensure suspicious packets are logged" description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log." rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system." @@ -829,7 +829,7 @@ checks: - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$' # 3.2.5 Enable Ignore Broadcast Requests (Scored) - - id: 6552 + - id: 5552 title: "Ensure broadcast ICMP requests are ignored" description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address." 
@@ -844,7 +844,7 @@ checks: - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' # 3.2.6 Enable Bad Error Message Protection (Scored) - - id: 6553 + - id: 5553 title: "Ensure bogus ICMP responses are ignored" description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages." @@ -859,7 +859,7 @@ checks: - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' # 3.2.7 Enable RFC-recommended Source Route Validation (Scored) - - id: 6554 + - id: 5554 title: "Ensure Reverse Path Filtering is enabled" description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." rationale: "Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing." 
@@ -876,7 +876,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 
 # 3.2.8 Enable TCP SYN Cookies (Scored)
- - id: 6555
+ - id: 5555
 title: "Ensure TCP SYN Cookies is enabled"
 description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent."
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -897,7 +897,7 @@ checks:
 # 5.2 Configure SSH
 ###############################################
 # 5.2.2 Set SSH Protocol to 2 (Scored)
- - id: 6556
+ - id: 5556
 title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -913,7 +913,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:Protocol\s*\t*2'
 
 # 5.2.3 Set LogLevel to INFO (Scored)
- - id: 6557
+ - id: 5557
 title: "Ensure SSH LogLevel is set to INFO"
 description: "The INFO parameter specifies that login and logout activity will be logged."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
@@ -929,7 +929,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\s*\t*INFO'
 
 # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 6558
+ - id: 5558
 title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -943,7 +943,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 
 # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 6559
+ - id: 5559
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -959,7 +959,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\s*\t*yes'
 
 # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 6560
+ - id: 5560
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -975,7 +975,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:HostbasedAuthentication\s*\t*no'
 
 # 5.2.8 Disable SSH Root Login (Scored)
- - id: 6561
+ - id: 5561
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh. The default is no."
 rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su . This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident."
@@ -991,7 +991,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:PermitRootLogin\s*\t*no'
 
 # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 6562
+ - id: 5562
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system."
@@ -1013,7 +1013,7 @@ checks:
 # 6.2 Review User and Group Settings
 ###############################################
 # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 6563
+ - id: 5563
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml
index 528deebd2..6ef94e4dc 100644
--- a/sca/sles/11/cis_sles11_linux.yml
+++ b/sca/sles/11/cis_sles11_linux.yml
@@ -32,7 +32,7 @@ variables:
 
 checks:
 # Section 1.1 - Filesystem Configuration
- - id: 7000
+ - id: 6000
 title: "Ensure separate partition exists for /tmp"
 description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -45,7 +45,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s'
 
- - id: 7001
+ - id: 6001
 title: "Ensure nodev option set on /tmp partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -57,7 +57,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
 
- - id: 7002
+ - id: 6002
 title: "Ensure nosuid option set on /tmp partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
@@ -70,7 +70,7 @@ checks:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
 
 # 1.1.5 /tmp: noexec
- - id: 7003
+ - id: 6003
 title: "Ensure noexec option set on /tmp partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
@@ -84,7 +84,7 @@ checks:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
 
 # 1.1.6 Build considerations - Partition scheme.
- - id: 7004
+ - id: 6004
 title: "Ensure separate partition exists for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -97,7 +97,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var\s'
 
- - id: 7005
+ - id: 6005
 title: "Ensure separate partition exists for /var/log"
 description: "The /var/log directory is used by system services to store log data."
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -112,7 +112,7 @@ checks:
 - 'c:mount -> r:\s/var/log\s'
 
 # 1.1.12 /var/log/audit: partition
- - id: 7006
+ - id: 6006
 title: "Ensure separate partition exists for /var/log/audit"
 description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
@@ -127,7 +127,7 @@ checks:
 - 'c:mount -> r:\s/var/log/audit\s'
 
 # 1.1.13 /home: partition
- - id: 7007
+ - id: 6007
 title: "Ensure separate partition exists for /home"
 description: "The /home directory is used to support disk storage needs of local users."
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -140,7 +140,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/home\s'
 
- - id: 7008
+ - id: 6008
 title: "Ensure nodev option set on /home partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
@@ -153,7 +153,7 @@ checks:
 - 'c:mount -> r:\s/home\s && r:nodev'
 
 # 1.1.15 /dev/shm: nodev
- - id: 7009
+ - id: 6009
 title: "Ensure nodev option set on /dev/shm partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -166,7 +166,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 
 # 1.1.16 /dev/shm: nosuid
- - id: 7010
+ - id: 6010
 title: "Ensure nosuid option set on /dev/shm partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -179,7 +179,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 
 # 1.1.17 /dev/shm: noexec
- - id: 7011
+ - id: 6011
 title: "Ensure noexec option set on /dev/shm partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -196,7 +196,7 @@ checks:
 # 1.4 Secure Boot Settings
 ###############################################
 # 1.4.2 Set Boot Loader Password (Scored)
- - id: 7015
+ - id: 6012
 title: "Ensure bootloader password is set"
 description: "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters."
 rationale: "Requiring a boot password upon execution of the boot loader will prevent an unauthorized user from entering boot parameters or changing the boot partition. This prevents users from weakening security (e.g. turning off SELinux at boot time)."
@@ -213,7 +213,7 @@ checks:
 # 1.5 Additional Process Hardening
 ###############################################
 # 1.5.1 Restrict Core Dumps (Scored)
- - id: 7016
+ - id: 6013
 title: "Ensure core dumps are restricted"
 description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -228,7 +228,7 @@ checks:
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 7017
+ - id: 6014
 title: "Ensure address space layout randomization (ASLR) is enabled"
 description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -248,7 +248,7 @@ checks:
 # 2.1 Remove Legacy Services
 ###############################################
 # Section 2.1 - inetd Services
- - id: 7018
+ - id: 6015
 title: "Ensure chargen services are not enabled"
 description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -260,7 +260,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
 
- - id: 7019
+ - id: 6016
 title: "Ensure daytime services are not enabled"
 description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -273,7 +273,7 @@ checks:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on'
 
 
- - id: 7020
+ - id: 6017
 title: "Ensure discard services are not enabled"
 description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -285,7 +285,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
 
- - id: 7021
+ - id: 6018
 title: "Ensure echo services are not enabled"
 description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -297,7 +297,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
 
- - id: 7022
+ - id: 6019
 title: "Ensure time services are not enabled"
 description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -309,7 +309,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp: && r::on'
 
- - id: 7023
+ - id: 6020
 title: "Ensure rsh server is not enabled"
 description: "The Berkeley rsh-server ( rsh , rlogin , rexec ) package contains legacy services that exchange credentials in clear-text."
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -323,7 +323,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
 
- - id: 7024
+ - id: 6021
 title: "Ensure talk server is not enabled"
 description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -337,7 +337,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
 
- - id: 7025
+ - id: 6022
 title: "Ensure telnet server is not enabled"
 description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
@@ -351,7 +351,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
 
- - id: 7026
+ - id: 6023
 title: "Ensure tftp server is not enabled"
 description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server."
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -365,7 +365,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
 
- - id: 7027
+ - id: 6024
 title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -380,7 +380,7 @@ checks:
 ###############################################
 # 2 Special Purpose Services
 ###############################################
- - id: 7028
+ - id: 6025
 title: "Ensure ntp is configured"
 description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
@@ -397,7 +397,7 @@ checks:
 - 'f:/etc/sysconfig/ntp -> r:NTPD_OPTIONS= && r:-u && r:ntp:ntp'
 
 # 2.2.2 Remove X Windows (Scored)
- - id: 7029
+ - id: 6026
 title: "Ensure X Window System is not installed"
 description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
@@ -411,7 +411,7 @@ checks:
 - 'c:rpm -qa xorg-x11* -> r:\.'
 
 # 2.2.3 Disable Avahi Server (Scored)
- - id: 7030
+ - id: 6027
 title: "Ensure Avahi Server is not enabled"
 description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
@@ -424,7 +424,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
 
- - id: 7031
+ - id: 6028
 title: "Ensure DHCP Server is not enabled"
 description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
@@ -437,7 +437,7 @@ checks:
 - 'c:chkconfig --list -> r:dhcpd && r::on'
 
 # 2.2.7 Disable NFS and RPC (Not Scored)
- - id: 7032
+ - id: 6029
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -450,7 +450,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
 
- - id: 7033
+ - id: 6030
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -463,7 +463,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:named && r::on'
 
- - id: 7034
+ - id: 6031
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
@@ -477,7 +477,7 @@ checks:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
 
 # 2.2.10 Remove HTTP Server (Not Scored)
- - id: 7035
+ - id: 6032
 title: "Ensure HTTP server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface. Notes: Several httpd servers exist and can use other service names. apache, apache2, lighttpd, and nginx are example services that provide an HTTP server. These and other services should also be audited."
@@ -489,7 +489,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:apache2 && r::on'
 
- - id: 7036
+ - id: 6033
 title: "Ensure IMAP and POP3 server is not enabled"
 description: "cyrus is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -503,7 +503,7 @@ checks:
 - 'c:chkconfig --list cyrus -> r:cyrus && r::on'
 
 # 2.2.12 Remove Samba (Not Scored)
- - id: 7037
+ - id: 6034
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
@@ -516,7 +516,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
 
- - id: 7038
+ - id: 6035
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
@@ -529,7 +529,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
 
- - id: 7039
+ - id: 6036
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
@@ -542,7 +542,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
 
- - id: 7040
+ - id: 6037
 title: "Ensure NIS Server is not enabled"
 description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used."
@@ -557,7 +557,7 @@ checks:
 - 'c:chkconfig --list -> r:ypserv && r::on'
 
 # Section 2.3 - Service Clients
- - id: 7041
+ - id: 6038
 title: "Ensure NIS Client is not installed"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -578,7 +578,7 @@ checks:
 # 3.1 Modify Network Parameters (Host Only)
 ###############################################
 # 3.1.1 Disable IP Forwarding (Scored)
- - id: 7042
+ - id: 6039
 title: "Ensure IPv4 forwarding is disabled"
 description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -593,7 +593,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$'
 
 # 3.1.2 Disable Send Packet Redirects (Scored)
- - id: 7044
+ - id: 6040
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -613,7 +613,7 @@ checks:
 # 3.2 Modify Network Parameters (Host and Router)
 ###############################################
 # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
- - id: 7045
+ - id: 6041
 title: "Ensure source routed packets are not accepted"
 description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
 rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -630,7 +630,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.default.accept_source_route -> r:=\s*0$'
 
 # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
- - id: 7046
+ - id: 6042
 title: "Ensure ICMP redirects are not accepted"
 description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
 rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -647,7 +647,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.default.accept_redirects -> r:=\s*0$'
 
 # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
- - id: 7047
+ - id: 6043
 title: "Ensure secure ICMP redirects are not accepted"
 description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
 rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -663,7 +663,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*0$'
 - 'c:/sbin/sysctl net.ipv4.conf.default.secure_redirects -> r:=\s*0$'
- - id: 7048
+ - id: 6044
 title: "Ensure suspicious packets are logged"
 description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
 rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
@@ -680,7 +680,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.default.log_martians -> r:=\s*1$'
 # 3.2.5 Enable Ignore Broadcast Requests (Scored)
- - id: 7049
+ - id: 6045
 title: "Ensure broadcast ICMP requests are ignored"
 description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
 rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -695,7 +695,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*1$'
 # 3.2.6 Enable Bad Error Message Protection (Scored)
- - id: 7050
+ - id: 6046
 title: "Ensure bogus ICMP responses are ignored"
 description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
 rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -710,7 +710,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*1$'
 # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
- - id: 7051
+ - id: 6047
 title: "Ensure Reverse Path Filtering is enabled"
 description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
 rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
@@ -727,7 +727,7 @@ checks:
 - 'c:/sbin/sysctl net.ipv4.conf.default.rp_filter -> r:=\s*1$'
 # 3.2.8 Enable TCP SYN Cookies (Scored)
- - id: 7052
+ - id: 6048
 title: "Ensure TCP SYN Cookies is enabled"
 description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
 rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -748,7 +748,7 @@ checks:
 # 5.2 Configure SSH
 ###############################################
 # 5.2.2 Set SSH Protocol to 2 (Scored)
- - id: 7053
+ - id: 6049
 title: "Ensure SSH Protocol is set to 2"
 description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
 rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -764,7 +764,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:^\s*\t*Protocol\s*\t*2'
 # 5.2.3 Set LogLevel to INFO (Scored)
- - id: 7054
+ - id: 6050
 title: "Ensure SSH LogLevel is set to INFO"
 description: "The INFO parameter specifies that login and logout activity will be logged."
 rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
@@ -780,7 +780,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:LogLevel\.+INFO'
 # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
- - id: 7055
+ - id: 6051
 title: "Ensure SSH MaxAuthTries is set to 4 or less"
 description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
 rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -794,7 +794,7 @@ checks:
 - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4'
 # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
- - id: 7056
+ - id: 6052
 title: "Ensure SSH IgnoreRhosts is enabled"
 description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with ssh."
@@ -810,7 +810,7 @@ checks:
 - 'f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+yes'
 # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
- - id: 7057
+ - id: 6053
 title: "Ensure SSH HostbasedAuthentication is disabled"
 description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
 rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -826,7 +826,7 @@ checks:
 - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\.+no'
 # 5.2.8 Disable SSH Root Login (Scored)
- - id: 7058
+ - id: 6054
 title: "Ensure SSH root login is disabled"
 description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
 rationale: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no. Rationale: Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
@@ -842,7 +842,7 @@ checks:
 - 'f:$sshd_file -> r:^\s*\t*PermitRootLogin\.+no'
 # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
- - id: 7059
+ - id: 6055
 title: "Ensure SSH PermitEmptyPasswords is disabled"
 description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
 rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -864,7 +864,7 @@ checks:
 # 6.2 Review User and Group Settings
 ###############################################
 # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
- - id: 7061
+ - id: 6056
 title: "Ensure root is the only UID 0 account"
 description: "Any account with UID 0 has superuser privileges on the system."
 rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
@@ -879,7 +879,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
- - id: 7060
+ - id: 6057
 title: "Ensure password fields are not empty"
 description: "An account with an empty password field means that anybody may log in as that user without providing a password."
 rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml
index ae5ff89c1..1128d275a 100644
--- a/sca/sles/12/cis_sles12_linux.yml
+++ b/sca/sles/12/cis_sles12_linux.yml
@@ -30,7 +30,7 @@ variables:
 checks:
 # Section 1.1 - Filesystem Configuration
- - id: 7500
+ - id: 6500
 title: "Ensure separate partition exists for /tmp"
 description: "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
 rationale: "Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw."
@@ -43,7 +43,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s'
- - id: 7501
+ - id: 6501
 title: "Ensure nodev option set on /tmp partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp."
@@ -55,7 +55,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
- - id: 7502
+ - id: 6502
 title: "Ensure nosuid option set on /tmp partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp."
@@ -68,7 +68,7 @@ checks:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
 # 1.1.5 /tmp: noexec
- - id: 7503
+ - id: 6503
 title: "Ensure noexec option set on /tmp partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp."
@@ -82,7 +82,7 @@ checks:
 - 'c:mount -> r:\s/tmp\s && r:noexec'
 # 1.1.6 Build considerations - Partition scheme.
- - id: 7504
+ - id: 6504
 title: "Ensure separate partition exists for /var"
 description: "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
 rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition."
@@ -95,7 +95,7 @@ checks:
 rules:
 - 'c:mount -> r:\s/var\s'
- - id: 7505
+ - id: 6505
 title: "Ensure separate partition exists for /var/log"
 description: "The /var/log directory is used by system services to store log data."
 rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
@@ -110,7 +110,7 @@ checks:
 - 'c:mount -> r:\s/var/log\s'
 # 1.1.12 /var/log/audit: partition
- - id: 7506
+ - id: 6506
 title: "Ensure separate partition exists for /var/log/audit"
 description: "The auditing daemon, auditd , stores log data in the /var/log/audit directory."
 rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd, it may not perform as desired."
@@ -125,7 +125,7 @@ checks:
 - 'c:mount -> r:\s/var/log/audit\s'
 # 1.1.13 /home: partition
- - id: 7507
+ - id: 6507
 title: "Ensure separate partition exists for /home"
 description: "The /home directory is used to support disk storage needs of local users."
 rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
@@ -139,7 +139,7 @@ checks:
 - 'c:mount -> r:\s/home\s'
 # 1.1.14 /home: nodev
- - id: 7508
+ - id: 6508
 title: "Ensure nodev option set on /home partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
@@ -152,7 +152,7 @@ checks:
 - 'c:mount -> r:\s/home\s && r:nodev'
 # 1.1.15 /dev/shm: nodev
- - id: 7509
+ - id: 6509
 title: "Ensure nodev option set on /dev/shm partition"
 description: "The nodev mount option specifies that the filesystem cannot contain special devices."
 rationale: "Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
@@ -165,7 +165,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
 # 1.1.16 /dev/shm: nosuid
- - id: 7510
+ - id: 6510
 title: "Ensure nosuid option set on /dev/shm partition"
 description: "The nosuid mount option specifies that the filesystem cannot contain setuid files."
 rationale: "Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
@@ -178,7 +178,7 @@ checks:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
 # 1.1.17 /dev/shm: noexec
- - id: 7511
+ - id: 6511
 title: "Ensure noexec option set on /dev/shm partition"
 description: "The noexec mount option specifies that the filesystem cannot contain executable binaries."
 rationale: "Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
@@ -195,7 +195,7 @@ checks:
 # 1.5 Additional Process Hardening
 ###############################################
 # 1.5.1 Restrict Core Dumps (Scored)
- - id: 7516
+ - id: 6512
 title: "Ensure core dumps are restricted"
 description: "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
 rationale: "Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5) ). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -210,7 +210,7 @@ checks:
 - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:^\s*fs.suid_dumpable\s*=\s*0\s*$'
 # 1.5.3 Enable Randomized Virtual Memory Region Placement (Scored)
- - id: 7517
+ - id: 6513
 title: "Ensure address space layout randomization (ASLR) is enabled"
 description: "Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process."
 rationale: "Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting."
@@ -231,7 +231,7 @@ checks:
 # 2.1 Remove Legacy Services
 ###############################################
 # Section 2.1 - inetd Services
- - id: 7518
+ - id: 6514
 title: "Ensure chargen services are not enabled"
 description: "chargen is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -243,7 +243,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:chargen:|chargen-udp: && r::on'
- - id: 7519
+ - id: 6515
 title: "Ensure daytime services are not enabled"
 description: "daytime is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -255,7 +255,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:daytime:|daytime-udp && r::on'
- - id: 7520
+ - id: 6516
 title: "Ensure discard services are not enabled"
 description: "discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -267,7 +267,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:discard:|discard-udp: && r::on'
- - id: 7521
+ - id: 6517
 title: "Ensure echo services are not enabled"
 description: "echo is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -279,7 +279,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:echo:|echo-udp: && r::on'
- - id: 7522
+ - id: 6518
 title: "Ensure time services are not enabled"
 description: "timeis a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
 rationale: "Disabling this service will reduce the remote attack surface of the system."
@@ -291,7 +291,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:time:|time-udp && r::on'
- - id: 7523
+ - id: 6519
 title: "Ensure rsh server is not enabled"
 description: "The Berkeley rsh-server (rsh, rlogin, rexec) package contains legacy services that exchange credentials in clear-text."
 rationale: "These legacy services contain numerous security exposures and have been replaced with the more secure SSH package."
@@ -305,7 +305,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:rexec:|rlogin:|rsh: && r::on'
- - id: 7524
+ - id: 6520
 title: "Ensure talk server is not enabled"
 description: "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
 rationale: "The software presents a security risk as it uses unencrypted protocols for communication."
@@ -319,7 +319,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:talk: && r::on'
- - id: 7525
+ - id: 6521
 title: "Ensure telnet server is not enabled"
 description: "The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol."
 rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh package provides an encrypted session and stronger security."
@@ -333,7 +333,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:telnet: && r::on'
- - id: 7526
+ - id: 6522
 title: "Ensure tftp server is not enabled"
 description: "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package atftp is used to define and support a TFTP server."
 rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services."
@@ -347,7 +347,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:tftp: && r::on'
- - id: 7527
+ - id: 6523
 title: "Ensure rsync service is not enabled"
 description: "The rsyncd service can be used to synchronize files between systems over network links."
 rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication."
@@ -359,7 +359,7 @@ checks:
 rules:
 - 'c:chkconfig --list -> r:rsync: && r::on'
- - id: 7528
+ - id: 6524
 title: "Ensure xinetd is not enabled"
 description: "The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
 rationale: "If there are no xinetd services required, it is recommended that the daemon be disabled."
@@ -374,7 +374,7 @@ checks:
 ###############################################
 # 2 Special Purpose Services
 ###############################################
- - id: 7529
+ - id: 6525
 title: "Ensure ntp is configured"
 description: "ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at https://tools.ietf.org/html/rfc958. ntp can be configured to be a client and/or a server. This recommendation only applies if ntp is in use on the system."
 rationale: "If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly."
@@ -391,7 +391,7 @@ checks:
 - 'f:/etc/sysconfig/ntp -> r:NTPD_OPTIONS= && r:-u && r:ntp:ntp'
 # 2.2.2 Remove X Windows (Scored)
- - id: 7530
+ - id: 6526
 title: "Ensure X Window System is not installed"
 description: "The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login."
 rationale: "Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface."
@@ -405,7 +405,7 @@ checks:
 - 'c:rpm -qa xorg-x11* -> r:\.'
 # 2.2.3 Disable Avahi Server (Scored)
- - id: 7531
+ - id: 6527
 title: "Ensure Avahi Server is not enabled"
 description: "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
 rationale: "Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface."
@@ -418,7 +418,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:enabled'
- - id: 7532
+ - id: 6528
 title: "Ensure DHCP Server is not enabled"
 description: "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
 rationale: "Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be disabled to reduce the potential attack surface."
@@ -431,7 +431,7 @@ checks:
 - 'c:systemctl is-enabled dhcpd -> r:enabled'
 # 2.2.7 Disable NFS and RPC (Not Scored)
- - id: 7533
+ - id: 6529
 title: "Ensure NFS and RPC are not enabled"
 description: "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network."
 rationale: "If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface."
@@ -445,7 +445,7 @@ checks:
 - 'c:systemctl is-enabled nfs -> r:enabled'
 - 'c:systemctl is-enabled rpcbind -> r:enabled'
- - id: 7534
+ - id: 6530
 title: "Ensure DNS Server is not enabled"
 description: "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
 rationale: "Unless a system is specifically designated to act as a DNS server, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -458,7 +458,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled named -> r:enabled'
- - id: 7535
+ - id: 6531
 title: "Ensure FTP Server is not enabled"
 description: "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
 rationale: "FTP does not protect the confidentiality of data or authentication credentials. It is recommended sftp be used if file transfer is required. Unless there is a need to run the system as a FTP server (for example, to allow anonymous downloads), it is recommended that the service be disabled to reduce the potential attack surface."
@@ -472,7 +472,7 @@ checks:
 - 'c:systemctl is-enabled vsftpd -> r:enabled'
 # 2.2.10 Remove HTTP Server (Not Scored)
- - id: 7536
+ - id: 6532
 title: "Ensure HTTP server is not enabled"
 description: "HTTP or web servers provide the ability to host web site content."
 rationale: "Unless there is a need to run the system as a web server, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -484,7 +484,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled apache2 -> r:enabled'
- - id: 7537
+ - id: 6533
 title: "Ensure IMAP and POP3 server is not enabled"
 description: "dovecot is an open source IMAP and POP3 server for Linux based systems."
 rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the service be disabled to reduce the potential attack surface."
@@ -498,7 +498,7 @@ checks:
 - 'c:systemctl is-enabled dovecot -> r:enabled'
 # 2.2.12 Remove Samba (Not Scored)
- - id: 7538
+ - id: 6534
 title: "Ensure Samba is not enabled"
 description: "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
 rationale: "If there is no need to mount directories and file systems to Windows systems, then this service can be disabled to reduce the potential attack surface."
@@ -511,7 +511,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled smb -> r:enabled'
- - id: 7539
+ - id: 6535
 title: "Ensure HTTP Proxy Server is not enabled"
 description: "Squid is a standard proxy server used in many distributions and environments."
 rationale: "If there is no need for a proxy server, it is recommended that the squid proxy be disabled to reduce the potential attack surface."
@@ -524,7 +524,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled squid -> r:enabled'
- - id: 7540
+ - id: 6536
 title: "Ensure SNMP Server is not enabled"
 description: "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
 rationale: "The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it is recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1."
@@ -537,7 +537,7 @@ checks:
 rules:
 - 'c:systemctl is-enabled snmpd -> r:enabled'
- - id: 7541
+ - id: 6537
 title: "Ensure NIS Server is not enabled"
 description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used"
@@ -552,7 +552,7 @@ checks:
 - 'c:systemctl is-enabled ypserv -> r:enabled'
 # Section 2.3 - Service Clients
- - id: 7542
+ - id: 6538
 title: "Ensure NIS Client is not installed"
 description: "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files."
 rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed."
@@ -573,7 +573,7 @@ checks:
 # 3.1 Modify Network Parameters (Host Only)
 ###############################################
 # 3.1.1 Disable IP Forwarding (Scored)
- - id: 7543
+ - id: 6539
 title: "Ensure IP forwarding is disabled"
 description: "The net.ipv4.ip_forward flag is used to tell the system whether it can forward packets or not."
 rationale: "Setting the flag to 0 ensures that a system with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router."
@@ -588,7 +588,7 @@ checks:
 - 'c:grep -Rh net\.ipv4\.ip_forward /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.ip_forward\s*=\s*0$'
 # 3.1.2 Disable Send Packet Redirects (Scored)
- - id: 7545
+ - id: 6540
 title: "Ensure packet redirect sending is disabled"
 description: "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
 rationale: "An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system."
@@ -608,7 +608,7 @@ checks:
   # 3.2 Modify Network Parameters (Host and Router)
   ###############################################
   # 3.2.1 Disable Source Routed Packet Acceptance (Scored)
-  - id: 7546
+  - id: 6541
     title: "Ensure source routed packets are not accepted"
     description: "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
     rationale: "Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this system was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the system as a way to reach the private address systems. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing."
@@ -625,7 +625,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_source_route /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_source_route\s*=\s*0$'
 
   # 3.2.2 Disable ICMP Redirect Acceptance (Scored)
-  - id: 7547
+  - id: 6542
     title: "Ensure ICMP redirects are not accepted"
     description: "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
     rationale: "Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured."
@@ -642,7 +642,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.accept_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.accept_redirects\s*=\s*0$'
 
   # 3.2.3 Disable Secure ICMP Redirect Acceptance (Scored)
-  - id: 7548
+  - id: 6543
     title: "Ensure secure ICMP redirects are not accepted"
     description: "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."
     rationale: "It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways."
@@ -658,7 +658,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$'
       - 'c:grep -Rh net\.ipv4\.conf\.default\.secure_redirects /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.secure_redirects\s*=\s*0$'
 
-  - id: 7549
+  - id: 6544
     title: "Ensure suspicious packets are logged"
     description: "When enabled, this feature logs packets with un-routable source addresses to the kernel log."
     rationale: "Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system."
@@ -675,7 +675,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.log_martians /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.log_martians\s*=\s*1$'
 
   # 3.2.5 Enable Ignore Broadcast Requests (Scored)
-  - id: 7550
+  - id: 6545
     title: "Ensure broadcast ICMP requests are ignored"
     description: "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses."
     rationale: "Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating) in a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied."
@@ -690,7 +690,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 
   # 3.2.6 Enable Bad Error Message Protection (Scored)
-  - id: 7551
+  - id: 6546
     title: "Ensure bogus ICMP responses are ignored"
     description: "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages."
     rationale: "Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages."
@@ -705,7 +705,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
 
   # 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
-  - id: 7552
+  - id: 6547
     title: "Ensure Reverse Path Filtering is enabled"
     description: "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)."
     rationale: "Setting these flags is a good way to deter attackers from sending your system bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc) on your system. If you are using asymmetrical routing on your system, you will not be able to enable this feature without breaking the routing."
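Review bot: The context line at the top of the `@@ -690` hunk, which is the last rule of the preceding check 6545 ("Ensure broadcast ICMP requests are ignored"), greps `net.ipv4.icmp_ignore_bogus_error_responses`, the same sysctl that check 6546 tests in the `@@ -705` hunk, while check 6545's own description names `net.ipv4.icmp_echo_ignore_broadcasts`; the renumbering leaves this as is, so 6545 appears to pass or fail on the wrong kernel setting. Presumably that rule should read `- 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`. The rest of check 6545's rules block starts outside the hunk, so this is inferred from the one visible rule; worth confirming against the full check before changing it.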
@@ -722,7 +722,7 @@ checks:
       - 'c:grep -Rh net\.ipv4\.conf\.default\.rp_filter /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.conf.default.rp_filter\s*=\s*1$'
 
   # 3.2.8 Enable TCP SYN Cookies (Scored)
-  - id: 7553
+  - id: 6548
     title: "Ensure TCP SYN Cookies is enabled"
     description: "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue."
     rationale: "Attackers use SYN flood attacks to perform a denial of service attacked on a system by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the system to keep accepting valid connections, even if under a denial of service attack."
@@ -743,7 +743,7 @@ checks:
   # 5.2 Configure SSH
   ###############################################
   # 5.2.2 Set SSH Protocol to 2 (Scored)
-  - id: 7554
+  - id: 6549
     title: "Ensure SSH Protocol is set to 2"
     description: "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
     rationale: "SSH v1 suffers from insecurities that do not affect SSH v2."
@@ -759,7 +759,7 @@ checks:
       - 'f:$sshd_file -> !r:^\s*\t*# && r:Protocol\s*\t*2$'
 
   # 5.2.3 Set LogLevel to INFO (Scored)
-  - id: 7555
+  - id: 6550
     title: "Ensure SSH LogLevel is set to INFO"
     description: "The INFO parameter specifies that login and logout activity will be logged."
     rationale: "SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field."
@@ -775,7 +775,7 @@ checks:
       - 'f:$sshd_file -> !r:^\s*\t*# && r:LogLevel\s*\t*INFO'
 
   # 5.2.5 Set SSH MaxAuthTries to 4 or Less (Scored)
-  - id: 7556
+  - id: 6551
     title: "Ensure SSH MaxAuthTries is set to 4 or less"
     description: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
     rationale: "Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. While the recommended setting is 4, set the number based on site policy."
@@ -789,7 +789,7 @@ checks:
       - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
 
   # 5.2.6 Set SSH IgnoreRhosts to Yes (Scored)
-  - id: 7557
+  - id: 6552
     title: "Ensure SSH IgnoreRhosts is enabled"
     description: "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
     rationale: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
@@ -805,7 +805,7 @@ checks:
       - 'f:$sshd_file -> !r:^\s*\t*# && r:IgnoreRhosts\s*\t*yes'
 
   # 5.2.7 Set SSH HostbasedAuthentication to No (Scored)
-  - id: 7558
+  - id: 6553
     title: "Ensure SSH HostbasedAuthentication is disabled"
     description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
     rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection."
@@ -821,7 +821,7 @@ checks:
       - 'f:$sshd_file -> !r:^\s*\t*# && r:HostbasedAuthentication\s*\t*no'
 
   # 5.2.8 Disable SSH Root Login (Scored)
-  - id: 7559
+  - id: 6554
     title: "Ensure SSH root login is disabled"
     description: "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
     rationale: "Disallowing root logins over SSH requires system admins to authenticate using their own individual account, then escalating to root via sudo or su. This in turn limits opportunity for non-repudiation and provides a clear audit trail in the event of a security incident"
@@ -837,7 +837,7 @@ checks:
       - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitRootLogin\s*\t*no'
 
   # 5.2.9 Set SSH PermitEmptyPasswords to No (Scored)
-  - id: 7560
+  - id: 6555
     title: "Ensure SSH PermitEmptyPasswords is disabled"
     description: "The PermitEmptyPasswords parameter specifies if the SSH server allows login to accounts with empty password strings."
     rationale: "Disallowing remote shell access to accounts that have an empty password reduces the probability of unauthorized access to the system"
@@ -859,7 +859,7 @@ checks:
   # 6.2 Review User and Group Settings
   ###############################################
   # 6.2.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
-  - id: 7562
+  - id: 6556
     title: "Ensure root is the only UID 0 account"
     description: "Any account with UID 0 has superuser privileges on the system."
     rationale: "This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 Ensure access to the su command is restricted."
@@ -874,7 +874,7 @@ checks:
     rules:
       - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
 
-  - id: 7561
+  - id: 6557
     title: "Ensure password fields are not empty"
     description: "An account with an empty password field means that anybody may log in as that user without providing a password."
     rationale: "All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user."
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 56b16ef84..e2680c7ad 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -27,7 +27,7 @@ requirements:
 
 checks:
   # 2 Disable Unnecessary Services
-  - id: 11500
+  - id: 7000
     title: "Disable Local-only Graphical Login Environment"
     description: "The graphical login service provides the capability of logging into the system using an X- windows type interface from the console. If graphical login access for the console is required, leave the service in local-only mode."
     rationale: "This service should be disabled if it is not required."
@@ -39,7 +39,7 @@ checks:
       - 'p:gdm'
       - 'p:cde'
 
-  - id: 11501
+  - id: 7001
     title: "Configure sendmail Service for Local-Only Mode"
     description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it."
     rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
@@ -50,7 +50,7 @@ checks:
     rules:
       - 'c:netstat -an -> r:.25\s*\t* && !r:127.0.0.1.25|::1'
 
-  - id: 11502
+  - id: 7002
     title: "Disable RPC Encryption Key"
     description: "The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)"
     rationale: "This service should be disabled if it is not required."
@@ -61,7 +61,7 @@ checks:
     rules:
       - 'p:keyserv'
 
-  - id: 11503
+  - id: 7003
     title: "Disable NIS Server Services"
     description: "The NIS server software is not installed by default and is only required on systems that are acting as an NIS server for the local site. Typically there are only a small number of NIS servers on any given network. These services are disabled by default unless the system has been previously configured to act as a NIS server."
     rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based services, this service should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
@@ -77,7 +77,7 @@ checks:
       - 'p:rpc.ypupdated'
       - 'f:/etc/init.d/nis'
 
-  - id: 11504
+  - id: 7004
     title: "Disable NIS Client Services"
     description: "If the local site is not using the NIS naming service to distribute system and user configuration information, this service may be disabled. This service is disabled by default unless the NIS service has been installed and configured on the system."
     rationale: "As RPC-based services such as NIS may use non-secure authentication and share sensitive network object information with systems and applications using RPC-based service, NIS client daemons should be disabled. Users are encouraged to use LDAP as a name service in place of NIS."
@@ -93,7 +93,7 @@ checks:
       - 'p:rpc.ypupdated'
       - 'f:/etc/init.d/nis'
 
-  - id: 11505
+  - id: 7005
     title: "Disable Kerberos TGT Expiration Warning"
     description: "The Kerberos TGT warning service is used to warn users when their Kerberos tickets are about expire or to renew those tickets before they expire. This service is not used if Kerberos has not been configured. This service is configured to be \"local only\" by default."
     rationale: "This service should be disabled if it is not required."
@@ -104,7 +104,7 @@ checks:
     rules:
       - 'p:ktkt_warnd'
 
-  - id: 11506
+  - id: 7006
     title: "Disable Generic Security Services (GSS)"
     description: "The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes."
     rationale: "GSS does not expose anything external to the system as it is configured to use TLI (protocol = ticotsord) by default. This service should be disabled if it is not required."
@@ -115,7 +115,7 @@ checks:
     rules:
       - 'p:gssd'
 
-  - id: 11507
+  - id: 7007
     title: "Disable Removable Volume Manager"
     description: "The HAL-aware removable volume manager in the Solaris 11 OS automatically mounts external devices for users whenever the device is attached to the system. These devices include CD-R, CD-RW, floppies, DVD, USB and 1394 mass storage devices. See the rmvolmgr(1M) manual page for more details."
     rationale: "Allowing users to mount and access data from removable media devices makes it easier for malicious programs and data to be imported onto the network. It also introduces the risk that sensitive data may be transferred off the system without a log record. By adding rmvolmgr to the .xinitrc file, user-isolated instances of rmvolmgr can be run via a session startup script. In such cases, the rmvolmgr instance will not allow management of volumes that belong to other than the owner of the startup script. When a user logs onto the workstation console (/dev/console), any instance of user-initiated rmvolmgr will only own locally connected devices, such as CD-ROMs or flash memory hardware, locally connected to USB or FireWire ports."
@@ -126,7 +126,7 @@ checks:
     rules:
       - 'p:smserverd'
 
-  - id: 11508
+  - id: 7008
     title: "Disable automount Service"
     description: "The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration."
     rationale: "This service should be disabled if it is not required."
@@ -137,7 +137,7 @@ checks:
     rules:
       - 'p:automountd'
 
-  - id: 11509
+  - id: 7009
     title: "Disable Apache Service"
     description: "The Apache service provides an instance of the Apache web server."
     rationale: "This service should be disabled if it is not required."
@@ -151,7 +151,7 @@ checks:
       - 'p:apache'
       - 'p:httpd'
 
-  - id: 11510
+  - id: 7010
     title: "Disable Local-only RPC Port Mapping Service"
     description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only."
     rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
@@ -162,7 +162,7 @@ checks:
     rules:
       - 'p:rpcbind'
 
-  - id: 11511
+  - id: 7011
     title: "Configure TCP Wrappers"
     description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections."
     rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
@@ -177,7 +177,7 @@ checks:
       - 'f:/etc/hosts.allow'
       - 'f:/etc/hosts.deny'
 
-  - id: 11512
+  - id: 7012
     title: "Disable Telnet Service"
     description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access."
     rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
@@ -189,7 +189,7 @@ checks:
       - 'p:telnet'
 
   # 3 Kernel Tuning
-  - id: 11513
+  - id: 7013
     title: "Restrict Core Dumps to Protected Directory"
     description: "The action described in this section creates a protected directory to store core dumps and also causes the system to create a log entry whenever a regular process dumps core."
     rationale: "Core dumps, particularly those from set-UID and set-GID processes, may contain sensitive data."
@@ -209,7 +209,7 @@ checks:
       - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\pno'
       - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\pyes'
 
-  - id: 11514
+  - id: 7014
     title: "Enable Stack Protection"
     description: "Buffer overflow exploits have been the basis for many highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system attackers exploit well-known buffer overflow problems in vendor- supplied and third party software."
     rationale: "Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement. However, this does not protect against buffer overflow attacks that do not execute code on the stack (such as return-to-libc exploits). While most of the Solaris OS is already configured to employ a non-executable stack, this setting is still recommended to provide a more comprehensive solution for both Solaris and other software that may be installed."
@@ -222,7 +222,7 @@ checks:
       - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\p1'
       - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\p1'
 
-  - id: 11515
+  - id: 7015
     title: "Enable Strong TCP Sequence Number Generation"
     description: "The variable TCP_STRONG_ISS defines the mechanism used for TCP initial sequence number generation. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session."
     rationale: "The RFC 1948 method is widely accepted as the strongest mechanism for TCP packet generation. This makes remote session hijacking attacks more difficult, as well as any other network-based attack that relies on predicting TCP sequence number information. It is theoretically possible that there may be a small performance hit in connection setup time when this setting is used, but there are no publicly available benchmarks that establish this."
@@ -234,7 +234,7 @@ checks:
       - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2'
 
   # 4 Auditing and Logging
-  - id: 11516
+  - id: 7016
     title: "Create CIS Audit Class"
     description: "To group a set of related audit events, the Solaris Audit service provides the ability for sites to define their own audit classes that contain just those events that the site wants to audit."
     rationale: "To simplify administration, a CIS specific audit class should be created."
@@ -245,7 +245,7 @@ checks:
     rules:
       - 'f:/etc/security/audit_class -> 0x0100000000000000:cis:CIS Solaris Benchmark'
 
-  - id: 11517
+  - id: 7017
     title: "Enable Auditing of Incoming Network Connections"
     description: "The Solaris Audit service can be configured to record incoming network connections to any listening service running on the system."
     rationale: "This recommendation will provide an audit trail that contains information related to incoming network connections. While this functionality can be enabled using service- specific mechanisms, using the Solaris Audit service provides a more centralized and complete window into incoming network activity."
@@ -260,7 +260,7 @@ checks:
       - 'f:/etc/security/audit_event -> r:^\d+:AUE_SOCKCONNECT:\.+cis\.*'
       - 'f:/etc/security/audit_event -> r:^\d+:AUE_inetd_connect:\.+cis\.*'
 
-  - id: 11518
+  - id: 7018
     title: "Enable Auditing of File Metadata Modification Events"
     description: "The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed."
     rationale: "This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
@@ -277,7 +277,7 @@ checks:
       - 'f:/etc/security/audit_event -> r:^\d+:AUE_ACLSET:\.+cis\.*'
       - 'f:/etc/security/audit_event -> r:^\d+:AUE_FACLSET:\.+cis\.*'
 
-  - id: 11519
+  - id: 7019
     title: "Enable Auditing of Process and Privilege Events"
     description: "The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2)."
     rationale: "This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these."
@@ -301,7 +301,7 @@ checks:
       - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETSID:\.+cis\.*'
       - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPGID:\.+cis\.*'
 
-  - id: 11520
+  - id: 7020
     title: "Configure Solaris Auditing"
     description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)."
     rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
@@ -319,7 +319,7 @@ checks:
       - 'd:/var/spool/cron/crontabs -> r:/usr/sbin/audit -n'
 
   # 5 File/Directory Permissions/Access
-  - id: 11521
+  - id: 7021
     title: "Default Service File Creation Mask"
     description: "The default system file creation mask applies to processes that are started by init - including most system services. To ensure that files are not created with write access to anyone other than their owner, the default file creation mask should be set to 022. Some sites with more stringent security requirements may prefer to set this value to 077 to eliminate all permissions for group and world. Note that changing this value from the Solaris default of 022 may negatively impact services that may not be able to operate with a stricter setting."
     rationale: "The default file creation mask should be set to 022 to avoid unnecessarily giving files write access to group or world."
@@ -331,7 +331,7 @@ checks:
       - 'c:svcprop -p umask/umask svc:/system/environment:init -> 022'
 
   # 6 System Access, Authentication, and Authorization
-  - id: 11522
+  - id: 7022
     title: "Disable \"nobody\" Access for RPC Encryption Key Storage Service"
     description: "This action listed prevents keyserv from using default keys for the nobody user, effectively stopping the nobody user from accessing information via Secure RPC."
     rationale: "If login by the user nobody is allowed for secure RPC, there is an increased risk of system compromise. If keyserv holds a private key for the nobody user, it will be used by key_encryptsession to compute a magic phrase which can be easily recovered by a malicious user."
@@ -343,7 +343,7 @@ checks:
       - 'f:/etc/default/keyserv'
       - 'f:/etc/default/keyserv -> r:^ENABLE\sNOBODY\sKEYS\pNO'
 
-  - id: 11523
+  - id: 7023
     title: "Disable X11 Forwarding for SSH"
     description: "The 'X11 Forwarding' parameter defined within the /etc/ssh/sshd_config file specifies whether or not X11 Forwarding via SSH is enabled on the server: The Secure Shell service provides an encrypted 'tunnel' for the data traffic passing through it. While commonly used to substitute for clear-text, CLI-based remote connections such as telnet, Secure Shell can be used to forward an 'X Window' session through the encrypted tunnel, allowing the remote user to have a GUI interface."
     rationale: "As enabling X11Forwarding on the host can permit a malicious user to secretly open another X11 connection to another remote client during the session and perform unobtrusive activities such as keystroke monitoring, if the X11 services are not required for the system's intended function, it should be disabled or restricted as appropriate to the user's needs."
@@ -354,7 +354,7 @@ checks:
     rules:
       - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes'
 
-  - id: 11524
+  - id: 7024
     title: "Limit Consecutive Login Attempts for SSH"
     description: "The 'MaxAuthTries' parameter in the /etc/ssh/sshd_config file specifies the maximum number of authentication attempts permitted per connection. By restricting the number of failed authentication attempts before the server terminates the connection, malicious users are blocked from gaining access to the host by using repetitive brute-force login exploits."
     rationale: "By setting the authentication login limit to a low value this will disconnect the attacker and force a reconnect, which severely limits the speed of such brute force attacks."
@@ -365,7 +365,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4'
- - id: 11525
+ - id: 7025
 title: "Disable Rhost-based Authentication for SSH"
 description: "The IgnoreRhosts parameter specifies that existing .rhosts and .shosts files, which may apply to application rather than user logins, will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
 rationale: "Setting this parameter forces users to enter a password when authenticating with SSH."
@@ -376,7 +376,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no'
- - id: 11526
+ - id: 7026
 title: "Disable root login for SSH"
 description: "The PermitRootLogin value (in /etc/ssh/sshd_config) allows for direct root login by a remote user/application to resources on the local host."
 rationale: "By default, it is not possible for the root account to log directly into the system console because the account is configured as a role. This setting therefore does not significantly alter the security posture of the system unless the root account is changed from this default and configured to be a normal user."
@@ -387,7 +387,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no'
- - id: 11527
+ - id: 7027
 title: "Blocking Authentication Using Empty/Null Passwords for SSH"
 description: "The PermitEmptyPasswords value allows for direct login through SSH without a password by a remote user/application to resources on the local host in the same way a standard remote login would."
 rationale: "Permitting login without a password is inherently risky."
@@ -398,7 +398,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes'
- - id: 11528
+ - id: 7028
 title: "Disable Host-based Authentication for Login-based Services"
 description: "The .rhosts files are used for automatic login to remote hosts and contain username and hostname combinations. The .rhosts files are unencrypted (usually group- or world- readable) and present a serious risk in that a malicious user could use the information within to gain access to a remote host with the privileges of the original application or user."
 rationale: "The use of .rhosts authentication is an old and insecure protocol and can be replaced with public-key authentication using Secure Shell. As automatic authentication settings in the .rhosts files can provide a malicious user with sensitive system credentials, the use of .rhosts files should be disabled. It should be noted that by default the Solaris services that use this file, including rsh and rlogin, are disabled by default."
@@ -410,7 +410,7 @@ checks:
 - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
 - 'f:/etc/pam.conf -> r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
- - id: 11529
+ - id: 7029
 title: "Restrict FTP Use"
 description: "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP."
 rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
@@ -440,7 +440,7 @@ checks:
 - 'f:/etc/ftpd/ftpusers -> r:^nobody4'
 - 'f:/etc/ftpd/ftpusers -> r:^noaccess'
- - id: 11530
+ - id: 7030
 title: "Set Delay between Failed Login Attempts to 4"
 description: "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the \"login incorrect\" message when a bad password is provided."
 rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
@@ -451,7 +451,7 @@ checks:
 rules:
 - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4'
- - id: 11531
+ - id: 7031
 title: "Remove Autologin Capabilities from the GNOME desktop"
 description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password."
 rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)."
@@ -462,7 +462,7 @@ checks:
 rules:
 - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin'
- - id: 11532
+ - id: 7032
 title: "Set Default Screen Lock for GNOME Users"
 description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment."
 rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user."
@@ -476,7 +476,7 @@ checks:
 - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*0:00:00'
 - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true'
- - id: 11533
+ - id: 7033
 title: "Restrict at/cron to Authorized Users"
 description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals."
 rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
@@ -492,7 +492,7 @@ checks:
 - 'f:/etc/cron.d/at.allow'
 - 'not f:/etc/cron.d/at.allow -> !r:^# && r:\w'
- - id: 11534
+ - id: 7034
 title: "Restrict root Login to System Console"
 description: "Privileged access to the system via root must be accountable to a particular user."
 rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems."
@@ -503,7 +503,7 @@ checks:
 rules:
 - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console'
- - id: 11535
+ - id: 7035
 title: "Set Retry Limit for Account Lockout"
 description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name."
 rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
@@ -515,7 +515,7 @@ checks:
 - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3'
 - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\pyes'
- - id: 11536
+ - id: 7036
 title: "Secure the GRUB Menu (Intel)"
 description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console."
 rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password."
@@ -528,7 +528,7 @@ checks:
 - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5'
 # 7 User Accounts and Environment
- - id: 11537
+ - id: 7037
 title: "Set Password Expiration Parameters on Active Accounts"
 description: "The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password."
 rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)."
@@ -541,7 +541,7 @@ checks:
 - 'f:/etc/default/passwd -> r:^minweeks\p1'
 - 'f:/etc/default/passwd -> !r:^warnweeks\p4'
- - id: 11538
+ - id: 7038
 title: "Set Strong Password Creation Policies"
 description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user."
 rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
@@ -563,7 +563,7 @@ checks:
 - 'f:/etc/default/passwd -> r:^dictiondbdir\p/var/passwd'
 - 'f:/etc/default/passwd -> r:^dictionlist\p/usr/share/lib/dict/words'
- - id: 11539
+ - id: 7039
 title: "Set Default umask for users"
 description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
 rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system."
@@ -574,7 +574,7 @@ checks:
 rules:
 - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077'
- - id: 11540
+ - id: 7040
 title: "Set Default File Creation Mask for FTP Users"
 description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server."
 rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask."
@@ -585,7 +585,7 @@ checks:
 rules:
 - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027'
- - id: 11541
+ - id: 7041
 title: "Set \"mesg n\" as Default for All Users"
 description: "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device."
 rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality."
@@ -598,7 +598,7 @@ checks:
 - 'f:/etc/profile -> !r:^mesg\s*n'
 # 8 Warning Banners
- - id: 11542
+ - id: 7042
 title: "Create Warnings for Standard Login Services"
 description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices and also prior to logins via telnet and Secure Shell. The contents of the /etc/motd file are generally displayed after all successful logins, regardless from where the user is logging in."
 rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only."
@@ -610,7 +610,7 @@ checks:
 - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
 - 'f:/etc/motd -> r:Authorized users only. All activity may be monitored and reported'
- - id: 11543
+ - id: 7043
 title: "Enable a Warning Banner for the SSH Service"
 description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution."
 remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh"
@@ -620,7 +620,7 @@ checks:
 rules:
 - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
- - id: 11544
+ - id: 7044
 title: "Enable a Warning Banner for the GNOME Service"
 description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific."
 rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
@@ -632,7 +632,7 @@ checks:
 - 'f:/etc/gdm/Init/Default'
 - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.'
- - id: 11545
+ - id: 7045
 title: "Enable a Warning Banner for the FTP service"
 description: "The action for this item sets a warning message for FTP users before they log in."
 rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording."
@@ -643,7 +643,7 @@ checks:
 rules:
 - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue'
- - id: 11546
+ - id: 7046
 title: "Check that the Banner Setting for telnet is Null"
 description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system."
 rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
@@ -655,7 +655,7 @@ checks:
 - 'f:/etc/default/telnetd -> r:BANNER=$'
 # 9 System Maintenance
- - id: 11547
+ - id: 7047
 title: "Verify System Account Default Passwords"
 description: "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts."
 rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled."
@@ -693,7 +693,7 @@ checks:
 - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:'
 - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:'
- - id: 11548
+ - id: 7048
 title: "Ensure Password Fields are Not Empty"
 description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)."
 rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked."
@@ -704,7 +704,7 @@ checks:
 rules:
 - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
- - id: 11549
+ - id: 7049
 title: "Verify No UID 0 Accounts Exist Other than root"
 description: "Any account with UID 0 has superuser rights on the system."
 rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC."
@@ -715,7 +715,7 @@ checks:
 rules:
 - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
- - id: 11550
+ - id: 7050
 title: "Ensure root PATH Integrity"
 description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly."
 rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program."
@@ -740,7 +740,7 @@ checks:
 - 'f:/.bash_profile -> r::$'
 - 'f:/.bashrc -> r::$'
- - id: 11552
+ - id: 7051
 title: "Check That Users Are Assigned Home Directories"
 description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set."
 rationale: "All users must be assigned a home directory in passwd(4)."
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 6c7e25b19..9883a0415 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -27,7 +27,7 @@ requirements:
 checks:
 # 2.3 Security Options
- - id: 12000
+ - id: 13000
 title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
 description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
@@ -41,7 +41,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> r:^3$'
- - id: 12001
+ - id: 13001
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
@@ -55,7 +55,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
- - id: 12002
+ - id: 13002
 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts.
The recommended state for this setting is: Disabled."
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
@@ -69,7 +69,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
- - id: 12003
+ - id: 13003
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
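Review bot: The `description` of check 13002 ("Ensure 'Audit: Force audit policy subcategory settings ... to override audit policy category settings' is set to 'Enabled'") is the text of the shut-down-on-audit-failure setting: it describes halting the system when Security events cannot be logged and ends with `The recommended state for this setting is: Disabled.`, which contradicts both the title's `'Enabled'` and the `SCENoApplyLegacyAuditPolicy -> 1` rule in the next hunk; the `rationale` line repeats the shutdown wording as well. The same paragraph appears verbatim under check 13003, where it belongs. Replace the 13002 description and rationale with text that explains what subcategory-level audit policy override does and why enforcing it prevents legacy category-level settings from silently overriding the more granular policy, ending with "The recommended state for this setting is: Enabled." The check's remaining keys sit between the two hunks, outside this one.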
@@ -83,7 +83,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
- - id: 12004
+ - id: 13004
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users."
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
@@ -96,7 +96,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
- - id: 12005
+ - id: 13005
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -110,7 +110,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
- - id: 12006
+ - id: 13006
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -124,7 +124,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
- - id: 12007
+ - id: 13007
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -138,7 +138,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
- - id: 12008
+ - id: 13008
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled"
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
@@ -152,7 +152,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
- - id: 12009
+ - id: 13009
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
@@ -166,7 +166,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
- - id: 12010
+ - id: 13010
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
@@ -180,7 +180,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
- - id: 12011
+ - id: 13011
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
 description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit"
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
@@ -195,7 +195,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
- - id: 12012
+ - id: 13012
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
 rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
@@ -209,7 +209,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14'
- - id: 12013
+ - id: 13013
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
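Review bot: The PasswordExpiryWarning rule in this hunk's context uses `compare => 5`, which does not match the operator form used by every other numeric rule in this file (`<=`, `>=`, `!=`); if the SCA engine does not recognise `=>` the lower bound of the 5–14 day window is silently never enforced, so a value of 0 or 1 would pass as compliant. The commit only renumbers the id, so this is pre-existing rather than introduced here, but it is worth fixing in the same pass. Suggested line: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'`. The check this rule belongs to (13012) has its header in the previous hunk, so its `condition` is not visible here.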
@@ -223,7 +223,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
- - id: 12014
+ - id: 13014
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \"Microsoft network client and server: Digitally sign communications (four related settings)\" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
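Review bot: The ScRemoveOption rule at the top of this hunk accepts only `r:^1$|^2$`, but the description of the check it belongs to (13013, header in the previous hunk) says that "Disconnect if a Remote Desktop Services session" also conforms to the benchmark; if that option is stored as ScRemoveOption value 3, as Microsoft's documentation for this policy indicates, a host configured with the strictest conforming value would be reported as failing. Suggested line: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'`. Please confirm the value mapping against the policy before widening the regex. The id renumber itself is fine.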
@@ -237,7 +237,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
- - id: 12015
+ - id: 13015
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -251,7 +251,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
- - id: 12016
+ - id: 13016
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
 description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
@@ -265,7 +265,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
- - id: 12017
+ - id: 13017
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
@@ -279,7 +279,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
- - id: 12018
+ - id: 13018
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
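Review bot: The AutoDisconnect rule at the top of this hunk, `n:^(\d+) compare <= 15`, accepts a value of 0, yet the description of the check it belongs to (13017, header in the previous hunk) states the recommended state is "15 or fewer minute(s), but not 0" and that 0 "appears to allow sessions to persist indefinitely", so an idle-session limit that is effectively disabled is reported as compliant. The machine-inactivity check 13011 earlier in this file handles the same case with an explicit exclusion rule, and this check should mirror it: `- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'`. That only works if 13017's `condition` is `all`, which is not visible in this hunk; please confirm. The title could also gain "but not 0" to match the description.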
@@ -293,7 +293,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
- - id: 12019
+ - id: 13019
 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -307,7 +307,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
- - id: 12020
+ - id: 13020
 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
 description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
@@ -321,7 +321,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
- - id: 12021
+ - id: 13021
 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
 description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark."
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
@@ -335,7 +335,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
- - id: 12022
+ - id: 13022
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
@@ -349,7 +349,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
- - id: 12023
+ - id: 13023
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers"
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
@@ -363,7 +363,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
- - id: 12024
+ - id: 13024
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
@@ -377,7 +377,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
- - id: 12025
+ - id: 13025
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
@@ -391,7 +391,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
- - id: 12026
+ - id: 13026
 title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)."
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
@@ -405,7 +405,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None'
- - id: 12027
+ - id: 13027
 title: "Ensure 'Network access: Remotely accessible registry paths'"
 description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)."
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
@@ -419,7 +419,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion'
- - id: 12028
+ - id: 13028
 title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'"
 description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value.
The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog"
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
@@ -433,7 +433,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog'
- - id: 12029
+ - id: 13029
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
 description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled"
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
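Review bot: The AllowedPaths rule at the top of this hunk contains a stray `|` between `Software\\Microsoft\\OLAP Server` and `Software\\Microsoft\\Windows NT\\CurrentVersion\\Print`, which turns the pattern into a regex alternation: the check passes if the value matches either the first three entries or the remaining eight, rather than the full recommended list, and neither half is anchored, so a machine exposing only a subset of the benchmark's paths (or a superset) is reported as compliant. The recommended-state text for this check (13028, in the previous hunk) and the sibling AllowedExactPaths rule both separate entries with a plain space, so the `|` looks like a typo; the minimal fix is to replace `OLAP Server|Software` with `OLAP Server Software` in that line. Whether space-separated entries are the right delimiter at all depends on how the agent renders a line-feed delimited REG_MULTI_SZ, which is not visible here and worth verifying on a real host. The id renumber is fine.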
@@ -447,7 +447,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
- - id: 12030
+ - id: 13030
 title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'"
 description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy."
 rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
@@ -461,7 +461,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
- - id: 12031
+ - id: 13031
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data"
@@ -475,7 +475,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None'
- - id: 12032
+ - id: 13032
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
@@ -489,7 +489,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
- - id: 12033
+ - id: 13033
 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
 description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
@@ -503,7 +503,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
- - id: 12034
+ - id: 13034
 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
 description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled"
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
@@ -517,7 +517,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
- - id: 12035
+ - id: 13035
 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
 description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
@@ -531,7 +531,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
- - id: 12036
+ - id: 13036
 title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
 description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting"
 rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
@@ -545,7 +545,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
- - id: 12037
+ - id: 13037
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
 description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled"
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
@@ -559,7 +559,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
- - id: 12038
+ - id: 13038
 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
 description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
@@ -572,7 +572,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
- - id: 12039
+ - id: 13039
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
 description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM"
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). 
The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." 
@@ -586,7 +586,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
- - id: 12040
+ - id: 13040
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
@@ -600,7 +600,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
- - id: 12041
+ - id: 13041
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
@@ -614,7 +614,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
- - id: 12042
+ - id: 13042
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
@@ -628,7 +628,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
- - id: 12043
+ - id: 13043
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available"
@@ -641,7 +641,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
- - id: 12044
+ - id: 13044
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
 description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
@@ -655,7 +655,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
- - id: 12045
+ - id: 13045
 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
 description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
@@ -669,7 +669,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
- - id: 12046
+ - id: 13046
 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
 description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
@@ -683,7 +683,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
- - id: 12047
+ - id: 13047
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
 description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
@@ -697,7 +697,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
- - id: 12048
+ - id: 13048
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
 description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
@@ -711,7 +711,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
- - id: 12049
+ - id: 13049
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
@@ -725,7 +725,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
- - id: 12050
+ - id: 13050
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
 description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
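Review bot: The two rule lines at the top of this hunk query `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while every sibling UAC check in the surrounding hunks (FilterAdministratorToken, EnableUIADesktopToggle, EnableSecureUIAPaths, EnableLUA) reads `HKEY_LOCAL_MACHINE\Software\...`. `MACHINE\Software` is the security-template spelling of HKLM, so the extra `\MACHINE` component looks like a leftover from that notation rather than a real key; with it in place the rules for check 13049 can never observe the actual EnableInstallerDetection value, and whether that surfaces as a permanent fail or a permanent pass depends on the check's `condition`, which lies outside this hunk. The renumbering is a good moment to fix it: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'` and `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'`.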
@@ -739,7 +739,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
- - id: 12051
+ - id: 13051
 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
 description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
@@ -753,7 +753,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
- - id: 12052
+ - id: 13052
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
 description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
@@ -767,7 +767,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
- - id: 12053
+ - id: 13053
 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
 description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled."
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
@@ -781,7 +781,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
 # 5 System Services
- - id: 12054
+ - id: 13054
 title: "Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'"
 description: "Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. The recommended state for this setting is: Disabled or Not Installed. Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS File Sharing Support optional feature. As a result, removing that feature (highly recommended unless backward compatibility is needed to XP/2003 and older Windows OSes - see Stop using SMB1 | Storage at Microsoft) will also remediate this recommendation. The feature is not installed by default starting with Windows 10 R1709."
 rationale: "This is a legacy service - its sole purpose is to maintain a list of computers and their network shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it generates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \"master browser\". This noisy traffic could also aid malicious attackers in discovering online machines, because the service also allows anyone to \"browse\" for shared resources without any authentication. This service used to be running by default in older Windows versions (e.g. Windows XP), but today it only remains for backward compatibility for very old software that requires it."
@@ -794,7 +794,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser -> Start -> 4'
- - id: 12055
+ - id: 13055
 title: "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
 description: "Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
@@ -807,7 +807,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN -> Start -> 4'
- - id: 12056
+ - id: 13056
 title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'"
 description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled"
 rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared."
@@ -821,7 +821,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
- - id: 12057
+ - id: 13057
 title: "Ensure 'Internet Connection Sharing (ICS) (SharedAccess) ' is set to 'Disabled'"
 description: "Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. The recommended state for this setting is: Disabled."
 rationale: "Internet Connection Sharing (ICS) is a feature that allows someone to \"share\" their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system."
@@ -835,7 +835,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
- - id: 12058
+ - id: 13058
 title: "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'"
 description: "The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux)."
 rationale: "The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows."
@@ -848,7 +848,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager -> Start -> 4'
- - id: 12059
+ - id: 13059
 title: "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'"
 description: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
 rationale: "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. Note: This security concern applies to any FTP server application installed on a workstation, not just IIS."
@@ -861,7 +861,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC -> Start -> 4'
- - id: 12060
+ - id: 13060
 title: "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'"
 description: "In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. The recommended state for this setting is: Disabled."
 rationale: "This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it."
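Review bot: The description of check 13059 (Microsoft FTP Service) in the first hunk ends with the Group Policy UI path `Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager`, which is the path of the preceding LxssManager check, and it reads as remediation text rather than a description of the service. This looks like a copy-paste carry-over and would point an operator at the wrong service entry when remediating. Suggest replacing the trailing path with the FTP service's own System Services entry, e.g. `...\\System Services\\Microsoft FTP Service`, after confirming the exact name against the benchmark text, and moving that sentence into the check's remediation field if one exists outside the hunk. The rest of check 13059 (rules, compliance) is outside this hunk.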
@@ -875,7 +875,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
- - id: 12061
+ - id: 13061
 title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'"
 description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled."
 rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment."
@@ -889,7 +889,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
- - id: 12062
+ - id: 13062
 title: "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'"
 description: "Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc))."
 rationale: "The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack."
@@ -902,7 +902,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp -> Start -> 4'
- - id: 12063
+ - id: 13063
 title: "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'"
 description: "Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. The recommended state for this setting is: Disabled."
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
@@ -916,7 +916,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
- - id: 12064
+ - id: 13064
 title: "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'"
 description: "Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled."
 rationale: "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment."
@@ -930,7 +930,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
- - id: 12065
+ - id: 13065
 title: "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'"
 description: "The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service)."
 rationale: "Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly."
@@ -943,7 +943,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc -> Start -> 4'
- - id: 12066
+ - id: 13066
 title: "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'"
 description: "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed"
 rationale: "Network sharing of media from Media Player has no place in an enterprise managed environment."
@@ -956,7 +956,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc -> Start -> 4'
- - id: 12067
+ - id: 13067
 title: "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'"
 description: "Provides the ability to share a cellular data connection with another device. The recommended state for this setting is: Disabled."
 rationale: "The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers."
@@ -970,7 +970,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
- - id: 12068
+ - id: 13068
 title: "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'"
 description: "Provides Web connectivity and administration through the Internet Information Services Manager. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: An organization may choose to selectively grant exceptions to web developers to allow IIS (or another web server) on their workstation, in order for them to locally test & develop web pages. However, the organization should track those machines and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise."
 rationale: "Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS."
@@ -983,7 +983,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC -> Start -> 4'
- - id: 12069
+ - id: 13069
 title: "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'"
 description: "This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled."
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
@@ -997,7 +997,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
- - id: 12070
+ - id: 13070
 title: "Ensure 'Xbox Game Monitoring (xbgm)' is set to 'Disabled'"
 description: "This service supports Xbox Game Monitoring. The recommended state for this setting is: Disabled."
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
@@ -1011,7 +1011,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4'
- - id: 12071
+ - id: 13071
 title: "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'"
 description: "Provides authentication and authorization services for interacting with Xbox Live. The recommended state for this setting is: Disabled."
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
@@ -1025,7 +1025,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
- - id: 12072
+ - id: 13072
 title: "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'"
 description: "This service syncs save data for Xbox Live save enabled games. The recommended state for this setting is: Disabled."
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
@@ -1039,7 +1039,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
- - id: 12073
+ - id: 13073
 title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'"
 description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled"
 rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)."
@@ -1054,7 +1054,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
 # 9 Windows Firewall with Advanced Security
- - id: 12074
+ - id: 13074
 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
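Review bot: The rule carried as context at the top of the second hunk reads `Services\XboxNetApiSvce -> Start -> 4`, while the title of the same check (13073, in the first hunk) names the service `XboxNetApiSvc`; the trailing `e` looks like a typo. If so, the rule queries a registry key that does not exist, so the check can never observe the real start type of the Xbox Live Networking Service and its result does not reflect the host's state. Suggest `- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc -> Start -> 4'`, after confirming the service name on a reference host. The remaining rules and the condition of check 13073 sit between the two hunks, outside this view.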
@@ -1068,7 +1068,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
- - id: 12075
+ - id: 13075
 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1082,7 +1082,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
- - id: 12076
+ - id: 13076
 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -1096,7 +1096,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
- - id: 12077
+ - id: 13077
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
@@ -1109,7 +1109,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
- - id: 12078
+ - id: 13078
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log"
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1123,7 +1123,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'
- - id: 12079
+ - id: 13079
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1137,7 +1137,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 12080
+ - id: 13080
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1151,7 +1151,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
- - id: 12081
+ - id: 13081
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1165,7 +1165,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
- - id: 12082
+ - id: 13082
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1179,7 +1179,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
- - id: 12083
+ - id: 13083
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1193,7 +1193,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
- - id: 12084
+ - id: 13084
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -1207,7 +1207,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
- - id: 12085
+ - id: 13085
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
@@ -1220,7 +1220,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
- - id: 12086
+ - id: 13086
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1234,7 +1234,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
- - id: 12087
+ - id: 13087
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1248,7 +1248,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 12088
+ - id: 13088
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1262,7 +1262,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
- - id: 12089
+ - id: 13089
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1276,7 +1276,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
- - id: 12090
+ - id: 13090
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service"
@@ -1290,7 +1290,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
- - id: 12091
+ - id: 13091
 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1304,7 +1304,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
- - id: 12092
+ - id: 13092
 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -1318,7 +1318,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
- - id: 12093
+ - id: 13093
 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No"
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
@@ -1331,7 +1331,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
- - id: 12094
+ - id: 13094
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
@@ -1345,7 +1345,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
- - id: 12095
+ - id: 13095
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack"
@@ -1359,7 +1359,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
- - id: 12096
+ - id: 13096
 title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1373,7 +1373,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
- - id: 12097
+ - id: 13097
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1387,7 +1387,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 12098
+ - id: 13098
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1401,7 +1401,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
- - id: 12099
+ - id: 13099
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1416,7 +1416,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # 18 Administrative templates (Computer)
- - id: 12100
+ - id: 13100
 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
 description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
@@ -1429,7 +1429,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
- - id: 12101
+ - id: 13101
 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
 description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled"
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
@@ -1442,7 +1442,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
- - id: 12102
+ - id: 13102
 title: "Ensure 'Allow input personalization' is set to 'Disabled'"
 description: "This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled."
 rationale: "If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft."
@@ -1456,7 +1456,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
- - id: 12103
+ - id: 13103
 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them.
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1470,7 +1470,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll'
- - id: 12104
+ - id: 13104
 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1484,7 +1484,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
- - id: 12105
+ - id: 13105
 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them.
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1498,7 +1498,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
- - id: 12106
+ - id: 13106
 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1512,7 +1512,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
- - id: 12107
+ - id: 13107
 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them.
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1526,7 +1526,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
- - id: 12108
+ - id: 13108
 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them.
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
@@ -1540,7 +1540,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
- - id: 12109
+ - id: 13109
 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
 description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1."
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk."
@@ -1554,7 +1554,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
- - id: 12110
+ - id: 13110
 title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
 description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems"
 rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
@@ -1568,7 +1568,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
- - id: 12111
+ - id: 13111
 title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
 description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled."
 rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3."
@@ -1582,7 +1582,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
- - id: 12112
+ - id: 13112
 title: "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'"
 description: "Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled."
 rationale: "This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option."
@@ -1596,7 +1596,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
- - id: 12113
+ - id: 13113
 title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'"
 description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware."
 rationale: "This opt-in feature is free and could prevent malicious software from being installed."
@@ -1610,7 +1610,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1'
- - id: 12114
+ - id: 13114
 title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
 description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server."
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
@@ -1624,7 +1624,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
- - id: 12115
+ - id: 13115
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
 description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
@@ -1638,7 +1638,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- - id: 12116
+ - id: 13116
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes"
@@ -1652,7 +1652,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
- - id: 12117
+ - id: 13117
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
@@ -1666,7 +1666,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
- - id: 12118
+ - id: 13118
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
@@ -1680,7 +1680,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
- - id: 12119
+ - id: 13119
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
@@ -1694,7 +1694,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
- - id: 12120
+ - id: 13120
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
@@ -1708,7 +1708,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
- - id: 12121
+ - id: 13121
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds"
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
@@ -1722,7 +1722,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
- - id: 12122
+ - id: 13122
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
@@ -1736,7 +1736,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
- - id: 12123
+ - id: 13123
 title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
 description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
 rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
@@ -1750,7 +1750,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
- - id: 12124
+ - id: 13124
 title: "Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
 description: "LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled."
 rationale: "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system."
@@ -1764,7 +1764,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
- - id: 12125
+ - id: 13125
 title: "Ensure 'Enable insecure guest logons' is set to 'Disabled'"
 description: "This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled."
 rationale: "Insecure guest logons are used by file servers to allow unauthenticated access to shared folders."
@@ -1778,7 +1778,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
- - id: 12126
+ - id: 13126
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
 description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
@@ -1792,7 +1792,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
- - id: 12127
+ - id: 13127
 title: "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
 description: "Although this legacy setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled."
 rationale: "Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices."
@@ -1806,7 +1806,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
- - id: 12128
+ - id: 13128
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
 description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
@@ -1820,7 +1820,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
- - id: 12129
+ - id: 13129
 title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'"
 description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing"
 rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths."
@@ -1836,7 +1836,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
- - id: 12130
+ - id: 13130
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
 description: "This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. The recommended state for this setting is: Enabled."
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
@@ -1850,7 +1850,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
- - id: 12131
+ - id: 13131
 title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
 rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
@@ -1864,7 +1864,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
- - id: 12132
+ - id: 13132
 title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'"
 description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services.  Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.  Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.  Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled."
 rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent."
@@ -1878,7 +1878,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
- - id: 12133
+ - id: 13133
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
 description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
@@ -1892,7 +1892,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
- - id: 12134
+ - id: 13134
 title: "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'"
 description: "Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled."
 rationale: "Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft."
@@ -1906,7 +1906,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
- - id: 12135
+ - id: 13135
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
 description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
@@ -1920,7 +1920,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
- - id: 12136
+ - id: 13136
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The \"Do not apply during periodic background processing\" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart."
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1934,7 +1934,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
- - id: 12137
+ - id: 13137
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The \"Process even if the Group Policy objects have not changed\" option updates and reapplies policies even if the policies have not changed."
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
@@ -1948,7 +1948,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
- - id: 12138
+ - id: 13138
 title: "Ensure 'Continue experiences on this device' is set to 'Disabled'"
 description: "This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences)."
 rationale: "A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited."
@@ -1962,7 +1962,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
- - id: 12139
+ - id: 13139
 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
 description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers."
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1976,7 +1976,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
- - id: 12140
+ - id: 13140
 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
 description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application."
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
@@ -1990,7 +1990,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
- - id: 12141
+ - id: 13141
 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
 description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet."
 rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
@@ -2004,7 +2004,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
- - id: 12142
+ - id: 13142
 title: "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
 description: "This policy prevents the user from showing account details (email address or user name) on the sign-in screen."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
@@ -2018,7 +2018,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
- - id: 12143
+ - id: 13143
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen."
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
@@ -2032,7 +2032,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
- - id: 12144
+ - id: 13144
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 description: "This policy setting prevents connected users from being enumerated on domain-joined computers."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -2046,7 +2046,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
- - id: 12145
+ - id: 13145
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 description: "This policy setting allows local users to be enumerated on domain-joined computers."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -2060,7 +2060,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
- - id: 12146
+ - id: 13146
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 description: "This policy setting allows you to prevent app notifications from appearing on the lock screen."
 rationale: "App notifications might display sensitive business or personal data"
@@ -2074,7 +2074,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
- - id: 12147
+ - id: 13147
 title: "Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled."
 rationale: "Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures."
@@ -2088,7 +2088,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
- - id: 12148
+ - id: 13148
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work."
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
@@ -2102,7 +2102,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
- - id: 12149
+ - id: 13149
 title: "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
 description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
 rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state."
@@ -2116,7 +2116,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
- - id: 12150
+ - id: 13150
 title: "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
 description: "This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems."
 rationale: "Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state."
@@ -2130,7 +2130,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
- - id: 12151
+ - id: 13151
 title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
 description: "Dictates whether or not Windows is allowed to use standby states when sleeping the computer."
 rationale: "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA)."
@@ -2144,7 +2144,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
- - id: 12152
+ - id: 13152
 title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
 description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep."
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
@@ -2158,7 +2158,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
- - id: 12153
+ - id: 13153
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests."
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
@@ -2172,7 +2172,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
- - id: 12154
+ - id: 13154
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer."
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
@@ -2186,7 +2186,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
- - id: 12155
+ - id: 13155
 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
 description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers."
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
@@ -2200,7 +2200,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
- - id: 12156
+ - id: 13156
 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
 description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'"
 rationale: "Unauthenticated RPC communication can create a security vulnerability."
@@ -2214,7 +2214,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
- - id: 12157
+ - id: 13157
 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
 description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it"
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
@@ -2228,7 +2228,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
- - id: 12158
+ - id: 13158
 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
 description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones"
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -2242,7 +2242,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
- - id: 12159
+ - id: 13159
 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
 description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog"
@@ -2256,7 +2256,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
- - id: 12160
+ - id: 13160
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
 description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -2269,7 +2269,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff'
- - id: 12161
+ - id: 13161
 title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
 description: "This policy setting determines whether enhanced anti-spoofing is configured for devices which support it."
 rationale: "Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network."
@@ -2283,7 +2283,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
- - id: 12162
+ - id: 13162
 title: "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
 description: "This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account."
 rationale: "Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party."
@@ -2297,7 +2297,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
- - id: 12163
+ - id: 13163
 title: "Ensure 'Require pin for pairing' is set to 'Enabled'"
 description: "This policy setting controls whether or not a PIN is required for pairing to a wireless display device."
 rationale: "If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use."
@@ -2311,7 +2311,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
- - id: 12164
+ - id: 13164
 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
 description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences."
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
@@ -2325,7 +2325,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
- - id: 12165
+ - id: 13165
 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
 description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application."
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
@@ -2339,7 +2339,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
- - id: 12166
+ - id: 13166
 title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'"
 description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
@@ -2353,7 +2353,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
- - id: 12167
+ - id: 13167
 title: "Ensure 'Do not show feedback notifications' is set to 'Enabled'"
 description: "This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft."
 rationale: "Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment."
@@ -2367,7 +2367,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
- - id: 12168
+ - id: 13168
 title: "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
 description: "This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under \"Get Insider builds,\" and enable users to make their devices available for downloading and installing Windows preview software."
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
@@ -2381,7 +2381,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
- - id: 12169
+ - id: 13169
 title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
 description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead."
 rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator."
@@ -2395,7 +2395,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
 - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
- - id: 12170
+ - id: 13170
 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2409,7 +2409,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
- - id: 12171
+ - id: 13171
 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2423,7 +2423,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 12172
+ - id: 13172
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2437,7 +2437,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
- - id: 12173
+ - id: 13173
 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2451,7 +2451,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
- - id: 12174
+ - id: 13174
 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2465,7 +2465,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
- - id: 12175
+ - id: 13175
 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -2479,7 +2479,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 12176
+ - id: 13176
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -2493,7 +2493,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
- - id: 12177
+ - id: 13177
 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -2507,7 +2507,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
- - id: 12178
+ - id: 13178
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
 description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer."
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
@@ -2521,7 +2521,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
- - id: 12179
+ - id: 13179
 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
 description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this."
 rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."
@@ -2535,7 +2535,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
- - id: 12180
+ - id: 13180
 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
@@ -2549,7 +2549,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
- - id: 12181
+ - id: 13181
 title: "Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
 description: "By default, users can add their computer to a HomeGroup on a home network."
 rationale: "While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup."
@@ -2563,7 +2563,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
- - id: 12182
+ - id: 13182
 title: "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'"
 description: "This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs."
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
@@ -2577,7 +2577,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
- - id: 12183
+ - id: 13183
 title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher"
 description: "This setting lets you configure how your company deals with cookies. The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark."
 rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking"
@@ -2591,7 +2591,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$'
- - id: 12184
+ - id: 13184
 title: "Ensure 'Configure Password Manager' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager."
 rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
@@ -2605,7 +2605,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no'
- - id: 12185
+ - id: 13185
 title: "Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled'"
 description: "This setting controls whether Adobe Flash (within the Microsoft Edge web browser) will require the user to click on the Flash element before the browser will display the Flash content."
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. However, disabling it completely may not be a practical option for many organizations, as it is still used frequently on many websites. This feature at least makes Adobe Flash content \"opt-in\", so the user has to choose to click on each specific piece of Flash content before it will run."
@@ -2619,7 +2619,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1'
- - id: 12186
+ - id: 13186
 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
 description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client."
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
@@ -2633,7 +2633,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
- - id: 12187
+ - id: 13187
 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
 description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer."
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts"
@@ -2647,7 +2647,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- - id: 12188
+ - id: 13188
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
@@ -2661,7 +2661,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
- - id: 12189
+ - id: 13189
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -2675,7 +2675,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- - id: 12190
+ - id: 13190
 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
 description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests."
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
@@ -2689,7 +2689,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
- - id: 12191
+ - id: 13191
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -2703,7 +2703,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- - id: 12192
+ - id: 13192
 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
 description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff."
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
@@ -2717,7 +2717,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
- - id: 12193
+ - id: 13193
 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
 description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session."
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
@@ -2731,7 +2731,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
- - id: 12194
+ - id: 13194
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer."
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
@@ -2745,7 +2745,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
- - id: 12195
+ - id: 13195
 title: "Ensure 'Allow Cortana' is set to 'Disabled'"
 description: "This policy setting specifies whether Cortana is allowed on the device"
 rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft."
@@ -2759,7 +2759,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
- - id: 12196
+ - id: 13196
 title: "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
 description: "This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked."
 rationale: "Access to any computer resource should not be allowed when the device is locked."
@@ -2773,7 +2773,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
- - id: 12197
+ - id: 13197
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files."
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
@@ -2787,7 +2787,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
- - id: 12198
+ - id: 13198
 title: "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
 description: "This policy setting specifies whether search and Cortana can provide location aware search and Cortana results."
 rationale: "In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out"
@@ -2801,7 +2801,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
- - id: 12199
+ - id: 13199
 title: "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
 description: "This setting enables or disables the automatic download and installation of Windows Store app updates."
 rationale: "Keeping your system properly patched can help protect against 0 day vulnerabilities."
@@ -2815,7 +2815,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
- - id: 12200
+ - id: 13200
 title: "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
 description: "Enables or disables the Windows Store offer to update to the latest version of Windows."
 rationale: "Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates."
@@ -2829,7 +2829,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
- - id: 12201
+ - id: 13201
 title: "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". This setting can only be set by Group Policy."
 rationale: "The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed."
@@ -2843,7 +2843,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
- - id: 12202
+ - id: 13202
 title: "Ensure 'Turn on behavior monitoring' is set to 'Enabled'"
 description: "This policy setting allows you to configure behavior monitoring for Windows Defender Antivirus."
 rationale: "When running an antivirus solution such as Windows Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity."
@@ -2857,7 +2857,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
- - id: 12203
+ - id: 13203
 title: "Ensure 'Scan removable drives' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan."
 rationale: "It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer."
@@ -2871,7 +2871,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
- - id: 12204
+ - id: 13204
 title: "Ensure 'Turn on e-mail scanning' is set to 'Enabled'"
 description: "This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac)."
 rationale: "Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software."
@@ -2885,7 +2885,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
- - id: 12205
+ - id: 13205
 title: "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'"
 description: "This policy setting controls the state for the Attack Surface Reduction (ASR) rules."
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
@@ -2899,7 +2899,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
- - id: 12206
+ - id: 13206
 title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'"
 description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes)"
 rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines."
@@ -2933,7 +2933,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
- - id: 12207
+ - id: 13207
 title: "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
 description: "This policy setting controls Windows Defender Exploit Guard network protection."
 rationale: "This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet."
@@ -2947,7 +2947,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
- - id: 12208
+ - id: 13208
 title: "Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
 description: "This policy setting turns off Windows Defender Antivirus. If the setting is configured to Disabled, Windows Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software."
 rationale: "It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Windows Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative."
@@ -2961,7 +2961,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
- - id: 12209
+ - id: 13209
 title: "Ensure 'Prevent users from modifying settings' is set to 'Enabled'"
 description: "This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Defender Security Center."
 rationale: "Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified."
@@ -2975,7 +2975,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
- - id: 12210
+ - id: 13210
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled."
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
@@ -2991,7 +2991,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
- - id: 12211
+ - id: 13211
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
 description: "This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software."
 rationale: "SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise."
@@ -3005,7 +3005,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
- - id: 12212
+ - id: 13212
 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'"
 description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files."
 rationale: "SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
@@ -3019,7 +3019,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1'
- - id: 12213
+ - id: 13213
 title: "Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'"
 description: "This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites."
 rationale: "SmartScreen will warn an employee if a website is potentially malicious. Enabling this setting prevents these warnings from being bypassed."
@@ -3033,7 +3033,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
- - id: 12214
+ - id: 13214
 title: "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
 description: "This setting enables or disables the Windows Game Recording and Broadcasting features."
 rationale: "If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern."
@@ -3047,7 +3047,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
- - id: 12215
+ - id: 13215
 title: "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'"
 description: "This policy setting determines whether Windows Ink items are allowed above the lock screen."
 rationale: "Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials."
@@ -3061,7 +3061,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
- - id: 12216
+ - id: 13216
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user."
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
@@ -3075,7 +3075,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1'
- - id: 12217
+ - id: 13217
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
@@ -3089,7 +3089,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- - id: 12218
+ - id: 13218
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system."
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
@@ -3103,7 +3103,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
- - id: 12219
+ - id: 13219
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log."
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
@@ -3117,7 +3117,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
- - id: 12220
+ - id: 13220
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts."
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file"
@@ -3131,7 +3131,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
- - id: 12221
+ - id: 13221
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -3145,7 +3145,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
- - id: 12222
+ - id: 13222
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -3159,7 +3159,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
- - id: 12223
+ - id: 13223
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication."
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -3173,7 +3173,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
- - id: 12224
+ - id: 13224
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -3187,7 +3187,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
- - id: 12225
+ - id: 13225
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
@@ -3201,7 +3201,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
- - id: 12226
+ - id: 13226
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -3215,7 +3215,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
- - id: 12227
+ - id: 13227
 title: "Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'"
 description: "This policy setting determines whether users can access the Windows Insider Program controls in Settings -> Update and Security. These controls enable users to make their devices available for downloading and installing preview (beta) builds of Windows software."
 rationale: "It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds."
@@ -3231,7 +3231,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
- - id: 12228
+ - id: 13228
 title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'"
 description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.  Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.  Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment."
 rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. 
In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place."
@@ -3249,7 +3249,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32'
- - id: 12229
+ - id: 13229
 title: "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'"
 description: "This settings controls when Quality Updates are received."
 rationale: "Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible."
@@ -3265,7 +3265,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
- - id: 12230
+ - id: 13230
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))"
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -3279,7 +3279,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - - id: 12231 + - id: 13231 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." @@ -3293,7 +3293,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' - - id: 12232 + - id: 13232 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation." rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml index 391e4dbda..7066d35f1 100644 
--- a/sca/windows/cis_win10_enterprise_L2.yml +++ b/sca/windows/cis_win10_enterprise_L2.yml @@ -27,7 +27,7 @@ requirements: checks: # 2.3 Security Options - - id: 12500 + - id: 13500 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
@@ -41,7 +41,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - - id: 12501 + - id: 13501 title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)." rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location." 
@@ -55,7 +55,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4' - - id: 12502 + - id: 13502 title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark." rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password." 
@@ -70,7 +70,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> n:^(\d+) compare >= 1' # 5 System Services - - id: 12503 + - id: 13503 title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled." rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." @@ -84,7 +84,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4' - - id: 12504 + - id: 13504 title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'" description: "Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps." rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments." 
@@ -98,7 +98,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4' - - id: 12505 + - id: 13505 title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled." rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." @@ -112,7 +112,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4' - - id: 12506 + - id: 13506 title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled." rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments." 
@@ -126,7 +126,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4' - - id: 12507 + - id: 13507 title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled." rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security." @@ -140,7 +140,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4' - - id: 12508 + - id: 13508 title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." 
@@ -154,7 +154,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4' - - id: 12509 + - id: 13509 title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." @@ -168,7 +168,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4' - - id: 12510 + - id: 13510 title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." 
@@ -182,7 +182,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4' - - id: 12511 + - id: 13511 title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." @@ -196,7 +196,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4' - - id: 12512 + - id: 13512 title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled." rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information." 
@@ -210,7 +210,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4' - - id: 12513 + - id: 13513 title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address." rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system." @@ -224,7 +224,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4' - - id: 12514 + - id: 13514 title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled." rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." 
@@ -238,7 +238,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4' - - id: 12515 + - id: 13515 title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled." rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." @@ -252,7 +252,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4' - - id: 12516 + - id: 13516 title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled." rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session." @@ -266,7 +266,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4' - - id: 12517 + - id: 13517 title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled." rationale: "In a high security environment, exposing the registry to remote access is an increased security risk." 
@@ -280,7 +280,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4' - - id: 12518 + - id: 13518 title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'" description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled." rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher." @@ -294,7 +294,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4' - - id: 12519 + - id: 13519 title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'" description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))." rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally." 
@@ -308,7 +308,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4' - - id: 12520 + - id: 13520 title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'" description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." @@ -322,7 +322,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4' - - id: 12521 + - id: 13521 title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'" description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled." rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally." 
@@ -336,7 +336,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4' - - id: 12522 + - id: 13522 title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'" description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607." rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations." @@ -350,7 +350,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4' - - id: 12523 + - id: 13523 title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled." rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users." 
@@ -364,7 +364,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4' - - id: 12524 + - id: 13524 title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'" description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled." rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally." @@ -379,7 +379,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4' # 18.1 Control Panel - - id: 12525 + - id: 13525 title: "Ensure 'Allow Online Tips' is set to 'Disabled'" description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." 
@@ -394,7 +394,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0' # 18.4 MSS (Legacy) - - id: 12526 + - id: 13526 title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'" description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled." rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network." @@ -410,7 +410,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1' - - id: 12527 + - id: 13527 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)." rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition." 
@@ -426,7 +426,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0' - - id: 12528 + - id: 13528 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled." rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer." @@ -442,7 +442,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' - - id: 12529 + - id: 13529 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." 
@@ -458,7 +458,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' - - id: 12530 + - id: 13530 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." @@ -475,7 +475,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' # 18.5 Network - - id: 12531 + - id: 13531 title: "Ensure 'Enable Font Providers' is set to 'Disabled'" description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled." rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved." 
@@ -489,7 +489,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0' - - id: 12532 + - id: 13532 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." @@ -509,7 +509,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0' - - id: 12533 + - id: 13533 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." 
@@ -529,7 +529,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0' - - id: 12534 + - id: 13534 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled." rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking." @@ -543,7 +543,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' - - id: 12535 + - id: 13535 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)" rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed." 
@@ -557,7 +557,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
 
- - id: 12536
+ - id: 13536
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
 description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
@@ -579,7 +579,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
 
- - id: 12537
+ - id: 13537
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
 description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
@@ -594,7 +594,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 
 # 18.8 System
- - id: 12538
+ - id: 13538
 title: "Ensure 'Turn off access to the Store' is set to 'Enabled'"
 description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled."
 rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software."
@@ -608,7 +608,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
 
- - id: 12539
+ - id: 13539
 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
 description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
 rationale: "Users might download drivers that include malicious code."
@@ -622,7 +622,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
 
- - id: 12540
+ - id: 13540
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -636,7 +636,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
 
- - id: 12541
+ - id: 13541
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -650,7 +650,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
 
- - id: 12542
+ - id: 13542
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -664,7 +664,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
 
- - id: 12543
+ - id: 13543
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
@@ -677,7 +677,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
 
- - id: 12544
+ - id: 13544
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
@@ -691,7 +691,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
 
- - id: 12545
+ - id: 13545
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -705,7 +705,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
 
- - id: 12546
+ - id: 13546
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
@@ -719,7 +719,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
 
- - id: 12547
+ - id: 13547
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -733,7 +733,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
 
- - id: 12548
+ - id: 13548
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -747,7 +747,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
 
- - id: 12549
+ - id: 13549
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
@@ -764,7 +764,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
 
- - id: 12550
+ - id: 13550
 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
 description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic."
 rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible."
@@ -780,7 +780,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
 
- - id: 12551
+ - id: 13551
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
@@ -794,7 +794,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
 
- - id: 12552
+ - id: 13552
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -808,7 +808,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
 
- - id: 12553
+ - id: 13553
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
@@ -822,7 +822,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
 
- - id: 12554
+ - id: 13554
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
@@ -836,7 +836,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
 
- - id: 12555
+ - id: 13555
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
@@ -850,7 +850,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
 
- - id: 12556
+ - id: 13556
 title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
 description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled."
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
@@ -865,7 +865,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
 
 # 18.9 Windows Components
- - id: 12557
+ - id: 13557
 title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
 description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled."
 rationale: "Users of a system could accidentally share sensitive data with other users on the same system."
@@ -879,7 +879,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
 
- - id: 12558
+ - id: 13558
 title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
 description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
 rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
@@ -893,7 +893,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
 
- - id: 12559
+ - id: 13559
 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'"
 description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage."
 rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis."
@@ -907,7 +907,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
 
- - id: 12560
+ - id: 13560
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
@@ -921,7 +921,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
 
- - id: 12561
+ - id: 13561
 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'"
 description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -935,7 +935,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
 
- - id: 12562
+ - id: 13562
 title: "Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'"
 description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern."
@@ -949,7 +949,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
 
- - id: 12563
+ - id: 13563
 title: "Ensure 'Allow Adobe Flash' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments."
@@ -963,7 +963,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
 
- - id: 12564
+ - id: 13564
 title: "Ensure 'Allow InPrivate Browsing' is set to 'Disabled'"
 description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled."
 rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised."
@@ -977,7 +977,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
 
- - id: 12565
+ - id: 13565
 title: "Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
 description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
 rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
@@ -991,7 +991,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
 
- - id: 12566
+ - id: 13566
 title: "Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
 description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
@@ -1005,7 +1005,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0'
 
- - id: 12567
+ - id: 13567
 title: "Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
 description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled."
 rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
@@ -1019,7 +1019,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1'
 
- - id: 12568
+ - id: 13568
 title: "Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
 description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled."
 rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
@@ -1033,7 +1033,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1'
 
- - id: 12569
+ - id: 13569
 title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'"
 description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
@@ -1047,7 +1047,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
 
- - id: 12570
+ - id: 13570
 title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
 description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
 rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
@@ -1060,7 +1060,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 0'
 
- - id: 12571
+ - id: 13571
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -1074,7 +1074,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
 
- - id: 12572
+ - id: 13572
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -1088,7 +1088,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
 
- - id: 12573
+ - id: 13573
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -1102,7 +1102,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
 
- - id: 12574
+ - id: 13574
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
@@ -1118,7 +1118,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
 
- - id: 12575
+ - id: 13575
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
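Review bot: The MaxIdleTime context rule at the top of this hunk, `n:^(\d+) compare <= 900000`, accepts a value of 0, yet for this registry value 0 is the "Never" state (no idle limit) that the title `Enabled: 15 minutes or less` is meant to exclude. The file already guards the analogous InactivityTimeoutSecs check (hunk @@ -272 of cis_win2012r2_domainL1.yml) with a `not ... -> 0` rule, so the same pattern fits here, added before the compare rule: `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'`. The check these rules belong to (id 13574 on the new side) starts in the previous hunk and its `condition:` lies outside both hunks, so confirm it is `all` before relying on the extra rule. The MaximumPasswordAge rule in hunk @@ -45 of the second file (`compare <= 60`, title says "but not 0") may have the same gap if the rule preceding it, which is outside that hunk, does not already exclude 0.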
@@ -1132,7 +1132,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
 
- - id: 12576
+ - id: 13576
 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
 description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -1146,7 +1146,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
 
- - id: 12577
+ - id: 13577
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
@@ -1159,7 +1159,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
 
- - id: 12578
+ - id: 13578
 title: "Ensure 'Turn off the Store application' is set to 'Enabled'"
 description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
 rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
@@ -1176,7 +1176,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
 
- - id: 12579
+ - id: 13579
 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  (0x0) Disabled (default)  (0x1) Basic membership  (0x2) Advanced membership. The recommended state for this setting is: Disabled."
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
@@ -1189,7 +1189,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
 
- - id: 12580
+ - id: 13580
 title: "Ensure 'Configure Watson events' is set to 'Disabled'"
 description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled."
 rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns."
@@ -1203,7 +1203,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
 
- - id: 12581
+ - id: 13581
 title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
 description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled."
 rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party."
@@ -1217,7 +1217,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
 
- - id: 12582
+ - id: 13582
 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
 description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
@@ -1231,7 +1231,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
 
- - id: 12583
+ - id: 13583
 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
@@ -1245,7 +1245,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
 
- - id: 12584
+ - id: 13584
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index 705020360..70ef56c47 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -29,7 +29,7 @@ requirements:
 checks:
 # Section 1.1 - Password Policies
- - id: 8000
+ - id: 11000
 title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
 description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ."
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
@@ -45,7 +45,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
 # Section 2.3 - Security Options
- - id: 8001
+ - id: 11001
 title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
 description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
@@ -59,7 +59,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
 
- - id: 8002
+ - id: 11002
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
@@ -73,7 +73,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
 
- - id: 8003
+ - id: 11003
 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
 description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
 rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
@@ -87,7 +87,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
 
- - id: 8004
+ - id: 11004
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
@@ -101,7 +101,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
 
- - id: 8005
+ - id: 11005
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
@@ -115,7 +115,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
 
- - id: 8006
+ - id: 11006
 title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)"
 description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled."
 rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group."
@@ -129,7 +129,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'
 
- - id: 8007
+ - id: 11007
 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
 description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. 
To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network."
@@ -145,7 +145,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
 
- - id: 8008
+ - id: 11008
 title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)"
 description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled."
 rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack."
@@ -159,7 +159,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
 
- - id: 8009
+ - id: 11009
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -173,7 +173,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
 
- - id: 8010
+ - id: 11010
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -187,7 +187,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
 
- - id: 8011
+ - id: 11011
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -201,7 +201,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
 
- - id: 8012
+ - id: 11012
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
@@ -215,7 +215,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
 
- - id: 8013
+ - id: 11013
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
@@ -229,7 +229,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
 
- - id: 8014
+ - id: 11014
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
@@ -243,7 +243,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
 
- - id: 8015
+ - id: 11015
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
@@ -257,7 +257,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
 
- - id: 8016
+ - id: 11016
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
 description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
@@ -272,7 +272,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900' - - id: 8017 + - id: 11017 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." 
@@ -286,7 +286,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' - - id: 8018 + - id: 11018 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." 
@@ -300,7 +300,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - - id: 8019 + - id: 11019 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -314,7 +314,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - - id: 8020 + - id: 11020 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -328,7 +328,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - - id: 8021 + - id: 11021 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
@@ -342,7 +342,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - id: 8022 + - id: 11022 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
@@ -357,7 +357,7 @@ checks: - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - id: 8023 + - id: 11023 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -371,7 +371,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - id: 8024 + - id: 11024 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -385,7 +385,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - id: 8025 + - id: 11025 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
@@ -400,7 +400,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' # Section 2.3 - Security Options - - id: 8026 + - id: 11026 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." @@ -414,7 +414,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' - - id: 8027 + - id: 11027 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." 
@@ -428,7 +428,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' - - id: 8028 + - id: 11028 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'" description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." 
@@ -442,7 +442,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc|netlogon|samr' - - id: 8029 + - id: 11029 title: "Configure 'Network access: Remotely accessible registry paths'" description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." 
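Review bot: The `NullSessionPipes -> r:lsarpc|netlogon|samr` rule in this hunk passes as soon as any one of those three names is present, so it confirms neither the full Domain Controller set nor the absence of extra pipes, and on a Member Server, where the check's own description (previous hunk) says the recommended value is none, the empty value cannot match and a compliant host is reported as failing. If the host role cannot be detected, a second rule that accepts an empty value, in the same idiom this file uses for NullSessionShares in check 11032 (`not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\.`), would at least stop penalising correctly hardened member servers. The check's `condition:` line sits outside this hunk, so whether the rules are combined with `all` or `any` cannot be confirmed from here.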
@@ -456,7 +456,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' - - id: 8030 + - id: 11030 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." 
@@ -470,7 +470,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' - - id: 8031 + - id: 11031 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." 
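Review bot: The AllowedPaths `Machine -> r:…|…|…` rule matches when any single listed path appears in the REG_MULTI_SZ, so a value extended with arbitrary extra remotely-readable paths, which is the exposure this check exists to catch, still passes, and so does a value containing only one of the thirteen benchmark paths. The 11029 AllowedExactPaths rule in the preceding hunk has the same shape. Tightening this needs either a rule that fails on any line outside the benchmark list or an explicit statement in the description that the check verifies presence of the benchmark paths and not the absence of others; as written the title "Configure …" overstates what is verified. The check's `condition:` line is outside this hunk.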
@@ -484,7 +484,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - - id: 8032 + - id: 11032 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data." 
@@ -498,7 +498,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' - - id: 8033 + - id: 11033 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." 
@@ -512,7 +512,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - - id: 8034 + - id: 11034 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." @@ -526,7 +526,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' - - id: 8035 + - id: 11035 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled." rationale: "NULL sessions are less secure because by definition they are unauthenticated." 
@@ -540,7 +540,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' - - id: 8036 + - id: 11036 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled." rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
@@ -554,7 +554,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' - - id: 8037 + - id: 11037 title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting." rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." 
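Review bot: The title of check 11037 lists `RC4_HMAC_MD5` as part of the recommended value, while the description two lines later says the recommended state is `AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types` and that RC4 is only tolerated for scoring; an operator reading the title alone would keep RC4 enabled. Suggest aligning the title with the description, e.g. `title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (RC4_HMAC_MD5 optional)"`. The rationale on the same hunk also opens with `he strength`, missing its leading T. The rule for this check is in the next hunk.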
@@ -568,7 +568,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' - - id: 8038 + - id: 11038 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
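Review bot: The `SupportedEncryptionTypes -> 2147483644` rule accepts only the literal value 0x7FFFFFFC (RC4 + AES128 + AES256 + future types), so a host that has removed RC4, the stricter state the 11037 description in the preceding hunk says to aim for, stores 0x7FFFFFF8 (`2147483640`) and fails the check. Since this file already uses anchored alternation for registry values (`r:^1$|^2$|^3$` on ScRemoveOption), the second rule can become `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> r:^2147483644$|^2147483640$'`. The check's `condition:` line is outside this hunk.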
@@ -582,7 +582,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' - - id: 8039 + - id: 11039 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours." 
@@ -596,7 +596,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - - id: 8040 + - id: 11040 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). 
The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." 
@@ -610,7 +610,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' - - id: 8041 + - id: 11041 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
@@ -624,7 +624,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1' - - id: 8042 + - id: 11042 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
@@ -638,7 +638,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' - - id: 8043 + - id: 11043 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
@@ -654,7 +654,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' - - id: 8044 + - id: 11044 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server." rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session." 
@@ -668,7 +668,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0' - - id: 8045 + - id: 11045 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available." 
@@ -681,7 +681,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' - - id: 8046 + - id: 11046 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled." rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions." 
@@ -695,7 +695,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1' - - id: 8047 + - id: 11047 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled." rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled." 
@@ -709,7 +709,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1' - - id: 8048 + - id: 11048 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled." rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session." 
@@ -723,7 +723,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0' - - id: 8049 + - id: 11049 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop." rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so." 
@@ -737,7 +737,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2' - - id: 8050 + - id: 11050 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests." rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run." 
@@ -751,7 +751,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0' - - id: 8051 + - id: 11051 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled." rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage" 
@@ -765,7 +765,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection' - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1' - - id: 8052 + - id: 11052 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue." 
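Review bot: The two context rules at the top of this hunk query `HKEY_LOCAL_MACHINE\MACHINE\Software\...\Policies\System -> EnableInstallerDetection`, and the extra `MACHINE\` component makes this path inconsistent with every other check here (for example the EnableSecureUIAPaths and EnableLUA rules, which use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`), so the UAC installer-detection check presumably never finds the value and cannot pass even on a correctly hardened host. This looks like a leftover from a secedit-style `MACHINE\Software\...` template path and is worth fixing while the check is being renumbered; the corrected rules would be `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'` and `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'`. The check these rules belong to (the one renumbered to 11051 in the previous hunk) starts outside this hunk, so its title and condition are not visible here; confirm against the full definition before changing it.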
@@ -779,7 +779,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1' - - id: 8053 + - id: 11053 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced." rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system." 
@@ -793,7 +793,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1' - - id: 8054 + - id: 11054 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled." rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick." @@ -807,7 +807,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1' - - id: 8055 + - id: 11055 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled." rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations." 
@@ -821,7 +821,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' # Section 9.1 - Domain Profile - - id: 8056 + - id: 11056 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'" description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." @@ -835,7 +835,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - - id: 8057 + - id: 11057 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." 
@@ -849,7 +849,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - - id: 8058 + - id: 11058 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)." rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
@@ -863,7 +863,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - - id: 8059 + - id: 11059 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert" @@ -876,7 +876,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1' - - id: 8060 + - id: 11060 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'" description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -890,7 +890,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log' - - id: 8061 + - id: 11061 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'" description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -904,7 +904,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' - - id: 8062 + - id: 11062 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
@@ -918,7 +918,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - - id: 8063 + - id: 11063 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." @@ -933,7 +933,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' # Section 9.2 - Private Profile - - id: 8064 + - id: 11064 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'" description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)." rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service." 
@@ -947,7 +947,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - - id: 8065 + - id: 11065 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." 
@@ -961,7 +961,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - - id: 8066 + - id: 11066 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
@@ -975,7 +975,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
 
- - id: 8067
+ - id: 11067
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
@@ -988,7 +988,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
 
- - id: 8068
+ - id: 11068
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1002,7 +1002,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
 
- - id: 8069
+ - id: 11069
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1016,7 +1016,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 
- - id: 8070
+ - id: 11070
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1030,7 +1030,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
 
- - id: 8071
+ - id: 11071
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1045,7 +1045,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
 
 # Sectin 9.3 - Public Profile
- - id: 8072
+ - id: 11072
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1059,7 +1059,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
 
- - id: 8073
+ - id: 11073
 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1073,7 +1073,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
 
- - id: 8074
+ - id: 11074
 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -1087,7 +1087,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
 
- - id: 8075
+ - id: 11075
 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
@@ -1101,7 +1101,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0'
 
 
- - id: 8076
+ - id: 11076
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
@@ -1115,7 +1115,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
 
- - id: 8077
+ - id: 11077
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
@@ -1129,7 +1129,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
 
- - id: 8078
+ - id: 11078
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1143,7 +1143,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
 
- - id: 8079
+ - id: 11079
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1157,7 +1157,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 
- - id: 8080
+ - id: 11080
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1171,7 +1171,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
 
- - id: 8081
+ - id: 11081
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1186,7 +1186,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 
 # Section 18.1 - Control Panel
- - id: 8082
+ - id: 11082
 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
 description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
@@ -1199,7 +1199,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
 
- - id: 8083
+ - id: 11083
 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
 description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
@@ -1213,7 +1213,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 
 # Section 18.3 - MS Security Guide
- - id: 8084
+ - id: 11084
 title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
 description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled."
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft."
@@ -1232,7 +1232,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 
 # Section 18.4 - MSS (Legacy)
- - id: 8085
+ - id: 11085
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
 description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
@@ -1249,7 +1249,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
 
- - id: 8086
+ - id: 11086
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
@@ -1265,7 +1265,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
 
- - id: 8087
+ - id: 11087
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
@@ -1281,7 +1281,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
 
- - id: 8088
+ - id: 11088
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
@@ -1297,7 +1297,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
 
- - id: 8089
+ - id: 11089
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
@@ -1313,7 +1313,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
 
- - id: 8090
+ - id: 11090
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
@@ -1329,7 +1329,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
 
- - id: 8091
+ - id: 11091
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
@@ -1345,7 +1345,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
 
- - id: 8092
+ - id: 11092
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
@@ -1362,7 +1362,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
 
 # Section 18.5 - Network
- - id: 8093
+ - id: 11093
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
 description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled"
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
@@ -1376,7 +1376,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
 
- - id: 8094
+ - id: 11094
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
 description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
@@ -1390,7 +1390,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
 
- - id: 8095
+ - id: 11095
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
@@ -1405,7 +1405,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 
 # Section 18.8 - System
- - id: 8096
+ - id: 11096
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
 description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. "
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
@@ -1419,7 +1419,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
 
- - id: 8097
+ - id: 11097
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
 description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
@@ -1433,7 +1433,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
 
- - id: 8098
+ - id: 11098
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1447,7 +1447,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
 
- - id: 8099
+ - id: 11099
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again."
@@ -1461,7 +1461,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
 
-  - id: 8100
+  - id: 11100
     title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
     description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
     rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1476,7 +1476,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
 
   # Section 18.8 - System
-  - id: 8101
+  - id: 11101
     title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
     description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
     rationale: "Users might download drivers that include malicious code."
@@ -1490,7 +1490,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
 
-  - id: 8102
+  - id: 11102
     title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
     description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
     rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
@@ -1504,7 +1504,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
 
-  - id: 8103
+  - id: 11103
     title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
     description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
     rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
@@ -1518,7 +1518,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
 
-  - id: 8104
+  - id: 11104
     title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
     description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
     rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
@@ -1532,7 +1532,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 
-  - id: 8105
+  - id: 11105
     title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
     description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
     rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -1546,7 +1546,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 
-  - id: 8106
+  - id: 11106
     title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
     description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
     rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -1560,7 +1560,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 
-  - id: 8107
+  - id: 11107
     title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
     description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
     rationale: "App notifications might display sensitive business or personal data."
@@ -1574,7 +1574,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 
-  - id: 8108
+  - id: 11108
     title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
     description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
     rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
@@ -1588,7 +1588,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 
-  - id: 8109
+  - id: 11109
     title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
     description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
     rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
@@ -1602,7 +1602,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
 
-  - id: 8110
+  - id: 11110
     title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
     description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
     rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
@@ -1616,7 +1616,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
 
-  - id: 8111
+  - id: 11111
     title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
     description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
     rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
@@ -1630,7 +1630,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
 
-  - id: 8112
+  - id: 11112
     title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
     description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
     rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
@@ -1645,7 +1645,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
 
   # Section 18.9 - Windows Components
-  - id: 8113
+  - id: 11113
     title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
     description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
     rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
@@ -1659,7 +1659,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
 
-  - id: 8114
+  - id: 11114
     title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
     description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
     rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -1673,7 +1673,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
 
-  - id: 8115
+  - id: 11115
     title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
     description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
     rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
@@ -1687,7 +1687,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
 
-  - id: 8116
+  - id: 11116
     title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
     description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
     rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -1701,7 +1701,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255'
 
-  - id: 8117
+  - id: 11117
     title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
     description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
     rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
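Review bot: In the `@@ -1701` hunk the two NoDriveTypeAutoRun rules are written `Policies\Explorer-> NoDriveTypeAutoRun`, with no space before `->`, unlike every other registry rule in this file (compare `Policies\Explorer -> NoAutorun` in the hunk just above). Depending on how the rule parser splits the key path from the value name, the key may be read as ending in `Explorer-`, in which case the Autoplay check (id 11116, whose definition starts in the previous hunk) would presumably never match and the policy would be reported as not set even when it is. The two lines should read `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'` and `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'`.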
@@ -1715,7 +1715,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
 
-  - id: 8118
+  - id: 11118
     title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
     description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
     rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
@@ -1729,7 +1729,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
 
-  - id: 8119
+  - id: 11119
     title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
     description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
     rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1743,7 +1743,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
 
-  - id: 8120
+  - id: 11120
     title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
     description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
     rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1757,7 +1757,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
 
-  - id: 8121
+  - id: 11121
     title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
     description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
     rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1771,7 +1771,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
 
-  - id: 8122
+  - id: 11122
     title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
     description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
     rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1785,7 +1785,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
 
-  - id: 8123
+  - id: 11123
     title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
     description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
     rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1799,7 +1799,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
 
-  - id: 8124
+  - id: 11124
     title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
     description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
     rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -1813,7 +1813,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
 
-  - id: 8125
+  - id: 11125
     title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
     description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
     rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1827,7 +1827,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
 
-  - id: 8126
+  - id: 11126
     title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
     description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
     rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -1841,7 +1841,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
 
-  - id: 8127
+  - id: 11127
     title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
     description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
     rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
@@ -1855,7 +1855,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 
-  - id: 8128
+  - id: 11128
     title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
     description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
     rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
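Review bot: The `description` and `rationale` of check 11128 ('Turn off heap termination on corruption') are a verbatim copy of the shell-protocol-protected-mode text that also appears under 11129 in the next hunk, so the documentation describes a different setting from the one the check's rules test (`NoHeapTerminationOnCorruption`, visible in the following hunk). Since the renumbering touches this entry anyway, the text should be replaced with a description of the heap-termination behaviour, e.g. `description: "Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled."` and `rationale: "Allowing an application to function after its session has become corrupt increases the risk posture to the system."`. The remaining fields of this check (remediation, compliance, rules) lie outside the hunk.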
@@ -1869,7 +1869,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
 
-  - id: 8129
+  - id: 11129
     title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
     description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
     rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
@@ -1883,7 +1883,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 
-  - id: 8130
+  - id: 11130
     title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
     description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
     rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
@@ -1897,7 +1897,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
 
-  - id: 8131
+  - id: 11131
     title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
     description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
     rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
@@ -1911,7 +1911,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
 
-  - id: 8132
+  - id: 11132
     title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
     description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
     rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
@@ -1925,7 +1925,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
 
-  - id: 8133
+  - id: 11133
     title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
     description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
     rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -1939,7 +1939,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
 
-  - id: 8134
+  - id: 11134
     title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
     description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
     rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
@@ -1953,7 +1953,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
 
-  - id: 8135
+  - id: 11135
     title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
     description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
     rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -1967,7 +1967,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
 
-  - id: 8136
+  - id: 11136
     title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
     description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
     rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
@@ -1981,7 +1981,7 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
 
-  - id: 8137
+  - id: 11137
     title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
     description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
     rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
@@ -1995,7 +1995,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
 
- - id: 8138
+ - id: 11138
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
@@ -2009,7 +2009,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
 
- - id: 8139
+ - id: 11139
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
@@ -2023,7 +2023,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
 
- - id: 8140
+ - id: 11140
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
@@ -2037,7 +2037,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
 
- - id: 8141
+ - id: 11141
 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
 description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
@@ -2051,7 +2051,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
 
- - id: 8142
+ - id: 11142
 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
 description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone."
@@ -2065,7 +2065,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
 
- - id: 8143
+ - id: 11143
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise."
@@ -2079,7 +2079,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
 
- - id: 8144
+ - id: 11144
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
@@ -2093,7 +2093,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
 
- - id: 8145
+ - id: 11145
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart."
@@ -2107,7 +2107,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
 
- - id: 8146
+ - id: 11146
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled."
@@ -2121,7 +2121,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
 
- - id: 8147
+ - id: 11147
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file."
@@ -2135,7 +2135,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
 
- - id: 8148
+ - id: 11148
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2149,7 +2149,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
 
- - id: 8149
+ - id: 11149
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2163,7 +2163,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
 
- - id: 8150
+ - id: 11150
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2177,7 +2177,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
 
- - id: 8151
+ - id: 11151
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM."
@@ -2191,7 +2191,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
 
- - id: 8152
+ - id: 11152
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
@@ -2205,7 +2205,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
 
- - id: 8153
+ - id: 11153
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
@@ -2219,7 +2219,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
 
- - id: 8154
+ - id: 11154
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -2233,7 +2233,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
 
- - id: 8155
+ - id: 11155
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
 description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -2247,7 +2247,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
 
- - id: 8156
+ - id: 11156
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index 3ef206482..3b2d99cc9 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -28,7 +28,7 @@ requirements:
 - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2'
 
 checks:
- - id: 8500
+ - id: 11500
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
 description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
@@ -43,7 +43,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
 
 # Section 18.4 - MSS (Legacy)
- - id: 8501
+ - id: 11501
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
@@ -59,7 +59,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
 
- - id: 8502
+ - id: 11502
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
@@ -75,7 +75,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
 
- - id: 8503
+ - id: 11503
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
@@ -91,7 +91,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
 
- - id: 8504
+ - id: 11504
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
@@ -108,7 +108,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
 
 # Section 18.5 - Network
- - id: 8505
+ - id: 11505
 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
@@ -128,7 +128,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
 
- - id: 8506
+ - id: 11506
 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
@@ -148,7 +148,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
 
- - id: 8507
+ - id: 11507
 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
 description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
@@ -162,7 +162,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
 
- - id: 8508
+ - id: 11508
 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
 description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
@@ -176,7 +176,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
 
- - id: 8509
+ - id: 11509
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
 description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
@@ -198,7 +198,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
 
- - id: 8510
+ - id: 11510
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
 description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
@@ -212,7 +212,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 
- - id: 8511
+ - id: 11511
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -226,7 +226,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
 
- - id: 8512
+ - id: 11512
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
@@ -240,7 +240,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
 
- - id: 8513
+ - id: 11513
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -254,7 +254,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
- - id: 8514
+ - id: 11514
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
@@ -267,7 +267,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
- - id: 8515
+ - id: 11515
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
@@ -281,7 +281,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- - id: 8516
+ - id: 11516
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
@@ -295,7 +295,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
- - id: 8517
+ - id: 11517
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
@@ -309,7 +309,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
- - id: 8518
+ - id: 11518
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -323,7 +323,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
- - id: 8519
+ - id: 11519
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -337,7 +337,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
- - id: 8520
+ - id: 11520
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
@@ -351,7 +351,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
- - id: 8521
+ - id: 11521
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
@@ -365,7 +365,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
- - id: 8522
+ - id: 11522
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
@@ -379,7 +379,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
- - id: 8523
+ - id: 11523
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
@@ -393,7 +393,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
- - id: 8524
+ - id: 11524
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
@@ -407,7 +407,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
- - id: 8525
+ - id: 11525
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
@@ -422,7 +422,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
 # Section 18.9 - System
- - id: 8526
+ - id: 11526
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
@@ -436,7 +436,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
- - id: 8527
+ - id: 11527
 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
 description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
@@ -449,7 +449,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
- - id: 8528
+ - id: 11528
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -463,7 +463,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
- - id: 8529
+ - id: 11529
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -477,7 +477,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
- - id: 8530
+ - id: 11530
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
@@ -491,7 +491,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
- - id: 8531
+ - id: 11531
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
@@ -507,7 +507,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
- - id: 8532
+ - id: 11532
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
@@ -521,7 +521,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
- - id: 8533
+ - id: 11533
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
 description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
@@ -535,7 +535,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
- - id: 8534
+ - id: 11534
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
@@ -548,7 +548,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
- - id: 8535
+ - id: 11535
 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft.
However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
@@ -561,7 +561,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
- - id: 8536
+ - id: 11536
 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
 description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
@@ -575,7 +575,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
- - id: 8537
+ - id: 11537
 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
@@ -589,7 +589,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
- - id: 8538
+ - id: 11538
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index e29afd959..74bc7d221 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
@@ -30,7 +30,7 @@ requirements:
 checks:
 # Section 1.1 - Password Policies
- - id: 9000
+ - id: 12000
 title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
 description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ."
 rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access."
@@ -46,7 +46,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
 # Section 2.3 - Security Options
- - id: 9001
+ - id: 12001
 title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts"
 description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
 rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems."
@@ -60,7 +60,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
- - id: 9002
+ - id: 12002
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
@@ -74,7 +74,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
- - id: 9003
+ - id: 12003
 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
 description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance."
 rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find."
@@ -88,7 +88,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
- - id: 9004
+ - id: 12004
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
@@ -103,7 +103,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
- - id: 9005
+ - id: 12005
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
@@ -116,7 +116,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
- - id: 9006
+ - id: 12006
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
 description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
@@ -130,7 +130,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
- - id: 9007
+ - id: 12007
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -144,7 +144,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
- - id: 9008
+ - id: 12008
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -158,7 +158,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
- - id: 9009
+ - id: 12009
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -172,7 +172,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
- - id: 9010
+ - id: 12010
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
@@ -186,7 +186,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
- - id: 9011
+ - id: 12011
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
@@ -200,7 +200,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
- - id: 9012
+ - id: 12012
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
@@ -214,7 +214,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
- - id: 9013
+ - id: 12013
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
@@ -228,7 +228,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
- - id: 9014
+ - id: 12014
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
 description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
@@ -242,7 +242,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
- - id: 9015
+ - id: 12015
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
@@ -256,7 +256,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare <= 14'
- - id: 9016
+ - id: 12016
 title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
 description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
 rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
@@ -270,7 +270,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1'
- - id: 9017
+ - id: 12017
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
@@ -284,7 +284,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
- - id: 9018
+ - id: 12018
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -298,7 +298,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
- - id: 9019
+ - id: 12019
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -312,7 +312,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
- - id: 9020
+ - id: 12020
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
 description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
@@ -326,7 +326,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
- - id: 9021
+ - id: 12021
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
@@ -341,7 +341,7 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
- - id: 9022
+ - id: 12022
 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -355,7 +355,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
- - id: 9023
+ - id: 12023
 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -369,7 +369,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
- - id: 9024
+ - id: 12024
 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
 description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
 rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
@@ -383,7 +383,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
- - id: 9025
+ - id: 12025
 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
 description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers."
 rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources."
@@ -399,7 +399,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
- - id: 9026
+ - id: 12026
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
@@ -413,7 +413,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
- - id: 9027
+ - id: 12027
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
@@ -427,7 +427,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
- - id: 9028
+ - id: 12028
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
@@ -441,7 +441,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
- - id: 9029
+ - id: 12029
 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
 description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
@@ -455,7 +455,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*'
- - id: 9030
+ - id: 12030
 title: "Configure 'Network access: Remotely accessible registry paths'"
 description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
 rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users."
@@ -469,7 +469,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
- - id: 9031
+ - id: 12031
 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'"
 description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value."
 rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack."
@@ -483,7 +483,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
- - id: 9032
+ - id: 12032
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
 description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
@@ -497,7 +497,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
- - id: 9033
+ - id: 12033
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
@@ -511,7 +511,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
- - id: 9034
+ - id: 12034
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
@@ -525,7 +525,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
- - id: 9035
+ - id: 12035
 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
 description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
@@ -539,7 +539,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
- - id: 9036
+ - id: 12036
 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
 description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
@@ -553,7 +553,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
- - id: 9037
+ - id: 12037
 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
 description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
@@ -567,7 +567,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
- - id: 9038
+ - id: 12038
 title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
 description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
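Review bot: The rationale for check 12038 on the new side begins `"he strength of each encryption algorithm varies ..."`, which is missing its leading "T". Since this commit already touches the id line of the same check, it would be a cheap moment to also correct the text to `rationale: "The strength of each encryption algorithm varies from one to the next, ..."`. The rest of the check (the SupportedEncryptionTypes rules) sits in the following hunk.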
@@ -581,7 +581,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
- - id: 9039
+ - id: 12039
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
 description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
@@ -595,7 +595,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
- - id: 9040
+ - id: 12040
 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
 description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
@@ -609,7 +609,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
- - id: 9041
+ - id: 12041
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
 description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). 
The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." 
@@ -622,7 +622,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
- - id: 9042
+ - id: 12042
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
@@ -636,7 +636,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(/d+) compare >= 1'
- - id: 9043
+ - id: 12043
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
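Review bot: The LDAPClientIntegrity rule at the top of this hunk, which closes check 12042 (LDAP client signing), uses `n:(/d+) compare >= 1` with a forward slash; every other numeric capture in this policy uses the `\d` digit class, so `/d+` is presumably a typo that will not match the registry value and the "Negotiate signing or higher" comparison would never be evaluated as intended. Suggest `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(\d+) compare >= 1'`. Because a non-matching rule here silently reports the wrong compliance state for a MITM-relevant control, it is worth fixing while this check's id is already being renumbered.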
@@ -650,7 +650,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
- - id: 9044
+ - id: 12044
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
@@ -666,7 +666,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
- - id: 9045
+ - id: 12045
 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
 description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
@@ -680,7 +680,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
- - id: 9046
+ - id: 12046
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
@@ -693,7 +693,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
- - id: 9047
+ - id: 12047
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
 description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
@@ -707,7 +707,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
- - id: 9048
+ - id: 12048
 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
 description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
@@ -721,7 +721,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
- - id: 9049
+ - id: 12049
 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
 description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
@@ -735,7 +735,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
- - id: 9050
+ - id: 12050
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
 description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
@@ -749,7 +749,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$'
- - id: 9051
+ - id: 12051
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
 description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
@@ -763,7 +763,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
- - id: 9052
+ - id: 12052
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
@@ -777,7 +777,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
- - id: 9053
+ - id: 12053
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
 description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
@@ -791,7 +791,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
- - id: 9054
+ - id: 12054
 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
 description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
@@ -805,7 +805,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
- - id: 9055
+ - id: 12055
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
 description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
@@ -819,7 +819,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
- - id: 9056
+ - id: 12056
 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
 description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
@@ -833,7 +833,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
 # Section 9.1 - Domain Profile
- - id: 9057
+ - id: 12057
 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -847,7 +847,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
- - id: 9058
+ - id: 12058
 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -861,7 +861,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
- - id: 9059
+ - id: 12059
 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -875,7 +875,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
- - id: 9060
+ - id: 12060
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
@@ -888,7 +888,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
- - id: 9061
+ - id: 12061
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -902,7 +902,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'
- - id: 9062
+ - id: 12062
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -916,7 +916,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 9063
+ - id: 12063
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -930,7 +930,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
- - id: 9064
+ - id: 12064
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -945,7 +945,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 9.2 - Private Profile
- - id: 9065
+ - id: 12065
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -959,7 +959,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
- - id: 9066
+ - id: 12066
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -973,7 +973,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
- - id: 9067
+ - id: 12067
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -987,7 +987,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
- - id: 9068
+ - id: 12068
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
@@ -1000,7 +1000,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
- - id: 9069
+ - id: 12069
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1014,7 +1014,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
- - id: 9070
+ - id: 12070
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1028,7 +1028,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 9071
+ - id: 12071
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1042,7 +1042,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
- - id: 9072
+ - id: 12072
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1057,7 +1057,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
 # Sectin 9.3 - Public Profile
- - id: 9073
+ - id: 12073
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1071,7 +1071,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
- - id: 9074
+ - id: 12074
 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -1085,7 +1085,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
- - id: 9075
+ - id: 12075
 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
@@ -1099,7 +1099,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
- - id: 9076
+ - id: 12076
 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
@@ -1112,7 +1112,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
- - id: 9077
+ - id: 12077
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
@@ -1126,7 +1126,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1'
- - id: 9078
+ - id: 12078
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
@@ -1140,7 +1140,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1'
- - id: 9079
+ - id: 12079
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1154,7 +1154,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
- - id: 9080
+ - id: 12080
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1168,7 +1168,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
- - id: 9081
+ - id: 12081
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1182,7 +1182,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
- - id: 9082
+ - id: 12082
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1197,7 +1197,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 18.1 - Control Panel
- - id: 9083
+ - id: 12083
 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
 description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
@@ -1210,7 +1210,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
- - id: 9084
+ - id: 12084
 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
 description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
@@ -1224,7 +1224,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 # Section 18.2 - LAPS
- - id: 9085
+ - id: 12085
 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account."
@@ -1237,7 +1237,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
- - id: 9086
+ - id: 12086
 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. 
Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1251,7 +1251,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
- - id: 9087
+ - id: 12087
 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1265,7 +1265,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
- - id: 9088
+ - id: 12088
 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1279,7 +1279,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
- - id: 9089
+ - id: 12089
 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1293,7 +1293,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
- - id: 9090
+ - id: 12090
 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'"
 description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations."
 rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
@@ -1308,7 +1308,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
 # Section 18.3 - MS Security Guide
- - id: 9091
+ - id: 12091
 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
 description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled."
 rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk." 
@@ -1326,7 +1326,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
- - id: 9092
+ - id: 12092
 title: "Ensure 'WDigest Authentication' is set to 'Disabled'"
 description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled."
 rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft." 
@@ -1345,7 +1345,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 # Section 18.4 - MSS (Legacy)
- - id: 9093
+ - id: 12093
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
 description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." 
@@ -1362,7 +1362,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- - id: 9094
+ - id: 12094
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." 
@@ -1378,7 +1378,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
- - id: 9095
+ - id: 12095
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." 
@@ -1394,7 +1394,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
- - id: 9096
+ - id: 12096
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." 
@@ -1410,7 +1410,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
- - id: 9097
+ - id: 12097
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." 
@@ -1426,7 +1426,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
- - id: 9098
+ - id: 12098
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
 description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." 
@@ -1442,7 +1442,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
- - id: 9099
+ - id: 12099
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." 
@@ -1458,7 +1458,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
- - id: 9100
+ - id: 12100
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." 
@@ -1475,7 +1475,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
 # Section 18.5 - Network
- - id: 9101
+ - id: 12101
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
 description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled"
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
@@ -1489,7 +1489,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
- - id: 9102
+ - id: 12102
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
 description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
 rationale: "Allowing regular users to set a network location increases the risk and attack surface." 
@@ -1503,7 +1503,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
- - id: 9103
+ - id: 12103
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
@@ -1518,7 +1518,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 # Section 18.8 - System
- - id: 9104
+ - id: 12104
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
 description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. "
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." 
@@ -1532,7 +1532,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
- - id: 9105
+ - id: 12105
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
 description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system." 
@@ -1546,7 +1546,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
- - id: 9106
+ - id: 12106
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1560,7 +1560,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
- - id: 9107
+ - id: 12107
 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'"
 description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)."
 rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." 
@@ -1574,7 +1574,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
- - id: 9108
+ - id: 12108
 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
 description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled."
 rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -1588,7 +1588,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
- - id: 9109
+ - id: 12109
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." 
@@ -1602,7 +1602,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 
- - id: 9110
+ - id: 12110
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -1616,7 +1616,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 
- - id: 9111
+ - id: 12111
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
@@ -1630,7 +1630,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 
- - id: 9112
+ - id: 12112
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "App notifications might display sensitive business or personal data."
@@ -1644,7 +1644,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 
- - id: 9113
+ - id: 12113
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
@@ -1658,7 +1658,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 
- - id: 9114
+ - id: 12114
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
@@ -1672,7 +1672,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
 
- - id: 9115
+ - id: 12115
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
@@ -1686,7 +1686,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
 
- - id: 9116
+ - id: 12116
 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
 description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled."
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
@@ -1703,7 +1703,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
 # Section 18.9 - Windows Components
- - id: 9117
+ - id: 12117
 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
 description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
@@ -1717,7 +1717,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
 
- - id: 9118
+ - id: 12118
 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
 description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -1731,7 +1731,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
 
- - id: 9119
+ - id: 12119
 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
 description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
@@ -1745,7 +1745,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
 
- - id: 9120
+ - id: 12120
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
 description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -1759,7 +1759,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
 
- - id: 9121
+ - id: 12121
 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
 description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
@@ -1773,7 +1773,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
 
- - id: 9122
+ - id: 12122
 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
 description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
@@ -1787,7 +1787,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
 
- - id: 9123
+ - id: 12123
 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1801,7 +1801,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
 
- - id: 9124
+ - id: 12124
 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1815,7 +1815,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
 
- - id: 9125
+ - id: 12125
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1829,7 +1829,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
 
- - id: 9126
+ - id: 12126
 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1843,7 +1843,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
 
- - id: 9127
+ - id: 12127
 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1857,7 +1857,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
 
- - id: 9128
+ - id: 12128
 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -1871,7 +1871,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
 
- - id: 9129
+ - id: 12129
 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
@@ -1885,7 +1885,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
 
- - id: 9130
+ - id: 12130
 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
@@ -1899,7 +1899,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
 
- - id: 9131
+ - id: 12131
 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'"
 description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled."
 rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware."
@@ -1913,7 +1913,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 
- - id: 9132
+ - id: 12132
 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
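Review bot: The description and rationale under the renumbered id 12132 ("Turn off heap termination on corruption") are the shell-protocol text that also appears verbatim under the "Turn off shell protocol protected mode" check, so the SCA report will explain the wrong setting for the NoHeapTerminationOnCorruption registry value. The renumbering keeps the mismatch, and the registry rules in the following hunk (outside this hunk's view) are what the check actually evaluates. I would replace both fields with text that describes heap termination, along the lines of `description: "Disabling heap termination on corruption lets legacy plug-in applications keep running inside Explorer after a heap corruption. The recommended state for this setting is: Disabled."` and `rationale: "Terminating Explorer on heap corruption limits the impact of memory-corruption bugs in plug-ins."`; the upstream benchmark these titles appear to follow has the exact wording to copy.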
@@ -1927,7 +1927,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
 
- - id: 9133
+ - id: 12133
 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'"
 description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled."
 rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system."
@@ -1941,7 +1941,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 
- - id: 9134
+ - id: 12134
 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
 description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
@@ -1955,7 +1955,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
 
- - id: 9135
+ - id: 12135
 title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'"
 description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS."
 rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client."
@@ -1969,7 +1969,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
 
- - id: 9136
+ - id: 12136
 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
 description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
@@ -1983,7 +1983,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
 
- - id: 9137
+ - id: 12137
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
@@ -1997,7 +1997,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
 
- - id: 9138
+ - id: 12138
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -2011,7 +2011,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
 
- - id: 9139
+ - id: 12139
 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'"
 description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled."
 rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks."
@@ -2025,7 +2025,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
 
- - id: 9140
+ - id: 12140
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -2039,7 +2039,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
 
- - id: 9141
+ - id: 12141
 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'"
 description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled."
 rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system."
@@ -2053,7 +2053,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
 
- - id: 9142
+ - id: 12142
 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'"
 description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled."
 rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session."
@@ -2067,7 +2067,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
 
- - id: 9143
+ - id: 12143
 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'"
 description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled."
 rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent."
@@ -2081,7 +2081,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
 
- - id: 9144
+ - id: 12144
 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'"
 description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled."
 rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files."
@@ -2095,7 +2095,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
 
- - id: 9145
+ - id: 12145
 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'"
 description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass."
 rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it."
@@ -2109,7 +2109,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
 
- - id: 9146
+ - id: 12146
 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
 description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
 rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
@@ -2123,7 +2123,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1' 
- - id: 9147 
+ - id: 12147
 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'"
 description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled."
 rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone." 
@@ -2137,7 +2137,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0' 
- - id: 9148 
+ - id: 12148
 title: "Ensure 'Allow user control over installs' is set to 'Disabled'"
 description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled."
 rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise." 
@@ -2151,7 +2151,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' 
- - id: 9149 
+ - id: 12149
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." 
@@ -2165,7 +2165,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' 
- - id: 9150 
+ - id: 12150
 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'"
 description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled."
 rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." 
@@ -2179,7 +2179,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' 
- - id: 9151 
+ - id: 12151
 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
 description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release."
 rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled." 
@@ -2193,7 +2193,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' 
- - id: 9152 
+ - id: 12152
 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'"
 description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled."
 rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." 
@@ -2207,7 +2207,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' 
- - id: 9153 
+ - id: 12153
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2221,7 +2221,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' 
- - id: 9154 
+ - id: 12154
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." 
@@ -2235,7 +2235,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' 
- - id: 9155 
+ - id: 12155
 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled."
 rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2249,7 +2249,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' 
- - id: 9156 
+ - id: 12156
 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled."
 rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." 
@@ -2263,7 +2263,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' 
- - id: 9157 
+ - id: 12157
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." 
@@ -2277,7 +2277,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' 
- - id: 9158 
+ - id: 12158
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." 
@@ -2291,7 +2291,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' 
- - id: 9159 
+ - id: 12159
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
@@ -2305,7 +2305,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' 
- - id: 9160 
+ - id: 12160
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
 description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
@@ -2319,7 +2319,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' 
- - id: 9161 
+ - id: 12161
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." 
diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index 93960b46d..552a0a1cd 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml 
@@ -26,7 +26,7 @@ requirements:
 checks:
 # Section 2.3.7 - Interactive logon 
- - id: 9500 
+ - id: 12500
 title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
 description: "This policy setting determines whether a user can log on to a Windows domain using cached account information."
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally." 
@@ -41,7 +41,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$'
 # Section 2.3.10 - Network access 
- - id: 9501 
+ - id: 12501
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication."
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer." 
@@ -56,7 +56,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
 # Section 18.4 - MSS (Legacy) 
- - id: 9502 
+ - id: 12502
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition." 
@@ -70,7 +70,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000' 
- - id: 9503 
+ - id: 12503
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router." 
@@ -84,7 +84,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' 
- - id: 9504 
+ - id: 12504
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." 
@@ -98,7 +98,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' 
- - id: 9505 
+ - id: 12505
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." 
@@ -113,7 +113,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
 # Section 18.5.9 - Link-Layer Topology Discovery 
- - id: 9506 
+ - id: 12506
 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." 
@@ -133,7 +133,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0' 
- - id: 9507 
+ - id: 12507
 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Responder network protocol driver."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." 
@@ -154,7 +154,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
 # Section 18.5.10 - Microsoft Peer-to-Peer Networking Services 
- - id: 9508 
+ - id: 12508
 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
 description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking." 
@@ -169,7 +169,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
 # Section 18.5.19.2 - Parameters 
- - id: 9509 
+ - id: 12509
 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
 remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents" 
@@ -183,7 +183,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255'
 # Section 18.5.20 - Windows Connect Now 
- - id: 9510 
+ - id: 12510
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
 description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN)."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings." 
@@ -205,7 +205,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0' 
- - id: 9511 
+ - id: 12511
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
 description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards."
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface." 
@@ -220,7 +220,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
 # Section 18.5.21 - Windows Connection Manager 
- - id: 9512 
+ - id: 12512
 title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
 description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time."
 rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network." 
@@ -235,7 +235,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
 # Section 18.8.22.1 - Internet Communication settings 
- - id: 9513 
+ - id: 12513
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature." 
@@ -249,7 +249,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' 
- - id: 9514 
+ - id: 12514
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
 description: "Turns off the handwriting recognition error reporting tool."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature." 
@@ -263,7 +263,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' 
- - id: 9515 
+ - id: 12515
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs)."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." 
@@ -277,7 +277,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' 
- - id: 9516 
+ - id: 12516
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process." 
@@ -290,7 +290,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' 
- - id: 9517 
+ - id: 12517
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for." 
@@ -304,7 +304,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' 
- - id: 9518 
+ - id: 12518
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
 description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." 
@@ -318,7 +318,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' 
- - id: 9519 
+ - id: 12519
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." 
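Review bot: The two rules at the top of the `@@ -290` hunk (context belonging to check 12516, "Turn off Registration if URL connection is referring to Microsoft.com") query `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, which has no `SOFTWARE\` component, unlike every other policy key in these hunks that lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`. If that key does not exist the check can never report a pass even on a correctly configured host, which silently weakens the benchmark. I believe the intended key is `r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration` (and the matching `-> 1` rule); please confirm against a host before changing it. The renumbering itself does not touch these lines.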
@@ -332,7 +332,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' 
- - id: 9520 
+ - id: 12520
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." 
@@ -346,7 +346,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' 
- - id: 9521 
+ - id: 12521
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." 
@@ -360,7 +360,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' 
- - id: 9522 
+ - id: 12522
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation." 
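Review bot: The description of check 12521 in the `@@ -346` hunk is a verbatim copy of 12520's ("...whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."), but its title and the `SQMClient\Windows -> CEIPEnable` rule in the following hunk concern the Windows Customer Experience Improvement Program, not Windows Messenger. Anyone reading the SCA report for this check will be told it is about Messenger. Suggest `description: "This policy setting specifies whether Windows can collect anonymous information about how the Windows software and services are used."`, or the wording from the benchmark this check is derived from.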
@@ -378,7 +378,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
 # Section 18.8.26 - Locale Services 
- - id: 9523 
+ - id: 12523
 title: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen."
 rationale: "This is a way to increase the security of the system account." 
@@ -393,7 +393,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
 # Section 18.8.36 - Remote Procedure Call 
- - id: 9524 
+ - id: 12524
 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
 description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers."
 rationale: "Unauthenticated RPC communication can create a security vulnerability." 
@@ -408,7 +408,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
 # Section 18.8.44.5 - Microsoft Support Diagnostic Tool 
- - id: 9525 
+ - id: 12525
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
 description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." 
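Review bot: The title of check 12523 in the `@@ -378` hunk is missing its opening double quote: `title: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"`. YAML reads this as a plain scalar, so the title reaches the SCA report with a stray trailing `"` rather than failing to parse, which is why it has survived. The line should read `title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"`. It is a context line the renumbering does not change, but it sits in the block this hunk edits and is the only such case in the hunks visible here.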
@@ -423,7 +423,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
 
 # Section 18.8.44.11 - Windows Performance PerfTrack
- - id: 9526
+ - id: 12526
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft."
@@ -438,7 +438,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
 
 # Section 18.8.46 User Profiles
- - id: 9527
+ - id: 12527
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern."
@@ -453,7 +453,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
 
 # Section 18.8.49.1 - Time Providers
- - id: 9528
+ - id: 12528
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services."
@@ -467,7 +467,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
 
- - id: 9529
+ - id: 12529
 title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
 description: "This policy setting allows you to specify whether the Windows NTP Server is enabled."
 rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
@@ -482,7 +482,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
 
 # Section 18.9.39 - Location and Sensors
- - id: 9530
+ - id: 12530
 title: "Ensure 'Turn off Windows Location Provider' is set to 'Enabled'"
 description: "This policy setting turns off the Windows Location Provider feature for the computer."
 rationale: "This setting affects the Windows Location Provider feature (e.g. GPS or other location tracking)."
@@ -495,7 +495,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> 1'
 
- - id: 9531
+ - id: 12531
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking)."
@@ -510,7 +510,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
 
 # Section 18.9.58.3.2 - Connections
- - id: 9532
+ - id: 12532
 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
 description: "This policy setting allows you to restrict users to a single Remote Desktop Services session."
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session."
@@ -524,7 +524,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1'
 
 # Section 18.9.58.3.3 Device and Resource Redirection
- - id: 9533
+ - id: 12533
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface."
@@ -538,7 +538,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
 
- - id: 9534
+ - id: 12534
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface."
@@ -552,7 +552,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
 
- - id: 9535
+ - id: 12535
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface."
@@ -567,7 +567,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
 
 # Section 18.9.58.3.10 - Session Time Limits
- - id: 9536
+ - id: 12536
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions."
@@ -581,7 +581,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
 
- - id: 9537
+ - id: 12537
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions."
@@ -596,7 +596,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
 
 # Section 18.9.60.1 - OCR
- - id: 9538
+ - id: 12538
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
 description: "Various levels of information can be shared with Bing in Search, to include user information and location."
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
@@ -611,7 +611,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3'
 
 # Section 18.9.56 - Software Protection Platform
- - id: 9539
+ - id: 12539
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses."
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically."
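Review bot: The MaxIdleTime rule in hunk `@@ -581`, `n:^(\d+) compare <= 900000`, also passes when the value is 0, which for this policy presumably means no idle limit at all, so a host with the limit effectively disabled would be reported compliant for the '15 minutes or less' check 12536 (whose id line sits in the previous hunk). The same one-sided pattern appears in the AutoDisconnect hunk `@@ -243,7 +243,7 @@` of sca_win_audit.yml, where the title of check 14016 explicitly says 'but not 0' yet the rule is only `n:^(\d+) compare <= 15`. Both could use the two-sided form the PasswordExpiryWarning rule in sca_win_audit.yml already uses, e.g. `n:^(\d+) compare > 0 && n:^(\d+) compare <= 900000` here and `n:^(\d+) compare > 0 && n:^(\d+) compare <= 15` there. The commit only renumbers ids, so both are pre-existing, but the rule lines are on the new side under review.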
@@ -625,7 +625,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
 
 # Section 18.9.76.3 - MAPS
- - id: 9540
+ - id: 12540
 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
 description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\"."
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed."
@@ -640,7 +640,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
 
 # Section - 18.9.76.9 - Reporting
- - id: 9541
+ - id: 12541
 title: "Ensure 'Configure Watson events' is set to 'Disabled'"
 description: "This policy setting allows you to configure whether or not Watson events are sent."
 rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission."
@@ -655,7 +655,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
 
 # Section 18.9.85 - Windows Installer
- - id: 9542
+ - id: 12542
 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
 description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user."
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
@@ -670,7 +670,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
 
 # Section 18.9.97.2 - WinRM Service
- - id: 9543
+ - id: 12543
 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky."
@@ -685,7 +685,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
 
 # Section 18.9.98 - Windows Remote Shell
- - id: 9544
+ - id: 12544
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky."
diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml
index 113ee040f..212d219b0 100644
--- a/sca/windows/sca_win_audit.yml
+++ b/sca/windows/sca_win_audit.yml
@@ -22,7 +22,7 @@ requirements:
 - 'r:HKEY_LOCAL_MACHINE\SAM\SAM'
 
 checks:
- - id: 2500
+ - id: 14000
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
@@ -35,7 +35,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
 
- - id: 2501
+ - id: 14001
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
@@ -48,7 +48,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
 
- - id: 2502
+ - id: 14002
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
@@ -61,7 +61,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
 
- - id: 2503
+ - id: 14003
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
 description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
@@ -74,7 +74,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
 
- - id: 2504
+ - id: 14004
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -87,7 +87,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
 
- - id: 2505
+ - id: 14005
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -100,7 +100,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
 
- - id: 2506
+ - id: 14006
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
 rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
@@ -113,7 +113,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
 
- - id: 2507
+ - id: 14007
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
@@ -126,7 +126,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
 
- - id: 2508
+ - id: 14008
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
@@ -139,7 +139,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
 
- - id: 2509
+ - id: 14009
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
@@ -152,7 +152,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
 
- - id: 2510
+ - id: 14010
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
 description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
 rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
@@ -165,7 +165,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
 
- - id: 2511
+ - id: 14011
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
@@ -178,7 +178,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
 
- - id: 2512
+ - id: 14012
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
@@ -191,7 +191,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
 
- - id: 2513
+ - id: 14013
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
 description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -204,7 +204,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
 
- - id: 2514
+ - id: 14014
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
 description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
 rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
@@ -217,7 +217,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
 
- - id: 2515
+ - id: 14015
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
 description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
@@ -230,7 +230,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - - id: 2516 + - id: 14016 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
@@ -243,7 +243,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - - id: 2517 + - id: 14017 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -256,7 +256,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - - id: 2518 + - id: 14018 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." 
@@ -269,7 +269,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - - id: 2519 + - id: 14019 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" 
@@ -282,7 +282,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
- - id: 2520
+ - id: 14020
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
@@ -295,7 +295,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
- - id: 2521
+ - id: 14021
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
@@ -308,7 +308,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' - - id: 2522 + - id: 14022 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." 
@@ -321,7 +321,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - - id: 2523 + - id: 14023 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data." 
@@ -334,7 +334,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' - - id: 2524 + - id: 14024 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." 
@@ -347,7 +347,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - - id: 2525 + - id: 14025 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
@@ -360,7 +360,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' - - id: 2526 + - id: 14026 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM." rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). 
The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." 
@@ -373,7 +373,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' - - id: 2527 + - id: 14027 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
@@ -386,7 +386,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1' - - id: 2528 + - id: 14028 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." 
@@ -399,7 +399,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' - - id: 2529 + - id: 14029 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." 
@@ -414,7 +414,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' - - id: 2530 + - id: 14030 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available." 
@@ -425,7 +425,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' - - id: 2531 + - id: 14031 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled." rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions." 
@@ -438,7 +438,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
- - id: 2532
+ - id: 14032
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -451,7 +451,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
- - id: 2533
+ - id: 14033
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
@@ -464,7 +464,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
- - id: 2534
+ - id: 14034
 title: "Ensure Registry tools set is enabled"
 compliance:
 - pci_dss: ["10.6.1"]
@@ -476,7 +476,7 @@ checks:
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools'
 - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0'
- - id: 2535
+ - id: 14035
 title: "Ensure DCOM is enabled"
 description: "The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network."
 compliance:
@@ -491,7 +491,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
- - id: 2536
+ - id: 14036
 title: "LM authentication not allowed (disable weak passwords)"
 compliance:
 - pci_dss: ["10.6.1","11.4"]
@@ -505,7 +505,7 @@ checks:
 # Disabled by some Malwares (sometimes by McAfee and Symantec
 # security center too).
- - id: 2537
+ - id: 14037
 title: "Ensure Firewall/Anti Virus notifications are enabled"
 compliance:
 - pci_dss: ["10.6.1"]
@@ -524,7 +524,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'
 # Checking for the microsoft firewall.
- - id: 2538
+ - id: 14038
 title: "Ensure Microsoft Firewall is enabled"
 compliance:
 - pci_dss: ["10.6.1","1.4"]
@@ -536,7 +536,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
 - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'
- - id: 2539
+ - id: 14039
 title: "Ensure Null sessions are not allowed"
 compliance:
 - pci_dss: ["11.4"]
@@ -547,7 +547,7 @@ checks:
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
- - id: 2540
+ - id: 14040
 title: "Ensure Turn off Windows Error reporting is enabled"
 compliance:
 - pci_dss: ["10.6.1"]
@@ -564,7 +564,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
- - id: 2541
+ - id: 14041
 title: "Ensure Automatic Logon is disabled"
 compliance:
 - pci_dss: ["10.6.1"]
@@ -576,7 +576,7 @@ checks:
 - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- - id: 2542
+ - id: 14042
 title: "Ensure Winpcap packet filter driver is not present"
 compliance:
 - pci_dss: ["10.6.1"]
@@ -587,7 +587,7 @@ checks: - 'f:%WINDIR%\System32\drivers\npf.sys' - 'f:%WINDIR%\Sysnative\drivers\npf.sys' - - id: 2543 + - id: 14043 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." 
@@ -603,7 +603,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0' - - id: 2544 + - id: 14044 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." 
@@ -618,7 +618,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2' - - id: 2545 + - id: 14045 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." 
@@ -633,7 +633,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2' - - id: 2546 + - id: 14046 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." 
@@ -648,7 +648,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
- - id: 2547
+ - id: 14047
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
@@ -663,7 +663,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
- - id: 2548
+ - id: 14048
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
@@ -678,7 +678,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
- - id: 2549
+ - id: 14049
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
 description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
@@ -691,7 +691,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
- - id: 2550
+ - id: 14050
 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
 description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
 rationale: "Users might download drivers that include malicious code."
@@ -704,7 +704,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
- - id: 2551
+ - id: 14051
 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
 description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
 rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
@@ -717,7 +717,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
- - id: 2552
+ - id: 14052
 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
 description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
 rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
@@ -730,7 +730,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
- - id: 2553
+ - id: 14053
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
@@ -743,7 +743,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
- - id: 2554
+ - id: 14054
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
@@ -756,7 +756,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
- - id: 2555
+ - id: 14055
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
 description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
@@ -769,7 +769,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255'
- - id: 2556
+ - id: 14056
 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
 description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
@@ -782,7 +782,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- - id: 2557
+ - id: 14057
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
 description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
@@ -795,7 +795,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
- - id: 2558
+ - id: 14058
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
 description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
@@ -808,7 +808,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- - id: 2559
+ - id: 14059
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
 description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
@@ -821,7 +821,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- - id: 2560
+ - id: 14060
 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'"
 description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled."
 rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities."
@@ -834,7 +834,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- - id: 2561
+ - id: 14061
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
 description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
@@ -847,7 +847,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
- - id: 2562
+ - id: 14062
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
 description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
@@ -860,7 +860,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
- - id: 2563
+ - id: 14063
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
@@ -875,7 +875,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
- - id: 2564
+ - id: 14064
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
@@ -890,7 +890,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
- - id: 2565
+ - id: 14065
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
 description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
@@ -903,7 +903,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- - id: 2566
+ - id: 14066
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
 description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
@@ -916,7 +916,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
- - id: 2567
+ - id: 14067
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
 description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
@@ -929,7 +929,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
- - id: 2568
+ - id: 14068
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
 description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
@@ -942,7 +942,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
- - id: 2569
+ - id: 14069
 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
 description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers."
 rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users."
@@ -955,7 +955,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
- - id: 2570
+ - id: 14070
 title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
 description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'"
 rationale: "Unauthenticated RPC communication can create a security vulnerability."

From 86981ba82d65ef833dd346b0d884f276a9301495 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Wed, 3 Jul 2019 17:21:11 +0200
Subject: [PATCH 189/247] Check HPUX ssh file in variable

---
 sca/generic/sca_unix_audit.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml
index 69367f4e6..18483bb8c 100644
--- a/sca/generic/sca_unix_audit.yml
+++ b/sca/generic/sca_unix_audit.yml
@@ -15,20 +15,20 @@ policy:
 references:
 - https://www.ssh.com/ssh/
+variables:
+ $sshd_file: /etc/ssh/sshd_config,/opt/ssh/etc/sshd_config
+ $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
+
 requirements:
 title: "Check that the SSH service is installed on the system and password-related files are present on the system"
 description: "Requirements for running the SCA scan against the Unix based systems policy."
 condition: any
 rules:
- - 'f:/etc/ssh/sshd_config'
+ - 'f:$sshd_file'
 - 'f:/etc/passwd'
 - 'f:/etc/shadow'
-variables:
- $sshd_file: /etc/ssh/sshd_config
- $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
-
 checks:
 - id: 4000
 title: "SSH Hardening - 1: Port should not be 22"

From 6215c645be9d210347d6af3441dd4d334b2cda61 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Thu, 4 Jul 2019 13:37:49 +0200
Subject: [PATCH 190/247] Adapt condition and fix some rules

---
 sca/darwin/15/cis_apple_macOS_10.11.yml | 4 ++--
 sca/darwin/16/cis_apple_macOS_10.12.yml | 2 +-
 sca/debian/cis_debian8_L1.yml | 2 +-
 sca/debian/cis_debian9_L1.yml | 2 +-
 sca/windows/cis_win10_enterprise_L1.yml | 2 +-
 sca/windows/cis_win10_enterprise_L2.yml | 2 +-
 sca/windows/cis_win2012r2_domainL1.yml | 2 +-
 sca/windows/cis_win2012r2_domainL2.yml | 2 +-
 sca/windows/cis_win2012r2_memberL1.yml | 2 +-
 sca/windows/cis_win2012r2_memberL2.yml | 2 +-
 sca/windows/sca_win_audit.yml | 6 +++---
 11 files changed, 14 insertions(+), 14 deletions(-)
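Review bot: The requirements block keeps `condition: any` while its title says the SSH config *and* the password-related files must be present; since `/etc/passwd` exists on essentially every Unix host, the new `f:$sshd_file` rule never actually gates the policy, so the SSH checks will still run and fail on hosts that have neither `/etc/ssh/sshd_config` nor `/opt/ssh/etc/sshd_config`. If the intent is to require sshd, change it to `condition: all`; if the password checks are meant to run regardless, reword the title so the requirement reads as it behaves. The variable now carries a comma-separated path list, which `$pam_d_files` already relies on, but it is worth confirming that the `f:$sshd_file -> ...` checks further down (outside this hunk) treat a missing first path as a fall-through rather than a failed check. A short comment above the variable would also help the next reader, e.g. `# second path is the HP-UX sshd_config location`.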
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index dd2d42a9e..8dba03748 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -290,7 +290,7 @@ checks:
 remediation: "Run the following command in Terminal: defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements"
 compliance:
 - cis: ["4.1"]
- condition: any
+ condition: all
 rules:
 - 'c:defaults read /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -> 1'
@@ -437,6 +437,6 @@ checks:
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
 - cis: ["6.3"]
- condition: any
+ condition: all
 rules:
 - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index bb261657e..62a264170 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
@@ -400,6 +400,6 @@ checks:
 remediation: "Perform the following to implement the prescribed state: 1. Open Safari 2. Select Safari from the menu bar 3. Select Preferences 4. Select General 5. Uncheck Open \"safe\" files after downloading Alternatively run the following command in Terminal: defaults write com.apple.Safari AutoOpenSafeDownloads -boolean no"
 compliance:
 - cis: ["6.3"]
- condition: any
+ condition: all
 rules:
 - 'c:defaults read com.apple.Safari AutoOpenSafeDownloads -> 0'
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index 40c4f75cd..9767971fc 100644
--- a/sca/debian/cis_debian8_L1.yml
+++ b/sca/debian/cis_debian8_L1.yml
@@ -131,7 +131,7 @@ checks:
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
- condition: any
+ condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s'
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index a38650eeb..9df960dfd 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
@@ -105,7 +105,7 @@ checks:
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
- condition: any
+ condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s'
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 9883a0415..f9af95157 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -21,7 +21,7 @@ policy:
 requirements:
 title: "Check that the Windows platform is Windows 10"
 description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows 10"
- condition: any
+ condition: all
 rules:
 - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index 7066d35f1..b2aaa830f 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -21,7 +21,7 @@ policy:
 requirements:
 title: "Check that the Windows platform is Windows 10"
 description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows 10"
- condition: any
+ condition: all
 rules:
 - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows 10'
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index 70ef56c47..2b177aed4 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
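Review bot: The requirements `description` in the cis_win10_enterprise_L1.yml hunk still reads "Domain Controller L1 under Windows 10", and the cis_win10_enterprise_L2.yml hunk has the matching "Domain Controller L2" text; Windows 10 Enterprise has no Domain Controller profile, so this looks copied from the Server 2012 R2 policies edited later in this commit. Since the commit already touches these two blocks, it would be the natural place to correct the wording, e.g. `description: "Requirements for running the CIS benchmark Windows 10 Enterprise L1"` (and L2 in the sibling file). The `condition: all` change itself is equivalent to the old `any` here because each requirements block has a single rule.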
@@ -23,7 +23,7 @@ policy: requirements: title: "Check that the Windows platform is Windows Server 2012 R2" description: "Requirements for running the CIS benchmark Domain Controller L1 under Windows Server 2012 R2" - condition: "any" + condition: all rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml index 3b2d99cc9..f63088482 100644 --- a/sca/windows/cis_win2012r2_domainL2.yml +++ b/sca/windows/cis_win2012r2_domainL2.yml @@ -23,7 +23,7 @@ policy: requirements: title: "Check that the Windows platform is Windows Server 2012 R2" description: "Requirements for running the CIS benchmark Domain Controller L2 under Windows Server 2012 R2" - condition: "any required" + condition: all rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index 74bc7d221..c3ffa329c 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml @@ -23,7 +23,7 @@ policy: requirements: title: "Check that the Windows platform is Windows Server 2012 R2" description: "Requirements for running the CIS benchmark Member Server L1 under Windows Server 2012 R2" - condition: "any" + condition: all rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml index 552a0a1cd..c5e3ce692 100644 --- a/sca/windows/cis_win2012r2_memberL2.yml +++ b/sca/windows/cis_win2012r2_memberL2.yml 
@@ -20,7 +20,7 @@ policy: requirements: title: "Check that the Windows platform is Windows Server 2012 R2" description: "Requirements for running the CIS benchmark Member Server L2 under Windows Server 2012 R2" - condition: "any required" + condition: all rules: - 'r:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion -> ProductName -> r:^Windows Server 2012 R2' diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml index 212d219b0..eab27d2d4 100644 --- a/sca/windows/sca_win_audit.yml +++ b/sca/windows/sca_win_audit.yml @@ -9,15 +9,15 @@ # policy: - id: "win_audit" - file: "win_audit.yml" + id: "sca_win_audit" + file: "sca_win_audit.yml" name: "Benchmark for Windows audit" description: "This document provides a way of ensuring the security of the Windows systems." requirements: title: "Check for Windows platform" description: "Requirements for running the audit policy under a Windows platform" - condition: "any" + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SAM\SAM' From c4cc643ef7a28392449b8d588f4bcbe7e6fbd14c Mon Sep 17 00:00:00 2001 From: Skeptor Date: Thu, 4 Jul 2019 18:50:23 +0200 Subject: [PATCH 191/247] Fix typos in mysql policy --- sca/applications/cis_mysql5-6_community.yml | 6 +++--- sca/applications/cis_mysql5-6_enterprise.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml index 7aeebf250..ae4426c40 100644 --- a/sca/applications/cis_mysql5-6_community.yml +++ b/sca/applications/cis_mysql5-6_community.yml 
@@ -31,7 +31,7 @@ checks: title: "Disable MySQL Command History" description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled." rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys." - remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null." + remediation: "Perform the following steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null." compliance: - cis: ["1.3"] references: @@ -48,9 +48,9 @@ checks: remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'" compliance: - cis: ["1.5"] - condition: none + condition: all rules: - - 'c:getent passwd mysql -> r:^\s$' + - 'c:getent passwd mysql -> r:\/bin\/false|\/sbin\/nologin' - id: 9502 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml index 7e8fdd4b1..be2428e09 100644 --- a/sca/applications/cis_mysql5-6_enterprise.yml +++ b/sca/applications/cis_mysql5-6_enterprise.yml 
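Review bot: The corrected remediation line in `cis_mysql5-6_community.yml` (@@ -31) still ends with a second typo: "Create $HOME/.mysql_history as a symbolic to /dev/null" is missing the noun. Suggest `... Or Create $HOME/.mysql_history as a symbolic link to /dev/null."`; the enterprise policy hunk at @@ -31 on the next line has the identical sentence.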
@@ -31,7 +31,7 @@ checks: title: "Disable MySQL Command History" description: "On Linux/UNIX, the MySQL client logs statements executed interactively to a history file. By default, this file is named .mysql_history in the user's home directory. Most interactive commands run in the MySQL client application are saved to a history file. The MySQL command history should be disabled." rationale: "Disabling the MySQL command history reduces the probability of exposing sensitive information, such as passwords and encryption keys." - remediation: "Perform the folowwing steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null." + remediation: "Perform the following steps: 1. Remove .mysql_history if it exists. And 2. Set the MYSQL_HISTFILE environment variable to /dev/null. This will need to be placed in the shell's startup script. Or Create $HOME/.mysql_history as a symbolic to /dev/null." compliance: - cis: ["1.3"] references: @@ -48,9 +48,9 @@ checks: remediation: "Execute one of the following commands in a terminal: 'usermod -s /bin/false mysql' or 'usermod -s /sbin/nologin mysql'" compliance: - cis: ["1.5"] - condition: none + condition: all rules: - - 'c:getent passwd mysql -> r:^\s$' + - 'c:getent passwd mysql -> r:c:getent passwd mysql -> r:\/bin\/false|\/sbin\/nologin' - id: 10002 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" From e6aec76bf416fe2364dd03ee5010c405ebc57915 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Thu, 4 Jul 2019 19:57:16 +0200 Subject: [PATCH 192/247] Review failing mysql rules --- sca/applications/cis_mysql5-6_community.yml | 6 +++--- sca/applications/cis_mysql5-6_enterprise.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml index ae4426c40..c79f9f3cb 100644 --- a/sca/applications/cis_mysql5-6_community.yml +++ b/sca/applications/cis_mysql5-6_community.yml @@ -50,7 +50,7 @@ checks: - cis: ["1.5"] condition: all rules: - - 'c:getent passwd mysql -> r:\/bin\/false|\/sbin\/nologin' + - 'c:getent passwd mysql -> r:/bin/false|/sbin/nologin' - id: 9502 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" @@ -63,7 +63,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html condition: none rules: - - 'c:find /home -maxdepth 2 -type f -regex "/home/.*/\(\.bashrc\|\.profile\|.bash_profile\)" -exec grep MYSQL_PWD {} + -> r:MYSQL_PWD' + - 'c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:$MYSQL_PWD' #4 General - id: 9503 @@ -92,7 +92,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/load-data.html condition: all rules: - - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0' + - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0' - id: 9505 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml index be2428e09..123798cc4 100644 --- a/sca/applications/cis_mysql5-6_enterprise.yml +++ b/sca/applications/cis_mysql5-6_enterprise.yml @@ -50,7 +50,7 @@ checks: - cis: ["1.5"] condition: all rules: - - 'c:getent passwd mysql -> r:c:getent passwd mysql -> r:\/bin\/false|\/sbin\/nologin' + - 'c:getent passwd mysql -> r:/bin/false|/sbin/nologin' - id: 10002 title: "Verify That 'MYSQL_PWD' Is Not Set In Users' Profiles" 
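Review bot: The new rule `'c:getent passwd mysql -> r:/bin/false|/sbin/nologin'` in `cis_mysql5-6_community.yml` (@@ -50) is not anchored, so the pattern can match the home directory or GECOS text instead of the shell, which is the last field of the passwd line. Anchoring to end of line keeps the check on the field CIS 1.5 is about: `- 'c:getent passwd mysql -> r:/bin/false$|/sbin/nologin$'`. With `condition: all` the check also fails when the `mysql` account does not exist (getent prints nothing); that may be intended, but it is worth stating in the description. The enterprise hunk at @@ -50 on this line uses the same rule.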
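Review bot: The second regex in the rewritten rule at @@ -63, `r:$MYSQL_PWD`, is unlikely to ever match: `$` is the variable prefix in these policies (compare `f:$sshd_file` in this series) and, read as a regex, an end-of-line anchor followed by literal text cannot match. The profile lines this check looks for assign the variable, so `r:MYSQL_PWD=` (or plain `r:MYSQL_PWD`) is the intended pattern, i.e. `- 'c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:MYSQL_PWD='`. Dropping the `-regex` filter also means grep now reads every file within two levels of /home rather than only shell profiles; the filename restriction now lives solely in the output regex. The enterprise hunk at @@ -63 on the next line has the same rule.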
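Review bot: The relaxed regex `r:local-infile\s*=\s*0` at @@ -92 still accepts a commented-out line: `grep -Rh local-infile` prints `# local-infile = 0` as well, and under `condition: all` that line alone makes the check pass while the option is not actually set. Excluding comment lines the way other rules in this series do would look like `- 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> !r:^\s*# && r:local-infile\s*=\s*0'`, assuming `!r:` is honoured on `c:` rules as it is on `f:` rules. MySQL option files also accept the underscore spelling `local_infile`, which neither the grep argument nor the regex covers, so a host using that spelling fails the check; worth covering if the regex dialect allows it. The enterprise hunk at @@ -92 on the next line is identical.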
@@ -63,7 +63,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/environment-variables.html condition: none rules: - - 'c:find /home -maxdepth 2 -type f -regex "/home/.*/\(\.bashrc\|\.profile\|.bash_profile\)" -exec grep MYSQL_PWD {} + -> r:MYSQL_PWD' + - 'c:find /home -maxdepth 2 -type f -exec grep MYSQL_PWD {} + -> r:.profile|.bashrc|.bash_profile && r:$MYSQL_PWD' #4 General - id: 10003 @@ -92,7 +92,7 @@ checks: - https://dev.mysql.com/doc/refman/5.6/en/load-data.html condition: all rules: - - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s+=\s+0' + - 'c:grep -Rh local-infile /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:local-infile\s*=\s*0' - id: 10005 title: "Ensure 'mysqld' Is Not Started with '--skip-grant-tables'" From 0e130f555f94d853bd1dcf9b4007a9e513f3db1a Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 8 Jul 2019 15:39:06 +0200 Subject: [PATCH 193/247] Fix title, compliance for Apache policy --- sca/applications/cis_apache2224.yml | 106 ++++++++++++++-------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index 53a9815ed..830cae085 100644 --- a/sca/applications/cis_apache2224.yml +++ b/sca/applications/cis_apache2224.yml @@ -52,7 +52,7 @@ checks: remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file." compliance: - cis: ["2.3"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1","9.2"] references: - https://httpd.apache.org/docs/2.2/mod/mod_dav.html - https://httpd.apache.org/docs/2.4/mod/mod_dav.html 
@@ -68,7 +68,7 @@ checks: remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file." compliance: - cis: ["2.4"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1","9.2"] references: - https://httpd.apache.org/docs/2.2/mod/mod_status.html - https://httpd.apache.org/docs/2.4/mod/mod_status.html @@ -84,7 +84,7 @@ checks: remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file." compliance: - cis: ["2.5"] - - cis_csc: ["18"] + - cis_csc: ["18","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html @@ -100,7 +100,7 @@ checks: remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file." compliance: - cis: ["2.6"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1,"9.2"] references: - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html 
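Review bot: The new compliance line at @@ -100, `- cis_csc: ["9.1,"9.2"]`, is missing the closing quote after 9.1, so the flow sequence is malformed (`"9.1,"` followed by an unquoted `9.2"`); a YAML parser is likely to reject the whole policy file, not just this check. It should read `- cis_csc: ["9.1","9.2"]`, matching the sibling module hunks in this file (@@ -52, @@ -68, @@ -132).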
@@ -116,7 +116,7 @@ checks: remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file." compliance: - cis: ["2.7"] - - cis_csc: ["18"] + - cis_csc: ["18","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html @@ -132,7 +132,7 @@ checks: remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file." compliance: - cis: ["2.8"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1","9.2"] references: - https://httpd.apache.org/docs/2.2/mod/mod_info.html - https://httpd.apache.org/docs/2.4/mod/mod_info.html @@ -148,10 +148,10 @@ checks: remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" compliance: - cis: ["3.2"] - - cis_csc: ["16"] + - cis_csc: ["16","4.3"] condition: none rules: - - 'f:/etc/passwd -> r:apache' + - 'f:/etc/passwd -> r:apache && r:/sbin/nologin$|/dev/null$' #3.3 Lock the Apache User Account - id: 9007 @@ -161,7 +161,7 @@ checks: remediation: "Use the passwd command to lock the apache account: # passwd -l apache" compliance: - cis: ["3.3"] - - cis_csc: ["16"] + - cis_csc: ["16","16.8"] condition: all rules: - 'c:passwd -S apache -> r:Password locked' 
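Review bot: The rewritten rule at @@ -148, `'f:/etc/passwd -> r:apache && r:/sbin/nologin$|/dev/null$'`, is kept under `condition: none`, which inverts the check: the rule now matches exactly the compliant line (apache with a nologin shell), so the check fails on a hardened host and passes when apache has a real shell or is absent. Going by the `condition` semantics used elsewhere in this series, the condition should flip with the rule: `condition: all` and `- 'f:/etc/passwd -> r:^apache: && r:/sbin/nologin$|/dev/null$'`, with `^apache:` so that other accounts whose home or GECOS field contains "apache" do not satisfy it. The `$`-anchored alternative also covers `/usr/sbin/nologin`, but not `/bin/false`, which may be worth adding. The check's `- id:` line is above the hunk.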
@@ -173,8 +173,8 @@ checks: rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." compliance: - - cis: ["4.4"] - - cis_csc: ["14.4"] + - cis: ["4.3"] + - cis_csc: ["14.4","14.6"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride @@ -194,7 +194,7 @@ checks: remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." compliance: - cis: ["5.3"] - - cis_csc: ["18"] + - cis_csc: ["18","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_include.html - https://httpd.apache.org/docs/2.2/mod/core.html#options @@ -213,7 +213,7 @@ checks: remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." compliance: - cis: ["5.4"] - - cis_csc: ["18.9"] + - cis_csc: ["18.9","5.1"] condition: none rules: - 'd:/var/www -> index.html' 
@@ -227,7 +227,7 @@ checks: remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." compliance: - cis: ["5.4"] - - cis_csc: ["18.9"] + - cis_csc: ["18.9","5.1"] condition: none rules: - 'd:$confdirs -> r:manual.conf|apache2-doc.conf' @@ -240,7 +240,7 @@ checks: remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." compliance: - cis: ["5.4"] - - cis_csc: ["18.9"] + - cis_csc: ["18.9","5.1"] condition: none rules: - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler' @@ -254,7 +254,7 @@ checks: remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed." compliance: - cis: ["5.5"] - - cis_csc: ["18"] + - cis_csc: ["18","4.7"] condition: none rules: - 'd:/var/www/cgi-bin -> printenv' @@ -268,7 +268,7 @@ checks: remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. Remove the test-cgi default CGI in the cgi-bin directory if it is installed." compliance: - cis: ["5.6"] - - cis_csc: ["18.9"] + - cis_csc: ["18.9","4.7"] condition: none rules: - 'd:/var/www/cgi-bin -> test-cgi' 
@@ -282,7 +282,7 @@ checks: remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory." compliance: - cis: ["5.7"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1","9.2"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept - https://www.ietf.org/rfc/rfc2616.txt @@ -300,7 +300,7 @@ checks: remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top level configuration, not nested within any other directives like or ." compliance: - cis: ["5.8"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1","9.2"] references: - https://www.ietf.org/rfc/rfc2616.txt - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable @@ -317,7 +317,7 @@ checks: remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port." compliance: - cis: ["5.13"] - - cis_csc: ["9.1"] + - cis_csc: ["9.1","9.2"] references: - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen 
@@ -338,7 +338,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN" compliance: - cis: ["5.14"] - - cis_csc: ["18"] + - cis_csc: ["18","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header @@ -356,7 +356,7 @@ checks: remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site." compliance: - cis: ["6.1"] - - cis_csc: ["6.2"] + - cis_csc: ["6.2","6.3"] references: - https://httpd.apache.org/docs/2.2/logs.html - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel @@ -377,7 +377,7 @@ checks: remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary." compliance: - cis: ["6.2"] - - cis_csc: ["6.6"] + - cis_csc: ["6.6","6.8"] references: - https://httpd.apache.org/docs/2.2/logs.html - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel 
@@ -397,7 +397,7 @@ checks: remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present, modify the value to be off. If the directive is not present, no action is required: SSLInsecureRenegotiation off" compliance: - cis: ["7.6"] - - cis_csc: ["14.2"] + - cis_csc: ["14.2","14.4"] references: - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation @@ -415,7 +415,7 @@ checks: remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off." compliance: - cis: ["7.7"] - - cis_csc: ["14.2"] + - cis_csc: ["14.2","14.4"] references: - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression @@ -427,13 +427,13 @@ checks: #8.1 Set ServerToken to Prod or ProductOnly - id: 9023 - title: "Ensure ServerTokens Provides Minimal Information" + title: "Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'" description: "Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly." rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically." remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod" compliance: - cis: ["8.1"] - - cis_csc: ["18.9"] + - cis_csc: ["18.9","14.7"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens condition: any 
@@ -449,7 +449,7 @@ checks: remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off" compliance: - cis: ["8.2"] - - cis_csc: ["18"] + - cis_csc: ["18","13.2"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature @@ -465,8 +465,8 @@ checks: rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled." remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out." compliance: - - cis: ["8.4"] - - cis_csc: ["18.9"] + - cis: ["8.3"] + - cis_csc: ["18.9","13.2"] condition: none rules: - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf' 
@@ -474,13 +474,13 @@ checks: #9.1:Set TimeOut to 10 or less - id: 9026 - title: "Ensure the TimeOut Is Set Properly" + title: "Ensure the TimeOut Is Set to 10 or Less" description: "The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less." rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive." remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less." compliance: - cis: ["9.1"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#timeout - https://httpd.apache.org/docs/2.4/mod/core.html#timeout @@ -496,7 +496,7 @@ checks: remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On." compliance: - cis: ["9.2"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive 
@@ -506,13 +506,13 @@ checks: #9.3:Set MaxKeepAliveRequests to 100 or greater - id: 9028 - title: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed. It is recommended that the MaxKeepAliveRequests directive be set to 100 or greater." - description: "Set MaxKeepAliveRequest to 100 or greater" - rationale: "Limiting the number of requests per connection may improve a server's resiliency to DoS attacks." + title: "Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater" + description: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed." + rationale: "The MaxKeepAliveRequests directive is important to be used to mitigate the risk of Denial of Service (DoS) attack technique by reducing the overhead imposed on the server. The KeepAlive directive must be enabled before it is effective. Enabling KeepAlives allows for multiple HTTP requests to be sent while keeping the same TCP connection alive. This reduces the overhead of having to setup and tear down TCP connections for each request. By making the server more efficient, it will be more resilient to DoS conditions." remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more." compliance: - cis: ["9.3"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests 
@@ -522,29 +522,29 @@ checks: #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service - id: 9029 - title: "Ensure the KeepAliveTimeout Is Set Properly" + title: "Ensure KeepAliveTimeout is Set to a Value of 15 or Less" description: "The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive." rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks." remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less." compliance: - cis: ["9.4"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout - condition: none + condition: all rules: - - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare > 15' + - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15' #9.5 Set Timeout Limits for Request Headers - id: 9030 - title: "Ensure Timeout Limits for Request Headers Are Set Properly" + title: "Ensure the Timeout Limits for Request Headers is Set to 40 or Less" description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate." rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies." remediation: "Load the mod_requesttimeout module in the Apache configuration. 
Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less." compliance: - cis: ["9.5"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://ha.ckers.org/slowloris/ - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t @@ -557,13 +557,13 @@ checks: #9.6 Set Timeout Limits for Request Body - id: 9031 - title: "Ensure Timeout Limits for the Request Body Are Set Properly" + title: "Ensure Timeout Limits for the Request Body is Set to 20 or Less" description: "The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate." rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks." remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less." compliance: - cis: ["9.6"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html 
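Review bot: The KeepAliveTimeout rule at @@ -522, `'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15'`, does not skip commented lines, so a commented default such as `#KeepAliveTimeout 5` satisfies `condition: all` and the check passes with the directive not actually set. This series already combines a comment filter with a numeric compare (`!r:^# && n:Port\s*\t*(\d+) compare != 22`), so `- 'f:$main-conf -> !r:^\s*# && n:keepalivetimeout\s+(\d+) compare <= 15'` keeps the fix and closes that gap. With `condition: all` an absent directive now fails the check although Apache's documented default of 5 seconds already meets the 15-second bound, so the description should state that the directive must be set explicitly; whether the lowercase pattern matches the usual `KeepAliveTimeout` spelling depends on the matcher being case-insensitive, which is worth confirming. The RequestReadTimeout check (9.5) that begins in this hunk runs past its end, so its rule is not visible here.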
@@ -574,13 +574,13 @@ checks: #10.1 Set the LimitRequestLine directive to 512 or less - id: 9032 - title: "Ensure the Maximum Request Line Length Is Set Properly" + title: "Ensure the LimitRequestLine directive is Set to 512 or less" description: "The LimitRequestLine directive sets the maximum number of bytes that Apache will read for each line of an HTTP request. It is recommended that the LimitRequestLine be set to 512 or less." rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less." compliance: - cis: ["10.1"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline 
@@ -590,13 +590,13 @@ checks: #10.2 Set the LimitRequestFields directive to 100 or less - id: 9033 - title: "Ensure the Maximum Request Headers Per Request Is Set Properly" + title: "Ensure the LimitRequestFields Directive is Set to 100 or Less" description: "The LimitRequestFields directive sets the maximum limit on the number of HTTP request headers allowed per request. It is recommended that the LimitRequestFields directive be set to 100 or less." rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100." compliance: - cis: ["10.2"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields 
@@ -606,13 +606,13 @@ checks: #10.3 Set the LimitRequestFieldsize directive to 1024 or less - id: 9034 - title: "Ensure the Maximum Request Header Field Size Is Set Properly" + title: "Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less" description: "The LimitRequestFieldSize directive sets the maximum size of an HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less." rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less." compliance: - cis: ["10.3"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize 
@@ -622,13 +622,13 @@ checks: #10.4 Set the LimitRequestBody directive to 102400 or less - id: 9035 - title: "Ensure the Maximum Request Body Size Is Set Properly" + title: "Ensure the LimitRequestBody Directive is Set to 102400 or Less" description: "The LimitRequestBody directive sets the maximum size of an HTTP request body. It is recommended that the LimitRequestBody directive be set to 102400 or less." rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server." compliance: - cis: ["10.4"] - - cis_csc: ["9"] + - cis_csc: ["9","5.1"] references: - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody From a5396c3da21586b47875758aef93820be4db190d Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Mon, 8 Jul 2019 16:53:28 +0200 Subject: [PATCH 194/247] Fix some Solaris rules --- sca/sunos/cis_solaris11.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index e2680c7ad..575d7209e 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml 
@@ -350,9 +350,9 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^X11Forwarding / { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: ["6.3"] - condition: none + condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes' + - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*no' - id: 7024 title: "Limit Consecutive Login Attempts for SSH" @@ -394,9 +394,9 @@ checks: remediation: "Perform the following to implement the recommended state: # awk '/^PermitEmptyPasswords/ { $2 = \"no\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" compliance: - cis: ["6.7"] - condition: none + condition: all rules: - - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+yes' + - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no' - id: 7028 title: "Disable Host-based Authentication for Login-based Services" @@ -458,9 +458,11 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf" compliance: - cis: ["6.11"] - condition: none + condition: all rules: - - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin' + - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin\s*\t*auth\s*\t*required\s*\t*pam_unix_cred.so.1' + - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin\s*\t*auth\s*\t*sufficient\s*\t*pam_allow.so.1' + - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin\s*\t*account\s*\t*sufficient\s*\t*pam_allow.so.1' - id: 7032 title: "Set Default Screen Lock for GNOME Users" From b93bdaee855a6a602dc86d2d3fb814021d242eab Mon Sep 17 00:00:00 2001 
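Review bot: The rewritten X11Forwarding rule only proves that some line `X11Forwarding no` exists; it no longer fails when an earlier `X11Forwarding yes` line is also present, and sshd uses the first value it reads for a keyword, so such a file now passes the check while forwarding stays enabled. The PermitEmptyPasswords rule in the hunk at `@@ -394` has the same gap. Keeping the old negative pattern next to the new one would close it, e.g. `- 'not f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*yes'` under `condition: all`, if the `not` rule prefix used later in this series is available to this policy; otherwise a `condition: none` check on the `yes` form is the safer shape. Requiring at least one separator (`\s+` instead of `\s*`) also avoids matching tokens such as `X11Forwardingno`.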
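Review bot: The three new gdm-autologin rules under `condition: all` require uncommented `gdm-autologin … pam_unix_cred.so.1` / `pam_allow.so.1` lines to be present in /etc/pam.conf, yet the remediation in the same hunk comments exactly those lines out, so the check now passes on the unremediated stock pam.conf and fails once the fix has been applied. Keeping `condition: none` with the three more specific patterns (or prefixing each rule with `not ` under `condition: all`) gives the intended result. The check's `id:` and `title:` lines are above the hunk, so I cannot tell which id this affects from here.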
From: Chema Martinez Date: Tue, 9 Jul 2019 05:54:02 -0700 Subject: [PATCH 195/247] Fix typo in rules whitout spaces --- sca/debian/cis_debian8_L1.yml | 2 +- sca/debian/cis_debian9_L1.yml | 2 +- sca/generic/sca_unix_audit.yml | 2 +- sca/windows/cis_win10_enterprise_L1.yml | 4 ++-- sca/windows/cis_win2012r2_domainL1.yml | 4 ++-- sca/windows/sca_win_audit.yml | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 9767971fc..9561cdea7 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -318,7 +318,7 @@ checks: condition: all rules: - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$' - - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$' + - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*0$' - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' - id: 2023 diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml index 9df960dfd..3d1b63341 100644 --- a/sca/debian/cis_debian9_L1.yml +++ b/sca/debian/cis_debian9_L1.yml @@ -292,7 +292,7 @@ checks: condition: all rules: - 'c:sysctl fs.suid_dumpable -> r:=\s*\t*0$' - - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d-> r:=\s*\t*0$' + - 'c:grep -Rh fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*0$' - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' - id: 3021 diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml index 18483bb8c..bd2ab22e3 100644 --- a/sca/generic/sca_unix_audit.yml +++ b/sca/generic/sca_unix_audit.yml 
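Review bot: The corrected grep rule in cis_debian8_L1.yml still accepts a commented-out setting: `grep -Rh fs\.suid_dumpable …` also returns lines such as `# fs.suid_dumpable = 0`, and `r:=\s*\t*0$` matches them, so the persistent-configuration half of the check can pass with nothing actually configured. The identical rule is changed the same way in cis_debian9_L1.yml at `@@ -292`. Anchoring the grep to the directive, `c:grep -Rh ^[[:space:]]*fs\.suid_dumpable /etc/sysctl.conf /etc/sysctl.d -> r:=\s*\t*0$`, excludes the commented form and matches the `[[:space:]]` style already used by the neighbouring limits.conf rule. The `c:sysctl` rule under `condition: all` limits the impact to the persistence part.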
@@ -178,7 +178,7 @@ checks: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:$pam_d_files-> r:pam_cracklib.so && r:dcredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=-1' - id: 4013 title: "Ensure passwords contain at least one lowercase character" diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index f9af95157..3e03b0d1e 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml @@ -2266,8 +2266,8 @@ checks: - cis_csc: ["8.3","8.4","8.5"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> ff' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> ff' - id: 13161 title: "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml index 2b177aed4..72a3008ec 100644 --- a/sca/windows/cis_win2012r2_domainL1.yml +++ b/sca/windows/cis_win2012r2_domainL1.yml 
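Review bot: The fixed rule `f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=-1` does not exclude commented lines, so a `#password requisite pam_cracklib.so … dcredit=-1` line left behind by an administrator satisfies it although the module is not in effect. Other rules in this series guard against that with `!r:^#`, e.g. `- 'f:$pam_d_files -> !r:^# && r:pam_cracklib.so && r:dcredit=-1'`. The check's `id:`/`title:` lines are above the hunk.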
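Review bot: After the whitespace fix the value comparison is `NoDriveTypeAutoRun -> ff` here, while the same registry value is compared against `-> 255` in cis_win2012r2_domainL1.yml (`@@ -1698`) and sca_win_audit.yml (`@@ -766`) in this same commit; the agent presumably renders a REG_DWORD in only one of these forms, so one variant can never match and the affected check fails regardless of the actual setting. Whichever form has been verified against a live agent should be used in all three files. The `id:` and `title:` of this check are above the hunk.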
@@ -1698,8 +1698,8 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255' - id: 11117 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml index eab27d2d4..a675292d2 100644 --- a/sca/windows/sca_win_audit.yml +++ b/sca/windows/sca_win_audit.yml @@ -766,8 +766,8 @@ checks: condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer-> NoDriveTypeAutoRun -> 255' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun' + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255' - id: 14056 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" From d10e382dbfb871e81111cb539cdb1aaadeb075e2 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 9 Jul 2019 06:46:09 -0700 Subject: [PATCH 196/247] Fix typo in Windows Office policy --- sca/windows/acsc_office2016.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml index 83b99b90a..d6a22b835 100644 --- a/sca/windows/acsc_office2016.yml +++ b/sca/windows/acsc_office2016.yml 
@@ -118,7 +118,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' # ACSC - Active X - - id: 14508 #* + - id: 14508 title: "Ensure 'Disable All Active X' is set to 'Enabled'" description: "While ActiveX controls can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, ActiveX controls should be disabled for Microsoft Office." references: 
@@ -337,7 +337,7 @@ checks: - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> 2' # CIS 2.22 - Office Converters - - id: 14529 #* + - id: 14529 title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled" description: "This policy setting controls whether users with the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats installed can open Office Open XML files saved with pre-release versions of PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. The recommended state for this setting is: Enabled." rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality." From 5f5cb6bddd78bbf9d8241f5a8d40427bad952a07 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 9 Jul 2019 10:51:42 -0700 Subject: [PATCH 197/247] Update CIS Apache policy for SCA --- sca/applications/cis_apache2224.yml | 429 ++++++++++------------------ 1 file changed, 148 insertions(+), 281 deletions(-) 
diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache2224.yml index 830cae085..7e110b26e 100644 --- a/sca/applications/cis_apache2224.yml +++ b/sca/applications/cis_apache2224.yml @@ -8,14 +8,13 @@ # Foundation # # Based on: -# Center for Internet Security Benchmark for Apache 2.2 v3.5.0 - 06-08-2018 -# Center for Internet Security Benchmark for Apache 2.4 v1.4.0 - 07-13-2018 +# Center for Internet Security Benchmark for Apache 2.4 v1.5.0 - 06-12-2019 policy: id: "cis_apache" - file: "cis_apache2224.yml" - name: "CIS Apache HTTP Server 2.2/2.4 Benchmark" - description: "This document provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server versions 2.2 and 2.4 running on Linux." + file: "cis_apache24.yml" + name: "CIS Apache HTTP Server 2.4 Benchmark" + description: "This document provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server version 2.4 running on Linux." references: - https://www.cisecurity.org/cis-benchmarks/ 
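Review bot: `file: "cis_apache24.yml"` no longer matches the file this patch modifies, `sca/applications/cis_apache2224.yml` (the diffstat shows an in-place edit, not a rename), so the policy's self-declared filename is inconsistent with its location. Either rename the file in the same commit or keep `file: "cis_apache2224.yml"` until the rename lands.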
@@ -27,50 +26,39 @@ requirements: - 'f:/etc/apache2/apache2.conf' - 'f:/etc/httpd/conf/httpd.conf' -# In case your installation is located in: /etc/apache2 use this block of variables -# variables: -# $main-conf: /etc/apache2/apache2.conf -# $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled -# $ssl-confs: /etc/apache2/mods-enabled/ssl.conf -# $request-confs: /etc/apache2/mods-enabled/reqtimeout.conf -# $traceen: /etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf - - variables: - $main-conf: /etc/httpd/conf/httpd.conf - $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d - $ssl-confs: /etc/httpd/conf.d/ssl.conf - $request-confs: /etc/httpd/conf/httpd.conf - $traceen: /etc/httpd/conf/httpd.conf + $main-conf: /etc/httpd/conf/httpd.conf,/etc/apache2/apache2.conf + $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d,/etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled + $ssl-confs: /etc/httpd/conf.d/ssl.conf,/etc/apache2/mods-enabled/ssl.conf + $request-confs: /etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf + $traceen: /etc/httpd/conf/httpd.conf,/etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf #2.3 Disable WebDAV Modules checks: - id: 9000 title: "Ensure the WebDAV Modules Are Disabled" - description: "The Apache mod_dav and mod_dav_fs modules support WebDAV functionality for Apache, which is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server." + description: "The Apache mod_dav and mod_dav_fs modules support WebDAV (Web-based Distributed Authoring and Versioning) functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server." 
rationale: "Disabling WebDAV modules will improve the security posture of the web server by reducing the amount of potentially vulnerable code paths exposed to the network and reducing potential for unauthorized access to files via misconfigured WebDAV access controls." - remediation: "For source builds with static modules run the Apache ./configure script without including the mod_dav , and mod_dav_fs in the --enable-modules=configure script options. For dynamically loaded modules comment out the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file." + remediation: "Perform either one of the following to disable WebDAV module: 1. For source builds with static modules run the Apache ./configure script without including the mod_dav, and mod_dav_fs in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules comment out or remove the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file. ##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so" compliance: - cis: ["2.3"] - cis_csc: ["9.1","9.2"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_dav.html - https://httpd.apache.org/docs/2.4/mod/mod_dav.html condition: none rules: - - 'c:httpd -M -> r:dav_\s*_module' + - 'c:httpd -M -> r:dav_\.+module' #2.4 Disable Status Module - id: 9001 title: "Ensure the Status Module Is Disabled" description: "The Apache mod_status module provides current server performance statistics." - rationale: "While having server performance status information available as a web page may be convenient, it's recommended that this module be disabled. When it is enabled, its handler capability is available in all configuration files, including per-directory files." - remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. 
For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file." + rationale: "When mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess). The mod_status module may provide an adversary with information that can be used to refine exploits that depend on measuring server load." + remediation: "Perform either one of the following to disable the mod_status module: 1) For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. 2) For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file. ##LoadModule status_module modules/mod_status.so" compliance: - cis: ["2.4"] - cis_csc: ["9.1","9.2"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_status.html - https://httpd.apache.org/docs/2.4/mod/mod_status.html condition: none rules: 
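Review bot: The new module rule `c:httpd -M -> r:dav_\.+module` appears not to match `dav_module` itself: in this rule dialect `\.` stands for any character and `+` needs at least one of them before `module`, so only names such as `dav_fs_module` or `dav_lock_module` match; `r:dav_\.*module` (or `r:dav_module|dav_fs_module`) covers both. Separately, now that the variables also cover the /etc/apache2 layout, every `c:httpd -M` rule under `condition: none` passes vacuously on systems where the binary is named differently (Debian-derived packages ship `apache2`/`apache2ctl`), because a command that produces no output matches nothing. A companion `c:apache2ctl -M` rule, or a requirement that the module listing command succeeds, would keep the "none" checks meaningful on those hosts.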
@@ -81,12 +69,11 @@ checks: title: "Ensure the Autoindex Module Is Disabled" description: "The Apache mod_autoindex module automatically generates a web page listing the contents of directories on the server, typically used so an index.html does not have to be generated." rationale: "Automated directory listings should not be enabled because they will reveal information helpful to an attacker such as naming conventions and directory paths. They may also reveal files that were not intended to be revealed." - remediation: "For source builds with static modules, run the Apache ./configure script with the - -disable-autoindex configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_autoindex module from the httpd.conf file." + remediation: "Perform either one of the following to disable the mod_autoindex module: 1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure -disable-autoindex. 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file. ## LoadModule autoindex_module modules/mod_autoindex.so" compliance: - cis: ["2.5"] - cis_csc: ["18","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_autoindex.html - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html condition: none rules: 
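Review bot: In the new remediation string the example command `$ ./configure -disable-autoindex.` uses a single dash and a trailing period, while the sentence before it correctly gives `--disable-autoindex`. Changing it to `$ ./configure --disable-autoindex` makes the pasted command work as documented.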
@@ -95,14 +82,13 @@ checks: #2.6 Disable Proxy Modules - id: 9003 title: "Ensure the Proxy Modules Are Disabled" - description: "The Apache proxy modules allow the server to act as a proxy for HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network, the proxy module should not be loaded." - rationale: "A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended." - remediation: "For source builds with static modules, run the Apache ./configure script without including the mod_proxy and all other proxy modules in the --enable- modules=configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_proxy module and all other proxy modules from the httpd.conf file." + description: "The Apache proxy modules allow the server to act as a proxy (either forward or reverse proxy) of HTTP and other protocols with additional proxy modules loaded. If the Apache installation is not intended to proxy requests to or from another network then the proxy module should not be loaded." + rationale: "Proxy servers can act as an important security control when properly configured, however a secure proxy server is not within the scope of this benchmark. A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests is a very common attack, as proxy servers are useful for anonymizing attacks on other servers, or possibly proxying requests into an otherwise protected network." + remediation: "Perform either one of the following to disable the proxy module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_proxy in the --enable-modules=configure script options. 
$ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules from the httpd.conf file. ##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so ##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_express_module modules/mod_proxy_express.so ##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so" compliance: - cis: ["2.6"] - cis_csc: ["9.1,"9.2"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_proxy.html - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html condition: none rules: 
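Review bot: The context line `- cis_csc: ["9.1,"9.2"]` under this check looks like malformed YAML (the closing quote after `9.1` is missing, so the flow sequence reads as `"9.1,"` followed by stray `9.2"`); a strict parser would reject the whole policy file, not just this check. This rewrite of the surrounding lines is a good opportunity to fix it: `- cis_csc: ["9.1","9.2"]`. The check's rules follow `condition: none` outside the hunk.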
@@ -112,13 +98,12 @@ checks: - id: 9004 title: "Ensure the User Directories Module Is Disabled" description: "The UserDir directive must be disabled so that user home directories are not accessed via the web site with a tilde (~) preceding the username. The directive also sets the path name of the directory that will be accessed." - rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network." - remediation: "For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script option. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_userdir module from the httpd.conf file." + rationale: "The user directories should not be globally enabled since that allows anonymous access to anything users may want to share with other users on the network. Also consider that every time a new account is created on the system, there is potentially new content available via the web site." + remediation: "Perform either one of the following to disable the user directories module: 1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure --disable-userdir 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_userdir module from the httpd.conf file. ##LoadModule userdir_module modules/mod_userdir.so" compliance: - cis: ["2.7"] - cis_csc: ["18","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_userdir.html - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html condition: none rules: 
@@ -128,13 +113,12 @@ checks: - id: 9005 title: "Ensure the Info Module Is Disabled" description: "The Apache mod_info module provides information on the server configuration via access to a /server-info URL location." - rationale: "Although having server configuration information available as a web page may be convenient, it's recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory .htaccess files. This can leak sensitive information from the configuration directives of other Apache modules." - remediation: "For source builds with static modules, run the Apache ./configure script without including mod_info in the --enable-modules= configure script options. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file." + rationale: "While having server configuration information available as a web page may be convenient it is recommended that this module NOT be enabled. Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc." + remediation: "Perform either one of the following to disable the mod_info module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_info in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file. ##LoadModule info_module modules/mod_info.so" compliance: - cis: ["2.8"] - cis_csc: ["9.1","9.2"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_info.html - https://httpd.apache.org/docs/2.4/mod/mod_info.html condition: none rules: 
@@ -143,13 +127,13 @@ checks: #3.2 Give the Apache User Account an Invalid Shell - id: 9006 title: "Ensure the Apache User Account Has an Invalid Shell" - description: "The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to log in." + description: "The apache account must not be used as a regular login account, so it should be assigned an invalid or nologin shell to ensure it cannot be used to login." rationale: "Service accounts such as the apache account are a risk if they can be used to get a login shell to the system." remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" compliance: - cis: ["3.2"] - cis_csc: ["16","4.3"] - condition: none + condition: all rules: - 'f:/etc/passwd -> r:apache && r:/sbin/nologin$|/dev/null$' 
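Review bot: Under the new `condition: all`, the single rule `f:/etc/passwd -> r:apache && r:/sbin/nologin$|/dev/null$` passes as soon as any passwd line containing the substring `apache` ends in a nologin shell, and fails outright where the service account has another name (the Debian/Ubuntu apache2 packages, whose configuration paths this policy now lists, run as `www-data`). Anchoring the account match, e.g. `r:^apache:`, avoids substring hits on unrelated accounts, and the account name would need to become a policy variable for the check to hold across both layouts.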
@@ -157,60 +141,58 @@ checks: - id: 9007 title: "Ensure the Apache User Account Is Locked" description: "The user account under which Apache runs should not have a valid password, but should be locked." - rationale: "As a defense-in-depth measure, the Apache user account should be locked to prevent logins and to prevent a user from su-ing to apache using the password." + rationale: "As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from suing to apache using the password. In general, there should not be a need for anyone to have to su as apache, and when there is a need, then sudo should be used instead, which would not require the apache account password." remediation: "Use the passwd command to lock the apache account: # passwd -l apache" compliance: - cis: ["3.3"] - cis_csc: ["16","16.8"] - condition: all + condition: any rules: - - 'c:passwd -S apache -> r:Password locked' + - 'c:passwd -S apache -> r:apache && r:\s*\t*L|\s*\t*LK' + - 'c:passwd -S apache -> r:apache && r:Password locked' #4.4 Restrict Override for All Directories - id: 9008 title: "Ensure OverRide Is Disabled for All Directories" - description: "When the server finds an .htaccess file (as specified by AccessFileName), it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, .htaccess files are completely ignored. When this directive is set to All, any directive which has the .htaccess Context is allowed in .htaccess files." - rationale: "While the functionality of htaccess files is sometimes convenient, usage decentralizes the access controls and increases the risk of configurations being changed or viewed inappropriately by an unintended or rogue .htaccess file. Consider also that some of the more common vulnerabilities in web servers and web applications allow the web files to be viewed or to be modified." 
- remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. Set the value for all AllowOverride directives to None." + description: "The Apache AllowOverride directive and the new AllowOverrideList directive allow for .htaccess files to be used to override much of the configuration, including authentication, handling of document types, auto generated indexes, access control, and options. When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information. When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem. When this directive is set to All, then any directive which has the .htaccess context is allowed in .htaccess files." + rationale: ".htaccess files decentralizes access control and increases the risk of server configuration being changed inappropriately." + remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. 2. Set the value for all AllowOverride directives to None. 3. Remove any AllowOverrideList directives found." 
compliance: - - cis: ["4.3"] + - cis: ["4.4"] - cis_csc: ["14.4","14.6"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist - condition: none + condition: all rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' - - 'd:$conf-dirs -> conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' - - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverride && !r:none$' - - 'f:$main-conf -> !r:^# && r:\w+ && r:allowoverridelist && !r:none$' + - 'd:$conf-dirs -> conf -> !r:^# && r:allowoverride|AllowOverride && r:none|None' + - 'not d:$conf-dirs -> conf -> r:allowoverridelist|AllowOverrideList' + - 'f:$main-conf -> !r:^# && r:allowoverride|AllowOverride && r:none|None' + - 'f:$main-conf -> r:allowoverridelist|AllowOverrideList' #5.3 Minimize Options for Other Directories - id: 9009 title: "Ensure Options for Other Directories Are Minimized" description: "The Apache Options directive allows for specific configuration of options, including execution of CGI, following symbolic links, server side includes, and content negotiation." - rationale: "The options for other directories and hosts should be restricted to the minimal options required. A setting of None is recommended; however, other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, Indexes." - remediation: "Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." + rationale: "Likewise, the options for other directories and hosts needs to be restricted to the minimal options required. 
A setting of None is recommended, however it is recognized that other options may be needed in some cases: Multiviews, FollowSymbolicLinks & SymLinksIfOwnerMatch, ExecCGI, Includes & IncludesNOEXEC, & Indexes." + remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. 2. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." compliance: - cis: ["5.3"] - cis_csc: ["18","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_include.html - - https://httpd.apache.org/docs/2.2/mod/core.html#options - https://httpd.apache.org/docs/2.4/mod/core.html#options - https://httpd.apache.org/docs/2.4/mod/mod_include.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:options\sincludes' - - 'f:$main-conf -> !r:^# && r:options\sincludes' + - 'd:$conf-dirs -> conf -> !r:^# && r:options && r:includes\Includes' + - 'f:$main-conf -> !r:^# && r:options && r:includes\Includes' -#5.4.1 Remove default index.html sites +#5.4.2 Remove the Apache user manual - id: 9010 - title: "Ensure Default HTML Content Is Removed (index.html)" + title: "Ensure Default HTML Content Is Removed" description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed." rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development." 
- remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package." + remediation: "Review all pre-installed content and remove content which is not required. In particular look for the unnecessary content which may be found in the document root directory, a configuration directory such as conf/extra directory, or as a Unix/Linux package. 1. Remove the default index.html or welcome page if it is a separate package. If it is part of main Apache httpd package such as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as the welcome.conf, is not recommended as it may get replaced if the package is updated. 2. Remove the Apache user manual content or comment out configurations referencing the manual. # yum erase httpd-manual 3. Remove or comment out any Server Information handler configuration. 4. Remove or comment out any other handler configuration such as perl-status." compliance: - cis: ["5.4"] - cis_csc: ["18.9","5.1"] 
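Review bot: In check 9008, `- 'f:$main-conf -> r:allowoverridelist|AllowOverrideList'` under `condition: all` requires the main configuration to contain an AllowOverrideList directive, the opposite of the remediation text in the same hunk and of the `not d:$conf-dirs …` rule just above it; it needs the same `not ` prefix. In check 9009 both new rules use `r:includes\Includes`, where the backslash looks like a typo for `|`; as written the pattern is unlikely to match anything, and under `condition: none` a never-matching rule makes the check pass unconditionally, so `r:options && r:includes|Includes` is what was meant. The new `AllowOverride`/`None` rules also only prove that one compliant directive exists: a file that additionally contains `AllowOverride All` still passes, which the removed `!r:none$` form did catch, and a server whose included conf files set no AllowOverride at all now fails. In check 9007, `r:\s*\t*L|\s*\t*LK` reduces to "any L in the output" because both quantifiers accept zero characters; `r:^apache\s+L\s|^apache\s+LK\s` pins the match to the status field.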
@@ -218,40 +200,18 @@ checks:
  rules:
  - 'd:/var/www -> index.html'
  - 'd:/var/www/html -> index.html'
-
-#5.4.2 Remove the Apache user manual
- - id: 9011
- title: "Ensure Default HTML Content Is Removed (Apache user manual)"
- description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed."
- rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
- remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
- compliance:
- - cis: ["5.4"]
- - cis_csc: ["18.9","5.1"]
- condition: none
- rules:
- - 'd:$confdirs -> r:manual.conf|apache2-doc.conf'
-
-#5.4.5 Verify that no Handler is enabled
- - id: 9012
- title: "Ensure Default HTML Content Is Removed (Handler)"
- description: "Apache installations have default content that is not needed or appropriate for production use. The primary function for the sample content is to provide a default web site, provide user manuals, or demonstrate special features of the web server. All content that is not needed should be removed."
- rationale: "Historically, sample content and features have been remotely exploited and can provide different levels of access to the server. Usually these routines are not written for production use and consequently little thought was given to security in their development."
- remediation: "Review all pre-installed content and remove content which is not required. In particular, look for unnecessary content in the document root directory, in a configuration directory such as conf/extra directory, or as a Unix/Linux package."
- compliance:
- - cis: ["5.4"]
- - cis_csc: ["18.9","5.1"]
- condition: none
- rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:/wsethandler'
- - 'f:$main-conf -> !r:^# && r:/wsethandler'
+ - 'd:$conf-dirs -> r:manual.conf|apache2-doc.conf'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:sethandler|SetHandler && r:server'
+ - 'f:$main-conf -> !r:^# && r:sethandler|SetHandler && r:server'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:sethandler|SetHandler && r:perl'
+ - 'f:$main-conf -> !r:^# && r:sethandler|SetHandler && r:perl'
 #5.5 Remove default CGI content printenv
- - id: 9013
+ - id: 9011
  title: "Ensure the Default CGI Content printenv Script Is Removed"
- description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for apache installations is the script printenv that will print back to the requester all of the CGI environment variables, which include many server configuration details and system paths."
- rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The printenv script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
- remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via the Script , ScriptAlias , ScriptAliasMatch , or ScriptInterpreterSource directives. Remove the printenv default CGI in the cgi-bin directory if it is installed."
+ description: "Most Web Servers, including Apache installations have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. One common default CGI content for Apache installations is the script printenv. This script will print back to the requester all of the CGI environment variables which includes many server configuration details and system paths."
+ rationale: "CGI programs have a long history of security bugs and problems associated with improperly accepting user-input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes. Usually these programs are not written for production use and consequently little thought was given to security in their development. The printenv script in particular will disclose inappropriate information about the web server including directory paths and detailed version and configuration information."
+ remediation: "Perform the following to implement the recommended state: 1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 2. Remove the printenvdefault CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/printenv"
  compliance:
  - cis: ["5.5"]
  - cis_csc: ["18","4.7"]
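Review bot: The comment guard `!r:^#` on the five rules added to check 9010 only skips comments that start at column 0, so an indented commented-out line such as `    # SetHandler server-status` in a config fragment still satisfies `r:sethandler|SetHandler && r:server` and, under what is presumably `condition: none` for 9010 (its condition line falls between the hunks), fails the whole check; `!r:^\t*\s*#`, the form the old SSL rules used, also covers indented comments. The same guard is carried into every rule the following hunks rewrite, including the SSLInsecureRenegotiation and SSLCompression rules, where the stricter form is being replaced. Folding the user-manual and handler rules into 9010 under the generic title also means a failed result no longer says which of the three conditions fired, so a short `# manual, server-status/server-info and perl-status handlers` comment above the added rules would help triage. The check ids are renumbered from here on (9013 becomes 9011, and likewise in the following hunks), so anything keyed on the old ids will silently refer to a different check. Two added lines further down also appear syntactically broken: the ServerTokens rationale embeds an unescaped `"noise"` inside a double-quoted scalar, and the TimeOut rule reads `!r:^# && && r:timeout|Timeout`.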
@@ -261,11 +221,11 @@ checks:
  - 'd:/usr/lib/cgi-bin -> printenv'
 #5.6 Remove default CGI content test-cgi
- - id: 9014
+ - id: 9012
  title: "Ensure the Default CGI Content test-cgi Script Is Removed"
- description: "Most web servers, including Apache installations, have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi that will print back to the requester CGI environment variables, which includes many server configuration details."
- rationale: "Since CGI programs are often targets of attackers, we need to make sure there are no unnecessary CGI programs that could potentially be used for malicious purposes. The test-cgi script in particular will disclose inappropriate information about the web server, including directory paths and detailed version and configuration information."
- remediation: "Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. Remove the test-cgi default CGI in the cgi-bin directory if it is installed."
+ description: "Most Web Servers, including Apache installations have default CGI content which is not needed or appropriate for production use. The primary function for these sample programs is to demonstrate the capabilities of the web server. A common default CGI content for Apache installations is the script test-cgi. This script will print back to the requester CGI environment variables which includes many server configuration details."
+ rationale: "CGI programs have a long history of security bugs and problems associated with improperly accepting user-input. Since these programs are often targets of attackers, we need to make sure that there are no unnecessary CGI programs that could potentially be used for malicious purposes.
Usually these programs are not written for production use and consequently little thought was given to security in their development. The test-cgi script in particular will disclose inappropriate information about the web server including directory paths and detailed version and configuration information."
+ remediation: "Perform the following to implement the recommended state: 1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 2. Remove the test-cgi default CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/test-cgi"
  compliance:
  - cis: ["5.6"]
  - cis_csc: ["18.9","4.7"]
@@ -274,365 +234,272 @@ checks:
  - 'd:/var/www/cgi-bin -> test-cgi'
  - 'd:/usr/lib/cgi-bin -> test-cgi'
-#5.7 Limit HTTP Request Method
- - id: 9015
- title: "Ensure HTTP Request Methods Are Restricted"
- description: "Use the Apache directive to restrict unnecessary HTTP request methods of the web server so it only accepts and processes the GET, HEAD, POST and OPTIONS HTTP request methods."
- rationale: "The HTTP 1.1 protocol supports several request methods which are rarely used and potentially high risk. For normal web server operation, you will typically need to allow only the GET, HEAD and POST request methods."
- remediation: "Search for the directive on the document root directory, ensure that the access control order within the directive is deny, allow. Add a directive within the group of document root directives and search in other Apache configuration files in places other than de root directory."
- compliance:
- - cis: ["5.7"]
- - cis_csc: ["9.1","9.2"]
- references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#limitexcept
- - https://www.ietf.org/rfc/rfc2616.txt
- - https://httpd.apache.org/docs/2.4/mod/core.html#limitexcept
- condition: all
- rules:
- - 'f:$main-conf -> r:^Order\s+allow,deny$'
- - 'not f:$main-conf -> r:LimitExcept && r:DELETE|HEAD|PUT|CONNECT|TRACE'
-
 #5.8 Disable HTTP Trace Method
- - id: 9016
+ - id: 9013
  title: "Ensure the HTTP TRACE Method Is Disabled"
  description: "Use the Apache TraceEnable directive to disable the HTTP TRACE request method."
- rationale: "The HTTP 1.1 protocol requires support for the TRACE request method, which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse, so it should be disabled."
- remediation: "Locate the main Apache configuration file such as httpd.conf. Add a TraceEnable directive to the server level configuration with a value of off.
Server level configuration is the top level configuration, not nested within any other directives like or ."
+ rationale: "The HTTP 1.1 protocol requires support for the TRACE request method which reflects the request back as a response and was intended for diagnostics purposes. The TRACE method is not needed and is easily subjected to abuse and should be disabled."
+ remediation: "Perform the following to implement the recommended state: 1. Locate the main Apache configuration file such as httpd.conf. 2. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top-level configuration, not nested within any other directives like or ."
  compliance:
  - cis: ["5.8"]
  - cis_csc: ["9.1","9.2"]
  references:
  - https://www.ietf.org/rfc/rfc2616.txt
- - https://httpd.apache.org/docs/2.2/mod/core.html#traceenable
  - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
- condition: none
+ condition: all
  rules:
- - 'f:$traceen -> !r:^# && r:TraceEnable\s+on\s*$'
+ - 'f:$traceen -> !r:^# && r:TraceEnable && r:off'
 #5.13 Restrict Listen Directive
- - id: 9017
+ - id: 9014
  title: "Ensure the IP Addresses for Listening for Requests Are Specified"
- description: "The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen on for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified or with an IP address of all zeroes should not be used."
- rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an IP address or interface that was not intended for the web server."
- remediation: "Find any Listen directives in the Apache configuration file with no IP address specified or with an IP address of all zeroes similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address and port."
+ description: "The Apache Listen directive specifies the IP addresses and port numbers the Apache web server will listen for requests. Rather than be unrestricted to listen on all IP addresses available to the system, the specific IP address or addresses intended should be explicitly specified. Specifically, a Listen directive with no IP address specified, or with an IP address of zeros should not be used."
+ rationale: "Having multiple interfaces on web servers is fairly common, and without explicit Listen directives, the web server is likely to be listening on an inappropriate IP address / interface that was not intended for the web server. Single homed system with a single IP addressed are also required to have an explicit IP address in the Listen directive, in case additional interfaces are added to the system at a later date."
+ remediation: "Perform the following to implement the recommended state: 1. Find any Listen directives in the Apache configuration file with no IP address specified, or with an IP address of all zeros similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. 2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address & Port."
  compliance:
  - cis: ["5.13"]
  - cis_csc: ["9.1","9.2"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen
  - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
  condition: none
  rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s(\d+)$'
- - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
- - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
- - 'f:$main-conf -> !r:^# && r:listen\s(\d+)$'
- - 'f:$main-conf -> !r:^# && r:listen\s0.0.0.0\p(\d+)'
- - 'f:$main-conf -> !r:^# && r:listen\s[\p\pffff\p0.0.0.0]\p(\d+)'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:listen\s*\t*\d+$|Listen\s*\t*\d+$'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:listen|Listen && r:0.0.0.0'
+ - 'f:$main-conf -> !r:^# && r:listen\s*\t*\d+$|Listen\s*\t*\d+$'
+ - 'f:$main-conf -> !r:^# && r:listen|Listen && r:0.0.0.0'
 #5.14 Restrict Browser Frame Options
- - id: 9018
+ - id: 9015
  title: "Ensure Browser Framing Is Restricted"
- description: "The Header directive allows server HTTP response headers to be added, replaced, or merged. Use the directive to add a server HTTP response header to tell browsers to restrict all the web pages from being framed by other web sites."
- rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site."
- remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frame-Options header in the Apache configuration to have the condition always , an action of append , and a value of SAMEORIGIN , as shown: Header always append X-Frame-Options SAMEORIGIN"
+ description: "The Header directive allows server HTTP response headers to be added, replaced or merged.
We will use the directive to add a server HTTP response header to tell browsers to restrict all of the web pages from being framed by other web sites."
+ rationale: "Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which using frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site. To combat this vector, an HTTP Response header, X-Frame-Options, has been introduced that allows a server to specify whether a web page may be loaded in any frame (DENY) or those frames that share the pages origin (SAMEORIGIN)."
+ remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frames-Options header in the Apache configuration to have the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below. Header always append X-Frame-Options SAMEORIGIN"
  compliance:
  - cis: ["5.14"]
  - cis_csc: ["18","5.1"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/mod_headers.html#header
  - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header
  - https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
  - https://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
  condition: all
  rules:
- - 'f:$main-conf -> r:Header\salways\sappend\sX-Frame-Options && r:SAMEORIGIN'
-
-#6.1 Configure the Error Log to notice at least
- - id: 9019
- title: "Ensure the Error Log Filename and Severity Level Are Configured Correctly"
- description: "The LogLevel directive is used to configure the severity level for the error logs, while the ErrorLog directive configures the error log filename.
The log level values are the standard syslog levels of emerg , alert , crit , error , warn , notice , info and debug . The recommended level is notice , so that all errors from the emerg level through the notice level will be logged."
- rationale: "The server error logs are invaluable because they can be used to spot potential problems before they become serious. Most importantly, they can be used to watch for anomalous behavior such as numerous 'not found' or 'unauthorized' errors that may be an indication an attack is pending or has occurred."
- remediation: "Add or modify the LogLevel in the Apache configuration to have a value of info or lower for the core module and notice or lower for all other modules. The recommended value is notice core:info. Add an ErrorLog and a similar one for each virtual host configured if the virtual host will have different people responsible for the web site."
- compliance:
- - cis: ["6.1"]
- - cis_csc: ["6.2","6.3"]
- references:
- - https://httpd.apache.org/docs/2.2/logs.html
- - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
- - https://httpd.apache.org/docs/2.4/logs.html
- - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
- condition: all
- rules:
- - 'f:$main-conf -> !r:^# && r:loglevel\snotice\score\p && r:warn|emerg|alert|crit|error|notice'
- - 'not f:$main-conf -> r:loglevel\snotice\score\p && r:info|debug'
-
-#6.2 Configure a Syslog facility for Error Log
- - id: 9020
- title: "Ensure a Syslog Facility Is Configured for Error Logging"
- description: "The ErrorLog directive should be configured to send web server error logs to a syslog facility so the logs can be processed and monitored along with the system logs."
- rationale: "It is easy for web server error logs to be overlooked in the log monitoring process, yet application-level attacks have become the most common and are extremely important for detecting attacks early, as well as detecting non-malicious problems such as a broken link or internal errors."
- remediation: "Add an ErrorLog directive if not already configured. Any appropriate syslog facility may be used in place of local1. Add a similar ErrorLog directive for each virtual host if necessary."
- compliance:
- - cis: ["6.2"]
- - cis_csc: ["6.6","6.8"]
- references:
- - https://httpd.apache.org/docs/2.2/logs.html
- - https://httpd.apache.org/docs/2.2/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.2/mod/core.html#errorlog
- - https://httpd.apache.org/docs/2.4/logs.html
- - https://httpd.apache.org/docs/2.4/mod/core.html#loglevel
- - https://httpd.apache.org/docs/2.4/mod/core.html#errorlog
- condition: all
- rules:
- - 'f:$main-conf -> r:ErrorLog\s+\p*syslog\p\.*\p*'
+ - 'f:$main-conf -> r:Header && r:always && r:append && r:X-Frame-Options && r:SAMEORIGIN|DENY'
 #7.6 Disable SSL Insecure Renegotiation
- - id: 9021
+ - id: 9016
  title: "Ensure Insecure SSL Renegotiation Is Not Enabled"
- description: "The SSLInsecureRenegotiation directive was added in Apache 2.2.15 for web servers linked with OpenSSL version 0.9.8m or later, to allow the insecure renegotiation to provide backward compatibility to clients with the older unpatched SSL implementations. Enabling this directive also leaves the server vulnerable to man-in-the-middle renegotiation attack, therefore, it should not be enabled."
- rationale: "The seriousness and ramification of this attack warrants that servers and clients be upgraded to support the improved SSL/TLS protocols. Therefore, the recommendation is to not enable the insecure renegotiation."
- remediation: "Search the Apache configuration files for the SSLInsecureRenegotiation directive.
If the directive is present, modify the value to be off. If the directive is not present, no action is required: SSLInsecureRenegotiation off"
+ description: "A man-in-the-middle renegotiation attack was discovered in SSLv3 and TLSv1 in November, 2009 (CVE-2009-3555). First, a work around and then a fix was approved as an Internet Standard as RFC 574, Feb 2010. The work around, which removes the renegotiation, is available from OpenSSL as of version 0.9.8l and newer versions. For details: https://www.openssl.org/news/secadv_20091111.txt The SSLInsecureRenegotiation directive was added in Apache 2.2.15, for web servers linked with OpenSSL version 0.9.8m or later, to provide backward compatibility to clients with the older, unpatched SSL implementations."
+ rationale: "Enabling the SSLInsecureRenegotiation directive leaves the server vulnerable to man-in- the-middle renegotiation attack. Therefore, the SSLInsecureRenegotiation directive should not be enabled."
+ remediation: "Perform the following to implement the recommended state: Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present modify the value to be off. If the directive is not present then no action is required.
SSLInsecureRenegotiation off"
  compliance:
  - cis: ["7.6"]
  - cis_csc: ["14.2","14.4"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
  - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
  - https://azure.microsoft.com/en-us/services/multi-factor-authentication/
  condition: none
  rules:
- - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslinsecurerenegotiation\s+on'
+ - 'f:$ssl-confs -> !r:^# && r:sslinsecurerenegotiation|SSLInsecureRenegotiation && r:\s+on$'
 #7.7 Ensure SSL Compression is not enabled
- - id: 9022
+ - id: 9017
  title: "Ensure SSL Compression is Not Enabled"
  description: "The SSLCompression directive controls whether SSL compression is used by Apache when serving content over HTTPS. It is recommended that the SSLCompression directive be set to off."
- rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator that can be used to impersonate the account associated with the authenticator."
- remediation: "Verify the Apache version is 2.2.24 or later with httpd -v. Search the Apache configuration files for the SSLCompression directive. Update the directive to have a value of off."
+ rationale: "If SSL compression is enabled, HTTPS communication between the client and the server may be at increased risk to the CRIME attack. The CRIME attack increases a malicious actor's ability to derive the value of a session cookie, which commonly contains an authenticator. If the authenticator in a session cookie is derived, it can be used to impersonate the account associated with the authenticator."
+ remediation: "Perform the following to implement the recommended state: 1.
Search the Apache configuration files for the SSLCompression directive. 2. If the directive is present, set it to off."
  compliance:
  - cis: ["7.7"]
  - cis_csc: ["14.2","14.4"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcompression
  - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
- - https://en.wikipedia.org/wiki/CRIME_(security_exploit)
+ - https://en.wikipedia.org/wiki/CRIME
- condition: all
+ condition: none
  rules:
- - 'f:$ssl-confs -> !r:^\t*\s*# && r:sslcompression\s+off'
+ - 'f:$ssl-confs -> !r:^# && r:sslcompression|SSLCompression && r:\s+on$'
 #8.1 Set ServerToken to Prod or ProductOnly
- - id: 9023
+ - id: 9018
  title: "Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'"
- description: "Configure the Apache ServerTokens directive to provide minimal information by setting the value to Prod or ProductOnly."
- rationale: "Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target exploits, the chances of successful compromise prior to detection increase dramatically."
- remediation: "Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
+ description: "Configure the Apache ServerTokens directive to provide minimal information. By setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed."
+ rationale: "Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically.
Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released."
+ remediation: "Perform the following to implement the recommended state: Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod"
  compliance:
  - cis: ["8.1"]
  - cis_csc: ["18.9","14.7"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#servertokens
+ - https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
  condition: any
  rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+Prod'
- - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens\s+ProductOnly'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:servertokens|ServerTokens && r:\s+Prod|\s+ProductOnly'
 #8.2: Set ServerSignature to Off
- - id: 9024
+ - id: 9019
  title: "Ensure ServerSignature Is Not Enabled"
- description: "Disable the server signatures, which is the generation of a signature line as a trailing footer at the bottom of server-generated documents such as error pages."
- rationale: "Server signatures are helpful when the server is acting as a proxy because they help the user distinguish errors from the proxy rather than the destination server. However, in this context there is no need for the additional information."
- remediation: "Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
+ description: "Disable the server signatures which generates a signature line as a trailing footer at the bottom of server generated documents such as error pages."
+ rationale: "Server signatures are helpful when the server is acting as a proxy, since it helps the user distinguish errors from the proxy rather than the destination server, however in this context there is no need for the additional information."
+ remediation: "Perform the following to implement the recommended state: Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off"
  compliance:
  - cis: ["8.2"]
  - cis_csc: ["18","13.2"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#serversignature
  - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
  condition: none
  rules:
- - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+email'
- - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature\s+on'
-
-#8.3: Prevent Information Leakage via Default Apache Content
- - id: 9025
- title: "Ensure All Default Apache Content Is Removed"
- description: "If you want to further restrict information leakage about the web server, it is important that default content such as icons are not left on the web server."
- rationale: "To identify the type of web servers and versions software installed, it is common for attackers to scan for icons or special content specific to the server type and version. Many icons are used primarily for auto indexing, which is recommended to be disabled."
- remediation: "The default source build places the auto-index and icon configurations in the extra/httpd-autoindex.conf file, so it can be disabled by leaving the include line commented out in the main httpd.conf file. Alternatively, the icon alias directive and the directory access control configuration can be commented out."
- compliance:
- - cis: ["8.3"]
- - cis_csc: ["18.9","13.2"]
- condition: none
- rules:
- - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:include\s*\w*httpd-autoindex.conf'
- - 'd:$conf-dirs -> conf -> !r:^\t*\s*# && r:alias\s*/icons/\s*\.*'
+ - 'd:$conf-dirs -> conf -> !r:^# && r:serversignature|ServerSignature && r:\s+on|\s+On'
 #9.1:Set TimeOut to 10 or less
- - id: 9026
+ - id: 9020
  title: "Ensure the TimeOut Is Set to 10 or Less"
- description: "The TimeOut directive controls the maximum time in seconds that Apache HTTP server will wait for an Input/Output call to complete. It is recommended that the TimeOut directive be set to 10 or less."
- rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections, the server can free resources more quickly and be more responsive."
- remediation: "Add or modify the Timeout directive in the Apache configuration files to have a value of 10 seconds or less."
+ description: "Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity. DoS attacks, which are normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality. Although there is no 100% solution for preventing DoS attacks, the following recommendation uses the Timeout directive to mitigate some of the risk, by requiring more effort for a successful DoS attack. Of course, DoS attacks can happen in rather unintentional ways as well as intentional and these directives will help in many of those situations as well."
+ rationale: "One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections and we allow the server to free up resources more quickly and be more responsive.
By making the server more efficient, it will be more resilient to DoS conditions. The Timeout directive affects several timeout values for Apache, so review the Apache document carefully."
+ remediation: "Perform the following to implement the recommended state: Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter. Timeout 10"
  compliance:
  - cis: ["9.1"]
  - cis_csc: ["9","5.1"]
  references:
- - https://httpd.apache.org/docs/2.2/mod/core.html#timeout
  - https://httpd.apache.org/docs/2.4/mod/core.html#timeout
  condition: all
  rules:
- - 'f:$main-conf -> !r:^# && n:timeout\s+(\d+) compare <= 10'
+ - 'f:$main-conf -> !r:^# && && r:timeout|Timeout && n:\s+(\d+) compare <= 10'
 #9.2:Set the KeepAlive directive to On
- - id: 9027
+ - id: 9021
  title: "Ensure KeepAlive Is Enabled"
  description: "The KeepAlive directive controls whether Apache will reuse the same TCP connection per client to process subsequent HTTP requests from that client. It is recommended that the KeepAlive directive be set to On."
- rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server's resiliency to DoS attacks."
- remediation: "Add or modify the KeepAlive directive in the Apache configuration to have a value of On."
+ rationale: "Allowing per-client reuse of TCP sockets reduces the amount of system and network resources required to serve requests. This efficiency gain may improve a server resiliency to DoS attacks."
+ remediation: "Perform the following to implement the recommended state: Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that KeepAlive connections are enabled.
KeepAlive On" compliance: - cis: ["9.2"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#keepalive - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive condition: none rules: - - 'f:$main-conf -> !r:^# && r:keepalive\s+Off' + - 'f:$main-conf -> !r:^# && r:keepalive|KeepAlive && r:\s+Off' #9.3:Set MaxKeepAliveRequests to 100 or greater - - id: 9028 + - id: 9022 title: "Ensure MaxKeepAliveRequests is Set to a Value of 100 or Greater" - description: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0 , unlimited requests will be allowed." + description: "The MaxKeepAliveRequests directive limits the number of requests allowed per connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed." rationale: "The MaxKeepAliveRequests directive is important to be used to mitigate the risk of Denial of Service (DoS) attack technique by reducing the overhead imposed on the server. The KeepAlive directive must be enabled before it is effective. Enabling KeepAlives allows for multiple HTTP requests to be sent while keeping the same TCP connection alive. This reduces the overhead of having to setup and tear down TCP connections for each request. By making the server more efficient, it will be more resilient to DoS conditions." - remediation: "Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more." + remediation: "Perform the following to implement the recommended state: Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more. 
MaxKeepAliveRequests 100" compliance: - cis: ["9.3"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#maxkeepaliverequests - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests condition: none rules: - - 'f:$main-conf -> n:^maxkeepaliverequests\s+(\d+) compare <= 100' + - 'f:$main-conf -> !r:^# && r:maxkeepaliverequests|MaxKeepAliveRequests && n:\s+(\d+) compare < 100' #9.4: Set KeepAliveTimeout Low to Mitigate Denial of Service - - id: 9029 + - id: 9023 title: "Ensure KeepAliveTimeout is Set to a Value of 15 or Less" description: "The KeepAliveTimeout directive specifies the number of seconds Apache will wait for a subsequent request before closing a connection that is being kept alive." - rationale: "Reducing the number of seconds that Apache HTTP server will keep unused resources allocated will increase the availability of resources to serve other requests. This efficiency gain may improve a server's resiliency to DoS attacks." - remediation: "Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less." + rationale: "The KeepAliveTimeout directive is used mitigate some of the risk, by requiring more effort for a successful DoS attack. By enabling KeepAlive and keeping the timeout relatively low for old connections and we allow the server to free up resources more quickly and be more responsive." + remediation: "Perform the following to implement the recommended state: Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less. 
KeepAliveTimeout 15" compliance: - cis: ["9.4"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#keepalivetimeout - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout condition: all rules: - - 'f:$main-conf -> n:keepalivetimeout\s+(\d+) compare <= 15' + - 'f:$main-conf -> !r:^# && r:keepalivetimeout|KeepAliveTimeout && n:\s+(\d+) compare <= 15' #9.5 Set Timeout Limits for Request Headers - - id: 9030 + - id: 9024 title: "Ensure the Timeout Limits for Request Headers is Set to 40 or Less" - description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate." - rationale: "Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies." - remediation: "Load the mod_requesttimeout module in the Apache configuration. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less." + description: "The RequestReadTimeout directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout and a minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 40 seconds or less. Keep in mind that for SSL/TLS virtual hosts the time for the TLS handshake must fit within the timeout." + rationale: "Setting a request header timeout is vital for mitigating Denial of Service attacks based on slow requests. 
The slow request attacks are particularly lethal and relative easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. Starting in June 2009 with the Slow Loris DoS attack, which used a slow GET request as published by Robert Hansen (RSnake) on his blog http://ha.ckers.org/slowloris/. Later in November 2010 at the OWASP App Sec DC conference Wong Onn Chee demonstrated a slow POST request attack which was even more effective." + remediation: "Perform the following to implement the recommended state: 1. Load the mod_requesttimeout module in the Apache configuration with the following configuration. LoadModule reqtimeout_module modules/mod_reqtimeout.so 2. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less. RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500" compliance: - cis: ["9.5"] - cis_csc: ["9","5.1"] references: - https://ha.ckers.org/slowloris/ - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t - - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html - condition: all + condition: any rules: - - 'f:$main-conf -> r:^loadmodule\s+reqtimeout' - - 'f:$request-confs -> n:^\t*\s*requestreadtimeout\.+header\p(\d+) compare <= 40' + - 'f:$main-conf -> !r:^# && r:loadmodule|LoadModule && r:\s+mod_reqtimeout' + - 'f:$request-confs -> !r:^# && r:requestreadtimeout|RequestReadTimeout && n:header=\d+\p(\d+) compare <= 40' #9.6 Set Timeout Limits for Request Body - - id: 9031 + - id: 9025 title: "Ensure Timeout Limits for the Request Body is Set to 20 or Less" - description: "The RequestReadTimeout directive allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, a maximum timeout, and a minimum rate." 
- rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks." - remediation: "Load the mod_requesttimeout module in the Apache configuration and add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less." + description: "The RequestReadTimeout directive also allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, and a maximum timeout and minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes are received. The recommended setting is to have a maximum timeout of 20 seconds or less. The default value is body=20,MinRate=500." + rationale: "It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow POST attack, which provide the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended." + remediation: "Perform the following to implement the recommended state: 1. Load the mod_requesttimeout module in the Apache configuration with the following configuration. LoadModule reqtimeout_module modules/mod_reqtimeout.so 2. Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less. 
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500" compliance: - cis: ["9.6"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html - condition: all + condition: any rules: - - 'f:$main-conf -> r:^loadmodule\s+reqtimeout' - - 'f:$request-confs -> n:\t*\s*requestreadtimeout\.+body\p(\d+) compare <= 20' + - 'f:$main-conf -> !r:^# && r:loadmodule|LoadModule && r:\s+mod_reqtimeout' + - 'f:$request-confs -> !r:^# && r:requestreadtimeout|RequestReadTimeout && n:body=(\d+) compare <= 20' #10.1 Set the LimitRequestLine directive to 512 or less - - id: 9032 + - id: 9026 title: "Ensure the LimitRequestLine directive is Set to 512 or less" - description: "The LimitRequestLine directive sets the maximum number of bytes that Apache will read for each line of an HTTP request. It is recommended that the LimitRequestLine be set to 512 or less." - rationale: "Limiting request line size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." - remediation: "Add or modify the LimitRequestLine directive in the Apache configuration to have a value of 512 or less." + description: "Buffer Overflow attacks attempt to exploit an application by providing more data than the application buffer can contain. If the application allows copying data to the buffer to overflow the boundaries of the buffer, then the application is vulnerable to a buffer overflow. The results of Buffer overflow vulnerabilities vary, and may result in the application crashing, or may allow the attacker to execute instructions provided in the data. The Apache LimitRequest* directives allow the Apache web server to limit the sizes of requests and request fields and can be used to help protect programs and applications processing those requests. 
Specifically, the LimitRequestLine directive limits the allowed size of a client's HTTP request-line, which consists of the HTTP method, URI, and protocol version." + rationale: "The limiting of the size of the request line is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directive is available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications." + remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestline directive in the Apache configuration to have a value of 512 or shorter. LimitRequestline 512" compliance: - cis: ["10.1"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestline - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline condition: all rules: - - 'f:$main-conf -> n:^LimitRequestLine\s+(\d+) compare <= 512' + - 'f:$main-conf -> !r:^# && r:limitrequestline|LimitRequestLine && n:\s(\d+) compare <= 512' #10.2 Set the LimitRequestFields directive to 100 or less - - id: 9033 + - id: 9027 title: "Ensure the LimitRequestFields Directive is Set to 100 or Less" - description: "The LimitRequestFields directive sets the maximum limit on the number of HTTP request headers allowed per request. It is recommended that the LimitRequestFields directive be set to 100 or less." 
- rationale: "Limiting the number of headers per request may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." - remediation: "Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present, the default depends on a compile time configuration, but defaults to a value of 100." + description: "The LimitRequestFields directive limits the number of fields allowed in an HTTP request." + rationale: "The limiting of the number of fields is helpful so that the web server can prevent an unexpectedly high number of fields from being passed to a potentially vulnerable CGI program, module or application that would have attempted to process the request. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications." + remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present the default depends on a compile time configuration, but defaults to a value of 100. 
LimitRequestFields 100" compliance: - cis: ["10.2"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfields - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields condition: all rules: - - 'f:$main-conf -> n:^LimitRequestFields\s(\d+) compare <= 100' + - 'f:$main-conf -> !r:^# && r:limitrequestfields|LimitRequestFields && n:\s(\d+) compare <= 100' #10.3 Set the LimitRequestFieldsize directive to 1024 or less - - id: 9034 + - id: 9028 title: "Ensure the LimitRequestFieldsize Directive is Set to 1024 or Less" - description: "The LimitRequestFieldSize directive sets the maximum size of an HTTP request header field. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less." - rationale: "Limiting header field size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." - remediation: "Add or modify the LimitRequestFieldSize directive in the Apache configuration to have a value of 1024 or less." + description: "The LimitRequestFieldSize limits the number of bytes that will be allowed in an HTTP request header. It is recommended that the LimitRequestFieldSize directive be set to 1024 or less." + rationale: "By limiting of the size of request headers is helpful so that the web server can prevent an unexpectedly long or large value from being passed to exploit a potentially vulnerable program. Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. Since the configuration directives are available only at the server configuration level, it is not possible to tune the value for different portions of the same web server. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications." 
+ remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestFieldsize directive in the Apache configuration to have a value of 1024 or less. LimitRequestFieldsize 1024" compliance: - cis: ["10.3"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize condition: all rules: - - 'f:$main-conf -> n:^LimitRequestFieldSize\s+(\d+) compare <= 1024' + - 'f:$main-conf -> !r:^# && r:limitrequestfieldsize|LimitRequestFieldSize && n:\s(\d+) compare <= 1024' #10.4 Set the LimitRequestBody directive to 102400 or less - - id: 9035 + - id: 9029 title: "Ensure the LimitRequestBody Directive is Set to 102400 or Less" - description: "The LimitRequestBody directive sets the maximum size of an HTTP request body. It is recommended that the LimitRequestBody directive be set to 102400 or less." - rationale: "Limiting request body size may reduce the exposure of a buffer-related vulnerability potentially present in a code base hosted by Apache HTTP server." - remediation: "Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so it is understood this directive will limit the size of file uploads to the web server." + description: "The LimitRequestBody directive limits the number of bytes that are allowed in a request body. Size of requests may vary greatly; for example, during a file upload the size of the file must fit within this limit." + rationale: "The limiting of the size of the request body is helpful so that the web server can prevent an unexpectedly long or large request from being passed to a potentially vulnerable program. 
Of course, the underlying dependency is that we need to set the limits high enough to not interfere with any one application on the server, while setting them low enough to be of value in protecting the applications. The LimitRequestBody may be configured on a per directory, or per location context. Please read the Apache documentation carefully, as these requests may interfere with the expected functionality of some web applications." + remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file up-loads to the web server. LimitRequestBody 102400" compliance: - cis: ["10.4"] - cis_csc: ["9","5.1"] references: - - https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody condition: all rules: - - 'f:$main-conf -> n:^LimitRequestBody\s+(\d+) compare <= 102400' + - 'f:$main-conf -> !r:^# && r:limitrequestbody|LimitRequestBody && n:\s(\d+) compare <= 102400' From 5fc7ff21611ac5b1ecf5bc3283a79195b4de135a Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Fri, 12 Jul 2019 07:35:30 -0700 Subject: [PATCH 198/247] Fix policies which cause errors in Wazuh DB --- .../{cis_apache2224.yml => cis_apache_24.yml} | 6 +- sca/debian/cis_debian8_L1.yml | 74 +++++++++---------- sca/debian/cis_debian8_L2.yml | 2 +- sca/debian/cis_debian9_L1.yml | 74 +++++++++---------- sca/debian/cis_debian9_L2.yml | 2 +- 5 files changed, 79 insertions(+), 79 deletions(-) rename sca/applications/{cis_apache2224.yml => cis_apache_24.yml} (99%) diff --git a/sca/applications/cis_apache2224.yml b/sca/applications/cis_apache_24.yml similarity index 99% rename from sca/applications/cis_apache2224.yml rename to sca/applications/cis_apache_24.yml index 7e110b26e..d8b75da54 100644 
--- a/sca/applications/cis_apache2224.yml +++ b/sca/applications/cis_apache_24.yml @@ -12,7 +12,7 @@ policy: id: "cis_apache" - file: "cis_apache24.yml" + file: "cis_apache_24.yml" name: "CIS Apache HTTP Server 2.4 Benchmark" description: "This document provides prescriptive guidance for establishing a secure configuration posture for Apache Web Server version 2.4 running on Linux." references: @@ -87,7 +87,7 @@ checks: remediation: "Perform either one of the following to disable the proxy module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_proxy in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules from the httpd.conf file. ##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so ##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_express_module modules/mod_proxy_express.so ##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so" compliance: - cis: ["2.6"] - - cis_csc: ["9.1,"9.2"] + - cis_csc: ["9.1","9.2"] references: - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html condition: none 
@@ -323,7 +323,7 @@ checks: - id: 9018 title: "Ensure ServerTokens is Set to 'Prod' or 'ProductOnly'" description: "Configure the Apache ServerTokens directive to provide minimal information. By setting the value to Prod or ProductOnly. The only version information given in the server HTTP response header will be Apache rather than details on modules and versions installed." - rationale: "Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much "noise" being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released." + rationale: "Information is power and identifying web server details greatly increases the efficiency of any attack, as security vulnerabilities are extremely dependent upon specific software versions and configurations. Excessive probing and requests may cause too much 'noise' being generated and may tip off an administrator. If an attacker can accurately target their exploits, the chances of successful compromise prior to detection increase dramatically. Script Kiddies are constantly scanning the Internet and documenting the version information openly provided by web servers. The purpose of this scanning is to accumulate a database of software installed on those hosts, which can then be used when new vulnerabilities are released." 
remediation: "Perform the following to implement the recommended state: Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod" compliance: - cis: ["8.1"] diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 9561cdea7..1c4fe1ccb 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml 
@@ -347,20 +347,20 @@ checks: rules: - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' - - id: 2025 - title: "Ensure GDM login banner is configured" - description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." - remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'" - compliance: - - cis_csc: ["5.1"] - - cis: ["1.7.2"] - - pci_dss: ["2.2.2"] - condition: all - rules: - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' + - id: 2025 + title: "Ensure GDM login banner is configured" + description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." + remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. 
All activity may be monitored and reported.'" + compliance: + - cis_csc: ["5.1"] + - cis: ["1.7.2"] + - pci_dss: ["2.2.2"] + condition: all + rules: + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' # 2 Services - id: 2026 @@ -523,17 +523,17 @@ checks: - 'c:systemctl is-enabled apache2 -> r:^enabled' - id: 2038 - title: "Ensure IMAP and POP3 server is not enabled" - description: "exim is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." - remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.11"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:dpkg -s exim4 -> install ok installed' + title: "Ensure IMAP and POP3 server is not enabled" + description: "exim is an open source IMAP and POP3 server for Linux based systems." + rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." + remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.11"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:dpkg -s exim4 -> install ok installed' - id: 2039 title: "Ensure Samba is not enabled" 
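Review bot: Check 2038's rule `c:dpkg -s exim4 -> install ok installed` tests the exim4 package, but exim4 is an SMTP mail transfer agent rather than an IMAP/POP3 server, so the title, description and the `cis: ["2.2.11"]` mapping do not describe what the rule actually checks, and the re-indent in this hunk carries that mismatch onto the new side. As written, a host running a real IMAP/POP3 daemon (presumably dovecot on Debian) passes this control, while a host with only the default MTA fails it and the remediation tells the administrator to purge exim4. The package name in the rule, the description and the remediation should be confirmed against the benchmark text for 2.2.11 before this is relied on. Check 3036 in cis_debian9_L1.yml (hunk @@ -497) has the identical text and rule.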
@@ -583,18 +583,18 @@ checks: rules: - 'c:systemctl is-enabled rsync -> r:^enabled' - - id: 2043 - title: "Ensure NIS Server is not enabled" - description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" - remediation: "Run the following command to disable nis: # systemctl disable nis" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.17"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled nis -> r:^enabled' + - id: 2043 + title: "Ensure NIS Server is not enabled" + description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" + remediation: "Run the following command to disable nis: # systemctl disable nis" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.17"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled nis -> r:^enabled' - id: 2044 title: "Ensure NIS Client is not installed" 
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 1e1f03508..cc7f4682b 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -375,7 +375,7 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - id: 2523 diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml index 3d1b63341..fbfe68163 100644 --- a/sca/debian/cis_debian9_L1.yml +++ b/sca/debian/cis_debian9_L1.yml 
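Review bot: The b64 rule added in this hunk, like the b32 one beside it, is matched only against the on-disk `/etc/audit/audit.rules`, so a rule that is present in the file but was never loaded (rejected by auditctl, or the service not restarted after the edit) still passes the check. The benchmark's audit procedure for this control also inspects the live ruleset; a further rule of the form `c:auditctl -l -> r:-a && r:always,exit|exit,always && r:arch=b64 && r:-S mount && r:mounts` would cover that, provided the `auditctl -l` output format on Debian 8 is confirmed first. The check's `condition` line is outside this hunk, so whether the new rule would be ANDed with the file checks cannot be seen here. The matching hunk in cis_debian9_L2.yml (@@ -373) has the same gap.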
@@ -321,20 +321,20 @@ checks: rules: - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' - - id: 3023 - title: "Ensure GDM login banner is configured" - description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." - rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." - remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. All activity may be monitored and reported.'" - compliance: - - cis_csc: ["5.1"] - - cis: ["1.7.2"] - - pci_dss: ["2.2.2"] - condition: all - rules: - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' - - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' + - id: 3023 + title: "Ensure GDM login banner is configured" + description: "GDM is the GNOME Display Manager which handles graphical login for GNOME based systems." + rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place." + remediation: "Edit or create the file /etc/gdm3/greeter.dconf-defaults and add: [org/gnome/login-screen], banner-message-enable=true, banner-message-text='Authorized uses only. 
All activity may be monitored and reported.'" + compliance: + - cis_csc: ["5.1"] + - cis: ["1.7.2"] + - pci_dss: ["2.2.2"] + condition: all + rules: + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-enable=true' + - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^banner-message-text=\.+' # 2 Services - id: 3024 @@ -497,17 +497,17 @@ checks: - 'c:systemctl is-enabled apache2 -> r:^enabled' - id: 3036 - title: "Ensure IMAP and POP3 server is not enabled" - description: "exim is an open source IMAP and POP3 server for Linux based systems." - rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." - remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.11"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:dpkg -s exim4 -> install ok installed' + title: "Ensure IMAP and POP3 server is not enabled" + description: "exim is an open source IMAP and POP3 server for Linux based systems." + rationale: "Unless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface." + remediation: "Run the following commands to remove exim: # apt-get remove exim4; # apt-get purge exim4" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.11"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:dpkg -s exim4 -> install ok installed' - id: 3037 title: "Ensure Samba is not enabled" 
@@ -557,18 +557,18 @@ checks: rules: - 'c:systemctl is-enabled rsync -> r:^enabled' - - id: 3041 - title: "Ensure NIS Server is not enabled" - description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." - rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" - remediation: "Run the following command to disable nis: # systemctl disable nis" - compliance: - - cis_csc: ["9.2"] - - cis: ["2.2.17"] - - pci_dss: ["2.2.2"] - condition: none - rules: - - 'c:systemctl is-enabled nis -> r:^enabled' + - id: 3041 + title: "Ensure NIS Server is not enabled" + description: "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files." + rationale: "The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be disabled and other, more secure services be used" + remediation: "Run the following command to disable nis: # systemctl disable nis" + compliance: + - cis_csc: ["9.2"] + - cis: ["2.2.17"] + - pci_dss: ["2.2.2"] + condition: none + rules: + - 'c:systemctl is-enabled nis -> r:^enabled' - id: 3042 title: "Ensure NIS Client is not installed" 
diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml
index 64c9b0e6d..184f4ef06 100644
--- a/sca/debian/cis_debian9_L2.yml
+++ b/sca/debian/cis_debian9_L2.yml
@@ -373,7 +373,7 @@ checks: rules: - 'd:/etc/audit' - 'f:/etc/audit/audit.rules' - - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' + - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts' - id: 3523
From 5443edc1f86285cb9a46112b847556860fbd0856 Mon Sep 17 00:00:00 2001
From: Daniel Ruiz
Date: Mon, 15 Jul 2019 16:01:21 +0200
Subject: [PATCH 199/247] Update HIPAA and NIST 800 53 mapping
---
sca/applications/cis_apache_24.yml | 60 +++----
sca/applications/web_vulnerabilities.yml | 48 +++---
sca/debian/cis_debian7_L1.yml | 6 +-
sca/debian/cis_debian7_L2.yml | 58 +++----
sca/debian/cis_debian8_L1.yml | 169 +++++++++---------
sca/debian/cis_debian8_L2.yml | 58 +++----
sca/debian/cis_debian9_L1.yml | 30 ++--
sca/debian/cis_debian9_L2.yml | 116 ++++++-------
sca/generic/sca_unix_audit.yml | 31 ++--
sca/rhel/5/cis_rhel5_linux.yml | 51 +++++-
sca/rhel/6/cis_rhel6_linux.yml | 64 +++++--
sca/rhel/7/cis_rhel7_linux.yml | 67 ++++++--
sca/sles/11/cis_sles11_linux.yml | 72 +++++---
sca/sles/12/cis_sles12_linux.yml | 71 +++++---
sca/windows/cis_win10_enterprise_L1.yml | 208 +++++++++++------------
sca/windows/cis_win10_enterprise_L2.yml | 68 ++++----
sca/windows/cis_win2012r2_domainL1.yml | 17 +-
sca/windows/cis_win2012r2_memberL1.yml | 16 +-
sca/windows/sca_win_audit.yml | 20 +--
19 files changed, 702 insertions(+), 528 deletions(-)
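Review bot: The repaired b64 line still hard-codes the unset-loginuid filter as `-F auid!=4294967295`, so an otherwise compliant rule written as `-F auid!=-1` or `-F auid!=unset` (spellings auditctl accepts for the same value) is reported as a failure. This rule syntax already uses alternation (`r:always,exit|exit,always`), so the same form would cover the variants: `r:-F auid!=4294967295|-F auid!=-1|-F auid!=unset`, applied to both the b64 and the b32 line. The check this hunk belongs to (its id, title and condition) starts before the hunk, and other checks in the file that were copy-pasted with two b32 lines would presumably need the same arch fix this commit makes here.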
diff --git a/sca/applications/cis_apache_24.yml b/sca/applications/cis_apache_24.yml index d8b75da54..d773ceb45 100644 --- a/sca/applications/cis_apache_24.yml +++ b/sca/applications/cis_apache_24.yml @@ -42,7 +42,7 @@ checks: remediation: "Perform either one of the following to disable WebDAV module: 1. For source builds with static modules run the Apache ./configure script without including the mod_dav, and mod_dav_fs in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules comment out or remove the LoadModule directive for mod_dav, and mod_dav_fs modules from the httpd.conf file. ##LoadModule dav_module modules/mod_dav.so ##LoadModule dav_fs_module modules/mod_dav_fs.so" compliance: - cis: ["2.3"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - https://httpd.apache.org/docs/2.4/mod/mod_dav.html condition: none @@ -57,7 +57,7 @@ checks: remediation: "Perform either one of the following to disable the mod_status module: 1) For source builds with static modules, run the Apache ./configure script with the --disable-status configure script options. 2) For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_status module from the httpd.conf file. ##LoadModule status_module modules/mod_status.so" compliance: - cis: ["2.4"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - https://httpd.apache.org/docs/2.4/mod/mod_status.html condition: none 
@@ -72,7 +72,7 @@ checks: remediation: "Perform either one of the following to disable the mod_autoindex module: 1. For source builds with static modules, run the Apache ./configure script with the --disable-autoindex configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure -disable-autoindex. 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_autoindex from the httpd.conf file. ## LoadModule autoindex_module modules/mod_autoindex.so" compliance: - cis: ["2.5"] - - cis_csc: ["18","5.1"] + - cis_csc: ["18", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html condition: none @@ -87,7 +87,7 @@ checks: remediation: "Perform either one of the following to disable the proxy module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_proxy in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_proxy module and all other proxy modules from the httpd.conf file. ##LoadModule proxy_module modules/mod_proxy.so ##LoadModule proxy_connect_module modules/mod_proxy_connect.so ##LoadModule proxy_ftp_module modules/mod_proxy_ftp.so ##LoadModule proxy_http_module modules/mod_proxy_http.so ##LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so ##LoadModule proxy_scgi_module modules/mod_proxy_scgi.so ##LoadModule proxy_ajp_module modules/mod_proxy_ajp.so ##LoadModule proxy_balancer_module modules/mod_proxy_balancer.so ##LoadModule proxy_express_module modules/mod_proxy_express.so ##LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so ##LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so" compliance: - cis: ["2.6"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html condition: none 
@@ -102,7 +102,7 @@ checks: remediation: "Perform either one of the following to disable the user directories module: 1. For source builds with static modules, run the Apache ./configure script with the --disable-userdir configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure --disable-userdir 2. For dynamically loaded modules, comment out or remove the LoadModule directive for mod_userdir module from the httpd.conf file. ##LoadModule userdir_module modules/mod_userdir.so" compliance: - cis: ["2.7"] - - cis_csc: ["18","5.1"] + - cis_csc: ["18", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html condition: none @@ -117,7 +117,7 @@ checks: remediation: "Perform either one of the following to disable the mod_info module: 1. For source builds with static modules, run the Apache ./configure script without including the mod_info in the --enable-modules=configure script options. $ cd $DOWNLOAD_HTTPD $ ./configure 2. For dynamically loaded modules, comment out or remove the LoadModule directive for the mod_info module from the httpd.conf file. ##LoadModule info_module modules/mod_info.so" compliance: - cis: ["2.8"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - https://httpd.apache.org/docs/2.4/mod/mod_info.html condition: none @@ -132,7 +132,7 @@ checks: remediation: "Change the apache account to use the nologin shell or an invalid shell such as /dev/null: # chsh -s /sbin/nologin apache" compliance: - cis: ["3.2"] - - cis_csc: ["16","4.3"] + - cis_csc: ["16", "4.3"] condition: all rules: - 'f:/etc/passwd -> r:apache && r:/sbin/nologin$|/dev/null$' @@ -145,7 +145,7 @@ checks: remediation: "Use the passwd command to lock the apache account: # passwd -l apache" compliance: - cis: ["3.3"] - - cis_csc: ["16","16.8"] + - cis_csc: ["16", "16.8"] condition: any rules: - 'c:passwd -S apache -> r:apache && r:\s*\t*L|\s*\t*LK' 
@@ -159,7 +159,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files (httpd.conf and any included configuration files) to find AllowOverride directives. 2. Set the value for all AllowOverride directives to None. 3. Remove any AllowOverrideList directives found." compliance: - cis: ["4.4"] - - cis_csc: ["14.4","14.6"] + - cis_csc: ["14.4", "14.6"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride - https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist @@ -178,7 +178,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files (httpd.conf and any included configuration files) to find all elements. 2. Add or modify any existing Options directive to NOT have a value of Includes. Other options may be set if necessary and appropriate as described above." compliance: - cis: ["5.3"] - - cis_csc: ["18","5.1"] + - cis_csc: ["18", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#options - https://httpd.apache.org/docs/2.4/mod/mod_include.html 
@@ -195,7 +195,7 @@ checks: remediation: "Review all pre-installed content and remove content which is not required. In particular look for the unnecessary content which may be found in the document root directory, a configuration directory such as conf/extra directory, or as a Unix/Linux package. 1. Remove the default index.html or welcome page if it is a separate package. If it is part of main Apache httpd package such as it is on Red Hat Linux, then comment out the configuration as shown below. Removing a file such as the welcome.conf, is not recommended as it may get replaced if the package is updated. 2. Remove the Apache user manual content or comment out configurations referencing the manual. # yum erase httpd-manual 3. Remove or comment out any Server Information handler configuration. 4. Remove or comment out any other handler configuration such as perl-status." compliance: - cis: ["5.4"] - - cis_csc: ["18.9","5.1"] + - cis_csc: ["18.9", "5.1"] condition: none rules: - 'd:/var/www -> index.html' @@ -214,7 +214,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 2. Remove the printenvdefault CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/printenv" compliance: - cis: ["5.5"] - - cis_csc: ["18","4.7"] + - cis_csc: ["18", "4.7"] condition: none rules: - 'd:/var/www/cgi-bin -> printenv' 
@@ -228,7 +228,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Locate cgi-bin files and directories enabled in the Apache configuration via Script, ScriptAlias, ScriptAliasMatch, or ScriptInterpreterSource directives. 2. Remove the test-cgi default CGI in cgi-bin directory if it is installed. # rm $APACHE_PREFIX/cgi-bin/test-cgi" compliance: - cis: ["5.6"] - - cis_csc: ["18.9","4.7"] + - cis_csc: ["18.9", "4.7"] condition: none rules: - 'd:/var/www/cgi-bin -> test-cgi' @@ -242,7 +242,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Locate the main Apache configuration file such as httpd.conf. 2. Add a TraceEnable directive to the server level configuration with a value of off. Server level configuration is the top-level configuration, not nested within any other directives like or ." compliance: - cis: ["5.8"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - https://www.ietf.org/rfc/rfc2616.txt - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable @@ -258,7 +258,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Find any Listen directives in the Apache configuration file with no IP address specified, or with an IP address of all zeros similar to the examples below. Keep in mind there may be both IPv4 and IPv6 addresses on the system. 2. Modify the Listen directives in the Apache configuration file to have explicit IP addresses according to the intended usage. Multiple Listen directives may be specified for each IP address & Port." compliance: - cis: ["5.13"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - https://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen condition: none 
@@ -276,7 +276,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the Header directive for the X-Frames-Options header in the Apache configuration to have the condition always, an action of append and a value of SAMEORIGIN or DENY, as shown below. Header always append X-Frame-Options SAMEORIGIN" compliance: - cis: ["5.14"] - - cis_csc: ["18","5.1"] + - cis_csc: ["18", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header - https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header @@ -293,7 +293,7 @@ checks: remediation: "Perform the following to implement the recommended state: Search the Apache configuration files for the SSLInsecureRenegotiation directive. If the directive is present modify the value to be off. If the directive is not present then no action is required. SSLInsecureRenegotiation off" compliance: - cis: ["7.6"] - - cis_csc: ["14.2","14.4"] + - cis_csc: ["14.2", "14.4"] references: - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555 @@ -310,7 +310,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Search the Apache configuration files for the SSLCompression directive. 2. If the directive is present, set it to off." compliance: - cis: ["7.7"] - - cis_csc: ["14.2","14.4"] + - cis_csc: ["14.2", "14.4"] references: - https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression - https://en.wikipedia.org/wiki/CRIME @@ -327,7 +327,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the ServerTokens directive as shown below to have the value of Prod or ProductOnly: ServerTokens Prod" compliance: - cis: ["8.1"] - - cis_csc: ["18.9","14.7"] + - cis_csc: ["18.9", "14.7"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#servertokens condition: any 
@@ -342,7 +342,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the ServerSignature directive to have the value of Off: ServerSignature Off" compliance: - cis: ["8.2"] - - cis_csc: ["18","13.2"] + - cis_csc: ["18", "13.2"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#serversignature condition: none @@ -357,7 +357,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter. Timeout 10" compliance: - cis: ["9.1"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#timeout condition: all @@ -372,7 +372,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the KeepAlive directive in the Apache configuration to have a value of On, so that KeepAlive connections are enabled. KeepAlive On" compliance: - cis: ["9.2"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive condition: none @@ -387,7 +387,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the MaxKeepAliveRequests directive in the Apache configuration to have a value of 100 or more. MaxKeepAliveRequests 100" compliance: - cis: ["9.3"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#maxkeepaliverequests condition: none @@ -402,7 +402,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the KeepAliveTimeout directive in the Apache configuration to have a value of 15 or less. KeepAliveTimeout 15" compliance: - cis: ["9.4"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout condition: all 
@@ -417,7 +417,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Load the mod_requesttimeout module in the Apache configuration with the following configuration. LoadModule reqtimeout_module modules/mod_reqtimeout.so 2. Add a RequestReadTimeout directive similar to the one below with the maximum request header timeout value of 40 seconds or less. RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500" compliance: - cis: ["9.5"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://ha.ckers.org/slowloris/ - https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t @@ -435,7 +435,7 @@ checks: remediation: "Perform the following to implement the recommended state: 1. Load the mod_requesttimeout module in the Apache configuration with the following configuration. LoadModule reqtimeout_module modules/mod_reqtimeout.so 2. Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less. RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500" compliance: - cis: ["9.6"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html condition: any @@ -451,7 +451,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestline directive in the Apache configuration to have a value of 512 or shorter. LimitRequestline 512" compliance: - cis: ["10.1"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestline condition: all 
@@ -466,7 +466,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestFields directive in the Apache configuration to have a value of 100 or less. If the directive is not present the default depends on a compile time configuration, but defaults to a value of 100. LimitRequestFields 100" compliance: - cis: ["10.2"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfields condition: all
@@ -481,7 +481,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestFieldsize directive in the Apache configuration to have a value of 1024 or less. LimitRequestFieldsize 1024" compliance: - cis: ["10.3"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestfieldsize condition: all
@@ -496,7 +496,7 @@ checks: remediation: "Perform the following to implement the recommended state: Add or modify the LimitRequestBody directive in the Apache configuration to have a value of 102400 (100K) or less. Please read the Apache documentation so that it is understood that this directive will limit the size of file up-loads to the web server. LimitRequestBody 102400" compliance: - cis: ["10.4"] - - cis_csc: ["9","5.1"] + - cis_csc: ["9", "5.1"] references: - https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody condition: all
diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml
index 69003e930..6b9120129 100644
--- a/sca/applications/web_vulnerabilities.yml
+++ b/sca/applications/web_vulnerabilities.yml
@@ -55,8 +55,8 @@ checks: - id: 10504 title: "Web exploits: '.yop' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^.yop$' @@ -64,8 +64,8 @@ checks: - id: 10505 title: "Web exploits: 'id' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^id$' @@ -73,8 +73,8 @@ checks: - id: 10506 title: "Web exploits: '.ssh' is an uncommon file name inside htdocs" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^.ssh$' @@ -82,8 +82,8 @@ checks: - id: 10507 title: "Web exploits: '...' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^...$' @@ -91,8 +91,8 @@ checks: - id: 10508 title: "Web exploits: '.shell' is an uncommon file name inside htdocs - Possible compromise" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^.shell$' 
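Review bot: The new `nist_800_53` list is the same for every check in these hunks and the two following lines (10504 through 10515), and it mixes in `SC.5` (Denial of Service Protection), which none of these unusual-file, backdoor or stale-version findings relate to. `SI.3` (Malicious Code Protection) and `SI.4` (System Monitoring) fit the backdoor and odd-filename checks, but for the outdated WordPress/Joomla/osCommerce checks 10509-10511 the matching control is `SI.2` (Flaw Remediation), so `- nist_800_53: ["SA.11", "SI.2", "SI.4"]` would be a better fit there. Dropping `IA.10` looks right, but the commit title announces a HIPAA mapping and no `hipaa` key is added to any check in this file; presumably that lives in the other files of the patch, which is worth confirming.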
@@ -101,8 +101,8 @@ checks: - id: 10509 title: "Web vulnerability - Outdated WordPress installation" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^version.php$ -> r:^\.wp_version && r:4.4.2' @@ -110,8 +110,8 @@ checks: - id: 10510 title: "Web vulnerability - Outdated Joomla installation" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:3.4.8' @@ -119,8 +119,8 @@ checks: - id: 10511 title: "Web vulnerability - Outdated osCommerce (v2.2) installation" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> ^application_top.php$ -> r:osCommerce && r:2.2-' @@ -129,8 +129,8 @@ checks: - id: 10512 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode)" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\paWYo' @@ -138,8 +138,8 @@ checks: - id: 10513 title: "Web vulnerability - Backdoors / Web based malware found - eval(base64_decode(POST))" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] condition: none rules: - 'd:$web_dirs -> .php$ -> r:eval\(base64_decode\(\S_POST' 
@@ -147,8 +147,8 @@ checks: - id: 10514 title: "Web vulnerability - .htaccess file compromised" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] references: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: none
@@ -158,8 +158,8 @@ checks: - id: 10515 title: "Web vulnerability - .htaccess file compromised - auto append" compliance: - - pci_dss: ["6.5","6.6","11.4"] - - nist_800_53: ["SA.11","IA.10"] + - pci_dss: ["6.5", "6.6", "11.4"] + - nist_800_53: ["SA.11", "SC.5", "SI.3", "SI.4"] references: - https://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html condition: none
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index d5fb2c065..c48f86c90 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -484,7 +484,7 @@ checks: - cis: ["6.10"] condition: none rules: - - 'c:find /etc/rc* -name *apache2* -> r:S\.' + - 'c:find /etc/rc* -name *apache2* -> r:S\.' - id: 1038 title: "Ensure IMAP and POP server is not enabled"
@@ -506,7 +506,7 @@ checks: - cis: ["6.12"] condition: none rules: - - 'c:find /etc/rc* -name *smb* -> r:S\.' + - 'c:find /etc/rc* -name *smb* -> r:S\.' - id: 1040 title: "Ensure HTTP Proxy Server is not enabled"
@@ -517,7 +517,7 @@ checks: - cis: ["6.13"] condition: none rules: - - 'c:find /etc/rc* -name *squid3* -> r:S\.' + - 'c:find /etc/rc* -name *squid3* -> r:S\.' - id: 1041 title: "Ensure SNMP Server is not enabled"
diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml
index 6e99766eb..6779b485d 100644
--- a/sca/debian/cis_debian7_L2.yml
+++ b/sca/debian/cis_debian7_L2.yml
@@ -30,7 +30,7 @@ checks: # 2 Filesystem Configuration - - id: 1500 + - id: 1500 title: "Disable Mounting of cramfs Filesystems" description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -42,7 +42,7 @@ checks: - 'c:/sbin/modprobe -n -v cramfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:cramfs' - - id: 1501 + - id: 1501 title: "Disable Mounting of freevxfs Filesystems" description: "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -54,7 +54,7 @@ checks: - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:freevxfs' - - id: 1502 + - id: 1502 title: "Disable Mounting of jffs2 Filesystems" description: "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -66,7 +66,7 @@ checks: - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:jffs2' - - id: 1503 + - id: 1503 title: "Disable Mounting of hfs Filesystems" description: "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
@@ -78,7 +78,7 @@ checks: - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:hfs' - - id: 1504 + - id: 1504 title: "Disable Mounting of hfsplus Filesystems" description: "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -90,7 +90,7 @@ checks: - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:hfsplus' - - id: 1505 + - id: 1505 title: "Disable Mounting of squashfs Filesystems" description: "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image." rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." @@ -102,7 +102,7 @@ checks: - 'c:/sbin/modprobe -n -v squashfs -> r:^install /bin/true' - 'not c:/sbin/lsmod -> r:squashfs' - - id: 1506 + - id: 1506 title: "Disable Mounting of udf Filesystems" description: "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats" rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." 
@@ -116,7 +116,7 @@ checks: # 4 Additional Process Hardening - - id: 1507 + - id: 1507 title: "Activate AppArmor" description: "AppArmor provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model." rationale: "For an action to occur, both the traditional DAC permissions must be satisfied as well as the AppArmor MAC rules. The action will not be allowed if either one of these models does not permit the action. In this way, AppArmor rules can only make a system's permissions more restrictive and secure." @@ -130,7 +130,7 @@ checks: - 'c:apparmor_status -> r:^0\s*processes are unconfined' # 8.1 Configure System Accounting (auditd) - - id: 1508 + - id: 1508 title: "Configure Audit Log Storage Size" description: "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." @@ -143,7 +143,7 @@ checks: - 'f:/etc/audit/auditd.conf' - 'f:/etc/audit/auditd.conf -> r:max_log_file\s*=\s*\d+' - - id: 1509 + - id: 1509 title: "Disable System on Audit Log Full" description: "The auditd daemon can be configured to halt the system when the audit logs are full." rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." @@ -158,7 +158,7 @@ checks: - 'f:/etc/audit/auditd.conf -> r:^\s*\t*space_left_action\s*=\s*email' - 'f:/etc/audit/auditd.conf -> r:^\s*\t*admin_space_left_action\s*=\s*halt' - - id: 1510 + - id: 1510 title: "Keep All Auditing Information" description: "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." 
@@ -171,7 +171,7 @@ checks: - 'f:/etc/audit/auditd.conf' - 'f:/etc/audit/auditd.conf -> r:^\s*\t*max_log_file_action\s*=\s*keep_logs' - - id: 1511 + - id: 1511 title: "Install and Enable auditd Service" description: "Install and turn on the auditd daemon to record system events." rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." @@ -183,7 +183,7 @@ checks: - 'c:dpkg -s auditd -> r:install ok installed' - 'c:find /etc/rc* -name *auditd* -> r:S\.' - - id: 1512 + - id: 1512 title: "Enable Auditing for Processes That Start Prior to auditd" description: "Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." @@ -194,7 +194,7 @@ checks: rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\p*audit\s*=\s*1\p*' - - id: 1513 + - id: 1513 title: "Record Events That Modify Date and Time Information" description: "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." 
@@ -211,7 +211,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit && r:-F arch=b64 && r:-S clock_settime && r:-k time-change'
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/localtime && r:-p wa && r:-k time-change'
- - id: 1514
+ - id: 1514
 title: "Record Events That Modify User/Group Information"
 description: "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file."
 rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts."
@@ -228,7 +228,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/shadow && r:-p wa && r:-k identity'
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/security/opasswd && r:-p wa && r:-k identity'
- - id: 1515
+ - id: 1515
 title: "Record Events That Modify the System's Network Environment"
 description: "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses) and /etc/network (directory containing network interface scripts and configurations) files."
 rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\""
@@ -246,7 +246,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/hosts && r:-p wa && r:-k system-locale'
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/network && r:-p wa && r:-k system-locale'
- - id: 1516
+ - id: 1516
 title: "Record Events That Modify the System's Mandatory Access Controls"
 description: "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory."
 rationale: "Changes to files in this directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system."
@@ -259,7 +259,7 @@ checks:
 - 'f:/etc/audit/audit.rules'
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/selinux/ && r:-p wa && r:-k MAC-policy'
- - id: 1517
+ - id: 1517
 title: "Collect Login and Logout Events"
 description: "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module"
 rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins."
@@ -274,7 +274,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-w /var/log/lastlog && r:-p wa && r:-k logins'
 - 'f:/etc/audit/audit.rules -> r:^-w /var/log/tallylog && r:-p wa && r:-k logins'
- - id: 1518
+ - id: 1518
 title: "Collect Session Initiation Information"
 description: "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\" The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\""
 rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)."
@@ -289,7 +289,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-w /var/log/wtmp && r:-p wa && r:-k session'
 - 'f:/etc/audit/audit.rules -> r:^-w /var/log/btmp && r:-p wa && r:-k session'
- - id: 1519
+ - id: 1519
 title: "Collect Discretionary Access Control Permission Modification Events"
 description: "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permis&& r:sions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\""
 rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation."
@@ -307,7 +307,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S setxattr && r:-S lsetxattr && r:-S fsetxattr && r:-S removexattr && r:-S lremovexattr && r:-S fremovexattr && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k perm_mod'
- - id: 1520
+ - id: 1520
 title: "Collect Unsuccessful Unauthorized Access Attempts to Files"
 description: "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\""
 rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system."
@@ -323,7 +323,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S creat && r:-S open && r:-S openat && r:-S truncate && r:-F exit=-EPERM && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k access'
- - id: 1521
+ - id: 1521
 title: "Collect Successful File System Mounts"
 description: "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user"
 rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open, creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document."
@@ -337,7 +337,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S mount && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k mounts'
- - id: 1522
+ - id: 1522
 title: "Collect File Deletion Events by User"
 description: "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"."
 rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered."
@@ -351,7 +351,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b32 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64 && r:-S unlink && r:-S unlinkat && r:-S rename && r:-S renameat && r:-F auid>=1000 && r:-F auid!=4294967295 && r:-k delete'
- - id: 1523
+ - id: 1523
 title: "Collect Changes to System Administration Scope (sudoers)"
 description: "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\""
 rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity."
@@ -364,7 +364,7 @@ checks:
 - 'f:/etc/audit/audit.rules'
 - 'f:/etc/audit/audit.rules -> r:^-w /etc/sudoers && r:-p wa && r:-k scope'
- - id: 1524
+ - id: 1524
 title: "Collect System Administrator Actions (sudolog)"
 description: "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log."
 rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed."
@@ -377,7 +377,7 @@ checks:
 - 'f:/etc/audit/audit.rules'
 - 'f:/etc/audit/audit.rules -> r:^-w /var/log/sudo.log && r:-p wa && r:-k actions'
- - id: 1525
+ - id: 1525
 title: "Collect Kernel Module Loading and Unloading"
 description: "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
 rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules."
@@ -393,7 +393,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-w /sbin/modprobe && r:-p x && r:-k modules'
 - 'f:/etc/audit/audit.rules -> r:^-a && r:always,exit|exit,always && r:-F arch=b64|-F arch=b32 && r:-S init_module && r:-S delete_module && r:-k modules'
- - id: 1526
+ - id: 1526
 title: "Make the Audit Configuration Immutable"
 description: "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot"
 rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes."
@@ -407,7 +407,7 @@ checks:
 - 'f:/etc/audit/audit.rules -> r:^-e 2$'
 # 8.3 Advanced Intrusion Detection Environment (AIDE)
- - id: 1527
+ - id: 1527
 title: "Install AIDE"
 description: "In some installations, AIDE is not installed automatically"
 rationale: "Install AIDE to make use of the file integrity features to monitor critical files for changes that could affect the security of the system."
@@ -418,7 +418,7 @@ checks:
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
- - id: 1528
+ - id: 1528
 title: "Implement Periodic Execution of File Integrity"
 description: "Implement periodic file checking, in compliance with site policy"
 rationale: "Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion."
diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml
index 1c4fe1ccb..13ea29dfa 100644
--- a/sca/debian/cis_debian8_L1.yml
+++ b/sca/debian/cis_debian8_L1.yml
@@ -48,7 +48,7 @@ checks:
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install freevxfs /bin/true. 2) Run the following command to unload the freevxfs module: # rmmod freevxfs"
 compliance:
 - cis: ["1.1.1.2"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v freevxfs -> r:^install /bin/true'
@@ -61,7 +61,7 @@ checks:
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install jffs2 /bin/true. 2) Run the following command to unload the jffs2 module: # rmmod jffs2"
 compliance:
 - cis: ["1.1.1.3"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v jffs2 -> r:^install /bin/true'
@@ -74,7 +74,7 @@ checks:
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfs /bin/true. 2) Run the following command to unload the hfs module: # rmmod hfs"
 compliance:
 - cis: ["1.1.1.4"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfs -> r:^install /bin/true'
@@ -87,7 +87,7 @@ checks:
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install hfsplus /bin/true. 2) Run the following command to unload the hfsplus module: # rmmod hfsplus"
 compliance:
 - cis: ["1.1.1.5"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v hfsplus -> r:^install /bin/true'
@@ -113,7 +113,7 @@ checks:
 remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install udf /bin/true. 2) Run the following command to unload the udf module: # rmmod udf"
 compliance:
 - cis: ["1.1.1.7"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:/sbin/modprobe -n -v udf -> r:^install /bin/true'
@@ -127,7 +127,7 @@ checks:
 remediation: "Configure /etc/fstab as appropiate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount."
 compliance:
 - cis: ["1.1.2"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 - https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/
@@ -142,7 +142,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /tmp"
 compliance:
 - cis: ["1.1.3"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nodev'
@@ -154,7 +154,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp"
 compliance:
 - cis: ["1.1.4"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/tmp\s && r:nosuid'
@@ -166,7 +166,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nodev /var/tmp"
 compliance:
 - cis: ["1.1.7"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nodev'
@@ -178,7 +178,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,nosuid /var/tmp"
 compliance:
 - cis: ["1.1.8"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:nosuid'
@@ -190,7 +190,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information. Run the following command to remount /var/tmp: # mount -o remount,noexec /var/tmp"
 compliance:
 - cis: ["1.1.9"]
- - cis_csc: ["2","2.6"]
+ - cis_csc: ["2", "2.6"]
 condition: all
 rules:
 - 'c:mount -> r:\s/var/tmp\s && r:noexec'
@@ -202,7 +202,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nodev /home"
 compliance:
 - cis: ["1.1.13"]
- - cis_csc: ["13","15.1","5.1"]
+ - cis_csc: ["13", "15.1", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/home\s && r:nodev'
@@ -214,7 +214,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nodev /dev/shm"
 compliance:
 - cis: ["1.1.14"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nodev'
@@ -226,7 +226,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,nosuid /dev/shm"
 compliance:
 - cis: ["1.1.15"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:nosuid'
@@ -238,7 +238,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /run/shm"
 compliance:
 - cis: ["1.1.16"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -250,7 +250,7 @@ checks:
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
 - cis: ["1.1.21"]
- - cis_csc: ["8.3","8.4","8.5"]
+ - cis_csc: ["8.3", "8.4", "8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -263,7 +263,7 @@ checks:
 remediation: "Install AIDE: # apt-get install aide aide-common. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Initialize AIDE: # aideinit"
 compliance:
 - cis: ["1.3.1"]
- - cis_csc: ["3.5","14.9"]
+ - cis_csc: ["3.5", "14.9"]
 condition: all
 rules:
 - 'c:dpkg -s aide -> r:install ok installed'
@@ -275,7 +275,7 @@ checks:
 remediation: "Execute the following command: # crontab -u root -e Add the following line to the crontab: 0 5 * * * /usr/sbin/aide --check. Note: The checking in this instance occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy."
 compliance:
 - cis: ["1.3.2"]
- - cis_csc: ["3.5","14.9"]
+ - cis_csc: ["3.5", "14.9"]
 condition: all
 rules:
 - 'c:grep -Rh aide /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /etc/crontab -> r:\.+'
@@ -328,7 +328,7 @@ checks:
 remediation: "Add the following line to the /etc/sysctl.conf file: kernel.randomize_va_space = 2 and run the following command to set the active kernel parameter: # sysctl -w kernel.randomize_va_space=2"
 compliance:
 - cis: ["1.5.3"]
- - cis_csc: ["8.3","8.4"]
+ - cis_csc: ["8.3", "8.4"]
 condition: all
 rules:
 - 'c:grep -Rh ^kernel\.randomize_va_space /etc/sysctl.conf /etc/sysctl.d -> r:\s*\t*2$'
@@ -342,7 +342,7 @@ checks:
 remediation: "Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of \\m,\\r,\\s, or \\v: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue"
 compliance:
 - cis: ["1.7.1.2"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: none
 rules:
 - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian'
@@ -356,6 +356,7 @@ checks:
 - cis_csc: ["5.1"]
 - cis: ["1.7.2"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
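Review bot: The check that gains `nist_800_53: ["CM.1"]` in the last hunk (cis 1.7.2, GDM login banner) keys its first rule on `r:^[org/gnome/login-screen]`, and whether that matches the literal dconf section header depends on the regex engine behind `r:`: the project's OS_Regex dialect appears to treat `[` and `]` literally, but a PCRE-style engine would read `[...]` as a character class and the rule would match any line starting with one of those characters, silently weakening the check. Since the commit edits this check anyway, it is worth pinning the intent with a comment such as `# literal section header; do not escape the brackets for OS_Regex` or, if the engine is PCRE-based, escaping them as `r:^\[org/gnome/login-screen\]`. Separately, with `condition: all` and an `f:` rule on `/etc/gdm3/greeter.dconf-defaults`, a headless host without gdm3 will report this check as failed rather than not applicable, so the description should say that it only applies where GDM is installed. The rest of this check's rules lie outside the hunk.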
@@ -370,7 +371,7 @@ checks:
 remediation: "Run the following command to disable xinetd: # apt-get remove xinetd"
 compliance:
 - cis: ["2.1.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:dpkg -s xinetd -> r:install ok installed'
@@ -382,7 +383,7 @@ checks:
 remediation: "Run the following commands to uninstall openbsd-inetd and inetutils-inetd: # apt-get remove openbsd-inetd # apt-get remove inetutils-inetd"
 compliance:
 - cis: ["2.1.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:dpkg -s openbsd-inetd -> r:install ok installed'
@@ -425,7 +426,7 @@ checks:
 remediation: "Run the following command to disable avahi-daemon: # systemctl disable avahi-daemon"
 compliance:
 - cis: ["2.2.3"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled avahi-daemon -> r:^enabled'
@@ -437,7 +438,7 @@ checks:
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
 - cis: ["2.2.4"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 references:
 - https://www.cups.org
 condition: none
@@ -453,7 +454,7 @@ checks:
 - https://www.isc.org/dhcp/
 compliance:
 - cis: ["2.2.5"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled isc-dhcp-server -> r:^enabled'
@@ -466,7 +467,7 @@ checks:
 remediation: "Run the following command to disable slapd: # systemctl disable slapd"
 compliance:
 - cis: ["2.2.6"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 references:
 - https://www.openldap.org
 condition: none
@@ -480,7 +481,7 @@ checks:
 remediation: "Run the following commands to disable nfs and rpcbind: # systemctl disable nfs-server # systemctl disable rpcbind"
 compliance:
 - cis: ["2.2.7"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nfs-server -> r:^enabled'
@@ -493,7 +494,7 @@ checks:
 remediation: "Run the following command to disable named: # systemctl disable bind9"
 compliance:
 - cis: ["2.2.8"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled bind9 -> r:^enabled'
@@ -505,7 +506,7 @@ checks:
 remediation: "Run the following command to disable vsftpd: # systemctl disable vsftpd"
 compliance:
 - cis: ["2.2.9"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled vsftpd -> r:^enabled'
@@ -517,7 +518,7 @@ checks:
 remediation: "Run the following command to disable apache2: # systemctl disable apache2"
 compliance:
 - cis: ["2.2.10"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled apache2 -> r:^enabled'
@@ -531,6 +532,7 @@ checks:
 - cis_csc: ["9.2"]
 - cis: ["2.2.11"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:dpkg -s exim4 -> install ok installed'
@@ -542,7 +544,7 @@ checks:
 remediation: "Run the following command to disable smbd: # systemctl disable smbd"
 compliance:
 - cis: ["2.2.12"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled smbd -> r:^enabled'
@@ -554,7 +556,7 @@ checks:
 remediation: "Run the following command to disable squid: # systemctl disable squid"
 compliance:
 - cis: ["2.2.13"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled squid -> r:^enabled'
@@ -566,7 +568,7 @@ checks:
 remediation: "Run the following command to disable snmpd: # systemctl disable snmpd"
 compliance:
 - cis: ["2.2.14"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled snmpd -> r:^enabled'
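Review bot: The exim4 rule in the hunk that gains `nist_800_53: ["CM.1"]` (cis 2.2.11) is written `- 'c:dpkg -s exim4 -> install ok installed'`, the only `dpkg -s` rule in this file without the `r:` prefix that its siblings use (`c:dpkg -s xinetd -> r:install ok installed`, `c:dpkg -s aide -> r:install ok installed`). Without `r:` the pattern is presumably compared literally against each output line rather than as a regex, and `dpkg -s` prints `Status: install ok installed`, so the rule would never match and, under `condition: none`, the check would pass even when exim4 is installed. Since the commit touches this check's compliance block anyway, align it with its siblings: `- 'c:dpkg -s exim4 -> r:install ok installed'`. Please confirm the literal-match semantics of a bare pattern in the rule engine before merging.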
@@ -578,7 +580,7 @@ checks:
 remediation: "Run the following command to disable rsync: # systemctl disable rsync"
 compliance:
 - cis: ["2.2.16"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'c:systemctl is-enabled rsync -> r:^enabled'
@@ -592,6 +594,7 @@ checks:
 - cis_csc: ["9.2"]
 - cis: ["2.2.17"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nis -> r:^enabled'
@@ -603,7 +606,7 @@ checks:
 remediation: "Uninstall the nis package: # apt-get remove nis"
 compliance:
 - cis: ["2.3.1"]
- - cis_csc: ["2","2.6"]
+ - cis_csc: ["2", "2.6"]
 condition: none
 rules:
 - 'c:dpkg -s nis -> r:install ok installed'
@@ -615,7 +618,7 @@ checks:
 remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
 compliance:
 - cis: ["2.3.2"]
- - cis_csc: ["3.4","4.5"]
+ - cis_csc: ["3.4", "4.5"]
 condition: none
 rules:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
@@ -628,7 +631,7 @@ checks:
 remediation: "Run the following command to uninstall talk: apt-get remove talk"
 compliance:
 - cis: ["2.3.3"]
- - cis_csc: ["2","2.6"]
+ - cis_csc: ["2", "2.6"]
 condition: none
 rules:
 - 'c:dpkg -s talk -> r:install ok installed'
@@ -640,7 +643,7 @@ checks:
 remediation: "Run the following command to uninstall telnet: # apt-get remove telnet"
 compliance:
 - cis: ["2.3.4"]
- - cis_csc: ["3.4","4.5"]
+ - cis_csc: ["3.4", "4.5"]
 condition: none
 rules:
 - 'c:dpkg -s telnet -> r:install ok installed'
@@ -653,7 +656,7 @@ checks:
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 net.ipv6.conf.all.forwarding = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv6.conf.all.forwarding=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
 - cis: ["3.1.1"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.ip_forward -> r:=\s*\t*0$'
@@ -668,7 +671,7 @@ checks:
 remediation: "Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf: net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 Modify active kernel parameters to match: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.1.2"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:=\s*\t*0$'
@@ -683,7 +686,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv6.conf.all.accept_source_route=0 # sysctl -w net.ipv6.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
 - cis: ["3.2.1"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*\t*0$'
@@ -702,7 +705,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv6.conf.all.accept_redirects=0 # sysctl -w net.ipv6.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1 # sysctl -w net.ipv6.route.flush=1"
 compliance:
 - cis: ["3.2.2"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:=\s*\t*0$'
@@ -721,7 +724,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.3"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:=\s*\t*0$'
@@ -736,7 +739,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.4"]
- - cis_csc: ["6","6.2","6.3"]
+ - cis_csc: ["6", "6.2", "6.3"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$'
@@ -751,7 +754,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.5"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:=\s*\t*1$'
@@ -764,7 +767,7 @@ checks:
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.6"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:=\s*\t*1$'
@@ -777,7 +780,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.7"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:=\s*\t*1$'
@@ -792,7 +795,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.8"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.tcp_syncookies -> r:=\s*\t*1$'
@@ -805,7 +808,7 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv6.conf.all.accept_ra=0 # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1"
 compliance:
 - cis: ["3.2.9"]
- - cis_csc: ["3","11","5.1"]
+ - cis_csc: ["3", "11", "5.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv6.conf.all.accept_ra -> r:=\s*\t*0$'
@@ -820,7 +823,7 @@ checks:
 remediation: "Run the following command to create /etc/hosts.allow: # echo \"ALL: /, /, ...\" >/etc/hosts.allow. Where each / combination (for example, \"192.168.1.0/255.255.255.0\") represents one network block in use by your organization that requires access to this system."
 compliance:
 - cis: ["3.3.2"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.allow'
@@ -832,7 +835,7 @@ checks:
 remediation: "Run the following command to create /etc/hosts.deny: # echo \"ALL: ALL\" >> /etc/hosts.deny"
 compliance:
 - cis: ["3.3.3"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'f:/etc/hosts.deny'
@@ -845,7 +848,7 @@ checks:
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/dccp.conf and add the following line: install dccp /bin/true"
 compliance:
 - cis: ["3.4.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v dccp -> r:install /bin/true'
@@ -858,7 +861,7 @@ checks:
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/sctp.conf and add the following line: install sctp /bin/true"
 compliance:
 - cis: ["3.4.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v sctp -> r:install /bin/true'
@@ -871,7 +874,7 @@ checks:
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/rds.conf and add the following line: install rds /bin/true"
 compliance:
 - cis: ["3.4.3"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v rds -> r:install /bin/true'
@@ -884,7 +887,7 @@ checks:
 remediation: "Edit or create a file in the /etc/modprobe.d/ directory ending in .conf Example: vim /etc/modprobe.d/tipc.conf and add the following line: install tipc /bin/true"
 compliance:
 - cis: ["3.4.4"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: none
 rules:
 - 'not c:modprobe -n -v tipc -> r:install /bin/true'
@@ -899,7 +902,7 @@ checks:
 remediation: "Run the following commands to implement a default DROP policy: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
 compliance:
 - cis: ["3.5.1.1"]
- - cis_csc: ["9.1","9.4"]
+ - cis_csc: ["9.1", "9.4"]
 condition: all
 rules:
 - 'c:iptables -L -> r:^Chain INPUT && r:policy DROP'
@@ -913,7 +916,7 @@ checks:
 remediation: "Run the following commands to implement a default DROP policy: # ip6tables -P INPUT DROP # ip6tables -P OUTPUT DROP # ip6tables -P FORWARD DROP. Notes: Changing firewall settings while connected over network can result in being locked out of the system. Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well."
 compliance:
 - cis: ["3.5.2.1"]
- - cis_csc: ["9.1","9.4"]
+ - cis_csc: ["9.1", "9.4"]
 condition: all
 rules:
 - 'c:ip6tables -L -> r:^Chain INPUT && r:policy DROP'
@@ -927,7 +930,7 @@ checks:
 remediation: "Run the following command to install iptables: # apt-get install iptables"
 compliance:
 - cis: ["3.5.3"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'c:dpkg -s iptables -> r:install ok installed'
@@ -940,7 +943,7 @@ checks:
 remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog"
 compliance:
 - cis: ["4.2.1.1"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'c:systemctl is-enabled rsyslog -> r:^enabled'
@@ -952,7 +955,7 @@ checks:
 remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
 - cis: ["4.2.1.4"]
- - cis_csc: ["6.6","6.8"]
+ - cis_csc: ["6.6", "6.8"]
 references:
 - rsyslog.conf(5) man page
 condition: all
@@ -966,7 +969,7 @@ checks:
 remediation: "For hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment or add the following lines:$ModLoad imtcp & $InputTCPServerRun 514. For hosts that are not designated as log hosts, edit the /etc/rsyslog.conf file and comment or remove the following lines: # $ModLoad imtcp # $InputTCPServerRun 514. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd"
 compliance:
 - cis: ["4.2.1.5"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 references:
 - rsyslog.conf(8) man page
 condition: all
@@ -982,7 +985,7 @@ checks:
 remediation: "Run the following command to enable cron: systemctl enable cron"
 compliance:
 - cis: ["5.1.1"]
- - cis_csc: ["6","5.1"]
+ - cis_csc: ["6", "5.1"]
 condition: all
 rules:
 - 'c:systemctl is-enabled cron -> r:^enabled$'
@@ -1023,7 +1026,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: Protocol 2"
 compliance:
 - cis: ["5.2.4"]
- - cis_csc: ["3.4","4.5"]
+ - cis_csc: ["3.4", "4.5"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:Protocol\s*\t*2'
@@ -1037,7 +1040,7 @@ checks:
 - https://www.ssh.com/ssh/sshd_config/
 compliance:
 - cis: ["5.2.5"]
- - cis_csc: ["16","6.2","6.3"]
+ - cis_csc: ["16", "6.2", "6.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE'
@@ -1049,7 +1052,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
 compliance:
 - cis: ["5.2.6"]
- - cis_csc: ["16","9.2"]
+ - cis_csc: ["16", "9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
@@ -1061,7 +1064,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: MaxAuthTries 4"
 compliance:
 - cis: ["5.2.7"]
- - cis_csc: ["16","16.13"]
+ - cis_csc: ["16", "16.13"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
@@ -1073,7 +1076,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: IgnoreRhosts yes"
 compliance:
 - cis: ["5.2.8"]
- - cis_csc: ["9","9.2"]
+ - cis_csc: ["9", "9.2"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
@@ -1085,7 +1088,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no"
 compliance:
 - cis: ["5.2.9"]
- - cis_csc: ["9","16.3"]
+ - cis_csc: ["9", "16.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:HostbasedAuthentication\s+no'
@@ -1097,7 +1100,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitRootLogin no"
 compliance:
 - cis: ["5.2.10"]
- - cis_csc: ["5.8","4.3"]
+ - cis_csc: ["5.8", "4.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
@@ -1111,7 +1114,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitEmptyPasswords no"
 compliance:
 - cis: ["5.2.11"]
- - cis_csc: ["16","16.3"]
+ - cis_csc: ["16", "16.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
@@ -1123,7 +1126,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: PermitUserEnvironment no"
 compliance:
 - cis: ["5.2.12"]
- - cis_csc: ["16","5.1"]
+ - cis_csc: ["16", "5.1"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitUserEnvironment\s+no'
@@ -1135,7 +1138,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set the parameters according to site policy: ClientAliveInterval 300 ClientAliveCountMax 0"
 compliance:
 - cis: ["5.2.16"]
- - cis_csc: ["16.4","16.11"]
+ - cis_csc: ["16.4", "16.11"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && n:ClientAliveInterval\s*\t*(\d+) compare <= 300 && n:ClientAliveInterval\s*\t*(\d+) compare != 0'
@@ -1148,7 +1151,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_config file to set one or more of the parameter as follows: AllowUsers AllowGroups DenyUsers DenyGroups "
 compliance:
 - cis: ["5.2.18"]
- - cis_csc: ["5.1","5.8","4.3"]
+ - cis_csc: ["5.1", "5.8", "4.3"]
 condition: all
 rules:
 - 'f:/etc/ssh/sshd_config -> !r:^# && r:AllowUsers\s+\w+|AllowGroups\s+\w+|DenyUsers\s+\w+|DenyGroups\s+\w+'
@@ -1174,7 +1177,7 @@ checks:
 remediation: "1) Run the following command to install the pam_pwquality module: apt-get install libpam-pwquality 2) Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy: password requisite pam_pwquality.so retry=3 3) Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy: minlen = 14 dcredit = -1 ucredit = -1 ocredit = -1 lcredit = -1. Notes: Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol."
 compliance:
 - cis: ["5.3.1"]
- - cis_csc: ["5.7","16.12","4.4"]
+ - cis_csc: ["5.7", "16.12", "4.4"]
 condition: all
 rules:
 - 'c:dpkg -s libpam-pwquality -> r:install ok installed'
@@ -1218,7 +1221,7 @@ checks:
 remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password."
 compliance:
 - cis: ["5.4.1.1"]
- - cis_csc: ["4.4","16"]
+ - cis_csc: ["4.4", "16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365'
@@ -1230,7 +1233,7 @@ checks:
 remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password."
 compliance:
 - cis: ["5.4.1.2"]
- - cis_csc: ["4.4","16"]
+ - cis_csc: ["4.4", "16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7'
@@ -1242,7 +1245,7 @@ checks:
 remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password."
 compliance:
 - cis: ["5.4.1.3"]
- - cis_csc: ["4.4","16"]
+ - cis_csc: ["4.4", "16"]
 condition: all
 rules:
 - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7'
@@ -1254,7 +1257,7 @@ checks:
 remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting."
 compliance:
 - cis: ["5.4.1.4"]
- - cis_csc: ["4.4","16"]
+ - cis_csc: ["4.4", "16"]
 condition: all
 rules:
 - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30'
@@ -1266,7 +1269,7 @@ checks:
 remediation: "Run the following command to set the root user default group to GID 0: # usermod -g 0 root"
 compliance:
 - cis: ["5.4.3"]
- - cis_csc: ["5","5.1"]
+ - cis_csc: ["5", "5.1"]
 condition: all
 rules:
 - 'f:/etc/passwd -> !r:^# && r:root:\w+:\w+:0:'
@@ -1293,7 +1296,7 @@ checks:
 remediation: "If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password: # passwd -l . Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off."
 compliance:
 - cis: ["6.2.1"]
- - cis_csc: ["16","4.4"]
+ - cis_csc: ["16", "4.4"]
 condition: none
 rules:
 - 'f:/etc/shadow -> r:^\w+::'
@@ -1305,7 +1308,7 @@ checks:
 remediation: "Remove any legacy + entries from /etc/passwd if they exist."
 compliance:
 - cis: ["6.2.2"]
- - cis_csc: ["16.9","16.2"]
+ - cis_csc: ["16.9", "16.2"]
 condition: none
 rules:
 - 'f:/etc/passwd -> !r:^# && r:^+:'
@@ -1317,7 +1320,7 @@ checks:
 remediation: "Remove any legacy + entries from /etc/shadow if they exist."
 compliance:
 - cis: ["6.2.3"]
- - cis_csc: ["16.9","16.2"]
+ - cis_csc: ["16.9", "16.2"]
 condition: none
 rules:
 - 'f:/etc/shadow -> !r:^# && r:^+:'
@@ -1329,7 +1332,7 @@ checks:
 remediation: "Remove any legacy + entries from /etc/group if they exist."
 compliance:
 - cis: ["6.2.4"]
- - cis_csc: ["16.9","16.2"]
+ - cis_csc: ["16.9", "16.2"]
 condition: none
 rules:
 - 'f:/etc/group -> !r:^# && r:^+:'
diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml
index cc7f4682b..651114d55 100644
--- a/sca/debian/cis_debian8_L2.yml
+++ b/sca/debian/cis_debian8_L2.yml
@@ -35,7 +35,7 @@ checks:
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
 - cis: ["1.1.5"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -49,7 +49,7 @@ checks:
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate."
 compliance:
 - cis: ["1.1.6"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -63,7 +63,7 @@ checks:
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
 - cis: ["1.1.10"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -77,7 +77,7 @@ checks:
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
 - cis: ["1.1.11"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -91,7 +91,7 @@ checks:
 remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions."
 compliance:
 - cis: ["1.1.12"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 references:
 - http://tldp.org/HOWTO/LVM-HOWTO/
 condition: all
@@ -105,7 +105,7 @@ checks:
 remediation: "Disable autofs: # update-rc.d autofs disable"
 compliance:
 - cis: ["1.1.21"]
- - cis_csc: ["8.3","8.4","8.5"]
+ - cis_csc: ["8.3", "8.4", "8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -118,7 +118,7 @@ checks:
 remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils"
 compliance:
 - cis: ["1.6.3"]
- - cis_csc: ["14.4","14.6"]
+ - cis_csc: ["14.4", "14.6"]
 condition: any
 rules:
 - 'c:dpkg -s selinux-basics -> r:install ok installed'
@@ -133,7 +133,7 @@ checks:
 remediation: "Run the following command to disable cups: # systemctl disable cups"
 compliance:
 - cis: ["2.2.4"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 references:
 - 'https://www.cups.org'
 condition: none
@@ -149,7 +149,7 @@ checks:
 remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes."
 compliance:
 - cis: ["4.1.1.1"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -163,7 +163,7 @@ checks:
 remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt"
 compliance:
 - cis: ["4.1.1.2"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -179,7 +179,7 @@ checks:
 remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs"
 compliance:
 - cis: ["4.1.1.3"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -193,7 +193,7 @@ checks:
 remediation: "Run the following command to enable auditd: # systemctl enable auditd"
 compliance:
 - cis: ["4.1.2"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'c:systemctl is-enabled auditd -> r:^enabled'
@@ -205,7 +205,7 @@ checks:
 remediation: "1) Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" 2) Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings."
 compliance:
 - cis: ["4.1.3"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*'
@@ -217,7 +217,7 @@ checks:
 remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change"
 compliance:
 - cis: ["4.1.4"]
- - cis_csc: ["3.6","5.5"]
+ - cis_csc: ["3.6", "5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -235,7 +235,7 @@ checks:
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.5"]
- - cis_csc: ["5.4","4.8"]
+ - cis_csc: ["5.4", "4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -253,7 +253,7 @@ checks:
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.6"]
- - cis_csc: ["3.6","5.5"]
+ - cis_csc: ["3.6", "5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -272,7 +272,7 @@ checks:
 remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.7"]
- - cis_csc: ["3.6","5.5"]
+ - cis_csc: ["3.6", "5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -287,7 +287,7 @@ checks:
 remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.7"]
- - cis_csc: ["3.6","5.5"]
+ - cis_csc: ["3.6", "5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -302,7 +302,7 @@ checks:
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.8"]
- - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
+ - cis_csc: ["5.5", "16.10", "16.4", "4.9", "16.11", "16.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -318,7 +318,7 @@ checks:
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.9"]
- - cis_csc: ["5.5","16.10","16.4","4.9","16.11","16.13"]
+ - cis_csc: ["5.5", "16.10", "16.4", "4.9", "16.11", "16.13"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -334,7 +334,7 @@ checks:
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.10"]
- - cis_csc: ["3.6","5.5"]
+ - cis_csc: ["3.6", "5.5"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -353,7 +353,7 @@ checks:
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.11"]
- - cis_csc: ["14.6","14.9"]
+ - cis_csc: ["14.6", "14.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -370,7 +370,7 @@ checks:
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.13"]
- - cis_csc: ["13","5.1"]
+ - cis_csc: ["13", "5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -400,7 +400,7 @@ checks:
 remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.15"]
- - cis_csc: ["5.4","4.8"]
+ - cis_csc: ["5.4", "4.8"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -415,7 +415,7 @@ checks:
 remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.16"]
- - cis_csc: ["5.1","5.5","4.9"]
+ - cis_csc: ["5.1", "5.5", "4.9"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -429,7 +429,7 @@ checks:
 remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot."
 compliance:
 - cis: ["4.1.17"]
- - cis_csc: ["3","5.1"]
+ - cis_csc: ["3", "5.1"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -446,7 +446,7 @@ checks:
 remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot."
 compliance:
 - cis: ["4.1.18"]
- - cis_csc: ["3","6","6.2","6.3"]
+ - cis_csc: ["3", "6", "6.2", "6.3"]
 condition: all
 rules:
 - 'd:/etc/audit'
@@ -460,7 +460,7 @@ checks:
 remediation: "Edit the /etc/ssh/sshd_configfile to set the parameter as follows: X11Forwarding no"
 compliance:
 - cis: ["5.2.6"]
- - cis_csc: ["16","9.2"]
+ - cis_csc: ["16", "9.2"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
\ No newline at end of file
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index fbfe68163..31a563bb3 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
@@ -212,7 +212,7 @@ checks:
 remediation: "Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information. Run the following command to remount /dev/shm: # mount -o remount,noexec /dev/shm"
 compliance:
 - cis: ["1.1.17"]
- - cis_csc: ["2.6","8"]
+ - cis_csc: ["2.6", "8"]
 condition: all
 rules:
 - 'c:mount -> r:\s/dev/shm\s && r:noexec'
@@ -224,7 +224,7 @@ checks:
 remediation: "Run the following command to disable autofs: # systemctl disable autofs"
 compliance:
 - cis: ["1.1.21"]
- - cis_csc: ["8.4","8.5"]
+ - cis_csc: ["8.4", "8.5"]
 condition: none
 rules:
 - 'c:systemctl is-enabled autofs -> r:^enabled'
@@ -330,6 +330,7 @@ checks:
 - cis_csc: ["5.1"]
 - cis: ["1.7.2"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'f:/etc/gdm3/greeter.dconf-defaults -> r:^[org/gnome/login-screen]'
@@ -378,8 +379,7 @@ checks:
 - 'f:/etc/ntp.conf -> r:^restrict\s+-6\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+'
 - 'f:/etc/ntp.conf -> r:^server\.+$|^pool\.+$'
 - 'f:/etc/ntp.conf -> r:^server\s\.+'
- - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
-
+ - 'f:/etc/init.d/ntp -> r:^RUNASUSER\s*\t*=\s*\t*ntp'
 - id: 3027
 title: "Ensure chrony is configured"
 description: "chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server."
@@ -505,6 +505,7 @@ checks:
 - cis_csc: ["9.2"]
 - cis: ["2.2.11"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:dpkg -s exim4 -> install ok installed'
@@ -566,6 +567,7 @@ checks:
 - cis_csc: ["9.2"]
 - cis: ["2.2.17"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:systemctl is-enabled nis -> r:^enabled'
@@ -589,7 +591,7 @@ checks:
 remediation: "Run the following command to uninstall rsh: apt-get remove rsh-client rsh-redone-client"
 compliance:
 - cis: ["2.3.2"]
- - cis_csc: ["2.6","4.5"]
+ - cis_csc: ["2.6", "4.5"]
 condition: none
 rules:
 - 'c:dpkg -s rsh-client -> r:install ok installed'
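Review bot: In the `@@ -505` hunk the check that gains `nist_800_53: ["CM.1"]` still carries the rule `c:dpkg -s exim4 -> install ok installed`, which lacks the `r:` prefix every other dpkg rule in this diff uses (compare `c:dpkg -s rsh-client -> r:install ok installed` in the `@@ -589` hunk). If the engine treats an unprefixed pattern as an exact line match rather than a regex, that rule never matches the `Status:` line and, under `condition: none`, the check reports a pass even when exim4 is installed; since this hunk already touches the check, change it to `- 'c:dpkg -s exim4 -> r:install ok installed'`. The same `nist_800_53: ["CM.1"]` tag is added in the `@@ -330` and `@@ -566` hunks; NIST SP 800-53 writes control identifiers as `CM-1`, so the dotted form is only right if it matches the convention the project's other `nist_800_53` tags already use.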
@@ -614,7 +616,7 @@ checks: remediation: "Run the following command to uninstall telnet: # apt-get remove telnet" compliance: - cis: ["2.3.4"] - - cis_csc: ["2.6","4.5"] + - cis_csc: ["2.6", "4.5"] condition: none rules: - 'c:dpkg -s telnet -> r:install ok installed' @@ -710,7 +712,7 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.log_martians=1 # sysctl -w net.ipv4.conf.default.log_martians=1 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.4"] - - cis_csc: ["6.2","6.3"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.log_martians -> r:=\s*\t*1$' @@ -914,7 +916,7 @@ checks: remediation: "Run the following command to enable rsyslog: # systemctl enable rsyslog" compliance: - cis: ["4.2.1.1"] - - cis_csc: ["6.2","6.3"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'c:systemctl is-enabled rsyslog -> r:^enabled' @@ -926,7 +928,7 @@ checks: remediation: "Edit the /etc/rsyslog.conf and /etc/rsyslog.d/*.conf files and add the following line (where loghost.example.com is the name of your central log host): *.* @@loghost.example.com. Run the following command to reload the rsyslogd configuration: # pkill -HUP rsyslogd" compliance: - cis: ["4.2.1.4"] - - cis_csc: ["6.6","6.8"] + - cis_csc: ["6.6", "6.8"] references: - rsyslog.conf(5) man page condition: all @@ -1011,7 +1013,7 @@ checks: - https://www.ssh.com/ssh/sshd_config/ compliance: - cis: ["5.2.5"] - - cis_csc: ["6.2","6.3"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:LogLevel\s+INFO|LogLevel\s+VERBOSE' 
@@ -1192,7 +1194,7 @@ checks: remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs: PASS_MAX_DAYS 90. Modify user parameters for all users with a password set to match: # chage --maxdays 90 . Notes: You can also check this setting in /etc/shadow directly. The 5th field should be 365 or less for all users with a password. A value of -1 will disable password expiration. Additionally the password expiration must be greater than the minimum days between password changes or users will be unable to change their password." compliance: - cis: ["5.4.1.1"] - - cis_csc: ["4.4","16"] + - cis_csc: ["4.4", "16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MAX_DAYS\s*\t*(\d+) compare <= 365' @@ -1204,7 +1206,7 @@ checks: remediation: "Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs: PASS_MIN_DAYS 7. Modify user parameters for all users with a password set to match: # chage --mindays 7 . Notes: You can also check this setting in /etc/shadow directly. The 4th field should be 7 or more for all users with a password." compliance: - cis: ["5.4.1.2"] - - cis_csc: ["4.4","16"] + - cis_csc: ["4.4", "16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_MIN_DAYS\s*\t*(\d+) compare >= 7' @@ -1216,7 +1218,7 @@ checks: remediation: "Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs: PASS_WARN_AGE 7. Modify user parameters for all users with a password set to match: # chage --warndays 7 . Notes: You can also check this setting in /etc/shadow directly. The 6th field should be 7 or more for all users with a password." compliance: - cis: ["5.4.1.3"] - - cis_csc: ["4.4","16"] + - cis_csc: ["4.4", "16"] condition: all rules: - 'f:/etc/login.defs -> n:^\s*\t*PASS_WARN_AGE\s*\t*(\d+) compare >= 7' 
@@ -1228,7 +1230,7 @@ checks: remediation: "Run the following command to set the default password inactivity period to 30 days: # useradd -D -f 30. Modify user parameters for all users with a password set to match: # chage --inactive 30 . Notes: You can also check this setting in /etc/shadow directly. The 7th field should be 30 or less for all users with a password. A value of -1 would disable this setting." compliance: - cis: ["5.4.1.4"] - - cis_csc: ["4.4","16"] + - cis_csc: ["4.4", "16"] condition: all rules: - 'c:useradd -D -> n:^INACTIVE=(\d+) compare <= 30' diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml index 184f4ef06..dfa04952e 100644 --- a/sca/debian/cis_debian9_L2.yml +++ b/sca/debian/cis_debian9_L2.yml @@ -34,8 +34,8 @@ checks: rationale: "Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: ["1.1.6"] - - cis_csc: ["5.1"] + - cis: ["1.1.6"] + - cis_csc: ["5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -48,8 +48,8 @@ checks: rationale: "Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /var/tmp its own file system allows an administrator to set the noexec option on the mount, making /var/tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/tmp. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: ["1.1.7"] - - cis_csc: ["5.1"] + - cis: ["1.1.7"] + - cis_csc: ["5.1"] condition: all rules: - 'c:mount -> r:\s/var/tmp\s' @@ -60,8 +60,8 @@ checks: rationale: "There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: ["1.1.11"] - - cis_csc: ["6.4"] + - cis: ["1.1.11"] + - cis_csc: ["6.4"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -74,8 +74,8 @@ checks: rationale: "There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: ["1.1.12"] - - cis_csc: ["6.4"] + - cis: ["1.1.12"] + - cis_csc: ["6.4"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all @@ -88,8 +88,8 @@ checks: rationale: "If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." remediation: "For new installations, during installation create a custom partition setup and specify a separate partition for /home. For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate." compliance: - - cis: ["1.1.13"] - - cis_csc: ["5.1"] + - cis: ["1.1.13"] + - cis_csc: ["5.1"] references: - http://tldp.org/HOWTO/LVM-HOWTO/ condition: all 
@@ -102,8 +102,8 @@ checks: rationale: "With automounting enabled anyone with physical access could attach a USB drive or disc and have it's contents available in system even if they lacked permissions to mount it themselves." remediation: "Run the following command to disable autofs: # systemctl disable autofs" compliance: - - cis: ["1.1.22"] - - cis_csc: ["8.3","8.5"] + - cis: ["1.1.22"] + - cis_csc: ["8.3", "8.5"] condition: none rules: - 'c:systemctl is-enabled autofs -> r:^enabled' @@ -115,8 +115,8 @@ checks: rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" compliance: - - cis: ["1.6.3"] - - cis_csc: ["14.6"] + - cis: ["1.6.3"] + - cis_csc: ["14.6"] condition: any rules: - 'c:dpkg -s selinux-basics -> r:install ok installed' @@ -130,8 +130,8 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis: ["2.2.4"] - - cis_csc: ["9.2"] + - cis: ["2.2.4"] + - cis_csc: ["9.2"] references: - 'http://www.cups.org' condition: none @@ -146,8 +146,8 @@ checks: rationale: "It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost." remediation: "Set the following parameter in /etc/audit/auditd.conf in accordance with site policy: max_log_file = Notes: The max_log_file parameter is measured in megabytes." compliance: - - cis: ["4.1.1.1"] - - cis_csc: ["6.4"] + - cis: ["4.1.1.1"] + - cis_csc: ["6.4"] condition: all rules: - 'd:/etc/audit' 
@@ -160,8 +160,8 @@ checks: rationale: "In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability." remediation: "Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt" compliance: - - cis: ["4.1.1.2"] - - cis_csc: ["6.4"] + - cis: ["4.1.1.2"] + - cis_csc: ["6.4"] condition: all rules: - 'd:/etc/audit' @@ -176,8 +176,8 @@ checks: rationale: "In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history." remediation: "Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs" compliance: - - cis: ["4.1.1.3"] - - cis_csc: ["6.4"] + - cis: ["4.1.1.3"] + - cis_csc: ["6.4"] condition: all rules: - 'd:/etc/audit' @@ -190,8 +190,8 @@ checks: rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." remediation: "Run the following command to enable auditd: # systemctl enable auditd" compliance: - - cis: ["4.1.2"] - - cis_csc: ["6.2","6.3"] + - cis: ["4.1.2"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'c:systemctl is-enabled auditd -> r:^enabled' 
@@ -202,8 +202,8 @@ checks: rationale: "Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected." remediation: "Edit /etc/default/grub and add audit=1 to GRUB_CMDLINE_LINUX: GRUB_CMDLINE_LINUX=\"audit=1\" Run the following command to update the grub2 configuration: # update-grub Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings." compliance: - - cis: ["4.1.3"] - - cis_csc: ["6.2","6.3"] + - cis: ["4.1.3"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'f:/etc/default/grub -> r:^GRUB_CMDLINE_LINUX\s*=\s*\.*audit\s*=\s*1\.*' @@ -214,8 +214,8 @@ checks: rationale: "Unexpected changes in system date and/or time could be a sign of malicious activity on the system." remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time- change | -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change | -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change | -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change | -w /etc/localtime -p wa -k time-change" compliance: - - cis: ["4.1.4"] - - cis_csc: ["5.5"] + - cis: ["4.1.4"] + - cis_csc: ["5.5"] condition: all rules: - 'd:/etc/audit' 
@@ -232,8 +232,8 @@ checks: rationale: "Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.5"] - - cis_csc: ["4.8"] + - cis: ["4.1.5"] + - cis_csc: ["4.8"] condition: all rules: - 'd:/etc/audit' 
@@ -250,8 +250,8 @@ checks: rationale: "Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier \"system-locale.\"" remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale | -w /etc/issue -p wa -k system-locale | -w /etc/issue.net -p wa -k system-locale | -w /etc/hosts -p wa -k system-locale | -w /etc/sysconfig/network -p wa -k system-locale Notes: /etc/sysconfig/network is common to Red Hat and SUSE based distributions. You should expand or replace this coverage to any network configuration files on your system such as /etc/network on Debian based distributions. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.6"] - - cis_csc: ["5.5"] + - cis: ["4.1.6"] + - cis_csc: ["5.5"] condition: all rules: - 'd:/etc/audit' 
@@ -269,8 +269,8 @@ checks: rationale: "Changes to files in that directory could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." remediation: "On systems using SELinux add the following line to the /etc/audit/audit.rules file: -w /etc/selinux/ -p wa -k MAC-policy | -w /usr/share/selinux/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.7"] - - cis_csc: ["5.5"] + - cis: ["4.1.7"] + - cis_csc: ["5.5"] condition: all rules: - 'd:/etc/audit' @@ -284,8 +284,8 @@ checks: rationale: "Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system." remediation: "On systems using AppArmor add the following line to the /etc/audit/audit.rules file: -w /etc/apparmor/ -p wa -k MAC-policy | -w /etc/apparmor.d/ -p wa -k MAC-policy. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.7"] - - cis_csc: ["5.5"] + - cis: ["4.1.7"] + - cis_csc: ["5.5"] condition: all rules: - 'd:/etc/audit' @@ -299,8 +299,8 @@ checks: rationale: "Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/faillog -p wa -k logins | -w /var/log/lastlog -p wa -k logins | -w /var/log/tallylog -p wa -k logins. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.8"] - - cis_csc: ["4.9, 16.11","16.13"] + - cis: ["4.1.8"] + - cis_csc: ["4.9, 16.11", "16.13"] condition: all rules: - 'd:/etc/audit' 
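Review bot: The reformatted compliance line in the `@@ -299` (logins) hunk, `- cis_csc: ["4.9, 16.11", "16.13"]`, still stores two controls in one quoted element; the commit fixed the spacing after the comma but not the fused value. Every other `cis_csc` list in this diff keeps one control per element, so this should read `- cis_csc: ["4.9", "16.11", "16.13"]`. Tooling that filters or reports by control id will otherwise never match 4.9 or 16.11 for this check.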
@@ -315,8 +315,8 @@ checks: rationale: "Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in)." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/run/utmp -p wa -k session | -w /var/log/wtmp -p wa -k logins | -w /var/log/btmp -p wa -k logins. Notes: The last command can be used to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp). Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.9"] - - cis_csc: ["4.9, 16.11","16.13"] + - cis: ["4.1.9"] + - cis_csc: ["4.9, 16.11", "16.13"] condition: all rules: - 'd:/etc/audit' 
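Review bot: The `@@ -315` (session) hunk has the same fused element as the logins check above it, `- cis_csc: ["4.9, 16.11", "16.13"]`, where `"4.9, 16.11"` is a single string rather than two control ids. It should be `- cis_csc: ["4.9", "16.11", "16.13"]` to match the one-control-per-element convention used throughout the rest of this diff. Since the commit touched exactly this line, it is the natural place to correct it.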
@@ -331,8 +331,8 @@ checks: rationale: "Monitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod | -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.10"] - - cis_csc: ["5.5"] + - cis: ["4.1.10"] + - cis_csc: ["5.5"] condition: all rules: - 'd:/etc/audit' 
@@ -350,8 +350,8 @@ checks: rationale: "Failed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system." remediation: "For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access | -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.11"] - - cis_csc: ["14.9"] + - cis: ["4.1.11"] + - cis_csc: ["14.9"] condition: all rules: - 'd:/etc/audit' 
@@ -367,8 +367,8 @@ checks: rationale: "It is highly unusual for a non privileged user to mount file systems to the system. While tracking mount commands gives the system administrator evidence that external media may have been mounted (based on a review of the source of the mount and confirming it's an external media type), it does not conclusively indicate that data was exported to the media. System administrators who wish to determine if data were exported, would also have to track successful open , creat and truncate system calls requiring write access to a file under the mount point of the external media file system. This could give a fair indication that a write occurred. The only way to truly prove it, would be to track successful writes to the external media. Tracking write system calls could quickly fill up the audit log and is not recommended. Recommendations on configuration options to track data export to media is beyond the scope of this document." remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts. Notes: This tracks successful and unsuccessful mount commands. File system mounts do not have to come from external media and this action still does not verify write (e.g. CD ROMS). Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.13"] - - cis_csc: ["13"] + - cis: ["4.1.13"] + - cis_csc: ["13"] condition: all rules: - 'd:/etc/audit' 
@@ -382,8 +382,8 @@ checks: rationale: "Monitoring these calls from non-privileged users could provide a system administrator with evidence that inappropriate removal of files and file attributes associated with protected files is occurring. While this audit option will look at all events, system administrators will want to look for specific privileged files that are being deleted or altered." remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete | -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete. Notes: At a minimum, configure the audit system to collect file deletion events for all users and root. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.14"] - - cis_csc: ["6.2","13"] + - cis: ["4.1.14"] + - cis_csc: ["6.2", "13"] condition: all rules: - 'd:/etc/audit' @@ -397,8 +397,8 @@ checks: rationale: "Changes in the /etc/sudoers file can indicate that an unauthorized change has been made to scope of system administrator activity." remediation: "Add the following line to the /etc/audit/audit.rules file: -w /etc/sudoers -p wa -k scope | -w /etc/sudoers.d/ -p wa -k scope. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.15"] - - cis_csc: ["4.8"] + - cis: ["4.1.15"] + - cis_csc: ["4.8"] condition: all rules: - 'd:/etc/audit' 
@@ -412,8 +412,8 @@ checks: rationale: "Changes in /var/log/sudo.log indicate that an administrator has executed a command or the log file itself has been tampered with. Administrators will want to correlate the events written to the audit trail with the records written to /var/log/sudo.log to verify if unauthorized commands have been executed." remediation: "Add the following lines to the /etc/audit/audit.rules file: -w /var/log/sudo.log -p wa -k actions. Notes: The system must be configured with sudisabled (See Item 5.6 Ensure access to the su command is restricted) to force all command execution through sudo. This will not be effective on the console, as administrators can log in as root. Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.16"] - - cis_csc: ["4.9"] + - cis: ["4.1.16"] + - cis_csc: ["4.9"] condition: all rules: - 'd:/etc/audit' 
@@ -426,8 +426,8 @@ checks: rationale: "Monitoring the use of insmod, rmmod and modprobe could provide system administrators with evidence that an unauthorized user loaded or unloaded a kernel module, possibly compromising the security of the system. Monitoring of the init_module and delete_module system calls would reflect an unauthorized user attempting to use a different program to load and unload modules." remediation: "For 32 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules. For 64 bit systems add the following lines to the /etc/audit/audit.rules file: -w /sbin/insmod -p x -k modules | -w /sbin/rmmod -p x -k modules | -w /sbin/modprobe -p x -k modules | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules. Notes: Reloading the auditd config to set active settings may require a system reboot." compliance: - - cis: ["4.1.17"] - - cis_csc: ["5.1"] + - cis: ["4.1.17"] + - cis_csc: ["5.1"] condition: all rules: - 'd:/etc/audit' @@ -443,8 +443,8 @@ checks: rationale: "In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. Users would most likely notice a system reboot and that could alert administrators of an attempt to make unauthorized audit changes." remediation: "Add the following line to the end of the /etc/audit/audit.rules file: -e 2. Notes: This setting will ensure reloading the auditd config to set active settings requires a system reboot." compliance: - - cis: ["4.1.18"] - - cis_csc: ["6.2","6.3"] + - cis: ["4.1.18"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'd:/etc/audit' 
@@ -457,8 +457,8 @@ checks: rationale: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." remediation: "Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders." compliance: - - cis: ["5.2.6"] - - cis_csc: ["9.2"] + - cis: ["5.2.6"] + - cis_csc: ["9.2"] condition: all rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no' diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml index bd2ab22e3..c9ec929e7 100644 --- a/sca/generic/sca_unix_audit.yml +++ b/sca/generic/sca_unix_audit.yml @@ -37,6 +37,7 @@ checks: remediation: "Change the Port option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22\s\t*$' @@ -48,6 +49,7 @@ checks: remediation: "Change the Protocol option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*\t*$' @@ -68,6 +70,7 @@ checks: remediation: "Change the PubkeyAuthentication option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\s*\t*yes' 
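Review bot: The Port rule in the `@@ -37` hunk of sca_unix_audit.yml, `!r:^# && r:Port && !r:\s*\t*22\s\t*$`, does not anchor the directive name, so any uncommented line containing `Port` (for example `GatewayPorts no`) satisfies every clause and lets the check pass while sshd is still on port 22. The third clause also demands a whitespace character after `22`, so unless the engine's end-of-line handling differs from what I expect, a plain `Port 22` line does not match it either and the check passes in the exact case it is meant to catch. The MaxAuthTries rule later in this file shows the numeric form that fits better here, `- 'f:$sshd_file -> n:^\s*\t*Port\s*\t*(\d+) compare != 22'`, which fails for `Port 22` and, under `condition: all`, also fails when no `Port` directive is set (the default being 22); this assumes the `n:` comparator accepts `!=`, which is worth confirming.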
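Review bot: The Protocol rule in the `@@ -48` hunk, `r:^\s*\t*Protocol\s*\t*2\s*\t*$` under `condition: all`, fails whenever the directive is absent, and presumably current OpenSSH builds that have dropped protocol 1 entirely ship no `Protocol` line at all, so a fully up-to-date host would be flagged. A rule that fires only when an uncommented `Protocol` line exists with a value other than exactly `2` avoids that false positive: `condition: none` with `- 'f:$sshd_file -> r:^\s*\t*Protocol && !r:^\s*\t*Protocol\s*\t*2\s*\t*$'`. `Protocol 1` and `Protocol 2,1` still fail with that form, and an absent directive passes.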
@@ -79,6 +82,7 @@ checks: remediation: "Change the PasswordAuthentication option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> r:^\s*PasswordAuthentication\s*\t*no' @@ -90,6 +94,7 @@ checks: remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\s*\t*no' @@ -101,6 +106,7 @@ checks: remediation: "Change the IgnoreRhosts option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\s*\t*yes' @@ -112,6 +118,7 @@ checks: remediation: "Change the LoginGraceTime option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60' @@ -123,6 +130,7 @@ checks: remediation: "Change the MaxAuthTries option value in the sshd_config file." compliance: - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4' 
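Review bot: The LoginGraceTime rule in the `@@ -112` hunk, `n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60`, has a literal `s` after the capture group, so the bare-seconds form sshd accepts (`LoginGraceTime 60`) never matches and the check fails on a correctly hardened host; the MaxAuthTries rule in the following hunk carries no such suffix. Dropping it, `- 'f:$sshd_file -> n:^\s*\t*LoginGraceTime\s*\t*(\d+) compare <= 60'`, fixes the common case, but a minute-suffixed value such as `2m` would then be read as `2` and pass, so either state in the description that the value must be given in seconds or add a second rule that rejects `m`/`h` suffixes. This assumes the regex engine treats the trailing `s` literally rather than as a class, which looks to be the case given the `\s` spelling used elsewhere in the same rule.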
@@ -134,19 +142,18 @@ checks: remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" compliance: - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\s*\t*no' - - id: 4010 title: "Ensure password creation requirements are configured" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis_csc: ["4.4","5.7","16.12"] + - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -160,7 +167,7 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis_csc: ["4.4","5.7","16.12"] + - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all 
@@ -173,7 +180,7 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis_csc: ["4.4","5.7","16.12"] + - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -186,7 +193,7 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis_csc: ["4.4","5.7","16.12"] + - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -199,7 +206,7 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis_csc: ["4.4","5.7","16.12"] + - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all 
@@ -212,7 +219,7 @@ checks: rationale: "Strong passwords protect systems from being hacked through brute force methods." remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" compliance: - - cis_csc: ["4.4","5.7","16.12"] + - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all @@ -257,7 +264,7 @@ checks: rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity." remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)." compliance: - - cis_csc: ["4.4","16"] + - cis_csc: ["4.4", "16"] references: - https://www.thegeekdiary.com/understanding-etclogin-defs-file condition: any @@ -271,7 +278,7 @@ checks: rationale: "Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available." remediation: "Run one of the following commands to install SELinux or apparmor: # apt-get install selinux-basics Or: # apt-get install apparmor apparmor-profiles apparmor-utils" compliance: - - cis_csc: ["14.4","14.6"] + - cis_csc: ["14.4", "14.6"] condition: any rules: - 'c:dpkg -s selinux-basics -> r:install ok installed' 
@@ -283,7 +290,7 @@ checks: rationale: "If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface." remediation: "Run the following command to disable cups: # systemctl disable cups" compliance: - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] references: - 'https://www.cups.org' condition: none @@ -296,7 +303,7 @@ checks: rationale: "The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring." remediation: "Run the following command to enable auditd: # systemctl enable auditd" compliance: - - cis_csc: ["6.2","6.3"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'c:systemctl is-enabled auditd -> r:^enabled' diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml index df4c931e3..1fa933e10 100644 --- a/sca/rhel/5/cis_rhel5_linux.yml +++ b/sca/rhel/5/cis_rhel5_linux.yml @@ -58,6 +58,7 @@ checks: compliance: - cis: ["1.1.2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-14412-1 condition: all @@ -73,6 +74,7 @@ checks: compliance: - cis: ["1.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-14940-1 condition: all @@ -88,6 +90,7 @@ checks: compliance: - cis: ["1.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-14412-1 condition: all @@ -177,6 +180,7 @@ checks: compliance: - cis: ["1.1.10"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4249-9 condition: all @@ -192,6 +196,7 @@ checks: compliance: - cis: ["1.1.14"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-15007-8 condition: all @@ -207,6 +212,7 @@ checks: compliance: - cis: ["1.1.15"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-14306-5 condition: all 
@@ -222,6 +228,7 @@ checks: compliance: - cis: ["1.1.16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-14927-8 condition: all @@ -259,6 +266,7 @@ checks: compliance: - cis: ["1.4.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3977-6 condition: none @@ -274,6 +282,7 @@ checks: compliance: - cis: ["1.4.2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3999-0 condition: all @@ -289,6 +298,7 @@ checks: compliance: - cis: ["1.4.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3624-4 condition: all @@ -304,6 +314,7 @@ checks: compliance: - cis: ["1.4.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:setroubleshoot && r::on' @@ -317,6 +328,7 @@ checks: compliance: - cis: ["1.4.5"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3668-1 condition: none @@ -335,6 +347,7 @@ checks: compliance: - cis: ["1.5.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3818-2 condition: all @@ -350,6 +363,7 @@ checks: compliance: - cis: ["1.5.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4241-6 condition: none @@ -365,6 +379,7 @@ checks: compliance: - cis: ["1.5.5"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4245-7 condition: all @@ -383,6 +398,7 @@ checks: compliance: - cis: ["1.6.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh ^*[[:space:]]*hard[[:space:]][[:space:]]*core[[:space:]][[:space:]]* /etc/security/limits.conf /etc/security/limits.d -> r:\s*\t*0$' @@ -398,6 +414,7 @@ checks: compliance: - cis: ["1.6.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4146-7 condition: all @@ -414,6 +431,7 @@ checks: compliance: - cis: ["1.6.2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4168-1 condition: all 
@@ -561,6 +579,7 @@ checks: compliance: - cis: ["3.3"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/inittab -> r:^\s*id:3:initdefault' @@ -575,6 +594,7 @@ checks: compliance: - cis: ["3.1.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:avahi-daemon && r::on' @@ -588,6 +608,7 @@ checks: compliance: - cis: ["3.8"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:/sbin/chkconfig --list -> r:nfslock|rpcgssd|rpcidmapd|portmap && r::on' @@ -615,6 +636,7 @@ checks: compliance: - cis: ["3.11"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa httpd -> r:\.' @@ -628,6 +650,7 @@ checks: compliance: - cis: ["3.12"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa dovecot -> r:\.' @@ -641,6 +664,7 @@ checks: compliance: - cis: ["3.13"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa samba -> r:\.' @@ -654,6 +678,7 @@ checks: compliance: - cis: ["3.14"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa squid -> r:\.' @@ -667,6 +692,7 @@ checks: compliance: - cis: ["3.15"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa net-snmp -> r:\.' @@ -686,6 +712,7 @@ checks: compliance: - cis: ["4.1.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3561-8 condition: all @@ -702,6 +729,7 @@ checks: compliance: - cis: ["4.1.2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4151-7 - CCE-4155-8 @@ -724,6 +752,7 @@ checks: compliance: - cis: ["4.2.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4236-6 - CCE-4091-5 @@ -743,6 +772,7 @@ checks: compliance: - cis: ["4.2.2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4217-6 - CCE-4186-3 
@@ -762,6 +792,7 @@ checks: compliance: - cis: ["4.2.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3472-8 - CCE-3339-9 @@ -781,6 +812,7 @@ checks: compliance: - cis: ["4.2.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4320-8 condition: all @@ -799,6 +831,7 @@ checks: compliance: - cis: ["4.2.5"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-3644-2 condition: all @@ -815,6 +848,7 @@ checks: compliance: - cis: ["4.2.6"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4133-5 condition: all @@ -831,6 +865,7 @@ checks: compliance: - cis: ["4.2.7"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4080-8 - CCE-3840-6 @@ -850,6 +885,7 @@ checks: compliance: - cis: ["4.2.8"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] references: - CCE-4265-5 condition: all @@ -872,7 +908,7 @@ checks: compliance: - cis: ["6.2.1"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] references: - CCE-4245-7 @@ -891,7 +927,7 @@ checks: - cis: ["5.2.3"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -907,6 +943,7 @@ checks: - cis: ["5.2.5"] - cis_csc: ["16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -920,7 +957,7 @@ checks: compliance: - cis: ["6.2.6"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] references: - CCE-4250-7 
@@ -937,7 +974,7 @@ checks: compliance: - cis: ["6.2.7"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] references: - CCE-4251-5 @@ -954,7 +991,7 @@ checks: compliance: - cis: ["6.2.8"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] references: - CCE-4252-3 @@ -971,7 +1008,7 @@ checks: compliance: - cis: ["6.2.9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] references: - CCE-4256-4 @@ -995,7 +1032,7 @@ checks: - cis: ["9.2.5"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] references: - CCE-4009-7 condition: none diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index f5a0fea63..54cc3905e 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -58,6 +58,7 @@ checks: compliance: - cis: ["1.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -71,6 +72,7 @@ checks: compliance: - cis: ["1.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -85,6 +87,7 @@ checks: - cis: ["1.1.5"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -168,6 +171,7 @@ checks: compliance: - cis: ["1.1.14"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/home\s && r:nodev' 
@@ -181,6 +185,7 @@ checks: compliance: - cis: ["1.1.15"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' @@ -194,6 +199,7 @@ checks: compliance: - cis: ["1.1.16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' @@ -208,6 +214,7 @@ checks: - cis: ["1.1.17"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' @@ -225,6 +232,7 @@ checks: - cis: ["1.6.1.1"] - cis_csc: ["14.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: none rules: - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0' @@ -239,6 +247,7 @@ checks: - cis: ["1.6.1.2"] - cis_csc: ["14.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$' @@ -252,6 +261,7 @@ checks: compliance: - cis: ["1.6.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$' @@ -265,6 +275,7 @@ checks: compliance: - cis: ["1.6.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa setroubleshoot -> r:\.' @@ -278,6 +289,7 @@ checks: compliance: - cis: ["1.6.1.5"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa mcstrans -> r:\.' @@ -295,6 +307,7 @@ checks: - cis: ["1.4.2"] - cis_csc: ["5.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5' @@ -309,6 +322,7 @@ checks: - cis: ["1.4.3"] - cis_csc: ["5.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin' @@ -323,6 +337,7 @@ checks: - cis: ["1.4.4"] - cis_csc: ["5.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/sysconfig/init -> r:^PROMPT=no$' 
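Review bot: The bootloader-password rule kept as context at the end of the `@@ -295,6 +307,7 @@` hunk, `f:/boot/grub/grub.cfg -> !r:^# && r:password --md5`, reads a GRUB2-style path, while the SELinux bootloader check in the `@@ -225,6 +232,7 @@` hunk of the same file reads `/etc/grub.conf`. RHEL 6 ships GRUB legacy, whose configuration is `/boot/grub/grub.conf` (the target of `/etc/grub.conf`), so I would expect `/boot/grub/grub.cfg` to be absent and this check to fail on every host whether or not a password is set; the sles11 counterpart later in this commit reads `/boot/grub/menu.lst`, which is the legacy layout. Please confirm on a RHEL 6 host; if confirmed, `- 'f:/etc/grub.conf -> !r:^# && r:password --md5'` makes both checks agree on the file. The commit only touches the compliance list of this block.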
@@ -373,7 +388,7 @@ checks: remediation: "Run the following command to disable telnet: # chkconfig telnet off" compliance: - cis: ["2.1.8"] - - cis_csc: ["3.4","9.1"] + - cis_csc: ["3.4", "9.1"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] condition: none @@ -470,6 +485,7 @@ checks: - cis: ["2.2.2"] - cis_csc: ["2"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa xorg-x11* -> r:\.' @@ -484,6 +500,7 @@ checks: - cis: ["2.2.3"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:avahi-daemon && r::on' @@ -498,6 +515,7 @@ checks: - cis: ["2.2.7"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:nfs|rpcbind && r::on' @@ -512,6 +530,7 @@ checks: - cis: ["2.2.9"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:vsftpd && r::on' @@ -539,6 +558,7 @@ checks: - cis: ["2.2.11"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:dovecot && r::on' @@ -553,6 +573,7 @@ checks: - cis: ["2.2.12"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:smb && r::on' @@ -567,6 +588,7 @@ checks: - cis: ["2.2.13"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:squid && r::on' @@ -581,6 +603,7 @@ checks: - cis: ["2.2.14"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:snmpd && r::on' 
@@ -599,8 +622,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and run # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.1.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$' @@ -614,8 +638,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters." compliance: - cis: ["3.1.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' @@ -634,8 +659,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters" compliance: - cis: ["3.2.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' @@ -651,8 +677,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters." compliance: - cis: ["3.2.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' 
@@ -668,8 +695,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.3"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' @@ -687,6 +715,7 @@ checks: - cis: ["3.2.4"] - cis_csc: ["6"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' @@ -702,8 +731,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters." compliance: - cis: ["3.2.5"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' @@ -718,6 +748,7 @@ checks: compliance: - cis: ["3.2.6"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' @@ -732,6 +763,7 @@ checks: compliance: - cis: ["3.2.7"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' 
@@ -747,8 +779,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." compliance: - cis: ["3.2.8"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' @@ -770,7 +803,7 @@ checks: - cis: ["5.2.2"] - cis_csc: ["3.4"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -786,7 +819,7 @@ checks: - cis: ["5.2.3"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -802,6 +835,7 @@ checks: - cis: ["5.2.5"] - cis_csc: ["16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -816,7 +850,7 @@ checks: - cis: ["5.2.6"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -832,7 +866,7 @@ checks: - cis: ["5.2.7"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: 
@@ -848,7 +882,7 @@ checks: - cis: ["5.2.8"] - cis_csc: ["5.8"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -864,7 +898,7 @@ checks: - cis: ["5.2.9"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -887,7 +921,7 @@ checks: - cis_csc: ["5.1"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] condition: none rules: - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml index 6220b4413..a8f53f479 100644 --- a/sca/rhel/7/cis_rhel7_linux.yml +++ b/sca/rhel/7/cis_rhel7_linux.yml @@ -58,6 +58,7 @@ checks: compliance: - cis: ["1.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -71,6 +72,7 @@ checks: compliance: - cis: ["1.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -85,6 +87,7 @@ checks: - cis: ["1.1.5"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -168,6 +171,7 @@ checks: compliance: - cis: ["1.1.14"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/home\s && r:nodev' @@ -181,6 +185,7 @@ checks: compliance: - cis: ["1.1.15"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' @@ -194,6 +199,7 @@ checks: compliance: - cis: ["1.1.16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' 
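Review bot: The UID 0 rule kept as context in the `@@ -887,7 +921,7 @@` hunk, `r:^\w+:\w+:0:`, requires at least one word character in the password field, so an entry with an empty password field (no password required to log in) or a locked one (`*`, `!`) never matches and the check passes; the empty-field case is exactly the one a defender most wants flagged. The middle `\w+` should accept an empty value and punctuation, and the exact token depends on the SCA regex dialect, so verify the fix against a constructed passwd line such as `toor::0:0::/root:/bin/sh` rather than trusting the pattern. The rhel7 hunk `@@ -1023,7 +1058,7 @@` carries the identical rule and needs the same change; the rhel5 hunk `@@ -995,7 +1032,7 @@` gets the same compliance remap but its rule line is outside that hunk. The commit only remaps `IA.10` to `AU.14` here and leaves the rule untouched.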
@@ -208,6 +214,7 @@ checks: - cis: ["1.1.17"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' @@ -225,6 +232,7 @@ checks: - cis: ["1.6.1.2"] - cis_csc: ["14.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sestatus -> r:^SELinux status:\s+enabled$' @@ -241,6 +249,7 @@ checks: compliance: - cis: ["1.6.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sestatus -> r:^Loaded policy name:\s+targeted$' @@ -255,6 +264,7 @@ checks: compliance: - cis: ["1.6.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$' @@ -268,6 +278,7 @@ checks: compliance: - cis: ["1.6.1.5"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$' @@ -285,6 +296,7 @@ checks: - cis: ["1.4.2"] - cis_csc: ["5.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+' @@ -537,6 +549,7 @@ checks: - cis: ["2.2.2"] - cis_csc: ["2"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+' @@ -551,6 +564,7 @@ checks: - cis: ["2.2.3"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled avahi-daemon -> r:^enabled' @@ -565,6 +579,7 @@ checks: - cis: ["2.2.5"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] references: - More detailed documentation on DHCP is available at https://www.isc.org/software/dhcp condition: none @@ -581,6 +596,7 @@ checks: - cis: ["2.2.6"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] references: - More detailed documentation on OpenLDAP is available at https://www.openldap.org condition: none 
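Review bot: The rule kept as context in the `@@ -285,6 +296,7 @@` hunk, `f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+`, appears to inspect the wrong file: as far as I know `grub2-setpassword` on RHEL 7 writes the `GRUB2_PASSWORD=` line to `/boot/grub2/user.cfg`, which `grub.cfg` merely sources, so `^GRUB2_PASSWORD=` would not match in `grub.cfg` even on a correctly hardened host and the check would always fail. Please verify on a RHEL 7 host with a bootloader password set; if confirmed, `- 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD=\.+'` is the one-line fix. The commit only adds the `nist_800_53` mapping to this block.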
@@ -597,6 +613,7 @@ checks: - cis: ["2.2.1.2"] - cis_csc: ["6.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod\s+ && r:\s+nomodify\s+ && r:\s+notrap\s+ && r:\s+nopeer\s+ && r:\s+noquery\s+' @@ -615,6 +632,7 @@ checks: - cis: ["2.2.1.2"] - cis_csc: ["6.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/chrony.conf -> r:^server\.+$|^pool\.+$' @@ -630,6 +648,7 @@ checks: - cis: ["2.2.7"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled nfs -> r:^enabled' @@ -646,6 +665,7 @@ checks: - cis: ["2.2.9"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled vsftpd -> r:^enabled' @@ -673,6 +693,7 @@ checks: - cis: ["2.2.11"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled dovecot -> r:^enabled' @@ -687,6 +708,7 @@ checks: - cis: ["2.2.12"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled smb -> r:^enabled' @@ -701,6 +723,7 @@ checks: - cis: ["2.2.13"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled squid -> r:^enabled' @@ -715,6 +738,7 @@ checks: - cis: ["2.2.14"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled snmpd -> r:^enabled' @@ -733,8 +757,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0 and set the active kernel parameters." compliance: - cis: ["3.1.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:^net.ipv4.ip_forward\s*=\s*0$' 
@@ -748,8 +773,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0; net.ipv4.conf.default.send_redirects = 0 and set the active kernel parameters. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0; # sysctl -w net.ipv4.conf.default.send_redirects=0; # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.1.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' @@ -768,8 +794,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0; net.ipv4.conf.default.accept_source_route = 0 and set the active kernel parameters." compliance: - cis: ["3.2.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' @@ -785,8 +812,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0; net.ipv4.conf.default.accept_redirects = 0 and set the active kernel parameters." compliance: - cis: ["3.2.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' 
@@ -802,8 +830,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0; net.ipv4.conf.default.secure_redirects = 0 and set the active kernel parameters." compliance: - cis: ["3.2.3"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' @@ -821,6 +850,7 @@ checks: - cis: ["3.2.4"] - cis_csc: ["6"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$' @@ -836,8 +866,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 and set the active kernel parameters." compliance: - cis: ["3.2.5"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$' @@ -851,8 +882,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1 and set the active kernel parameters." compliance: - cis: ["3.2.6"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$' 
@@ -866,8 +898,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1; net.ipv4.conf.default.rp_filter = 1 and set the active kernel parameters." compliance: - cis: ["3.2.7"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$' @@ -883,8 +916,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1 and set the active kernel parameters." compliance: - cis: ["3.2.8"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' @@ -906,7 +940,7 @@ checks: - cis: ["5.2.2"] - cis_csc: ["3.4"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -922,7 +956,7 @@ checks: - cis: ["5.2.3"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -938,6 +972,7 @@ checks: - cis: ["5.2.5"] - cis_csc: ["16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -952,7 +987,7 @@ checks: - cis: ["5.2.6"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: 
@@ -968,7 +1003,7 @@ checks: - cis: ["5.2.7"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -984,7 +1019,7 @@ checks: - cis: ["5.2.8"] - cis_csc: ["5.8"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -1000,7 +1035,7 @@ checks: - cis: ["5.2.9"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -1023,7 +1058,7 @@ checks: - cis_csc: ["5.1"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] condition: none rules: - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml index 6ef94e4dc..e3e002f23 100644 --- a/sca/sles/11/cis_sles11_linux.yml +++ b/sca/sles/11/cis_sles11_linux.yml @@ -53,6 +53,7 @@ checks: compliance: - cis: ["1.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -65,6 +66,7 @@ checks: compliance: - cis: ["1.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -79,6 +81,7 @@ checks: - cis: ["1.1.5"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -148,6 +151,7 @@ checks: compliance: - cis: ["1.1.14"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/home\s && r:nodev' 
@@ -161,6 +165,7 @@ checks: compliance: - cis: ["1.1.15"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' @@ -174,6 +179,7 @@ checks: compliance: - cis: ["1.1.16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' @@ -188,6 +194,7 @@ checks: - cis: ["1.1.17"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' @@ -205,6 +212,7 @@ checks: - cis: ["1.4.2"] - cis_csc: ["5.1"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/boot/grub/menu.lst -> r:^password --md5' @@ -270,7 +278,7 @@ checks: - cis_csc: ["9.1"] condition: none rules: - - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on' + - 'c:chkconfig --list -> r:daytime:|daytime-udp: && r::on' - id: 6017 @@ -316,7 +324,7 @@ checks: remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" compliance: - cis: ["2.1.6"] - - cis_csc: ["3.4","9.1"] + - cis_csc: ["3.4", "9.1"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] condition: none @@ -344,7 +352,7 @@ checks: remediation: "Run the following command to disable telnet: # chkconfig telnet off" compliance: - cis: ["2.1.8"] - - cis_csc: ["3.4","9.1"] + - cis_csc: ["3.4", "9.1"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] condition: none @@ -371,8 +379,9 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsyncd : # chkconfig rsyncd off" compliance: - - cis: ["2.1.10","2.2.17"] + - cis: ["2.1.10", "2.2.17"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:rsync: && r::on' 
@@ -389,6 +398,7 @@ checks:
 - cis: ["2.2.1.2"]
 - cis_csc: ["6.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: any
 rules:
 - 'f:/etc/ntp.conf -> r:restrict -4 default && r:kod && r:limited && r:nomodify && r:notrap && r:nopeer && r:noquery'
@@ -406,6 +416,7 @@ checks:
 - cis: ["2.2.2"]
 - cis_csc: ["2"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:rpm -qa xorg-x11* -> r:\.'
@@ -420,6 +431,7 @@ checks:
 - cis: ["2.2.3"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:avahi-daemon && r::on'
@@ -446,6 +458,7 @@ checks:
 - cis: ["2.2.7"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:nfs|rpcbind && r::on'
@@ -459,6 +472,7 @@ checks:
 - cis: ["2.2.8"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:named && r::on'
@@ -472,6 +486,7 @@ checks:
 - cis: ["2.2.9"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:vsftpd && r::on'
@@ -498,6 +513,7 @@ checks:
 - cis: ["2.2.11"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list cyrus -> r:cyrus && r::on'
@@ -512,6 +528,7 @@ checks:
 - cis: ["2.2.12"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:smb && r::on'
@@ -525,6 +542,7 @@ checks:
 - cis: ["2.2.13"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: none
 rules:
 - 'c:chkconfig --list -> r:squid && r::on'
@@ -538,6 +556,7 @@ checks:
 - cis: ["2.2.14"]
 - cis_csc: ["9.1"]
 - pci_dss: ["2.2.2"]
+ - nist_800_53: ["CM.1"]
 condition: node
 rules:
 - 'c:chkconfig --list -> r:snmpd && r::on'
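Review bot: The ntp rule in the `@@ -389,6 +398,7 @@` hunk is unanchored and does not exclude comment lines, so a commented-out line such as `# restrict -4 default kod limited nomodify notrap nopeer noquery` satisfies every `r:` term and the check passes on a host whose ntpd is still wide open. The SLES 12 policy in this same commit already anchors the equivalent rule with `r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod ...`, and this one should match it. This check is also `condition: any`; if the rules outside this hunk cover the `-6` restrict line, a host that restricts only IPv4 still passes, so `condition: all` (as in the SLES 12 file) looks like the intended semantics.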
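Review bot: `condition: node` in the `@@ -538,6 +556,7 @@` hunk (snmpd, CIS 2.2.14) is a typo for `none`; every sibling service check in this file uses `condition: none`. Depending on how the SCA engine treats an unrecognised condition value, this check is either rejected when the policy loads or evaluated with a default that inverts its meaning, so a host with snmpd enabled may be reported compliant. The context line should read `condition: none`.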
@@ -585,8 +604,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.1.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.ip_forward -> r:=\s*0$' @@ -600,8 +620,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.1.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:/sbin/sysctl net.ipv4.conf.all.send_redirects -> r:=\s*0$' @@ -620,8 +641,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_source_route /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' 
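Review bot: The rule in the `@@ -620,8 +641,9 @@` hunk greps `/etc/sysctl.conf` and `/etc/sysctl.d/` for `net.ipv4.conf.all.accept_source_route`, so it verifies only the persisted setting, not the running kernel, while the 3.1.1 and 3.1.2 checks just above query `/sbin/sysctl`. Because `grep -Rh` prints every matching line, a single `= 0` line also satisfies the check even when a later sysctl.d file overrides it with `= 1`, and a value changed at runtime is never seen. Consider adding the live check the sibling rules use, `- 'c:/sbin/sysctl net.ipv4.conf.all.accept_source_route -> r:=\s*0$'`, under the existing `condition: all`; the rule for the `.default.` parameter named in the remediation, if present, is outside this hunk.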
@@ -637,8 +659,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1." compliance: - cis: ["3.2.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.conf\.all\.accept_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' @@ -654,8 +677,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1." compliance: - cis: ["3.2.3"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.conf\.all\.secure_redirects /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*0$' @@ -672,6 +696,7 @@ checks: - cis: ["3.2.4"] - cis_csc: ["6"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.conf\.all\.log_martians /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' 
@@ -687,8 +712,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1." compliance: - cis: ["3.2.5"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' @@ -702,8 +728,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1." compliance: - cis: ["3.2.6"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.icmp_ignore_bogus_error_responses /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' @@ -717,8 +744,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.7"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.conf\.all\.rp_filter /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' 
@@ -734,8 +762,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.8"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/ -> r:=\s*1$' @@ -757,7 +786,7 @@ checks: - cis: ["5.2.2"] - cis_csc: ["3.4"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -773,7 +802,7 @@ checks: - cis: ["5.2.3"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -789,6 +818,7 @@ checks: - cis: ["5.2.5"] - cis_csc: ["16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> n:^MaxAuthTries\s+(\d+) compare <= 4' @@ -803,7 +833,7 @@ checks: - cis: ["5.2.6"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -819,7 +849,7 @@ checks: - cis: ["5.2.7"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: 
@@ -835,7 +865,7 @@ checks: - cis: ["5.2.8"] - cis_csc: ["5.8"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -851,7 +881,7 @@ checks: - cis: ["5.2.9"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -874,7 +904,7 @@ checks: - cis_csc: ["5.1"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] condition: none rules: - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:' @@ -889,7 +919,7 @@ checks: - cis_csc: ["16"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] condition: none rules: - 'f:/etc/shadow -> r:^\w+::' diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml index 1128d275a..b90e7f5a0 100644 --- a/sca/sles/12/cis_sles12_linux.yml +++ b/sca/sles/12/cis_sles12_linux.yml @@ -51,6 +51,7 @@ checks: compliance: - cis: ["1.1.3"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nodev' @@ -63,6 +64,7 @@ checks: compliance: - cis: ["1.1.4"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:nosuid' @@ -77,6 +79,7 @@ checks: - cis: ["1.1.5"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/tmp\s && r:noexec' @@ -147,6 +150,7 @@ checks: compliance: - cis: ["1.1.14"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/home\s && r:nodev' 
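Review bot: The UID-0 rule in the `@@ -874,7 +904,7 @@` hunk negates with `not r:^\s*\t*root:` while the equivalent rules in the other two policies in this commit use `!r:^\s*\t*root:`; if the rule parser only recognises `!` as the in-rule negation, the `not r:` term never matches, the rule can never fire, and under `condition: none` the check silently passes. Align it with the siblings: `- 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'`. As in the sibling policies, `\w+` in the password field also fails to match a locked (`*`, `!`) or empty entry, so a parked UID 0 account escapes the check; a pattern accepting punctuation or an empty field should be used once validated against the SCA regex engine.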
@@ -160,6 +164,7 @@ checks: compliance: - cis: ["1.1.15"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nodev' @@ -173,6 +178,7 @@ checks: compliance: - cis: ["1.1.16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:nosuid' @@ -187,6 +193,7 @@ checks: - cis: ["1.1.17"] - cis_csc: ["2"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:mount -> r:\s/dev/shm\s && r:noexec' @@ -298,7 +305,7 @@ checks: remediation: "Run the following commands to disable rsh , rlogin , and rexec : # chkconfig rexec off # chkconfig rlogin off # chkconfig rsh off" compliance: - cis: ["2.1.6"] - - cis_csc: ["3.4","9.1"] + - cis_csc: ["3.4", "9.1"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] condition: none @@ -326,7 +333,7 @@ checks: remediation: "Run the following command to disable telnet: # chkconfig telnet off" compliance: - cis: ["2.1.8"] - - cis_csc: ["3.4","9.1"] + - cis_csc: ["3.4", "9.1"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] condition: none @@ -339,7 +346,7 @@ checks: rationale: "TFTP does not support authentication nor does it ensure the confidentiality or integrity of data. It is recommended that TFTP be removed, unless there is a specific need for TFTP. In that case, extreme caution must be used when configuring the services." remediation: "Run the following command to disable tftp: # systemctl disable atftpd" compliance: - - cis: ["2.1.9","2.2.17"] + - cis: ["2.1.9", "2.2.17"] - cis_csc: ["9.1"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] 
@@ -353,8 +360,9 @@ checks: rationale: "The rsyncd service presents a security risk as it uses unencrypted protocols for communication." remediation: "Run the following command to disable rsyncd: # systemctl disable rsyncd" compliance: - - cis: ["2.1.10","2.2.18"] + - cis: ["2.1.10", "2.2.18"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:chkconfig --list -> r:rsync: && r::on' @@ -383,6 +391,7 @@ checks: - cis: ["2.2.1.2"] - cis_csc: ["6.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:/etc/ntp.conf -> r:^restrict\s+-4\s+default|^restrict\s+default && r:\s+kod && r:\s+nomodify && r:\s+notrap && r:\s+nopeer && r:\s+noquery' @@ -400,6 +409,7 @@ checks: - cis: ["2.2.2"] - cis_csc: ["2"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:rpm -qa xorg-x11* -> r:\.' @@ -414,6 +424,7 @@ checks: - cis: ["2.2.3"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled avahi-daemon -> r:enabled' @@ -440,6 +451,7 @@ checks: - cis: ["2.2.7"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled nfs -> r:enabled' @@ -454,6 +466,7 @@ checks: - cis: ["2.2.8"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled named -> r:enabled' @@ -467,6 +480,7 @@ checks: - cis: ["2.2.9"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled vsftpd -> r:enabled' @@ -493,6 +507,7 @@ checks: - cis: ["2.2.11"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled dovecot -> r:enabled' @@ -507,6 +522,7 @@ checks: - cis: ["2.2.12"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled smb -> r:enabled' 
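Review bot: The rsyncd rule in the `@@ -353,8 +360,9 @@` hunk still shells out to `chkconfig --list`, although the remediation on the line above says `systemctl disable rsyncd` and the other service checks in this SLES 12 policy use `systemctl is-enabled`. On a systemd host `chkconfig --list` typically reports only SysV init scripts, so a natively enabled `rsyncd.service` is not listed and the check passes under `condition: none`. Use `- 'c:systemctl is-enabled rsyncd -> r:enabled'`, consistent with the avahi, nfs and named rules in the following hunks.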
@@ -520,6 +536,7 @@ checks: - cis: ["2.2.13"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled squid -> r:enabled' @@ -533,6 +550,7 @@ checks: - cis: ["2.2.14"] - cis_csc: ["9.1"] - pci_dss: ["2.2.2"] + - nist_800_53: ["CM.1"] condition: none rules: - 'c:systemctl is-enabled snmpd -> r:enabled' @@ -580,8 +598,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.ip_forward = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.ip_forward=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.1.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.ip_forward -> r:\s0$' @@ -595,8 +614,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.send_redirects=0 # sysctl -w net.ipv4.conf.default.send_redirects=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.1.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.send_redirects -> r:^net.ipv4.conf.all.send_redirects\s*=\s*0$' 
@@ -615,8 +635,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_source_route=0 # sysctl -w net.ipv4.conf.default.accept_source_route=0 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.1"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_source_route -> r:^net.ipv4.conf.all.accept_source_route\s*=\s*0$' @@ -632,8 +653,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.accept_redirects=0 # sysctl -w net.ipv4.conf.default.accept_redirects=0 # sysctl -w net.ipv4.route.flush=1." compliance: - cis: ["3.2.2"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.accept_redirects -> r:^net.ipv4.conf.all.accept_redirects\s*=\s*0$' @@ -649,8 +671,9 @@ checks: remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.secure_redirects=0 # sysctl -w net.ipv4.conf.default.secure_redirects=0 # sysctl -w net.ipv4.route.flush=1." compliance: - cis: ["3.2.3"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:sysctl net.ipv4.conf.all.secure_redirects -> r:^net.ipv4.conf.all.secure_redirects\s*=\s*0$' 
@@ -667,6 +690,7 @@ checks:
 - cis: ["3.2.4"]
 - cis_csc: ["6"]
 - pci_dss: ["2.2.4"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.log_martians -> r:^net.ipv4.conf.all.log_martians\s*=\s*1$'
@@ -682,8 +706,9 @@ checks:
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
 - cis: ["3.2.5"]
- - cis_csc: ["3","11"]
+ - cis_csc: ["3", "11"]
 - pci_dss: ["2.2.4"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -697,8 +722,9 @@ checks:
 remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.icmp_ignore_bogus_error_responses = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 # sysctl -w net.ipv4.route.flush=1."
 compliance:
 - cis: ["3.2.6"]
- - cis_csc: ["3","11"]
+ - cis_csc: ["3", "11"]
 - pci_dss: ["2.2.4"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.icmp_ignore_bogus_error_responses -> r:^net.ipv4.icmp_ignore_bogus_error_responses\s*=\s*1$'
@@ -712,8 +738,9 @@ checks:
 remediation: "Set the following parameters in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.conf.all.rp_filter=1 # sysctl -w net.ipv4.conf.default.rp_filter=1 # sysctl -w net.ipv4.route.flush=1"
 compliance:
 - cis: ["3.2.7"]
- - cis_csc: ["3","11"]
+ - cis_csc: ["3", "11"]
 - pci_dss: ["2.2.4"]
+ - nist_800_53: ["CM.1"]
 condition: all
 rules:
 - 'c:sysctl net.ipv4.conf.all.rp_filter -> r:^net.ipv4.conf.all.rp_filter\s*=\s*1$'
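Review bot: The rule in the `@@ -682,8 +706,9 @@` hunk (CIS 3.2.5, broadcast ICMP requests) queries `net.ipv4.icmp_ignore_bogus_error_responses`, which is the 3.2.6 parameter already tested by the next hunk; `net.ipv4.icmp_echo_ignore_broadcasts`, the parameter named in this check's own remediation text, is never examined, so a host that still answers broadcast pings is reported compliant whenever 3.2.6 is set. The rule should read `- 'c:sysctl net.ipv4.icmp_echo_ignore_broadcasts -> r:^net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*1$'`. The SLES 11 policy in this same commit checks the correct parameter.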
@@ -729,8 +756,9 @@ checks: remediation: "Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file: net.ipv4.tcp_syncookies = 1. Run the following commands to set the active kernel parameters: # sysctl -w net.ipv4.tcp_syncookies=1 # sysctl -w net.ipv4.route.flush=1" compliance: - cis: ["3.2.8"] - - cis_csc: ["3","11"] + - cis_csc: ["3", "11"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'c:grep -Rh net\.ipv4\.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d -> r:^net.ipv4.tcp_syncookies\s*=\s*1$' @@ -752,7 +780,7 @@ checks: - cis: ["5.2.2"] - cis_csc: ["3.4"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -768,7 +796,7 @@ checks: - cis: ["5.2.3"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -784,6 +812,7 @@ checks: - cis: ["5.2.5"] - cis_csc: ["16"] - pci_dss: ["2.2.4"] + - nist_800_53: ["CM.1"] condition: all rules: - 'f:$sshd_file -> !r:^\s*\t*# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4' @@ -798,7 +827,7 @@ checks: - cis: ["5.2.6"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -814,7 +843,7 @@ checks: - cis: ["5.2.7"] - cis_csc: ["9"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: 
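Review bot: The tcp_syncookies rule in the `@@ -729,8 +756,9 @@` hunk greps the sysctl configuration files rather than querying the kernel, unlike every other 3.x rule in this SLES 12 policy, so it confirms persistence but not that SYN cookies are active now; and because `grep -Rh` prints every matching line, an `= 1` in /etc/sysctl.conf satisfies the check even if a later /etc/sysctl.d file sets `= 0`. Consider pairing it with the live check, `- 'c:sysctl net.ipv4.tcp_syncookies -> r:^net.ipv4.tcp_syncookies\s*=\s*1$'`, under the existing `condition: all`.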
@@ -830,7 +859,7 @@ checks: - cis: ["5.2.8"] - cis_csc: ["5.8"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: all rules: @@ -846,7 +875,7 @@ checks: - cis: ["5.2.9"] - cis_csc: ["16"] - pci_dss: ["4.1"] - - hipaa: ["164.312.a.2.IV","164.312.e.1","164.312.e.2.I","164.312.e.2.II"] + - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"] - nist_800_53: ["SC.8"] condition: none rules: @@ -869,7 +898,7 @@ checks: - cis_csc: ["5.1"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] condition: none rules: - 'f:/etc/passwd -> !r:^\s*\t*# && !r:^\s*\t*root: && r:^\w+:\w+:0:' @@ -884,7 +913,7 @@ checks: - cis_csc: ["16"] - pci_dss: ["10.2.5"] - hipaa: ["164.312.b"] - - nist_800_53: ["IA.10","AC.7"] + - nist_800_53: ["AU.14", "AC.7"] condition: none rules: - 'f:/etc/shadow -> r:^\w+::' diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index 3e03b0d1e..37d8b5e5e 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml @@ -62,7 +62,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" compliance: - cis: ["2.3.2.1"] - - cis_csc: ["6.2","6.3"] + - cis_csc: ["6.2", "6.3"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -384,7 +384,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" compliance: - cis: ["2.3.10.5"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -398,7 +398,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" compliance: - cis: ["2.3.10.6"] - - cis_csc: ["14.1","14.2"] + - cis_csc: ["14.1", "14.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -412,7 +412,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" compliance: - cis: ["2.3.10.7"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
@@ -426,7 +426,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths" compliance: - cis: ["2.3.10.8"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' @@ -440,7 +440,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" compliance: - cis: ["2.3.10.9"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -454,7 +454,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM" compliance: - cis: ["2.3.10.10"] - - cis_csc: ["5.1","9.1","9.2"] + - cis_csc: ["5.1", "9.1", "9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' @@ -468,7 +468,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" compliance: - cis: ["2.3.10.11"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -482,7 +482,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" compliance: - cis: ["2.3.10.12"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -496,7 +496,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" compliance: - cis: ["2.3.11.1"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -648,7 +648,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" compliance: - cis: ["2.3.15.2"] - - cis_csc: ["14.4","14.6"] + - cis_csc: ["14.4", "14.6"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager' @@ -788,7 +788,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Computer Browser" compliance: - cis: ["5.3"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser' @@ -801,7 +801,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\IIS Admin Service" compliance: - cis: ["5.6"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] condition: any rules: - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN' @@ -814,7 +814,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service" compliance: - cis: ["5.7"] - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon' 
@@ -828,7 +828,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Internet Connection Sharing (ICS)"
 compliance:
 - cis: ["5.8"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
@@ -842,7 +842,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\LxssManager"
 compliance:
 - cis: ["5.10"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager'
@@ -855,7 +855,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft FTP Service"
 compliance:
 - cis: ["5.11"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
@@ -868,7 +868,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Procedure Call (RPC) Locator"
 compliance:
 - cis: ["5.24"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'
@@ -882,7 +882,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access"
 compliance:
 - cis: ["5.26"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'
@@ -896,7 +896,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Simple TCP/IP Services"
 compliance:
 - cis: ["5.28"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp'
@@ -909,7 +909,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SSDP Discovery"
 compliance:
 - cis: ["5.30"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'
@@ -923,7 +923,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\UPnP Device Host"
 compliance:
 - cis: ["5.31"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'
@@ -937,7 +937,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Web Management Service"
 compliance:
 - cis: ["5.32"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc'
@@ -950,7 +950,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Media Player Network Sharing Service"
 compliance:
 - cis: ["5.35"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'
@@ -963,7 +963,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Mobile Hotspot Service"
 compliance:
 - cis: ["5.36"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'
@@ -977,7 +977,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\World Wide Web Publishing Service"
 compliance:
 - cis: ["5.40"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: any
 rules:
 - 'not r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC'
@@ -990,7 +990,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Accessory Management Service"
 compliance:
 - cis: ["5.41"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'
@@ -1004,7 +1004,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Game Monitoring"
 compliance:
 - cis: ["5.42"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm'
@@ -1018,7 +1018,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Auth Manager"
 compliance:
 - cis: ["5.43"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'
@@ -1032,7 +1032,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Game Save"
 compliance:
 - cis: ["5.44"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'
@@ -1046,7 +1046,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service"
 compliance:
 - cis: ["5.45"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'
@@ -1061,7 +1061,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
 compliance:
 - cis: ["9.1.1"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1075,7 +1075,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
 compliance:
 - cis: ["9.1.2"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1089,7 +1089,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
 compliance:
 - cis: ["9.1.3"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1116,7 +1116,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.1.5"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1130,7 +1130,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
 - cis: ["9.1.6"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1144,7 +1144,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
 - cis: ["9.1.7"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1158,7 +1158,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
 - cis: ["9.1.8"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1172,7 +1172,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
 - cis: ["9.2.1"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1186,7 +1186,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
 - cis: ["9.2.2"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1200,7 +1200,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
 - cis: ["9.2.3"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1227,7 +1227,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.2.5"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1241,7 +1241,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
 - cis: ["9.2.6"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1255,7 +1255,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
 - cis: ["9.2.7"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1269,7 +1269,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
 - cis: ["9.2.8"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1283,7 +1283,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
 - cis: ["9.3.1"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1297,7 +1297,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
 - cis: ["9.3.2"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1311,7 +1311,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
 - cis: ["9.3.3"]
- - cis_csc: ["9.2","9.4"]
+ - cis_csc: ["9.2", "9.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1366,7 +1366,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.3.7"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1380,7 +1380,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
 - cis: ["9.3.8"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1394,7 +1394,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
 compliance:
 - cis: ["9.3.9"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1408,7 +1408,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
 compliance:
 - cis: ["9.3.10"]
- - cis_csc: ["6.2","6.3"]
+ - cis_csc: ["6.2", "6.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1477,7 +1477,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy"
 compliance:
 - cis: ["18.2.2"]
- - cis_csc: ["16.2","16.10"]
+ - cis_csc: ["16.2", "16.10"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
@@ -1547,7 +1547,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons"
 compliance:
 - cis: ["18.3.1"]
- - cis_csc: ["5.8","4.3"]
+ - cis_csc: ["5.8", "4.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1561,7 +1561,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver"
 compliance:
 - cis: ["18.3.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
@@ -1575,7 +1575,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server"
 compliance:
 - cis: ["18.3.3"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
@@ -1589,7 +1589,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Enable Structured Exception Handling Overwrite Protection (SEHOP)"
 compliance:
 - cis: ["18.3.4"]
- - cis_csc: ["8.4","8.3"]
+ - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
@@ -1603,7 +1603,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications"
 compliance:
 - cis: ["18.3.5"]
- - cis_csc: ["8.4","8.3"]
+ - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
@@ -1729,7 +1729,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
 compliance:
 - cis: ["18.4.13"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
@@ -1771,7 +1771,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Lanman Workstation\\Enable insecure guest logons"
 compliance:
 - cis: ["18.5.8.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
@@ -1799,7 +1799,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit use of Internet Connection Sharing on your DNS domain network"
 compliance:
 - cis: ["18.5.11.3"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1871,7 +1871,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services"
 compliance:
 - cis: ["18.5.23.2.1"]
- - cis_csc: ["15.4","15.5"]
+ - cis_csc: ["15.4", "15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
@@ -1927,7 +1927,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing"
 compliance:
 - cis: ["18.8.21.2"]
- - cis_csc: ["3.7","5.4","5.5"]
+ - cis_csc: ["3.7", "5.4", "5.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1941,7 +1941,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing"
 compliance:
 - cis: ["18.8.21.3"]
- - cis_csc: ["3.7","5.4","5.5"]
+ - cis_csc: ["3.7", "5.4", "5.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1955,7 +1955,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Continue experiences on this device"
 compliance:
 - cis: ["18.8.21.4"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1969,7 +1969,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy"
 compliance:
 - cis: ["18.8.21.5"]
- - cis_csc: ["3.7","5.4","5.5"]
+ - cis_csc: ["3.7", "5.4", "5.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2137,7 +2137,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)"
 compliance:
 - cis: ["18.8.33.6.5"]
- - cis_csc: ["13.2","13.6"]
+ - cis_csc: ["13.2", "13.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -2165,7 +2165,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance"
 compliance:
 - cis: ["18.8.35.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2193,7 +2193,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication"
 compliance:
 - cis: ["18.8.36.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2207,7 +2207,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
 compliance:
 - cis: ["18.8.36.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2235,7 +2235,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices"
 compliance:
 - cis: ["18.9.8.1"]
- - cis_csc: ["8.3","8.4","8.5"]
+ - cis_csc: ["8.3", "8.4", "8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2249,7 +2249,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun"
 compliance:
 - cis: ["18.9.8.2"]
- - cis_csc: ["8.3","8.4","8.5"]
+ - cis_csc: ["8.3", "8.4", "8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2263,7 +2263,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay"
 compliance:
 - cis: ["18.9.8.3"]
- - cis_csc: ["8.3","8.4","8.5"]
+ - cis_csc: ["8.3", "8.4", "8.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
@@ -2304,7 +2304,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Connect\\Require pin for pairing"
 compliance:
 - cis: ["18.9.14.1"]
- - cis_csc: ["15.8","15.9"]
+ - cis_csc: ["15.8", "15.9"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
@@ -2388,7 +2388,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode"
 compliance:
 - cis: ["18.9.17.1"]
- - cis_csc: ["4.5","3.4","3.5"]
+ - cis_csc: ["4.5", "3.4", "3.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
@@ -2402,7 +2402,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
 - cis: ["18.9.26.1.1"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2416,7 +2416,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB)"
 compliance:
 - cis: ["18.9.26.1.2"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2430,7 +2430,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
 - cis: ["18.9.26.2.1"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2444,7 +2444,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB)"
 compliance:
 - cis: ["18.9.26.2.2"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2458,7 +2458,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
 - cis: ["18.9.26.3.1"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -2472,7 +2472,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)"
 compliance:
 - cis: ["18.9.26.3.2"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
@@ -2486,7 +2486,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size"
 compliance:
 - cis: ["18.9.26.4.1"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -2500,7 +2500,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)"
 compliance:
 - cis: ["18.9.26.4.2"]
- - cis_csc: ["6.3","6.4"]
+ - cis_csc: ["6.3", "6.4"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
@@ -2514,7 +2514,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer"
 compliance:
 - cis: ["18.9.30.2"]
- - cis_csc: ["8.4","8.3"]
+ - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2528,7 +2528,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off heap termination on corruption"
 compliance:
 - cis: ["18.9.30.3"]
- - cis_csc: ["8.4","8.3"]
+ - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2542,7 +2542,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode"
 compliance:
 - cis: ["18.9.30.4"]
- - cis_csc: ["8.4","8.3"]
+ - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2556,7 +2556,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\HomeGroup\\Prevent the computer from joining a homegroup"
 compliance:
 - cis: ["18.9.35.1"]
- - cis_csc: ["14.1","14.2"]
+ - cis_csc: ["14.1", "14.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
@@ -2710,7 +2710,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit"
 compliance:
 - cis: ["18.9.58.3.11.1"]
- - cis_csc: ["14.4","14.6"]
+ - cis_csc: ["14.4", "14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2724,7 +2724,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session"
 compliance:
 - cis: ["18.9.58.3.11.2"]
- - cis_csc: ["14.4","14.6"]
+ - cis_csc: ["14.4", "14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2752,7 +2752,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana"
 compliance:
 - cis: ["18.9.60.3"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2794,7 +2794,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow search and Cortana to use location"
 compliance:
 - cis: ["18.9.60.6"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -2808,7 +2808,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off Automatic Download and Install of updates"
 compliance:
 - cis: ["18.9.68.3"]
- - cis_csc: ["3.1","3.4","3.5","4.5","5.1"]
+ - cis_csc: ["3.1", "3.4", "3.5", "4.5", "5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
@@ -2822,7 +2822,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the offer to update to the latest version of Windows"
 compliance:
 - cis: ["18.9.68.4"]
- - cis_csc: ["3.1","3.4","3.5","4.5","5.1"]
+ - cis_csc: ["3.1", "3.4", "3.5", "4.5", "5.1"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
@@ -2850,7 +2850,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Real-Time Protection\\Turn on behavior monitoring"
 compliance:
 - cis: ["18.9.76.7.1"]
- - cis_csc: ["8.1","8.6"]
+ - cis_csc: ["8.1", "8.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
@@ -2954,7 +2954,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Turn off Windows Defender AntiVirus"
 compliance:
 - cis: ["18.9.76.14"]
- - cis_csc: ["8.1","8.6"]
+ - cis_csc: ["8.1", "8.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
@@ -3138,7 +3138,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication"
 compliance:
 - cis: ["18.9.97.1.1"]
- - cis_csc: ["16.13","16.5"]
+ - cis_csc: ["16.13", "16.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3152,7 +3152,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic"
 compliance:
 - cis: ["18.9.97.1.2"]
- - cis_csc: ["16.5","16.13"]
+ - cis_csc: ["16.5", "16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3166,7 +3166,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication"
 compliance:
 - cis: ["18.9.97.1.3"]
- - cis_csc: ["16.5","16.13"]
+ - cis_csc: ["16.5", "16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
@@ -3180,7 +3180,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication"
 compliance:
 - cis: ["18.9.97.2.1"]
- - cis_csc: ["16.5","16.13"]
+ - cis_csc: ["16.5", "16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3208,7 +3208,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic"
 compliance:
 - cis: ["18.9.97.2.4"]
- - cis_csc: ["16.5","16.13"]
+ - cis_csc: ["16.5", "16.13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -3256,7 +3256,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Quality Updates are received"
 compliance:
 - cis: ["18.9.101.1.3"]
- - cis_csc: ["3.4","3.5","4.5"]
+ - cis_csc: ["3.4", "3.5", "4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
@@ -3272,7 +3272,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
 compliance:
 - cis: ["18.9.101.2"]
- - cis_csc: ["3.4","3.5","4.5"]
+ - cis_csc: ["3.4", "3.5", "4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3286,7 +3286,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day"
 compliance:
 - cis: ["18.9.101.3"]
- - cis_csc: ["3.4","3.5","4.5"]
+ - cis_csc: ["3.4", "3.5", "4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -3300,7 +3300,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations"
 compliance:
 - cis: ["18.9.101.4"]
- - cis_csc: ["3.4","3.5","4.5"]
+ - cis_csc: ["3.4", "3.5", "4.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index b2aaa830f..6e1d05d96 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -77,7 +77,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
 compliance:
 - cis: ["5.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
@@ -91,7 +91,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
 compliance:
 - cis: ["5.4"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'
@@ -105,7 +105,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
 compliance:
 - cis: ["5.5"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'
@@ -119,7 +119,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
 compliance:
 - cis: ["5.9"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'
@@ -133,7 +133,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
 compliance:
 - cis: ["5.12"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI'
@@ -147,7 +147,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
 compliance:
 - cis: ["5.15"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'
@@ -161,7 +161,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
 compliance:
 - cis: ["5.16"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'
@@ -175,7 +175,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
 compliance:
 - cis: ["5.17"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc'
@@ -189,7 +189,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
 compliance:
 - cis: ["5.18"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'
@@ -203,7 +203,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
 compliance:
 - cis: ["5.19"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'
@@ -217,7 +217,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
 compliance:
 - cis: ["5.20"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'
@@ -231,7 +231,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
 compliance:
 - cis: ["5.21"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'
@@ -245,7 +245,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
 compliance:
 - cis: ["5.22"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'
@@ -259,7 +259,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
 compliance:
 - cis: ["5.23"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'
@@ -273,7 +273,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
 compliance:
 - cis: ["5.25"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
@@ -287,7 +287,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
 compliance:
 - cis: ["5.27"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'
@@ -301,7 +301,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
 compliance:
 - cis: ["5.29"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
@@ -315,7 +315,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
 compliance:
 - cis: ["5.33"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'
@@ -329,7 +329,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
 compliance:
 - cis: ["5.34"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'
@@ -343,7 +343,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
 compliance:
 - cis: ["5.37"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'
@@ -357,7 +357,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
 compliance:
 - cis: ["5.38"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'
@@ -371,7 +371,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
 compliance:
 - cis: ["5.39"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM'
@@ -482,7 +482,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.5.5.1"]
- - cis_csc: ["3","13"]
+ - cis_csc: ["3", "13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -536,7 +536,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.10.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -564,7 +564,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.20.1"]
- - cis_csc: ["15.4","15.5"]
+ - cis_csc: ["15.4", "15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -586,7 +586,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.5.20.2"]
- - cis_csc: ["15.4","15.5"]
+ - cis_csc: ["15.4", "15.5"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -857,7 +857,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.49.1.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -872,7 +872,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.4.1"]
- - cis_csc: ["14.4","14.6"]
+ - cis_csc: ["14.4", "14.6"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
@@ -928,7 +928,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.43.1"]
- - cis_csc: ["9.1","9.2","13"]
+ - cis_csc: ["9.1", "9.2", "13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
@@ -1040,7 +1040,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.57.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
@@ -1067,7 +1067,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.1"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1081,7 +1081,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.3"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1095,7 +1095,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.4"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -1139,7 +1139,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.60.2"]
- - cis_csc: ["9.1","9.2"]
+ - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index 72a3008ec..f2c8e8f97 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -421,7 +421,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
 compliance:
 - cis: ["2.3.10.5"]
- - cis_csc: ["14","16"]
+ - cis_csc: ["14", "16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -435,7 +435,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
 compliance:
 - cis: ["2.3.10.6"]
- - cis_csc: ["14.1","16"]
+ - cis_csc: ["14.1", "16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -449,7 +449,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths"
 compliance:
 - cis: ["2.3.10.7"]
- - cis_csc: ["14","16"]
+ - cis_csc: ["14", "16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
@@ -463,7 +463,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS"
 compliance:
 - cis: ["2.3.10.8"]
- - cis_csc: ["14","16"]
+ - cis_csc: ["14", "16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
@@ -477,7 +477,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
 compliance:
 - cis: ["2.3.10.9"]
- - cis_csc: ["14","16"]
+ - cis_csc: ["14", "16"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -491,13 +491,12 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" compliance: - cis: ["2.3.10.10"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' - - id: 11033 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." 
@@ -505,7 +504,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" compliance: - cis: ["2.3.10.11"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -519,7 +518,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" compliance: - cis: ["2.3.11.1"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index c3ffa329c..4cdc17610 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml @@ -434,7 +434,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" compliance: - cis: ["2.3.10.5"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -448,7 +448,7 @@ checks: remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" compliance: - cis: ["2.3.10.6"] - - cis_csc: ["14.1","16"] + - cis_csc: ["14.1", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -462,7 +462,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" compliance: - cis: ["2.3.10.7"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
@@ -476,7 +476,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" compliance: - cis: ["2.3.10.8"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' @@ -490,7 +490,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" compliance: - cis: ["2.3.10.9"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -504,7 +504,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" compliance: - cis: ["2.3.10.10"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -518,7 +518,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" compliance: - cis: ["2.3.10.11"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' @@ -532,7 +532,7 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" compliance: - cis: ["2.3.11.1"] - - cis_csc: ["14","16"] + - cis_csc: ["14", "16"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml index a675292d2..834d48ab1 100644 --- a/sca/windows/sca_win_audit.yml +++ b/sca/windows/sca_win_audit.yml 
@@ -99,7 +99,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - - id: 14006 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." @@ -494,9 +493,9 @@ checks: - id: 14036 title: "LM authentication not allowed (disable weak passwords)" compliance: - - pci_dss: ["10.6.1","11.4"] + - pci_dss: ["10.6.1", "11.4"] - hipaa: ["164.312.b"] - - nist_800_53: ["AU.6","IA.10"] + - nist_800_53: ["AU.6", "SI.4"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' @@ -527,9 +526,9 @@ checks: - id: 14038 title: "Ensure Microsoft Firewall is enabled" compliance: - - pci_dss: ["10.6.1","1.4"] - - hipaa: ["164.312.b","164.312.a.1"] - - nist_800_53: ["AU.6","SC.7"] + - pci_dss: ["10.6.1", "1.4"] + - hipaa: ["164.312.b", "164.312.a.1"] + - nist_800_53: ["AU.6", "SC.7"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile' @@ -540,7 +539,7 @@ checks: title: "Ensure Null sessions are not allowed" compliance: - pci_dss: ["11.4"] - - nist_800_53: ["IA.10"] + - nist_800_53: ["SI.4"] condition: all rules: - 'r:HKLM\System\CurrentControlSet\Control\Lsa' 
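Review bot: In the `- id: 14036` hunk (`@@ -494`) the new mapping `nist_800_53: ["AU.6", "SI.4"]` swaps IA.10 for SI.4, but SI-4 is the system-monitoring control and does not obviously describe a setting that disables LM authentication; the same substitution appears in the `Ensure Null sessions are not allowed` hunk (`@@ -540`). If IA.10 was the wrong reference, an identification-and-authentication control such as IA.5 looks closer for the LM check and an access-enforcement control (AC.3) for null sessions — please confirm against whatever mapping table the rest of the policy set follows. A one-line comment above the compliance list, `# nist_800_53 references: confirm against the mapping source used for this policy`, would make later edits checkable rather than guessed.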
@@ -833,7 +832,6 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - - id: 14061 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. 
Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." @@ -948,7 +946,7 @@ checks: rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication" compliance: - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' @@ -961,9 +959,9 @@ checks: rationale: "Unauthenticated RPC communication can create a security vulnerability." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" compliance: - - cis_csc: ["9.1","9.2"] + - cis_csc: ["9.1", "9.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' \ No newline at end of file + - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' From f9d06709fb1f81da0958929b52d87340f62c5745 Mon Sep 17 00:00:00 2001 From: Cristina Maria Garrido Lopez Date: Tue, 16 Jul 2019 13:07:01 +0200 Subject: [PATCH 200/247] Fix condition for Windows rules --- sca/windows/cis_win10_enterprise_L1.yml | 1 + sca/windows/cis_win2012r2_memberL1.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index 37d8b5e5e..c20df82b7 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml @@ -567,6 +567,7 @@ checks: compliance: - cis: ["2.3.11.6"] - cis_csc: ["16"] + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index 4cdc17610..ff4a55af9 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml @@ -1320,7 +1320,7 @@ checks: - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ - condition: aLL + condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy' From b9e3346cdb2418d9e21b83044c4bc525e247e59c Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 16 Jul 2019 10:18:14 -0700 Subject: [PATCH 201/247] Fix rules for MySQL policies --- sca/applications/cis_mysql5-6_community.yml | 1 + sca/applications/cis_mysql5-6_enterprise.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml index c79f9f3cb..9664b9b9e 100644 --- a/sca/applications/cis_mysql5-6_community.yml +++ b/sca/applications/cis_mysql5-6_community.yml 
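Review bot: Both hunks repair a `condition` field the YAML parser cannot catch — a missing key in `cis_win10_enterprise_L1.yml` (`@@ -567`) and the case typo `aLL` in `cis_win2012r2_memberL1.yml` (`@@ -1320`) — so the same class of defect will recur unless something validates the policy shape. A CI step that asserts every entry under `checks` carries a `condition` equal to exactly one of `all`, `any` or `none` (lowercase) and a non-empty `rules` list would have flagged both; a check that is silently skipped or defaulted reports a posture the policy never verified. It is not visible from the hunk how the engine treated the absent key, so a comment on the check, `# condition is required: a check without one must not be reported as passed`, documents the expectation.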
@@ -40,6 +40,7 @@ checks: condition: none rules: - 'd:/home -> ^.mysql_history$' + - 'd:/root -> ^.mysql_history$' - id: 9501 title: "Disable Interactive Login" diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml index 123798cc4..99b1641fe 100644 --- a/sca/applications/cis_mysql5-6_enterprise.yml +++ b/sca/applications/cis_mysql5-6_enterprise.yml @@ -40,6 +40,7 @@ checks: condition: none rules: - 'd:/home -> ^.mysql_history$' + - 'd:/root -> ^.mysql_history$' - id: 10001 title: "Disable Interactive Login" From 2a3f7f6daca1d3954716199d5f4b787bd93125ca Mon Sep 17 00:00:00 2001 From: Skeptor Date: Wed, 17 Jul 2019 16:54:48 +0200 Subject: [PATCH 202/247] Divide Apache variables in apache2 and httpd --- sca/applications/cis_apache_24.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/sca/applications/cis_apache_24.yml b/sca/applications/cis_apache_24.yml index d773ceb45..6ecb13c21 100644 --- a/sca/applications/cis_apache_24.yml +++ b/sca/applications/cis_apache_24.yml 
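Review bot: The added rule `- 'd:/root -> ^.mysql_history$'` (same line in the community and enterprise hunks) extends the check to root, but the existing `d:/home` rule only lists entries directly under `/home` unless `d:` recurses, so `/home/<user>/.mysql_history` would go unseen — please confirm the directory-rule semantics, because under `condition: none` a rule that never matches makes the check pass vacuously. History files in other home locations (the service account's home, or hosts whose home directories live outside `/home`) are still uncovered, so this is a partial detection at best. A comment above the rules stating the scope, e.g. `# only /root and the top level of /home are inspected; history files elsewhere are not detected`, keeps the reported result honest.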
@@ -26,12 +26,20 @@ requirements: - 'f:/etc/apache2/apache2.conf' - 'f:/etc/httpd/conf/httpd.conf' +# In case your installation is located in: /etc/apache2 use this block of variables +#variables: +# $main-conf: /etc/apache2/apache2.conf +# $conf-dirs: /etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled +# $ssl-confs: /etc/apache2/mods-enabled/ssl.conf +# $request-confs: /etc/apache2/mods-enabled/reqtimeout.conf +# $traceen: /etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf + variables: - $main-conf: /etc/httpd/conf/httpd.conf,/etc/apache2/apache2.conf - $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d,/etc/apache2/conf-enabled,/etc/apache2/mods-enabled,/etc/apache2/sites-enabled - $ssl-confs: /etc/httpd/conf.d/ssl.conf,/etc/apache2/mods-enabled/ssl.conf - $request-confs: /etc/httpd/conf/httpd.conf,/etc/apache2/mods-enabled/reqtimeout.conf - $traceen: /etc/httpd/conf/httpd.conf,/etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf + $main-conf: /etc/httpd/conf/httpd.conf + $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d + $ssl-confs: /etc/httpd/conf.d/ssl.conf + $request-confs: /etc/httpd/conf/httpd.conf + $traceen: /etc/httpd/conf/httpd.conf #2.3 Disable WebDAV Modules checks: From 50a1ef572ccb68cb2fa6495f80ed459df6e71bcd Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Mon, 22 Jul 2019 06:29:13 -0700 Subject: [PATCH 203/247] Fix several checks and typos in SCA policies --- sca/generic/sca_unix_audit.yml | 4 ++-- sca/rhel/5/cis_rhel5_linux.yml | 1 - sca/rhel/6/cis_rhel6_linux.yml | 1 - sca/sles/11/cis_sles11_linux.yml | 1 - 4 files changed, 2 insertions(+), 5 deletions(-) diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml index c9ec929e7..39d6a7a7f 100644 --- a/sca/generic/sca_unix_audit.yml +++ b/sca/generic/sca_unix_audit.yml 
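Review bot: After this hunk the active variables point only at `/etc/httpd/...`, yet the requirements above still admit Debian-style installs (the `- 'f:/etc/apache2/apache2.conf'` context line), so on such a host the policy is enabled while every `f:$main-conf` / `d:$conf-dirs` rule evaluates against paths that do not exist and the checks report a state nobody inspected. The requirement and the active variable block must describe the same layout; the later Apache commit on this page narrows the requirement to httpd, which closes the gap for now. Hand-swapping commented blocks is fragile, so a comment on the active `variables:` block, `# these paths must match the layout accepted by the requirements rules above`, would help whoever switches it next.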
@@ -9,7 +9,7 @@ policy: id: "unix_audit" - file: "unix_audit.yml" + file: "sca_unix_audit.yml" name: "System audit for Unix based systems" description: "Guidance for establishing a secure configuration for Unix based systems." references: @@ -233,7 +233,7 @@ checks: remediation: "Edit the /etc/pam.d/common-auth file and add the auth line below: #auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900" condition: all rules: - - 'f:/etc/pam.d/common-auth -> r:^auth\s*\t*required\s*\t*pam_tally2.so\s*\t*onerr=fail\s*\t*audit\s*\t*silent\s*\t*deny=\d+\s*\t*unlock_time=\d+$' + - 'f:/etc/pam.d/common-auth -> !r:^# && r:auth\s*\t*required\s*\t*pam_tally2.so && r:onerr=fail && r:audit && r:silent && r:deny\s*=\s*\d && r:unlock_time\s*=\s*\d\d\d+' - id: 4017 title: "Ensure password hashing algorithm is SHA-512" diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml index 1fa933e10..ae09e4e9b 100644 --- a/sca/rhel/5/cis_rhel5_linux.yml +++ b/sca/rhel/5/cis_rhel5_linux.yml @@ -31,7 +31,6 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # 1.1.1 /tmp: partition diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index 54cc3905e..deace3514 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -32,7 +32,6 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # 1.1.2 /tmp: partition diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml index e3e002f23..dae52f841 100644 --- a/sca/sles/11/cis_sles11_linux.yml +++ b/sca/sles/11/cis_sles11_linux.yml @@ -28,7 +28,6 @@ requirements: variables: $sshd_file: /etc/ssh/sshd_config - $rc_dirs: /etc/rc.d/rc2.d,/etc/rc.d/rc3.d,/etc/rc.d/rc4.d,/etc/rc.d/rc5.d checks: # Section 1.1 - Filesystem Configuration 
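Review bot: The rewritten pam_tally2 rule in `sca_unix_audit.yml` (`@@ -233`) tests `r:deny\s*=\s*\d` and `r:unlock_time\s*=\s*\d\d\d+`, which only require a digit and at-least-three digits: `deny=50` and `unlock_time=100` satisfy it while the remediation text asks for `deny=5` and `unlock_time=900`. The policy set already uses numeric comparison (`n:... compare <= 102400` in the Apache file), so `n:deny\s*=\s*(\d+) compare <= 5` and `n:unlock_time\s*=\s*(\d+) compare >= 900` would pin the intended thresholds; confirm the engine accepts more than one `n:` term in a single rule before relying on it. The rule also inspects only `/etc/pam.d/common-auth`, so layouts using `system-auth`/`password-auth` (listed in this file's `$pam_d_files` variable) get no result — worth a comment on the check, `# Debian/Ubuntu PAM layout only; see $pam_d_files for the RHEL-style equivalents`.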
From eb1c9b9a80fb9bf9ac1221c98fc97462909b93e5 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Mon, 29 Jul 2019 04:02:47 -0700 Subject: [PATCH 204/247] Fix Apache policy --- sca/applications/cis_apache_24.yml | 43 +++++++++++++++++------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/sca/applications/cis_apache_24.yml b/sca/applications/cis_apache_24.yml index 6ecb13c21..17907be3d 100644 --- a/sca/applications/cis_apache_24.yml +++ b/sca/applications/cis_apache_24.yml @@ -9,6 +9,10 @@ # # Based on: # Center for Internet Security Benchmark for Apache 2.4 v1.5.0 - 06-12-2019 +# +# RPM based distributions locate its Apache configuration files under /etc/httpd +# Otherwise, Debian-based distros do it under /etc/apache2 +# Adapt this policy to each case by commuting the commented block of variables as well as the requirement rules policy: id: "cis_apache" @@ -19,12 +23,20 @@ policy: - https://www.cisecurity.org/cis-benchmarks/ requirements: - title: "Check that Apache is installed on the system" + title: "Check that Apache is installed on the system. If your Apache installation is located at /etc/apache2, review the policy file" description: "Requirements for running the SCA scan against the Apache policy." condition: any rules: - - 'f:/etc/apache2/apache2.conf' - 'f:/etc/httpd/conf/httpd.conf' +# - 'f:/etc/apache2/apache2.conf' + +variables: + $main-conf: /etc/httpd/conf/httpd.conf + $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d + $ssl-confs: /etc/httpd/conf.d/ssl.conf + $request-confs: /etc/httpd/conf/httpd.conf + $traceen: /etc/httpd/conf/httpd.conf + $enabled-modules: httpd -M # In case your installation is located in: /etc/apache2 use this block of variables #variables: 
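Review bot: The new requirements `title` in `cis_apache_24.yml` (`@@ -19`) now carries an operator instruction ("If your Apache installation is located at /etc/apache2, review the policy file"), which turns a label shown in scan results into documentation; the header comment added in the `@@ -9` hunk already says the same, so the title can stay `"Check that Apache is installed on the system"`. In that header comment, "commuting the commented block of variables" reads oddly — "uncommenting the alternative block" is clearer. Since `$enabled-modules` is now expanded into `c:` rules, a comment beside it, `# expanded into the c: rules below; the agent executes this command`, makes that coupling visible to whoever edits the variables.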
@@ -33,13 +45,7 @@ requirements: # $ssl-confs: /etc/apache2/mods-enabled/ssl.conf # $request-confs: /etc/apache2/mods-enabled/reqtimeout.conf # $traceen: /etc/apache2/apache2.conf,/etc/apache2/conf-enabled/security.conf - -variables: - $main-conf: /etc/httpd/conf/httpd.conf - $conf-dirs: /etc/httpd/conf.d,/etc/httpd/modsecurity.d - $ssl-confs: /etc/httpd/conf.d/ssl.conf - $request-confs: /etc/httpd/conf/httpd.conf - $traceen: /etc/httpd/conf/httpd.conf +# $enabled-modules: apachectl -M #2.3 Disable WebDAV Modules checks: @@ -55,7 +61,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_dav.html condition: none rules: - - 'c:httpd -M -> r:dav_\.+module' + - 'c:$enabled-modules -> r:dav_\.+module' #2.4 Disable Status Module - id: 9001 @@ -70,7 +76,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_status.html condition: none rules: - - 'c:httpd -M -> r:status_module' + - 'c:$enabled-modules -> r:status_module' #2.5 Disable Autoindex Module - id: 9002 @@ -85,7 +91,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_autoindex.html condition: none rules: - - 'c:httpd -M -> r:autoindex_module' + - 'c:$enabled-modules -> r:autoindex_module' #2.6 Disable Proxy Modules - id: 9003 @@ -100,7 +106,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_proxy.html condition: none rules: - - 'c:httpd -M -> r:proxy_' + - 'c:$enabled-modules -> r:proxy_' #2.7 Disable User Directories Modules - id: 9004 @@ -115,7 +121,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_userdir.html condition: none rules: - - 'c:httpd -M -> userdir_' + - 'c:$enabled-modules -> userdir_' #2.8 Disable Info Module - id: 9005 @@ -130,7 +136,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_info.html condition: none rules: - - 'c:httpd -M -> r:info_module' + - 'c:$enabled-modules -> r:info_module' #3.2 Give the Apache User Account an Invalid Shell - id: 9006 
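Review bot: In the `#2.7 Disable User Directories Modules` hunk (`@@ -115`) the rewritten rule `- 'c:$enabled-modules -> userdir_'` still lacks the `r:` prefix every sibling rule uses (`r:status_module`, `r:info_module`, …). If a bare pattern is compared as a literal or whole-line match, `userdir_` never equals a module-listing line such as `userdir_module (shared)`, the rule never fires, and under `condition: none` the check passes even when mod_userdir is loaded — a silent false negative. Change it to `- 'c:$enabled-modules -> r:userdir_module'` to match the siblings, or confirm the bare-pattern semantics if you believe it currently works.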
@@ -192,8 +198,8 @@ checks: - https://httpd.apache.org/docs/2.4/mod/mod_include.html condition: none rules: - - 'd:$conf-dirs -> conf -> !r:^# && r:options && r:includes\Includes' - - 'f:$main-conf -> !r:^# && r:options && r:includes\Includes' + - 'd:$conf-dirs -> conf -> !r:^# && r:options && r:includes|Includes' + - 'f:$main-conf -> !r:^# && r:options && r:includes|Includes' #5.4.2 Remove the Apache user manual - id: 9010 @@ -385,7 +391,7 @@ checks: - https://httpd.apache.org/docs/2.4/mod/core.html#keepalive condition: none rules: - - 'f:$main-conf -> !r:^# && r:keepalive|KeepAlive && r:\s+Off' + - 'f:$main-conf -> !r:^# && r:keepalive|KeepAlive && r:\s+off|\s+Off' #9.3:Set MaxKeepAliveRequests to 100 or greater - id: 9022 @@ -510,4 +516,3 @@ checks: condition: all rules: - 'f:$main-conf -> !r:^# && r:limitrequestbody|LimitRequestBody && n:\s(\d+) compare <= 102400' - From ce82f8a8f633d0abcd8326c8d98246ec2d9fae75 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 30 Jul 2019 06:15:23 -0700 Subject: [PATCH 205/247] Update macOS policies --- sca/darwin/15/cis_apple_macOS_10.11.yml | 10 +++++----- sca/darwin/16/cis_apple_macOS_10.12.yml | 4 ++-- sca/darwin/17/cis_apple_macOS_10.13.yml | 8 ++++---- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index 8dba03748..5d57c1027 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml +++ b/sca/darwin/15/cis_apple_macOS_10.11.yml 
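Review bot: The corrected alternation in the mod_include hunk (`@@ -192`), `r:options && r:includes|Includes`, matches the substring regardless of sign, so a compliant line such as `Options -Includes` contains it and fails the `condition: none` check — the check flags the benchmark's own remediation. Restricting the pattern to the enabling forms (a leading `+` or no sign) rather than `-Includes` would avoid that; which escape the engine needs for a literal `+` should be verified before writing it. The KeepAlive hunk (`@@ -385`) has the related limitation that `r:\s+off|\s+Off` still ignores `OFF`; if the regex engine has no case-insensitive mode, a comment noting the accepted spellings, `# matches "off"/"Off" only; Apache itself accepts any case`, prevents a false pass from being read as verified.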
@@ -13,8 +13,8 @@ policy: id: "cis_apple_macos_10_11" file: "cis_apple_macOS_10.11.yml" - name: "CIS Apple OSX 10.11 Benchmark" - description: "This document, CIS Apple OSX 10.11 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple OSX 10.11. This guide was tested against Apple OSX 10.11." + name: "CIS Apple macOS 10.11 Benchmark" + description: "This document, CIS Apple macOS 10.11 Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apple macOS 10.11. This guide was tested against Apple macOS 10.11." references: - https://www.cisecurity.org/cis-benchmarks/ @@ -23,8 +23,8 @@ requirements: description: "Requirements for running the SCA scan against MacOS 10.11 (El Capitan)." condition: any rules: - - 'c:sw_vers -> r:^ProductVersion:\t*10\p11' - - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:.*10\p11' + - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p11' + - 'c:system_profiler SPSoftwareDataType -> r:System Version:.*10\p11' - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p11' checks: @@ -379,7 +379,7 @@ checks: - cis: ["5.11"] condition: none rules: - - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel && r:fail_safe' + - 'f:/etc/pam.d/screensaver -> r:group=admin,wheel|group=wheel,admin && r:fail_safe' # 5.18 System Integrity Protection status (Scored) - id: 7528 diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index 62a264170..d940588f4 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml 
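Review bot: In the 10.11 requirements hunk (`@@ -23`) the second rule keeps `r:System Version:.*10\p11`, whereas the 10.12 and 10.13 files touched by the same commit use `\.*`; in this rule dialect `\.` is the wildcard (the rest of the corpus relies on it, e.g. `Port\.+22`), so a bare `.*` most likely means "zero or more literal dots" and this rule would not match `System Version: macOS 10.11.x`. The requirement still passes via `condition: any` and the other two rules, so the defect is masked rather than harmless. Align it with the siblings: `- 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p11'`.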
@@ -23,8 +23,8 @@ requirements: description: "Requirements for running the SCA scan against MacOS 10.12 (Sierra)." condition: any rules: - - 'c:sw_vers -> r:^ProductVersion:\t*10\p12' - - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p12' + - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p12' + - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p12' - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p12' checks: diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index 624eaea43..a0f128b26 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml @@ -19,13 +19,13 @@ policy: - https://www.cisecurity.org/cis-benchmarks/ requirements: - title: "Check MacOS version" + title: "Check MacOS version (is 10.13 or higher?)" description: "Requirements for running the SCA scan against MacOS 10.13 (High Sierra)." condition: any rules: - - 'c:sw_vers -> r:^ProductVersion:\t*10\p13' - - 'c:system_profiler SPSoftwareDataType -> r:^\s*System Version:\.*10\p13' - - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\s*10\p13' + - 'c:sw_vers -> r:^ProductVersion:\t*\s*10\p\d+' + - 'c:system_profiler SPSoftwareDataType -> r:System Version:\.*10\p\d+' + - 'c:defaults read loginwindow SystemVersionStampAsString -> r:^\t*\s*10\p\d+' checks: # 1.1 Verify all Apple provided software is current (Scored) From 8e7c685c8a5e3182ee9efabdf4d00e1ab6c23eb2 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Tue, 30 Jul 2019 06:16:16 -0700 Subject: [PATCH 206/247] Update web vulnerabilites policy --- sca/applications/web_vulnerabilities.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml index 6b9120129..165aec89c 100644 --- a/sca/applications/web_vulnerabilities.yml +++ b/sca/applications/web_vulnerabilities.yml 
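Review bot: The new 10.13 requirement rules (`@@ -19`) match `10\p\d+`, i.e. any 10.x release, while the title now promises "is 10.13 or higher?"; a 10.12 or 10.11 host satisfies this policy as well as its own, so two benchmarks run against it and the 10.13 results will include checks that do not apply. Numeric comparison is used elsewhere on this page (`n:... compare`), so `- 'c:sw_vers -> n:^ProductVersion:\t*\s*10\p(\d+) compare >= 13'` would express the stated intent — confirm that `n:` is accepted inside `requirements` rules. If the loose match is deliberate, say so in a comment, `# intentionally matches any 10.x so newer releases are also covered by this policy`.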
@@ -1,5 +1,5 @@ # Security Configuration Assessment -# Checks for auditing Linux systems +# Checks for web-related vulnerabilities on Linux systems # Copyright (C) 2015-2019, Wazuh Inc. # # This program is a free software; you can redistribute it From 56d39621df8dabd49740e1ca2c0491d5cacccd72 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 31 Jul 2019 04:10:15 -0700 Subject: [PATCH 207/247] Final review of Debian policies --- sca/debian/cis_debian7_L2.yml | 2 +- sca/debian/cis_debian8_L1.yml | 2 +- sca/debian/cis_debian8_L2.yml | 2 +- sca/debian/cis_debian9_L1.yml | 2 +- sca/debian/cis_debian9_L2.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml index 6779b485d..f978a5952 100644 --- a/sca/debian/cis_debian7_L2.yml +++ b/sca/debian/cis_debian7_L2.yml @@ -20,7 +20,7 @@ policy: requirements: title: "Check Debian version" - description: "Requirements for running the SCA scan against Debian/Ubuntu" + description: "Requirements for running the SCA scan against Debian/Ubuntu." condition: all rules: - 'f:/etc/debian_version' diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 13ea29dfa..0e353019d 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -345,7 +345,7 @@ checks: - cis_csc: ["13", "5.1"] condition: none rules: - - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' + - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu' - id: 2025 title: "Ensure GDM login banner is configured" diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index 651114d55..ac447a0d5 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -20,7 +20,7 @@ policy: requirements: title: "Check Debian version" - description: "Requirements for running the SCA scan against Debian/Ubuntu" + description: "Requirements for running the SCA scan against Debian/Ubuntu." condition: all rules: - 'f:/etc/debian_version' 
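Review bot: The `/etc/issue` rule in `cis_debian8_L1.yml` (`@@ -345`), and the identical one in `cis_debian9_L1.yml` on the next line, now reads `r:\\v|\\r|\\m|\\s|Debian|Ubuntu`; because the scalar is single-quoted, the value reaches the engine with two backslashes, so each term matches the literal escape token (`\v`, `\r`, `\m`, `\s`) rather than a regex class — which is the intended CIS check, whereas the old `\s` matched any whitespace and failed every host. That is subtle enough to deserve a comment above the rule, e.g. `# double backslash: match the literal \v \r \m \s tokens in /etc/issue, not regex classes`. The diffstat for this commit does not list `cis_debian7_L1.yml`; if that policy carries the same rule it presumably still has the old form.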
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml index 31a563bb3..5a1f40462 100644 --- a/sca/debian/cis_debian9_L1.yml +++ b/sca/debian/cis_debian9_L1.yml @@ -319,7 +319,7 @@ checks: - cis_csc: ["5.1"] condition: none rules: - - 'f:/etc/issue -> r:\v|\r|\m|\s|Debian' + - 'f:/etc/issue -> r:\\v|\\r|\\m|\\s|Debian|Ubuntu' - id: 3023 title: "Ensure GDM login banner is configured" diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml index dfa04952e..de7cb8d2d 100644 --- a/sca/debian/cis_debian9_L2.yml +++ b/sca/debian/cis_debian9_L2.yml @@ -20,7 +20,7 @@ policy: requirements: title: "Check Debian version" - description: "Requirements for running the SCA scan against Debian/Ubuntu" + description: "Requirements for running the SCA scan against Debian/Ubuntu." condition: all rules: - 'f:/etc/debian_version' From 28d1455d549371f71b9997df6a9af1c90e04acfe Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 31 Jul 2019 04:10:39 -0700 Subject: [PATCH 208/247] Normalize the location of the variables section --- sca/applications/web_vulnerabilities.yml | 8 ++++---- sca/generic/sca_unix_audit.yml | 7 +++---- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml index 165aec89c..621c1f2ef 100644 --- a/sca/applications/web_vulnerabilities.yml +++ b/sca/applications/web_vulnerabilities.yml @@ -13,10 +13,6 @@ policy: name: "System audit for web-related vulnerabilities" description: "Guidance for establishing a secure configuration for web-related vulnerabilities." -variables: - $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini - $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www - requirements: title: Check if web-server files are present description: "Requirements for running the SCA scan against the web-vulnerability policy." 
@@ -25,6 +21,10 @@ requirements: - 'f:$php.ini' - 'd:$web_dirs' +variables: + $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini + $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www + # PHP checks checks: - id: 10500 diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml index 39d6a7a7f..4aa196a41 100644 --- a/sca/generic/sca_unix_audit.yml +++ b/sca/generic/sca_unix_audit.yml @@ -15,10 +15,6 @@ policy: references: - https://www.ssh.com/ssh/ -variables: - $sshd_file: /etc/ssh/sshd_config,/opt/ssh/etc/sshd_config - $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd - requirements: title: "Check that the SSH service is installed on the system and password-related files are present on the system" description: "Requirements for running the SCA scan against the Unix based systems policy." @@ -28,6 +24,9 @@ requirements: - 'f:/etc/passwd' - 'f:/etc/shadow' +variables: + $sshd_file: /etc/ssh/sshd_config,/opt/ssh/etc/sshd_config + $pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd checks: - id: 4000 From 192dd1a99bb91081e6fdda9319a56b0f73ef2dab Mon Sep 17 00:00:00 2001 
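Review bot: After this move `$php.ini` and `$web_dirs` are referenced in `requirements:` several lines before the `variables:` block that defines them, which is only safe if the SCA loader resolves variables by section name after reading the whole document rather than in file order; that should be confirmed against the agent, and a one-line comment such as `# Referenced by the requirements block above; resolved after the whole policy is parsed` above `variables:` would stop the next reader from "fixing" the order back. Separately, the `$php.ini` candidates (`/etc/php.ini`, `/var/www/conf/php.ini`, `/etc/php5/apache2/php.ini`) cover only PHP 5 layouts, so on a host whose ini lives under `/etc/php/7.x/` the requirement presumably falls through to `d:$web_dirs` and every `f:$php.ini` check is skipped without producing a finding; consider adding the current Debian/RHEL paths or documenting the limitation in the policy description.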
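Review bot: The relocated `variables:` block in sca_unix_audit.yml runs straight into `checks:` with no separating blank line (the diffstat's 3 insertions against 4 deletions shows the blank line was dropped), whereas the same move in web_vulnerabilities.yml keeps the blank line; add one after the `$pam_d_files:` line so the two files follow the same layout. As in the other file, `$sshd_file` is now declared after the requirements that may use it, so the loader's order-independence should be confirmed once and noted in a comment.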
From: Chema Martinez Date: Wed, 31 Jul 2019 04:13:31 -0700 Subject: [PATCH 209/247] Fix typo in policies header --- sca/applications/cis_apache_24.yml | 2 +- sca/applications/cis_mysql5-6_community.yml | 2 +- sca/applications/cis_mysql5-6_enterprise.yml | 2 +- sca/applications/web_vulnerabilities.yml | 2 +- sca/darwin/15/cis_apple_macOS_10.11.yml | 2 +- sca/darwin/16/cis_apple_macOS_10.12.yml | 2 +- sca/darwin/17/cis_apple_macOS_10.13.yml | 2 +- sca/debian/cis_debian7_L1.yml | 2 +- sca/debian/cis_debian7_L2.yml | 2 +- sca/debian/cis_debian8_L1.yml | 2 +- sca/debian/cis_debian8_L2.yml | 2 +- sca/debian/cis_debian9_L1.yml | 2 +- sca/debian/cis_debian9_L2.yml | 2 +- sca/generic/sca_unix_audit.yml | 2 +- sca/rhel/5/cis_rhel5_linux.yml | 2 +- sca/rhel/6/cis_rhel6_linux.yml | 2 +- sca/rhel/7/cis_rhel7_linux.yml | 2 +- sca/sles/11/cis_sles11_linux.yml | 2 +- sca/sles/12/cis_sles12_linux.yml | 2 +- sca/sunos/cis_solaris11.yml | 2 +- sca/windows/acsc_office2016.yml | 2 +- sca/windows/cis_win10_enterprise_L1.yml | 2 +- sca/windows/cis_win10_enterprise_L2.yml | 3 +-- sca/windows/cis_win2012r2_domainL1.yml | 2 +- sca/windows/cis_win2012r2_domainL2.yml | 3 +-- sca/windows/cis_win2012r2_memberL1.yml | 2 +- sca/windows/cis_win2012r2_memberL2.yml | 2 +- sca/windows/sca_win_audit.yml | 2 +- 28 files changed, 28 insertions(+), 30 deletions(-) diff --git a/sca/applications/cis_apache_24.yml b/sca/applications/cis_apache_24.yml index 17907be3d..c6b583e25 100644 --- a/sca/applications/cis_apache_24.yml +++ b/sca/applications/cis_apache_24.yml @@ -2,7 +2,7 @@ # CIS Checks for Apache # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation 
diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml index 9664b9b9e..b88f32bc1 100644 --- a/sca/applications/cis_mysql5-6_community.yml +++ b/sca/applications/cis_mysql5-6_community.yml @@ -2,7 +2,7 @@ # CIS Checks for Oracle MySQL Community Edition 5.6 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml index 99b1641fe..df3fdcd6a 100644 --- a/sca/applications/cis_mysql5-6_enterprise.yml +++ b/sca/applications/cis_mysql5-6_enterprise.yml @@ -2,7 +2,7 @@ # CIS Checks for Oracle MySQL Entreprise Edition 5.6 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml index 621c1f2ef..6433c87a4 100644 --- a/sca/applications/web_vulnerabilities.yml +++ b/sca/applications/web_vulnerabilities.yml @@ -2,7 +2,7 @@ # Checks for web-related vulnerabilities on Linux systems # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml index 5d57c1027..01dae7c3c 100644 --- a/sca/darwin/15/cis_apple_macOS_10.11.yml 
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml @@ -2,7 +2,7 @@ # CIS Checks for MacOS 10.11 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml index d940588f4..6a364e39f 100644 --- a/sca/darwin/16/cis_apple_macOS_10.12.yml +++ b/sca/darwin/16/cis_apple_macOS_10.12.yml @@ -2,7 +2,7 @@ # CIS Checks for MacOS 10.12 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml index a0f128b26..839ebb450 100644 --- a/sca/darwin/17/cis_apple_macOS_10.13.yml +++ b/sca/darwin/17/cis_apple_macOS_10.13.yml @@ -2,7 +2,7 @@ # CIS Checks for MacOS 10.13 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml index c48f86c90..2af3b9c2c 100644 --- a/sca/debian/cis_debian7_L1.yml +++ b/sca/debian/cis_debian7_L1.yml 
@@ -2,7 +2,7 @@ # Level 1 CIS Checks for Debian Linux 7 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/debian/cis_debian7_L2.yml b/sca/debian/cis_debian7_L2.yml index f978a5952..eb70abcc1 100644 --- a/sca/debian/cis_debian7_L2.yml +++ b/sca/debian/cis_debian7_L2.yml @@ -2,7 +2,7 @@ # Level 2 CIS Checks for Debian Linux 7 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/debian/cis_debian8_L1.yml b/sca/debian/cis_debian8_L1.yml index 0e353019d..575991659 100644 --- a/sca/debian/cis_debian8_L1.yml +++ b/sca/debian/cis_debian8_L1.yml @@ -2,7 +2,7 @@ # Level 1 CIS Checks for Debian Linux 8 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/debian/cis_debian8_L2.yml b/sca/debian/cis_debian8_L2.yml index ac447a0d5..50dfd78dd 100644 --- a/sca/debian/cis_debian8_L2.yml +++ b/sca/debian/cis_debian8_L2.yml @@ -2,7 +2,7 @@ # Level 2 CIS Checks for Debian Linux 8 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation 
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml index 5a1f40462..4229865a1 100644 --- a/sca/debian/cis_debian9_L1.yml +++ b/sca/debian/cis_debian9_L1.yml @@ -2,7 +2,7 @@ # Level 1 CIS Checks for Debian Linux 9 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/debian/cis_debian9_L2.yml b/sca/debian/cis_debian9_L2.yml index de7cb8d2d..09157c062 100644 --- a/sca/debian/cis_debian9_L2.yml +++ b/sca/debian/cis_debian9_L2.yml @@ -2,7 +2,7 @@ # Level 2 CIS Checks for Debian Linux 9 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml index 4aa196a41..086b4b9ff 100644 --- a/sca/generic/sca_unix_audit.yml +++ b/sca/generic/sca_unix_audit.yml @@ -2,7 +2,7 @@ # Audit for UNIX systems # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml index ae09e4e9b..04c308df0 100644 --- a/sca/rhel/5/cis_rhel5_linux.yml +++ b/sca/rhel/5/cis_rhel5_linux.yml 
@@ -2,7 +2,7 @@ # CIS Checks for RHEL 5 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index deace3514..fbcaa3a1e 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -2,7 +2,7 @@ # CIS Checks for RHEL 6 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml index a8f53f479..ce87d398c 100644 --- a/sca/rhel/7/cis_rhel7_linux.yml +++ b/sca/rhel/7/cis_rhel7_linux.yml @@ -2,7 +2,7 @@ # CIS Checks for RHEL 7 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml index dae52f841..305967fc3 100644 --- a/sca/sles/11/cis_sles11_linux.yml +++ b/sca/sles/11/cis_sles11_linux.yml @@ -2,7 +2,7 @@ # CIS Checks for SUSE SLES 11 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation 
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml index b90e7f5a0..d392a8b95 100644 --- a/sca/sles/12/cis_sles12_linux.yml +++ b/sca/sles/12/cis_sles12_linux.yml @@ -2,7 +2,7 @@ # CIS Checks for SUSE SLES 12 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index 575d7209e..91514f9f6 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml @@ -2,7 +2,7 @@ # CIS Checks for Oracle Solaris 11 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml index d6a22b835..0a97585b7 100644 --- a/sca/windows/acsc_office2016.yml +++ b/sca/windows/acsc_office2016.yml @@ -2,7 +2,7 @@ # Checks for Microsoft Office 2016 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index c20df82b7..a8f08f376 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml 
@@ -2,7 +2,7 @@ # CIS Checks for Windows 10 Enterprise L1 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml index 6e1d05d96..5a20bffc2 100644 --- a/sca/windows/cis_win10_enterprise_L2.yml +++ b/sca/windows/cis_win10_enterprise_L2.yml @@ -2,7 +2,7 @@ # CIS Checks for Windows 10 Enterprise L2 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation @@ -1258,4 +1258,3 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' - diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml index f2c8e8f97..bd7f2d24e 100644 --- a/sca/windows/cis_win2012r2_domainL1.yml +++ b/sca/windows/cis_win2012r2_domainL1.yml @@ -2,7 +2,7 @@ # CIS Checks for Windows 2012 R2 Domain Controller L1 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml index f63088482..5c8f701d0 100644 
--- a/sca/windows/cis_win2012r2_domainL2.yml +++ b/sca/windows/cis_win2012r2_domainL2.yml @@ -2,7 +2,7 @@ # CIS Checks for Windows Server 2012 R2 Domain Controller L2 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation @@ -602,4 +602,3 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' - diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index ff4a55af9..e23a84f4f 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml @@ -2,7 +2,7 @@ # CIS Checks for Windows 2012 R2 Member Server L1 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml index c5e3ce692..b3b98f97b 100644 --- a/sca/windows/cis_win2012r2_memberL2.yml +++ b/sca/windows/cis_win2012r2_memberL2.yml @@ -2,7 +2,7 @@ # CIS Checks for Windows 2012 R2 Member Server L2 # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation 
diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml index 834d48ab1..f8df6bd22 100644 --- a/sca/windows/sca_win_audit.yml +++ b/sca/windows/sca_win_audit.yml @@ -2,7 +2,7 @@ # Checks for Windows audit # Copyright (C) 2015-2019, Wazuh Inc. # -# This program is a free software; you can redistribute it +# This program is free software; you can redistribute it # and/or modify it under the terms of the GNU General Public # License (version 2) as published by the FSF - Free Software # Foundation From 0b4ded580a17243b456858bb9567647b01acbfee Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 31 Jul 2019 06:48:39 -0700 Subject: [PATCH 210/247] Final review SCA policies for Unix --- sca/generic/sca_unix_audit.yml | 48 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml index 086b4b9ff..f0966794a 100644 --- a/sca/generic/sca_unix_audit.yml +++ b/sca/generic/sca_unix_audit.yml @@ -16,7 +16,7 @@ policy: - https://www.ssh.com/ssh/ requirements: - title: "Check that the SSH service is installed on the system and password-related files are present on the system" + title: "Check that the SSH service and password-related files are present on the system" description: "Requirements for running the SCA scan against the Unix based systems policy." condition: any rules: @@ -30,7 +30,7 @@ variables: checks: - id: 4000 - title: "SSH Hardening - 1: Port should not be 22" + title: "SSH Hardening: Port should not be 22" description: "The ssh daemon should not be listening on port 22 (the default value) for incoming connections." rationale: "Changing the default port you may reduce the number of successful attacks from zombie bots, an attacker or bot doing port-scanning can quickly identify your SSH port." remediation: "Change the Port option value in the sshd_config file." 
@@ -42,7 +42,7 @@ checks: - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22\s\t*$' - id: 4001 - title: "SSH Hardening - 2: Protocol should be set to 2" + title: "SSH Hardening: Protocol should be set to 2" description: "The SSH protocol should not be 1." rationale: "The Protocol parameter dictates which version of the SSH communication and encryption protocols are in use. Version 1 of the SSH protocol has weaknesses." remediation: "Change the Protocol option value in the sshd_config file." @@ -54,7 +54,7 @@ checks: - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*\t*$' - id: 4002 - title: "SSH Hardening - 3: Root account should not be able to log in" + title: "SSH Hardening: Root account should not be able to log in" description: "The option PermitRootLogin should be set to no." rationale: "The option PermitRootLogin specifies whether root can log in using ssh. If you want log in as root, you should use the option \"Match\" and restrict it to a few IP addresses." remediation: "Change the PermitRootLogin option value in the sshd_config file." @@ -63,7 +63,7 @@ checks: - 'f:$sshd_file -> r:^\s*PermitRootLogin\s*\t*no' - id: 4003 - title: "SSH Hardening - 4: No Public Key authentication" + title: "SSH Hardening: No Public Key authentication" description: "The option PubkeyAuthentication should be set yes." rationale: "Access only by public key. Generally people will use weak passwords and have poor password practices. Keys are considered stronger than password." remediation: "Change the PubkeyAuthentication option value in the sshd_config file." 
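Review bot: The Port rule carried as context at the top of this hunk, `!r:^# && r:Port && !r:\s*\t*22\s\t*$`, still does not detect the default port: the negated pattern demands a whitespace character after `22` (`\s` then `\t*`) before end of line, so a plain `Port 22` line with no trailing blank fails to match it, the negation holds, and the check passes. `r:Port` is also unanchored, so any uncommented line such as `GatewayPorts no` satisfies all three terms on its own regardless of the listening port. Anchoring both terms to the directive and making the trailing whitespace optional fixes both: `- 'f:$sshd_file -> !r:^# && r:^\s*\t*Port\s*\t*\d && !r:^\s*\t*Port\s*\t*22\s*\t*$'`. The check's `condition:` line is outside this hunk, so the fail-when-absent behaviour (no Port line means port 22) should be re-verified with it.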
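Review bot: The renamed title for check 4003, `SSH Hardening: No Public Key authentication`, still reads as the finding rather than the desired state, while every sibling title in this commit (`Port should not be 22`, `Root account should not be able to log in`, `Password Authentication should be disabled`) states what the configuration should be; a report listing this title next to a "passed" result is misleading. Suggest `title: "SSH Hardening: Public Key authentication should be enabled"` and, in the description on the next line, `The option PubkeyAuthentication should be set to yes.`.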
@@ -75,7 +75,7 @@ checks: - 'f:$sshd_file -> r:^\s*PubkeyAuthentication\s*\t*yes' - id: 4004 - title: "SSH Hardening - 5: Password Authentication should be disabled" + title: "SSH Hardening: Password Authentication should be disabled" description: "The option PasswordAuthentication should be set to no." rationale: "The option PasswordAuthentication specifies whether we should use password-based authentication. Use public key authentication instead of passwords." remediation: "Change the PasswordAuthentication option value in the sshd_config file." @@ -87,7 +87,7 @@ checks: - 'f:$sshd_file -> r:^\s*PasswordAuthentication\s*\t*no' - id: 4005 - title: "SSH Hardening - 6: Empty passwords should not be allowed" + title: "SSH Hardening: Empty passwords should not be allowed" description: "The option PermitEmptyPasswords should be set to no." rationale: "The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. Accounts with null passwords are a bad practice." remediation: "Change the PermitEmptyPasswords option value in the sshd_config file." @@ -99,7 +99,7 @@ checks: - 'f:$sshd_file -> r:^\s*PermitEmptyPasswords\s*\t*no' - id: 4006 - title: "SSH Hardening - 7: Rhost or shost should not be used for authentication" + title: "SSH Hardening: Rhost or shost should not be used for authentication" description: "The option IgnoreRhosts should be set to yes." rationale: "The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication." remediation: "Change the IgnoreRhosts option value in the sshd_config file." 
@@ -111,7 +111,7 @@ checks: - 'f:$sshd_file -> r:^\s*\t*IgnoreRhosts\s*\t*yes' - id: 4007 - title: "SSH Hardening - 8: Grace Time should be one minute or less." + title: "SSH Hardening: Grace Time should be one minute or less." description: "The option LoginGraceTime should be set to 60 or less." rationale: "The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. 30 seconds is the recommended time for avoiding open connections without authenticate." remediation: "Change the LoginGraceTime option value in the sshd_config file." @@ -123,7 +123,7 @@ checks: - 'f:$sshd_file -> n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60' - id: 4008 - title: "SSH Hardening - 9: Wrong Maximum number of authentication attempts" + title: "SSH Hardening: Wrong Maximum number of authentication attempts" description: "The option MaxAuthTries should be set to 4 or less." rationale: "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. This should be set to 4." remediation: "Change the MaxAuthTries option value in the sshd_config file." 
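Review bot: The LoginGraceTime rule carried as context at the top of the second hunk, `n:^\s*LoginGraceTime\s*\t*(\d+)s compare <= 60`, requires a literal `s` after the digits, so the bare-seconds form `LoginGraceTime 60` that sshd accepts by default never matches and the check fails on a compliant host, while `LoginGraceTime 2m` is not evaluated at all; assuming the engine takes the `s` literally, make the suffix optional, `n:^\s*\t*LoginGraceTime\s*\t*(\d+)s*\s*\t*$ compare <= 60`, and reject minute values explicitly with a companion term `!r:^\s*\t*LoginGraceTime\s*\t*\d+m` (or state in the description that only second-denominated values are checked). The rationale for 4007 also says "30 seconds is the recommended time" while the description and rule enforce 60 or less; align one with the other. For 4008, `SSH Hardening: Wrong Maximum number of authentication attempts` is finding-style like the other renamed titles; `SSH Hardening: MaxAuthTries should be 4 or less` would match the convention used elsewhere in this commit.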
@@ -135,7 +135,7 @@ checks: - 'f:$sshd_file -> n:^\s*MaxAuthTries\s*\t*(\d+) compare <= 4' - id: 4009 - title: "Ensure SSH HostbasedAuthentication is disabled" + title: "SSH Hardening: Ensure SSH HostbasedAuthentication is disabled" description: "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts , or /etc/hosts.equiv , along with successful public key client host authentication. This option only applies to SSH Protocol Version 2." rationale: "Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf, disabling the ability to use .rhosts files in SSH provides an additional layer of protection." remediation: "Edit the /etc/ssh/sshd_config file to set the parameter as follows: HostbasedAuthentication no" 
@@ -146,25 +146,25 @@ checks: condition: all rules: - 'f:$sshd_file -> r:^\s*\t*HostbasedAuthentication\s*\t*no' + - id: 4010 - title: "Ensure password creation requirements are configured" + title: "Ensure retry option for passwords is less than 3" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy." 
compliance: - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_cracklib.so\.+try_first_pass|^password\s*\t*required\s*\t*pam_pwquality.so\.+try_first_pass' - - 'f:$pam_d_files -> r:^password\s*\t*requisite\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*requisite\s*\t*pam_pwquality.so\.+retry=|^password\s*\t*required\s*\t*pam_cracklib.so\.+retry=|^password\s*\t*required\s*\t*pam_pwquality.so\.+retry= && n:retry=(\d+) compare < 3' + - 'f:$pam_d_files -> r:password && r:requisite|required && r:pam_cracklib.so|pam_pwquality.so && n:retry\s*=\s*(\d+) compare <= 3' - id: 4011 title: "Ensure passwords are longer than 14 characters" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy." compliance: - cis_csc: ["4.4", "5.7", "16.12"] references: 
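Review bot: The new rule for check 4010 drops the `^` anchor the old two rules had, so `r:password` now also matches a commented-out module line such as `# password requisite pam_pwquality.so retry=3`, and a host whose password-quality module is disabled by commenting passes the check; the old `^password\s*\t*requisite|...` form did not have this gap. The new title, "Ensure retry option for passwords is less than 3", also disagrees with the rule's `compare <= 3` (and with the CIS-recommended `retry=3`), so a value of exactly 3 is reported under a title that says it should be lower. Suggest `title: "Ensure retry option for passwords is 3 or less"` and `- 'f:$pam_d_files -> r:^\s*\t*password\s*\t*requisite|^\s*\t*password\s*\t*required && r:pam_cracklib.so|pam_pwquality.so && n:retry\s*=\s*(\d+) compare <= 3'`, assuming the engine applies `^` to each `|` alternative as the previous rule relied on.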
@@ -177,53 +177,53 @@ checks: title: "Ensure passwords contain at least one digit" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy." compliance: - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit\s*\t*=' - id: 4013 title: "Ensure passwords contain at least one lowercase character" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." 
- remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy." compliance: - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:lcredit\s*\t*=' - id: 4014 title: "Ensure passwords contain at least one uppercase character" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy." 
compliance: - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ucredit\s*\t*=' - id: 4015 title: "Ensure passwords contain at least one special character" description: "The pam_pwquality.so module and pam_cracklib.so module (depending on the Linux distribution used) checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more." rationale: "Strong passwords protect systems from being hacked through brute force methods." - remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy" + remediation: "Edit the /etc/pam.d/common-password and /etc/security/pwquality.conf files, or the /etc/pam.d/password-auth and /etc/pam.d/system-auth files, to include the appropriate options for pam_pwquality.so or pam_cracklib.so and to conform to site policy." compliance: - cis_csc: ["4.4", "5.7", "16.12"] references: - https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ condition: all rules: - - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit=-1' + - 'f:$pam_d_files -> r:pam_cracklib.so && r:ocredit\s*\t*=' - id: 4016 title: "Ensure lockout for failed password attempts is configured" From d6e7eee671a886bcc13a51255f35bb3e68e62afd Mon Sep 17 00:00:00 2001 
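Review bot: The `dcredit`/`lcredit`/`ucredit`/`ocredit` rules in 4012–4015 now pass as soon as the option is present: `r:dcredit\s*\t*=` also matches `dcredit=1` or `dcredit=0`, where a zero or positive value does not require any digit, so the titles ("contain at least one …") are no longer what is verified. Requiring a negative value restores the intent, e.g. `- 'f:$pam_d_files -> r:pam_cracklib.so && r:dcredit\s*\t*=\s*\t*-\d'` and the same shape for the other three. These rules also still only look at `pam_cracklib.so`, while the description and remediation name `pam_pwquality.so` and `/etc/security/pwquality.conf`, so pwquality-based hosts fail regardless of their settings; a second rule per check for `pam_pwquality.so` or for the pwquality.conf keys would cover them.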
From: Chema Martinez Date: Wed, 31 Jul 2019 09:25:01 -0700 Subject: [PATCH 211/247] Final review of RHEL policies --- sca/rhel/5/cis_rhel5_linux.yml | 24 ++++++++++++------------ sca/rhel/6/cis_rhel6_linux.yml | 26 +++++++++++++++----------- sca/rhel/7/cis_rhel7_linux.yml | 16 ++++++++-------- 3 files changed, 35 insertions(+), 31 deletions(-) diff --git a/sca/rhel/5/cis_rhel5_linux.yml b/sca/rhel/5/cis_rhel5_linux.yml index 04c308df0..80e94beb6 100644 --- a/sca/rhel/5/cis_rhel5_linux.yml +++ b/sca/rhel/5/cis_rhel5_linux.yml @@ -472,7 +472,7 @@ checks: - CCE-4330-7 condition: none rules: - - 'c:rpm -qa telnet-server -> r:\.' + - 'c:rpm -qa telnet-server -> r:telnet-server' # Remove rsh-server (Scored) - id: 4527 @@ -488,7 +488,7 @@ checks: - CCE-4308-3 condition: none rules: - - 'c:rpm -qa rsh-server -> r:\.' + - 'c:rpm -qa rsh-server -> r:rsh-server' - id: 4528 title: "Remove NIS Client" @@ -504,7 +504,7 @@ checks: - CCE-4348-9 (uninstall) condition: none rules: - - 'c:rpm -qa ypbind -> r:\.' + - 'c:rpm -qa ypbind -> r:ypbind' # 2.1.6 Remove NIS Server (Scored) - id: 4529 @@ -521,7 +521,7 @@ checks: - CCE-4348-9 (uninstall) condition: none rules: - - 'c:rpm -qa ypserv -> r:\.' + - 'c:rpm -qa ypserv -> r:ypserv' # 2.1.7 Remove tftp (Scored) - id: 4530 @@ -538,7 +538,7 @@ checks: - CCE-3916-4 (uninstall) condition: none rules: - - 'c:rpm -qa tftpd -> r:\.' + - 'c:rpm -qa tftpd -> r:tftpd' # 2.1.9 Remove talk (Scored) - id: 4531 @@ -552,7 +552,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa talk-server -> r:\.' + - 'c:rpm -qa talk-server -> r:talk-server' ############################################### # 3 Special Purpose Services @@ -624,7 +624,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa vsftpd -> r:\.' + - 'c:rpm -qa vsftpd -> r:vsftpd' # 3.11 Remove HTTP Server (Not Scored) - id: 4537 
@@ -638,7 +638,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa httpd -> r:\.' + - 'c:rpm -qa httpd -> r:httpd' # 3.12 Remove Dovecot (IMAP and POP3 services) (Not Scored) - id: 4538 @@ -652,7 +652,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa dovecot -> r:\.' + - 'c:rpm -qa dovecot -> r:dovecot' # 3.13 Remove Samba (Not Scored) - id: 4539 @@ -666,7 +666,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa samba -> r:\.' + - 'c:rpm -qa samba -> r:samba' # 3.14 Remove HTTP Proxy Server (Not Scored) - id: 4540 @@ -680,7 +680,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa squid -> r:\.' + - 'c:rpm -qa squid -> r:squid' # 3.15 Remove SNMP Server (Not Scored) - id: 4541 @@ -694,7 +694,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa net-snmp -> r:\.' + - 'c:rpm -qa net-snmp -> r:net-snmp' ############################################### # 4 Network Configuration and Firewalls diff --git a/sca/rhel/6/cis_rhel6_linux.yml b/sca/rhel/6/cis_rhel6_linux.yml index fbcaa3a1e..c7d16d41d 100644 --- a/sca/rhel/6/cis_rhel6_linux.yml +++ b/sca/rhel/6/cis_rhel6_linux.yml @@ -234,7 +234,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'f:/etc/grub.conf -> r:selinux=0|enforcing=0' + - 'f:/etc/grub.conf,/boot/grub/grub.conf -> r:selinux=0|enforcing=0' # 1.6.1.2 Set selinux state - id: 5014 @@ -249,7 +249,10 @@ checks: - nist_800_53: ["CM.1"] condition: all rules: - - 'f:/etc/selinux/config -> r:^SELINUX=enforcing$' + - 'c:sestatus -> r:^SELinux status:\s+enabled$' + - 'c:sestatus -> r:^Current mode:\s+enforcing$' + - 'c:sestatus -> r:^Mode from config file:\s+enforcing$' + - 'f:/etc/selinux/config -> r:^\s*SELINUX\s*=\s*enforcing' # 1.6.1.3 Set selinux policy - id: 5015 
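Review bot: In the RHEL 6 grub check (the one before `- id: 5014`) the rule `f:/etc/grub.conf,/boot/grub/grub.conf -> r:selinux=0|enforcing=0` does not exclude comment lines, so a commented-out `#kernel ... selinux=0` entry left over from testing trips `condition: none` and fails an otherwise compliant host; `!r:^\s*# && r:selinux=0|enforcing=0` would mirror the comment guard the grub password rule in this same file uses. On RHEL 6 `/etc/grub.conf` is normally a symlink to `/boot/grub/grub.conf`, so listing both paths scans the same file twice; if the second path is there to cover a missing symlink, a one-line comment saying so would help the next reader. The enclosing check starts before the hunk.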
@@ -263,7 +266,8 @@ checks: - nist_800_53: ["CM.1"] condition: all rules: - - 'f:/etc/selinux/config -> r:^SELINUXTYPE=targeted$' + - 'c:sestatus -> r:^Loaded policy name:\s+targeted$' + - 'f:/etc/selinux/config -> r:^\s*SELINUXTYPE\s*=\s*targeted|^\s*SELINUXTYPE\s*=\s*mls' # 1.6.1.4 Remove SETroubleshoot - id: 5016 @@ -277,7 +281,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa setroubleshoot -> r:\.' + - 'c:rpm -qa setroubleshoot -> r:setroubleshoot' # 1.6.1.5 Disable MCS Translation service mcstrans - id: 5017 @@ -291,7 +295,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa mcstrans -> r:\.' + - 'c:rpm -qa mcstrans -> r:mcstrans' ############################################### # 1.4 Secure Boot Settings @@ -309,7 +313,7 @@ checks: - nist_800_53: ["CM.1"] condition: all rules: - - 'f:/boot/grub/grub.cfg -> !r:^# && r:password --md5' + - 'f:/boot/grub/grub.cfg,/boot/grub/grub.conf -> !r:^# && r:password --md5' # 1.4.3 Require Authentication for Single-User Mode (Scored) - id: 5019 @@ -324,7 +328,7 @@ checks: - nist_800_53: ["CM.1"] condition: all rules: - - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE=/sbin/sulogin' + - 'f:/etc/sysconfig/init -> !r:^# && r:SINGLE\s*=\s*/sbin/sulogin' # 1.4.4 Disable Interactive Boot (Scored) - id: 5020 @@ -339,7 +343,7 @@ checks: - nist_800_53: ["CM.1"] condition: all rules: - - 'f:/etc/sysconfig/init -> r:^PROMPT=no$' + - 'f:/etc/sysconfig/init -> r:^PROMPT\s*=\s*no$' ############################################### # 1.5 Additional Process Hardening @@ -407,7 +411,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:chkconfig --list -> r:rsh|rlogin|rsh && r::on' + - 'c:chkconfig --list -> r:rsh|rlogin|rexec && r::on' # 2.3.1 Remove NIS Client (Scored) @@ -423,7 +427,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa ypbind -> r:\.' + - 'c:rpm -qa ypbind -> r:ypbind' # 2.2.16 Remove NIS Server (Scored) - id: 5026 
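Review bot: In 5015 the config regex now accepts `SELINUXTYPE=mls`, but the new `c:sestatus -> r:^Loaded policy name:\s+targeted$` rule under `condition: all` still requires the targeted policy, so an MLS host fails anyway and the `|^\s*SELINUXTYPE\s*=\s*mls` branch is dead. Either drop that branch or widen the sestatus rule to `r:^Loaded policy name:\s+targeted$|^Loaded policy name:\s+mls$` so the two rules agree on what counts as compliant.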
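Review bot: The boot-loader password rule (the check preceding `- id: 5019`) only accepts `password --md5`, so a grub-legacy entry of the form `password --encrypted <hash>` — the SHA-512 form that RHEL 6's grub-crypt produces, if I recall correctly — fails the check and nudges admins toward MD5. I'd accept both forms: `- 'f:/boot/grub/grub.cfg,/boot/grub/grub.conf -> !r:^\s*# && r:password --md5|password --encrypted'`. The existing `!r:^#` guard also misses indented comments; `!r:^\s*\t*#` is the pattern the sshd rules in the SLES policy use.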
@@ -487,7 +491,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa xorg-x11* -> r:\.' + - 'c:rpm -qa xorg-x11* -> r:^xorg-x11' # 2.2.3 Disable Avahi Server (Scored) - id: 5030 diff --git a/sca/rhel/7/cis_rhel7_linux.yml b/sca/rhel/7/cis_rhel7_linux.yml index ce87d398c..b827d43d3 100644 --- a/sca/rhel/7/cis_rhel7_linux.yml +++ b/sca/rhel/7/cis_rhel7_linux.yml @@ -265,9 +265,9 @@ checks: - cis: ["1.6.1.4"] - pci_dss: ["2.2.4"] - nist_800_53: ["CM.1"] - condition: all + condition: none rules: - - 'c:rpm -q setroubleshoot -> r:^package setroubleshoot is not installed$' + - 'c:rpm -qa setroubleshoot -> r:setroubleshoot' # 1.6.1.5 Disable MCS Translation service mcstrans - id: 5516 @@ -279,9 +279,9 @@ checks: - cis: ["1.6.1.5"] - pci_dss: ["2.2.4"] - nist_800_53: ["CM.1"] - condition: all + condition: none rules: - - 'c:rpm -q mcstrans -> r:^package mcstrans is not installed$' + - 'c:rpm -qa mcstrans -> r:mcstrans' ############################################### # 1.4 Secure Boot Settings @@ -299,7 +299,7 @@ checks: - nist_800_53: ["CM.1"] condition: all rules: - - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD=\.+' + - 'f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD\s*=\.+' ############################################### # 1.5 Additional Process Hardening @@ -442,9 +442,9 @@ checks: - cis_csc: ["2"] - pci_dss: ["2.2.3"] - nist_800_53: ["CM.1"] - condition: all + condition: none rules: - - 'c:rpm -q ypbind -> r:^package ypbind is not installed$' + - 'c:rpm -qa ypbind -> r:ypbind' # 2.1.7 Remove xinetd (Scored) - id: 5527 @@ -552,7 +552,7 @@ checks: - nist_800_53: ["CM.1"] condition: none rules: - - 'c:rpm -qa xorg-x11* -> r:^xorg-x11\.+' + - 'c:rpm -qa xorg-x11* -> r:^xorg-x11' # 2.2.3 Disable Avahi Server (Scored) - id: 5534 From b736218b7122ac3a1edf7b6fb8213b3095d6f27f Mon Sep 17 00:00:00 2001 
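Review bot: Switching the RHEL 7 setroubleshoot, mcstrans and ypbind checks from `condition: all` with `rpm -q X -> r:^package X is not installed$` to `condition: none` with `rpm -qa X -> r:X` turns a fail-closed check into a fail-open one: if `rpm` is not on the agent's PATH, the RPM database is locked, or the command otherwise prints nothing, no rule matches and the check passes. That is the shape the RHEL 5/6 policies already use, so it is at least consistent, but it deserves a comment on these checks (`# condition: none — empty rpm -qa output is treated as 'not installed'`) or a requirements-level rule that `rpm -qa` produces output at all. The `- id:` lines for these checks are outside the hunks, so the numbers are inferred from the neighbouring `- id: 5516` / `- id: 5527` markers.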
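Review bot: The RHEL 7 boot-loader rule `f:/boot/grub2/grub.cfg -> r:^GRUB2_PASSWORD\s*=\.+` appears to look in the wrong file: on RHEL 7 `grub2-setpassword` writes the `GRUB2_PASSWORD=grub.pbkdf2.sha512...` line to `/boot/grub2/user.cfg`, while `grub.cfg` itself carries `set superusers=` / `password_pbkdf2` lines — please verify on a host, but as written I'd expect this check to fail even where a password is set. A rule pair such as `- 'f:/boot/grub2/user.cfg -> r:^GRUB2_PASSWORD\s*=\.+'` and `- 'f:/boot/grub2/grub.cfg -> r:^\s*password_pbkdf2'` under `condition: any` would cover both ways of setting it.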
From: Chema Martinez
Date: Wed, 31 Jul 2019 09:25:13 -0700
Subject: [PATCH 212/247] Final review of SLES policies
---
 sca/sles/11/cis_sles11_linux.yml | 6 +++---
 sca/sles/12/cis_sles12_linux.yml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml
index 305967fc3..7258a4ce8 100644
--- a/sca/sles/11/cis_sles11_linux.yml
+++ b/sca/sles/11/cis_sles11_linux.yml
@@ -418,7 +418,7 @@ checks:
 - nist_800_53: ["CM.1"]
 condition: none
 rules:
- - 'c:rpm -qa xorg-x11* -> r:\.'
+ - 'c:rpm -qa xorg-x11* -> r:^xorg-x11'
 # 2.2.3 Disable Avahi Server (Scored)
 - id: 6027
@@ -515,7 +515,7 @@ checks:
 - nist_800_53: ["CM.1"]
 condition: none
 rules:
- - 'c:chkconfig --list cyrus -> r:cyrus && r::on'
+ - 'c:chkconfig --list -> r:cyrus && r::on'
 # 2.2.12 Remove Samba (Not Scored)
 - id: 6034
@@ -587,7 +587,7 @@ checks:
 - nist_800_53: ["CM.1"]
 condition: none
 rules:
- - 'c:rpm -qa ypbind -> r:\.'
+ - 'c:rpm -qa ypbind -> r:ypbind'
 ###############################################
 # 3 Network Configuration and Firewalls
diff --git a/sca/sles/12/cis_sles12_linux.yml b/sca/sles/12/cis_sles12_linux.yml
index d392a8b95..586b8bcdb 100644
--- a/sca/sles/12/cis_sles12_linux.yml
+++ b/sca/sles/12/cis_sles12_linux.yml
@@ -412,7 +412,7 @@ checks:
 - nist_800_53: ["CM.1"]
 condition: none
 rules:
- - 'c:rpm -qa xorg-x11* -> r:\.'
+ - 'c:rpm -qa xorg-x11* -> r:^xorg-x11'
 # 2.2.3 Disable Avahi Server (Scored)
 - id: 6527
@@ -582,7 +582,7 @@ checks:
 - nist_800_53: ["CM.1"]
 condition: none
 rules:
- - 'c:rpm -qa ypbind -> r:\.'
+ - 'c:rpm -qa ypbind -> r:ypbind'
 ###############################################
 # 3 Network Configuration and Firewalls
@@ -877,7 +877,7 @@ checks:
 - pci_dss: ["4.1"]
 - hipaa: ["164.312.a.2.IV", "164.312.e.1", "164.312.e.2.I", "164.312.e.2.II"]
 - nist_800_53: ["SC.8"]
- condition: none
+ condition: all
 rules:
 - 'f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*no'
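Review bot: The corrected `condition: all` for the SLES 12 `PermitEmptyPasswords` check passes whenever one uncommented `PermitEmptyPasswords no` line exists, which still misses two ways the setting can be overridden: per sshd_config(5) the first occurrence of a keyword wins, so an earlier `PermitEmptyPasswords yes` takes precedence, and a `Match` block can re-enable it for a user or address range. If the SCA engine in use supports negated rules, add `- 'not f:$sshd_file -> !r:^\s*\t*# && r:PermitEmptyPasswords\s*\t*yes'`; otherwise a companion check with `condition: none` on the `yes` form closes the gap. The fix itself (the old `condition: none` failed every compliant host) is correct.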
From 3d2707e37fd5cf11bc17b0d57c4cf8fec591bf99 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Wed, 31 Jul 2019 09:25:29 -0700
Subject: [PATCH 213/247] Update Solaris 11 policy
---
 sca/sunos/cis_solaris11.yml | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 91514f9f6..8f9034d20 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -48,7 +48,7 @@ checks:
 - cis: ["2.2"]
 condition: none
 rules:
- - 'c:netstat -an -> r:.25\s*\t* && !r:127.0.0.1.25|::1'
+ - 'c:netstat -an -> r:.25\s*\t*|:25\s*\t* && !r:127.0.0.1|::1'
 - id: 7002
 title: "Disable RPC Encryption Key"
@@ -407,8 +407,8 @@ checks:
 - cis: ["6.8"]
 condition: all
 rules:
- - 'f:/etc/pam.conf -> r:^rlogin\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
- - 'f:/etc/pam.conf -> r:^rsh\s*\t*auth sufficient\s*\t*pam_rhosts_auth.so.1'
+ - 'f:/etc/pam.conf -> r:^\s*\t*rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
+ - 'f:/etc/pam.conf -> r:^rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
 - id: 7029
 title: "Restrict FTP Use"
@@ -449,7 +449,7 @@ checks:
 - cis: ["6.10"]
 condition: all
 rules:
- - 'f:/etc/default/login -> n:^SLEEPTIME\p(\d+) compare >= 4'
+ - 'f:/etc/default/login -> n:^SLEEPTIME\s*\t*=\s*\t*(\d+) compare >= 4'
 - id: 7031
 title: "Remove Autologin Capabilities from the GNOME desktop"
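Review bot: The SMTP-listener rule `r:.25\s*\t*|:25\s*\t*` allows zero trailing whitespace, so any `.25` or `:25` substring qualifies — a local address such as `10.0.0.25.22` or a port like `*.2525` or `*.8025` is reported as an SMTP listener under `condition: none`. Requiring a delimiter after the port, e.g. `r:.25\s|.25\t|.25$|:25\s|:25\t|:25$`, limits the match to port 25 (os_regex has no word boundary, hence the spelled-out alternatives). The loopback exclusion `!r:127.0.0.1|::1` now also discards any line that merely mentions `127.0.0.1` in the remote-address column, a wider exemption than the old `127.0.0.1.25`.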
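Review bot: If the `cis: ["6.8"]` check is CIS Solaris 11 6.8 (disable .rhosts support in /etc/pam.conf), the logic reads inverted: with `condition: all` and positive matches on `rlogin ... pam_rhosts_auth.so.1` / `rsh ... pam_rhosts_auth.so.1`, the check passes only when those lines are present, i.e. when rhosts authentication is still enabled, and `condition: none` is what this policy uses elsewhere for "must not be present" rules. The title is outside the hunk, so please confirm the intent. Separately, the two rewritten rules anchor differently (`^\s*\t*rlogin` vs `^rsh`), and `r:auth` is already satisfied by the `pam_rhosts_auth` module name, so it adds no constraint.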
@@ -460,9 +460,9 @@ checks:
 - cis: ["6.11"]
 condition: all
 rules:
- - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin\s*\t*auth\s*\t*required\s*\t*pam_unix_cred.so.1'
- - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin\s*\t*auth\s*\t*sufficient\s*\t*pam_allow.so.1'
- - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin\s*\t*account\s*\t*sufficient\s*\t*pam_allow.so.1'
+ - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin && r:auth && r:required && r:pam_unix_cred.so.1'
+ - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin && r:auth && r:sufficient && r:pam_allow.so.1'
+ - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin && r:account && r:sufficient && r:pam_allow.so.1'
 - id: 7032
 title: "Set Default Screen Lock for GNOME Users"
@@ -503,7 +503,7 @@ checks:
 - cis: ["6.14"]
 condition: none
 rules:
- - 'f:/etc/default/login -> !r:^CONSOLE\p/dev/console'
+ - 'f:/etc/default/login -> !r:^CONSOLE\s*\t*=\s*\t*/dev/console'
 - id: 7035
 title: "Set Retry Limit for Account Lockout"
@@ -514,8 +514,8 @@ checks:
 - cis: ["6.15"]
 condition: all
 rules:
- - 'f:/etc/default/login -> n:^RETRIES\p(\d+) compare <=3'
- - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\pyes'
+ - 'f:/etc/default/login -> n:^RETRIES\s*\t*=\s*\t*(\d+) compare <=3'
+ - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\s*\t*=\s*\t*yes'
 - id: 7036
 title: "Secure the GRUB Menu (Intel)"
@@ -539,9 +539,9 @@ checks:
 - cis: ["7.1"]
 condition: all
 rules:
- - 'f:/etc/default/passwd -> n:^maxweeks\(\d+) compare <= 13'
- - 'f:/etc/default/passwd -> r:^minweeks\p1'
- - 'f:/etc/default/passwd -> !r:^warnweeks\p4'
+ - 'f:/etc/default/passwd -> !r:^# && r:maxweeks|MAXWEEKS && n:=\s*\t*(\d+) compare <= 13'
+ - 'f:/etc/default/passwd -> !r:^# && r:minweeks|MINWEEKS && n:=\s*\t*(\d+) compare == 1'
+ - 'f:/etc/default/passwd -> !r:^# && r:warnweeks|WARNWEEKS && n:=\s*\t*(\d+) compare == 4'
 - id: 7038
 title: "Set Strong Password Creation Policies"
From 317a803ac42e1ed074de78eca6aa0e98906857ab Mon Sep 17 00:00:00 2001
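Review bot: The 7031 "Remove Autologin Capabilities from the GNOME desktop" check uses `condition: all` with positive matches on the three uncommented `gdm-autologin` lines, so it passes only when autologin is configured and fails on a host where those lines were removed or commented out — the opposite of the title. Since the remediation for this item is to remove or comment out the `gdm-autologin` entries, `condition: none` with the rules as rewritten would make the check report what the title says. The commit only loosened the regexes, so this is pre-existing, but the rewrite is a good moment to fix it.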
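Review bot: The `CONSOLE` check pairs `condition: none` with a negated rule, `!r:^CONSOLE\s*\t*=\s*\t*/dev/console`; if SCA evaluates the negation per line, that rule is true for every line of `/etc/default/login` that is not the CONSOLE setting, so the check fails on every host. The usual shape for "this setting must be present" is `condition: all` with `- 'f:/etc/default/login -> r:^CONSOLE\s*\t*=\s*\t*/dev/console'`, as the neighbouring RETRIES / LOCK_AFTER_RETRIES rules do. Worth confirming against the engine's negation semantics before merging.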
From: Chema Martinez
Date: Wed, 31 Jul 2019 10:07:55 -0700
Subject: [PATCH 214/247] Review SCA Windows generic policy
---
 sca/windows/acsc_office2016.yml | 4 +-
 sca/windows/sca_win_audit.yml | 83 ++++++++++++++++-----------------
 2 files changed, 43 insertions(+), 44 deletions(-)
diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml
index 0a97585b7..efa5c7c37 100644
--- a/sca/windows/acsc_office2016.yml
+++ b/sca/windows/acsc_office2016.yml
@@ -14,14 +14,14 @@ policy:
 id: "acsc_office2016"
 file: "acsc_office2016.yml"
- name: "System audit for Office 2016 vulnerabilities"
+ name: "Benchmark for Office 2016 vulnerabilities"
 description: "Guidance for establishing a secure configuration for Office 2016 vulnerabilities."
 references:
 - https://www.cisecurity.org/cis-benchmarks/
 - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf
 requirements:
- title: "Check that the installed Office is version 2016"
+ title: "Check that Office 2016 is installed"
 description: "Requirements for running the CIS benchmark against Office 2016"
 condition: any
 rules:
diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml
index f8df6bd22..47dfcb38b 100644
--- a/sca/windows/sca_win_audit.yml
+++ b/sca/windows/sca_win_audit.yml
@@ -26,7 +26,7 @@ checks:
 title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
 compliance:
 - cis_csc: ["16"]
 condition: all
@@ -39,7 +39,7 @@ checks:
 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
 description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
 rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
 compliance:
 - cis_csc: ["6"]
 condition: all
@@ -52,7 +52,7 @@ checks:
 title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'"
 description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators."
 rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
 compliance:
 - cis_csc: ["5.1"]
 condition: all
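Review bot: The rewritten remediation still tells the reader to set "Devices: Allowed to format and eject removable media" to `Administrators and Interactive Users`, while the title and description say the recommended state is `Administrators`; anyone following the remediation ends up with a looser setting than the one the check claims to enforce. I'd change it to `set the following UI path to Administrators:`. The registry rule the check actually evaluates is outside the hunk, so I can't tell which value it accepts.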
@@ -65,7 +65,7 @@ checks:
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
 description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
 compliance:
 - cis_csc: ["5.1"]
 condition: all
@@ -116,7 +116,7 @@ checks:
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
 description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
 compliance:
 - cis_csc: ["16"]
 condition: all
@@ -129,7 +129,7 @@ checks:
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
 description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
 rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
 compliance:
 - cis_csc: ["13"]
 condition: all
@@ -142,7 +142,7 @@ checks:
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
 description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name."
 compliance:
 - cis_csc: ["13"]
 condition: all
@@ -168,7 +168,7 @@ checks:
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
 description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
- remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
 compliance:
 - cis_csc: ["16"]
 condition: all
@@ -181,7 +181,7 @@ checks:
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
 description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
 compliance:
 - cis_csc: ["16.5"]
 condition: all
@@ -220,7 +220,7 @@ checks:
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
 description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
 rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
 compliance:
 - cis_csc: ["13"]
 condition: all
@@ -233,7 +233,7 @@ checks:
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
 description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
 compliance:
 - cis_csc: ["3"]
 condition: all
@@ -272,7 +272,7 @@ checks:
 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
 description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers."
 rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts."
 compliance:
 - cis_csc: ["16"]
 condition: all
@@ -285,7 +285,7 @@ checks:
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
 compliance:
 - cis_csc: ["16.14"]
 condition: all
@@ -298,7 +298,7 @@ checks:
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
 description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
 compliance:
 - cis_csc: ["14, 16"]
 condition: all
@@ -311,7 +311,7 @@ checks:
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
 description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
 compliance:
 - cis_csc: ["14, 16"]
 condition: all
@@ -324,7 +324,7 @@ checks:
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
 description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
 compliance:
 - cis_csc: ["14, 16"]
 condition: all
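Review bot: The new remediation still reads `set the following UI path to (i.e. None):`, so the value the administrator is supposed to enter is missing and "(i.e. None)" is left dangling; the benchmark text this was copied from presumably had a placeholder for an empty value that was lost in conversion, and the description on the context line above has the same gap (`The recommended state for this setting is: (i.e. None).`). Since the change already touches this line, spell the value out: `set the following UI path to an empty value (i.e. None): Computer Configuration\\Policies\\...`.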
@@ -337,7 +337,7 @@ checks:
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
 description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
 rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
 compliance:
 - cis_csc: ["14, 16"]
 condition: all
@@ -350,7 +350,7 @@ checks:
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
 description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
 compliance:
 - cis_csc: ["16.14"]
 condition: all
@@ -363,7 +363,7 @@ checks:
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
 description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
 rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources.
However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
 compliance:
 - cis_csc: ["13"]
 condition: all
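Review bot: The new remediation writes `set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\...`, where the colon after "to" and the colon after "NTLM" make the required value and the GP path run together, and the period inside the value reads as a sentence end. Every sibling entry in this diff uses the form "set the following UI path to <value>: <path>" with no colon after "to"; since the value itself contains a period and an ampersand, quoting it is the clearest fix: `set the following UI path to 'Send NTLMv2 response only. Refuse LM & NTLM': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level.` (single quotes are literal inside the double-quoted YAML scalar).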
@@ -376,7 +376,7 @@ checks:
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
 compliance:
 - cis_csc: ["13"]
 condition: all
@@ -387,9 +387,9 @@ checks:
 - id: 14028
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
 compliance:
 - cis_csc: ["13"]
 condition: all
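Review bot: The rewritten description for check 14028 now ends with `Note: These values are dependent on the Network security.`, which drops the object of the sentence: the removed line named the `LAN Manager Authentication Level` setting, and "Network security" on its own is only the policy category, so the note no longer tells the reader which setting the two session-security options depend on. If the intent was just to remove the benchmark rule number, keep the setting name: `Note: These values are dependent on the Network security: LAN Manager Authentication Level security setting value.` (the `: ` is inside the double-quoted scalar, so it parses fine). The hunk at -400 for check 14029 has the same truncation and needs the same fix.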
@@ -400,9 +400,9 @@ checks:
 - id: 14029
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security."
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
 compliance:
 - cis_csc: ["13"]
 references:
@@ -417,7 +417,7 @@ checks:
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems."
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -428,7 +428,7 @@ checks:
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
 description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)."
 compliance:
 - cis_csc: ["14.4"]
 condition: all
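Review bot: The new remediation in the hunk at -417 keeps the stray space in `non- Windows subsystems`, while the title on the context line above spells the setting `non-Windows subsystems`; this string is the Group Policy UI path an administrator is told to follow, so it should match the setting name exactly. Since the line is already being edited for the trailing period, fix it in the same change: `...Security Options\\System objects: Require case insensitivity for non-Windows subsystems.`. The rules for this check (`r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel`) sit on context lines and are not affected.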
@@ -441,7 +441,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
 compliance:
 - cis_csc: ["9.2"]
 condition: all
@@ -454,7 +454,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
 compliance:
 - cis_csc: ["9.2"]
 condition: all
@@ -491,7 +491,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y'
 - id: 14036
- title: "LM authentication not allowed (disable weak passwords)"
+ title: "Ensure LM authentication is not allowed (disable weak passwords)"
 compliance:
 - pci_dss: ["10.6.1", "11.4"]
 - hipaa: ["164.312.b"]
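Review bot: In the hunk at -491, check 14036 goes straight from the renamed `title:` to `compliance:`, with no `description`, `rationale` or `remediation` keys in view, whereas every other check in this diff carries all three; the rest of the check lies outside the hunk, so if those keys are not present further down, the new title is the only text a reader has to understand what is being tested and how to fix a failure. Since the title is being reworded anyway, this is the moment to add at least `remediation: "To establish the recommended configuration via GP, set Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM."`, which the check at -363 already documents in full.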
@@ -590,7 +590,7 @@ checks: title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis_csc: ["16"] references: 
@@ -606,7 +606,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis_csc: ["9"] references: 
@@ -621,7 +621,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
compliance: - cis_csc: ["9"] references: 
@@ -634,9 +634,9 @@ checks: - id: 14046 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" - description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." + description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. 
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis_csc: ["8"] references: 
@@ -651,7 +651,7 @@ checks: title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis_csc: ["16.5"] references: 
@@ -666,8 +666,7 @@ checks: title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" - compliance: + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog. ) compliance: - cis_csc: ["6.3"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
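Review bot: The new side of this hunk loses the `compliance:` key: the header `-666,8 +666,7` is one line shorter, the removed `compliance:` line has no matching `+` line, and the replacement `remediation:` value appears to end in `blog. )` rather than a closing quote, so `- cis_csc: ["6.3"]` would now sit directly under the remediation scalar. As rendered, that is either a YAML parse error that takes every check in this policy file offline, or at best a WarningLevel check with no compliance mapping. Keep the trailing-period fix but restore the two lines: the remediation string terminated with `blog."` and `compliance:` on its own line at the same indentation as `remediation:`. The collapsed rendering makes the exact content of the `+` line hard to read, so this is worth re-checking against the committed file.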
@@ -834,7 +833,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - id: 14061 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" - description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2) - Notify for download and auto install (Notify before downloading any updates) 3) - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4) - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5) - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. 
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
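Review bot: The rewritten description still says "select one of the following three options" while the renumbered list that follows has four entries (2, 3, 4, 5), and entry 4 keeps the doubled `))` after "specified below". Since the commit already rewrites this exact line to renumber the options, the same edit could correct both: `… select one of the following four options …` and `… install them on the schedule specified below.)`. Minor, but an auditor reading the report will trip over the mismatch.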
@@ -862,7 +861,7 @@ checks: title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["9"] references: 
@@ -877,7 +876,7 @@ checks: title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["9"] references: 
@@ -944,7 +943,7 @@ checks: title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers." rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication." compliance: - cis_csc: ["9.1", "9.2"] condition: all 
@@ -957,7 +956,7 @@ checks: title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'" description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- None allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- Authenticated allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- Authenticated without exceptions allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.'" rationale: "Unauthenticated RPC communication can create a security vulnerability." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients." compliance: - cis_csc: ["9.1", "9.2"] condition: all From fad6d217defeab972e6e5bcfe2ed9ee70382a26f Mon Sep 17 00:00:00 2001 From: Skeptor Date: Thu, 1 Aug 2019 11:38:17 +0200 Subject: [PATCH 215/247] Change Solaris processes rules --- sca/sunos/cis_solaris11.yml | 65 ++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 33 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index 8f9034d20..d5f078a37 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml @@ -34,10 +34,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default" compliance: - cis: ["2.1"] - condition: none + condition: any rules: - - 'p:gdm' - - 'p:cde' + - 'p:svcs -Ho state svc:/application/graphical-login/gdm:default -> r:disabled' + - 'not p:svcs -Ho state svc:/application/graphical-login/gdm:default' - id: 7001 title: "Configure sendmail Service for Local-Only Mode" @@ -57,9 +57,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv" compliance: - cis: ["2.3"] - condition: none + condition: any rules: - - 'p:keyserv' + - 'p:svcs -Ho state svc:/network/rpc/keyserv -> r:disabled' + - 'not p:svcs -Ho state svc:/network/rpc/keyserv' - id: 7003 title: "Disable NIS Server Services" 
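Review bot: The new `p:svcs -Ho state svc:/application/graphical-login/gdm:default -> r:disabled` rule uses the `p:` rule type, which on the removed `p:gdm` / `p:cde` lines and throughout these policies is a process-name check, not a command to execute. If the agent treats it that way, no running process will ever be named `svcs -Ho state …`, so the first rule can never match, the negated `not p:…` rule always matches, and with `condition: any` the gdm check passes whether or not the service is enabled — a compliance pass with no evidence behind it. If the target agent version supports command-output rules, these should be written as `c:svcs -Ho state svc:/application/graphical-login/gdm:default -> r:disabled` and `not c:svcs -Ho state svc:/application/graphical-login/gdm:default`; if it does not, the process-name rules should stay until it does. The same pattern is repeated in every `svcs` rule introduced by this patch, including the `condition: none … -> r:online` variants, which would likewise pass vacuously because a `p:` rule with that name never matches.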
@@ -70,12 +71,8 @@ checks: - cis: ["2.4"] condition: none rules: - - 'p:ypserv' - - 'p:ypbind' - - 'p:ypxfr' - - 'p:rpc.yppasswdd' - - 'p:rpc.ypupdated' - - 'f:/etc/init.d/nis' + - 'p:svcs -Ho state svc:/network/nis/server -> r:online' + - 'p:svcs -Ho state svc:/network/nis/domain -> r:online' - id: 7004 title: "Disable NIS Client Services" @@ -86,12 +83,8 @@ checks: - cis: ["2.5"] condition: none rules: - - 'p:ypserv' - - 'p:ypbind' - - 'p:ypxfr' - - 'p:rpc.yppasswdd' - - 'p:rpc.ypupdated' - - 'f:/etc/init.d/nis' + - 'p:svcs -Ho state svc:/network/nis/client -> r:online' + - 'p:svcs -Ho state svc:/network/nis/domain -> r:online' - id: 7005 title: "Disable Kerberos TGT Expiration Warning" @@ -100,9 +93,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn" compliance: - cis: ["2.6"] - condition: none + condition: any rules: - - 'p:ktkt_warnd' + - 'p:svcs -Ho state svc:/network/security/ktkt_warn -> r:disabled' + - 'not p:svcs -Ho state svc:/network/security/ktkt_warn' - id: 7006 title: "Disable Generic Security Services (GSS)" @@ -111,9 +105,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss" compliance: - cis: ["2.7"] - condition: none + condition: any rules: - - 'p:gssd' + - 'p:svcs -Ho state svc:/network/rpc/gss -> r:disabled' + - 'not p:svcs -Ho state svc:/network/rpc/gss' - id: 7007 title: "Disable Removable Volume Manager" @@ -124,7 +119,8 @@ checks: - cis: ["2.8"] condition: none rules: - - 'p:smserverd' + - 'p:svcs -Ho state svc:/system/filesystem/rmvolmgr -> r:online' + - 'p:svcs -Ho state svc:/network/rpc/smserver -> r:online' - id: 7008 title: "Disable automount Service" 
@@ -133,9 +129,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs" compliance: - cis: ["2.9"] - condition: none + condition: any rules: - - 'p:automountd' + - 'p:svcs -Ho state svc:/system/filesystem/autofs -> r:disabled' + - 'not p:svcs -Ho state svc:/system/filesystem/autofs' - id: 7009 title: "Disable Apache Service" @@ -146,10 +143,10 @@ checks: - cis: ["2.10"] references: - http://httpd.apache.org/docs/2.0/misc/security_tips.html - condition: none + condition: any rules: - - 'p:apache' - - 'p:httpd' + - 'p:svcs -Ho state svc:/network/http:apache22 -> r:disabled' + - 'not p:svcs -Ho state svc:/network/http:apache22' - id: 7010 title: "Disable Local-only RPC Port Mapping Service" @@ -158,9 +155,10 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section." compliance: - cis: ["2.11"] - condition: none + condition: any rules: - - 'p:rpcbind' + - 'p:svcs -Ho state svc:/network/rpc/bind -> r:disabled' + - 'not p:svcs -Ho state svc:/network/rpc/bind' - id: 7011 title: "Configure TCP Wrappers" @@ -184,9 +182,10 @@ checks: remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet" compliance: - cis: ["2.13"] - condition: all + condition: any rules: - - 'p:telnet' + - 'p:svcs -Ho state svc:/network/telnet -> r:disabled' + - 'not p:svcs -Ho state svc:/network/telnet' # 3 Kernel Tuning - id: 7013 
@@ -363,7 +362,7 @@ checks: - cis: ["6.4"] condition: all rules: - - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 4' + - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 3' - id: 7025 title: "Disable Rhost-based Authentication for SSH" @@ -374,7 +373,7 @@ checks: - cis: ["6.5"] condition: all rules: - - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+no' + - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+yes' - id: 7026 title: "Disable root login for SSH" From be5a678ae6929e88046d6bbc31aaa550c41e1f43 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Thu, 1 Aug 2019 14:05:18 +0200 Subject: [PATCH 216/247] Fix Solaris syntax --- sca/sunos/cis_solaris11.yml | 114 +++++++++++++++++------------------- 1 file changed, 54 insertions(+), 60 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index d5f078a37..0147e0304 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml 
@@ -198,15 +198,15 @@ checks: condition: all rules: - 'f:/etc/coreadm.conf' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\p\.+' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\pdefault' - - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\pcore' - - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_CONTENT\pdefault' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_ENABLED\pyes|^COREADM_GLOB_ENABLED\pno' - - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_ENABLED\pno' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_SETID_ENABLED\pyes|^COREADM_GLOB_SETID_ENABLED\pno' - - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\pno' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\pyes' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\s*\t*=\s*\t*\.+' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\s*\t*=\s*\t*default' + - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\s*\t*=\s*\t*core' + - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_CONTENT\s*\t*=\s*\t*default' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_ENABLED\s*\t*=\s*\t*yes|^COREADM_GLOB_ENABLED\s*\t*=\s*\t*no' + - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_ENABLED\s*\t*=\s*\t*no' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_SETID_ENABLED\s*\t*=\s*\t*yes|^COREADM_GLOB_SETID_ENABLED\s*\t*=\s*\t*no' + - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\s*\t*=\s*\t*no' + - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\s*\t*=\s*\t*yes' - id: 7014 title: "Enable Stack Protection" @@ -218,8 +218,8 @@ checks: condition: all rules: - 'f:/etc/system' - - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\p1' - - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\p1' + - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\s*\t*=\s*\t*1' + - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\s*\t*=\s*\t*1' - id: 7015 title: "Enable Strong TCP Sequence Number Generation" 
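Review bot: The rewritten `/etc/system` rules anchor on `^\s*\t*noexec_user_stack`, but kernel tunables in that file are written with a leading keyword, `set noexec_user_stack=1`, so as far as I can tell the regex never matches a correctly hardened system and this `condition: all` check fails even after the remediation is applied. If that is the case the two rules should admit the keyword: `- 'f:/etc/system -> r:^\s*\t*set\s*\t*noexec_user_stack\s*\t*=\s*\t*1'` and `- 'f:/etc/system -> r:^\s*\t*set\s*\t*noexec_user_stack_log\s*\t*=\s*\t*1'`. Worth confirming against a Solaris 11 host's actual `/etc/system` before merging, since a permanently failing check is as useless to operators as a vacuous pass.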
@@ -230,7 +230,7 @@ checks: - cis: ["3.3"] condition: all rules: - - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\p2' + - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\s*\t*=\s*\t*2' # 4 Auditing and Logging - id: 7016 @@ -340,7 +340,7 @@ checks: condition: all rules: - 'f:/etc/default/keyserv' - - 'f:/etc/default/keyserv -> r:^ENABLE\sNOBODY\sKEYS\pNO' + - 'f:/etc/default/keyserv -> r:^ENABLE\sNOBODY\sKEYS\s*\t*=\s*\t*NO' - id: 7023 title: "Disable X11 Forwarding for SSH" 
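Review bot: In the `@@ -340` hunk the pattern `^ENABLE\sNOBODY\sKEYS\s*\t*=\s*\t*NO` cannot match the keyserv variable, whose name is `ENABLE_NOBODY_KEYS` with underscores, because `\s` only matches a space; under `condition: all` the 7022 check therefore always fails. The intended rule is `- 'f:/etc/default/keyserv -> r:^ENABLE_NOBODY_KEYS\s*\t*=\s*\t*NO'`. PATCH 219 in this series makes exactly that correction.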
@@ -551,18 +551,18 @@ checks: - cis: ["7.2"] condition: all rules: - - 'f:/etc/default/passwd -> n:^passlength\p(\d) compare <= 8' - - 'f:/etc/default/passwd -> r:^namecheck\pyes' - - 'f:/etc/default/passwd -> n:^history\p(\d+) compare >= 10' - - 'f:/etc/default/passwd -> n:^mindiff\p(\d+) compare >= 3' - - 'f:/etc/default/passwd -> n:^minalpha\p(\d+) compare >= 2' - - 'f:/etc/default/passwd -> n:^minupper\p(\d+) compare >= 1' - - 'f:/etc/default/passwd -> n:^minlower\p(\d+) compare >= 1' - - 'f:/etc/default/passwd -> n:^minnonalpha\p(\d+) compare >= 1' - - 'f:/etc/default/passwd -> r:^maxrepeats\p0' - - 'f:/etc/default/passwd -> r:^whitespace\pyes' - - 'f:/etc/default/passwd -> r:^dictiondbdir\p/var/passwd' - - 'f:/etc/default/passwd -> r:^dictionlist\p/usr/share/lib/dict/words' + - 'f:/etc/default/passwd -> n:^passlength\s*\t*=\s*\t*(\d) compare <= 8' + - 'f:/etc/default/passwd -> r:^namecheck\s*\t*=\s*\t*yes' + - 'f:/etc/default/passwd -> n:^history\s*\t*=\s*\t*(\d+) compare >= 10' + - 'f:/etc/default/passwd -> n:^mindiff\s*\t*=\s*\t*(\d+) compare >= 3' + - 'f:/etc/default/passwd -> n:^minalpha\s*\t*=\s*\t*(\d+) compare >= 2' + - 'f:/etc/default/passwd -> n:^minupper\s*\t*=\s*\t*(\d+) compare >= 1' + - 'f:/etc/default/passwd -> n:^minlower\s*\t*=\s*\t*(\d+) compare >= 1' + - 'f:/etc/default/passwd -> n:^minnonalpha\s*\t*=\s*\t*(\d+) compare >= 1' + - 'f:/etc/default/passwd -> r:^maxrepeats\s*\t*=\s*\t*0' + - 'f:/etc/default/passwd -> r:^whitespace\s*\t*=\s*\t*yes' + - 'f:/etc/default/passwd -> r:^dictiondbdir\s*\t*=\s*\t*/var/passwd' + - 'f:/etc/default/passwd -> r:^dictionlist\s*\t*=\s*\t*/usr/share/lib/dict/words' - id: 7039 title: "Set Default umask for users" @@ -573,7 +573,7 @@ checks: - cis: ["7.3"] condition: none rules: - - 'f:/etc/default/login -> !r:^# && !r:^umask\p027|^umask\p077' + - 'f:/etc/default/login -> !r:^# && !r:^umask\s*\t*=\s*\t*027|^umask\s*\t*=\s*\t*077' - id: 7040 title: "Set Default File Creation Mask for FTP Users" 
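Review bot: The rewritten `passlength` rule in the `@@ -551` hunk is inverted: `n:^passlength\s*\t*=\s*\t*(\d) compare <= 8` passes when the minimum length is 8 or less, so a weak value such as 6 satisfies a password-strength check, and the single-digit capture `(\d)` reads only the first digit of values such as 14. It should read `n:^passlength\s*\t*=\s*\t*(\d+) compare >= 8`, mirroring the `>=` direction already used by `history`, `mindiff` and the other numeric rules in the same hunk. The `\s*\t*=\s*\t*` rewrite itself is fine.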
@@ -582,9 +582,9 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # if [ \"`grep '^Umask' proftpd.conf`\" ]; then awk '/^Umask/ { $2 = \"027\" } { print }' proftpd.conf > proftpd.conf.CIS mv proftpd.conf.CIS proftpd.conf else echo \"Umask 027\" >> proftpd.conf fi" compliance: - cis: ["7.4"] - condition: none + condition: all rules: - - 'f:/etc/proftpd.conf -> !r:^# && !r:^umask\s*027' + - 'f:/etc/proftpd.conf -> !r:^# && !r:^Umask\s*\t*027' - id: 7041 title: "Set \"mesg n\" as Default for All Users" @@ -642,7 +642,7 @@ checks: - cis: ["8.4"] condition: all rules: - - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s+/etc/issue' + - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s*\t*/etc/issue' - id: 7046 title: "Check that the Banner Setting for telnet is Null" @@ -653,7 +653,7 @@ checks: - cis: ["8.5"] condition: all rules: - - 'f:/etc/default/telnetd -> r:BANNER=$' + - 'f:/etc/default/telnetd -> r:BANNER=""$' # 9 System Maintenance - id: 7047 
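Review bot: The 7040 rule in the `@@ -582` hunk is now a conjunction of two negations under `condition: all`, `!r:^# && !r:^Umask\s*\t*027`, so it is satisfied by any non-comment line that is not the Umask directive, which almost every proftpd.conf contains; the check passes whether or not Umask 027 is set. Since the condition was switched to `all`, the rule should assert the desired line positively: `- 'f:/etc/proftpd.conf -> r:^Umask\s*\t*027'` (the `!r:^#` guard is redundant once the pattern is anchored). The 7039 hunk just above has the same negated shape but keeps `condition: none`, so it fails on any other non-comment line instead; the visible hunks of PATCH 219 fix 7039 but not 7040.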
@@ -669,28 +669,28 @@ checks: - 'f:/etc/shadow -> r:lp && !r::NL:|:NP:' - 'f:/etc/shadow -> r:adm && !r::NL:|:NP:' - 'f:/etc/shadow -> r:bin && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:gdm && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:noaccess && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:nobody && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:nobody4 && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:openldap && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:unknown && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:webservd && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:gdm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:noaccess && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:nobody && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:nobody4 && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:openldap && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:unknown && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:webservd && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - 'f:/etc/shadow -> r:mysql && !r::NL:|:NP:' - 'f:/etc/shadow -> r:nuuc && !r::NL:|:NP:' - 'f:/etc/shadow -> r:postgres && !r::NL:|:NP:' - 'f:/etc/shadow -> r:smmsp && !r::NL:|:NP:' - 'f:/etc/shadow -> r:sys && !r::NL:|:NP:' - 'f:/etc/shadow -> r:uucp && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:aiuser && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:dhcpserv && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:dladm && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:ftp && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:netadm && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:netcfg && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:pkg5srv && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:svctag && !r::\p*LK\p*:' - - 'f:/etc/shadow -> r:xvm && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:aiuser && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:dhcpserv && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:dladm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:ftp && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 
'f:/etc/shadow -> r:netadm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:netcfg && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:pkg5srv && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:svctag && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' + - 'f:/etc/shadow -> r:xvm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:' - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:' @@ -725,21 +725,15 @@ checks: - cis: ["9.6"] condition: none rules: - - 'f:/etc/profile -> r:.' - - 'f:/etc/environment -> r:.' - - 'f:/.profile -> r:.' - - 'f:/.bash_profile -> r:.' - - 'f:/.bashrc -> r:.' + - 'f:/etc/profile -> r::.' + - 'f:/root/.profile -> r::.' + - 'f:/root/.bashrc -> r::.' - 'f:/etc/profile -> r:::' - - 'f:/etc/environment -> r:::' - - 'f:/.profile -> r:::' - - 'f:/.bash_profile -> r:::' - - 'f:/.bashrc -> r:::' + - 'f:/root/.profile -> r:::' + - 'f:/root/.bashrc -> r:::' - 'f:/etc/profile -> r::$' - - 'f:/etc/environment -> r::$' - - 'f:/.profile -> r::$' - - 'f:/.bash_profile -> r::$' - - 'f:/.bashrc -> r::$' + - 'f:/root/.profile -> r::$' + - 'f:/root/.bashrc -> r::$' - id: 7051 title: "Check That Users Are Assigned Home Directories" @@ -750,4 +744,4 @@ checks: - cis: ["9.12"] condition: none rules: - - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*:\S+:\.*' + - 'f:/etc/passwd -> r:\w+:\.*:\d*:\d*:\.*::\.*' From 815c44a6f081073f30b39527b59882c086b9f4cc Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 6 Aug 2019 08:34:04 +0200 Subject: [PATCH 217/247] Check svcs and coreadm in Solaris --- sca/sunos/cis_solaris11.yml | 65 +++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 32 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index 0147e0304..e92105b12 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml 
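Review bot: The `\p` to `\s*\t*=\s*\t*` substitution in the `@@ -669` hunk was also applied to the /etc/shadow rules, where it makes no sense: `!r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:` now demands a literal `=` inside the password field, so the negated pattern never matches a real `*LK*` entry and, under `condition: none`, every listed locked account fails the check. The original `\p*LK\p*` (punctuation around LK) was correct for these lines and should be kept. PATCH 219 in this series restores it.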
@@ -36,8 +36,8 @@ checks: - cis: ["2.1"] condition: any rules: - - 'p:svcs -Ho state svc:/application/graphical-login/gdm:default -> r:disabled' - - 'not p:svcs -Ho state svc:/application/graphical-login/gdm:default' + - 'c:svcs -Ho state svc:/application/graphical-login/gdm:default -> r:disabled' + - 'not c:svcs -Ho state svc:/application/graphical-login/gdm:default' - id: 7001 title: "Configure sendmail Service for Local-Only Mode" @@ -59,8 +59,8 @@ checks: - cis: ["2.3"] condition: any rules: - - 'p:svcs -Ho state svc:/network/rpc/keyserv -> r:disabled' - - 'not p:svcs -Ho state svc:/network/rpc/keyserv' + - 'c:svcs -Ho state svc:/network/rpc/keyserv -> r:disabled' + - 'not c:svcs -Ho state svc:/network/rpc/keyserv' - id: 7003 title: "Disable NIS Server Services" @@ -71,8 +71,8 @@ checks: - cis: ["2.4"] condition: none rules: - - 'p:svcs -Ho state svc:/network/nis/server -> r:online' - - 'p:svcs -Ho state svc:/network/nis/domain -> r:online' + - 'c:svcs -Ho state svc:/network/nis/server -> r:online' + - 'c:svcs -Ho state svc:/network/nis/domain -> r:online' - id: 7004 title: "Disable NIS Client Services" @@ -83,8 +83,8 @@ checks: - cis: ["2.5"] condition: none rules: - - 'p:svcs -Ho state svc:/network/nis/client -> r:online' - - 'p:svcs -Ho state svc:/network/nis/domain -> r:online' + - 'c:svcs -Ho state svc:/network/nis/client -> r:online' + - 'c:svcs -Ho state svc:/network/nis/domain -> r:online' - id: 7005 title: "Disable Kerberos TGT Expiration Warning" @@ -95,8 +95,8 @@ checks: - cis: ["2.6"] condition: any rules: - - 'p:svcs -Ho state svc:/network/security/ktkt_warn -> r:disabled' - - 'not p:svcs -Ho state svc:/network/security/ktkt_warn' + - 'c:svcs -Ho state svc:/network/security/ktkt_warn -> r:disabled' + - 'not c:svcs -Ho state svc:/network/security/ktkt_warn' - id: 7006 title: "Disable Generic Security Services (GSS)" 
@@ -107,8 +107,8 @@ checks: - cis: ["2.7"] condition: any rules: - - 'p:svcs -Ho state svc:/network/rpc/gss -> r:disabled' - - 'not p:svcs -Ho state svc:/network/rpc/gss' + - 'c:svcs -Ho state svc:/network/rpc/gss -> r:disabled' + - 'not c:svcs -Ho state svc:/network/rpc/gss' - id: 7007 title: "Disable Removable Volume Manager" @@ -119,8 +119,8 @@ checks: - cis: ["2.8"] condition: none rules: - - 'p:svcs -Ho state svc:/system/filesystem/rmvolmgr -> r:online' - - 'p:svcs -Ho state svc:/network/rpc/smserver -> r:online' + - 'c:svcs -Ho state svc:/system/filesystem/rmvolmgr -> r:online' + - 'c:svcs -Ho state svc:/network/rpc/smserver -> r:online' - id: 7008 title: "Disable automount Service" @@ -131,8 +131,8 @@ checks: - cis: ["2.9"] condition: any rules: - - 'p:svcs -Ho state svc:/system/filesystem/autofs -> r:disabled' - - 'not p:svcs -Ho state svc:/system/filesystem/autofs' + - 'c:svcs -Ho state svc:/system/filesystem/autofs -> r:disabled' + - 'not c:svcs -Ho state svc:/system/filesystem/autofs' - id: 7009 title: "Disable Apache Service" @@ -145,8 +145,8 @@ checks: - http://httpd.apache.org/docs/2.0/misc/security_tips.html condition: any rules: - - 'p:svcs -Ho state svc:/network/http:apache22 -> r:disabled' - - 'not p:svcs -Ho state svc:/network/http:apache22' + - 'c:svcs -Ho state svc:/network/http:apache22 -> r:disabled' + - 'not c:svcs -Ho state svc:/network/http:apache22' - id: 7010 title: "Disable Local-only RPC Port Mapping Service" @@ -157,8 +157,8 @@ checks: - cis: ["2.11"] condition: any rules: - - 'p:svcs -Ho state svc:/network/rpc/bind -> r:disabled' - - 'not p:svcs -Ho state svc:/network/rpc/bind' + - 'c:svcs -Ho state svc:/network/rpc/bind -> r:disabled' + - 'not c:svcs -Ho state svc:/network/rpc/bind' - id: 7011 title: "Configure TCP Wrappers" 
@@ -184,8 +184,8 @@ checks: - cis: ["2.13"] condition: any rules: - - 'p:svcs -Ho state svc:/network/telnet -> r:disabled' - - 'not p:svcs -Ho state svc:/network/telnet' + - 'c:svcs -Ho state svc:/network/telnet -> r:disabled' + - 'not c:svcs -Ho state svc:/network/telnet' # 3 Kernel Tuning - id: 7013 @@ -197,16 +197,16 @@ checks: - cis: ["3.1"] condition: all rules: - - 'f:/etc/coreadm.conf' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_PATTERN\s*\t*=\s*\t*\.+' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_CONTENT\s*\t*=\s*\t*default' - - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_PATTERN\s*\t*=\s*\t*core' - - 'f:/etc/coreadm.conf -> r:^COREADM_INIT_CONTENT\s*\t*=\s*\t*default' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_ENABLED\s*\t*=\s*\t*yes|^COREADM_GLOB_ENABLED\s*\t*=\s*\t*no' - - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_ENABLED\s*\t*=\s*\t*no' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_SETID_ENABLED\s*\t*=\s*\t*yes|^COREADM_GLOB_SETID_ENABLED\s*\t*=\s*\t*no' - - 'f:/etc/coreadm.conf -> r:^COREADM_PROC_SETID_ENABLED\s*\t*=\s*\t*no' - - 'f:/etc/coreadm.conf -> r:^COREADM_GLOB_LOG_ENABLED\s*\t*=\s*\t*yes' + - 'c:coreadm' + - 'c:coreadm -> r:global core file pattern: /var/cores/core_%n_%f_%u_%g_%t_%p' + - 'c:coreadm -> r:global core file content: default' + - 'c:coreadm -> r:init core file pattern: core' + - 'c:coreadm -> r:init core file content: default' + - 'c:coreadm -> r:global core dumps: enabled' + - 'c:coreadm -> r:per-process core dumps: disabled' + - 'c:coreadm -> r:global setid core dumps: enabled' + - 'c:coreadm -> r:per-process setid core dumps: disabled' + - 'c:coreadm -> r:global core dump logging: enabled' - id: 7014 title: "Enable Stack Protection" @@ -231,6 +231,7 @@ checks: condition: all rules: - 'f:/etc/default/inetinit -> r:^TCP_STRONG_ISS\s*\t*=\s*\t*2' + - 'c:ipadm show-prop -p _strong_iss -co current tcp -> r:2' # 4 Auditing and Logging - id: 7016 From 18d0c4a5cd82e1873a7993db699f1b6c052eef31 Mon Sep 17 00:00:00 2001 
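Review bot: The added `c:ipadm show-prop -p _strong_iss -co current tcp -> r:2` in the `@@ -231` hunk is unanchored, so any output containing the digit 2 satisfies it, including a value such as 12 or an error message that happens to contain a 2; anchor it as `r:^2$`. Because the check is `condition: all`, the new rule also makes both the /etc/default/inetinit line and the live ipadm value mandatory, which is stricter than either alone; if the intent is "configured and active", the description should say so.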
From: Skeptor Date: Tue, 6 Aug 2019 11:32:29 +0200 Subject: [PATCH 218/247] Change the args for svcs --- sca/sunos/cis_solaris11.yml | 58 ++++++++++++++++--------------------- 1 file changed, 25 insertions(+), 33 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index e92105b12..5f100f0cc 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml @@ -34,10 +34,9 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/application/graphical-login/gdm:default" compliance: - cis: ["2.1"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/application/graphical-login/gdm:default -> r:disabled' - - 'not c:svcs -Ho state svc:/application/graphical-login/gdm:default' + - 'c:svcs -xv svc:/application/graphical-login/gdm:default -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7001 title: "Configure sendmail Service for Local-Only Mode" @@ -57,10 +56,9 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv" compliance: - cis: ["2.3"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/network/rpc/keyserv -> r:disabled' - - 'not c:svcs -Ho state svc:/network/rpc/keyserv' + - 'c:svcs -xv svc:/network/rpc/keyserv -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7003 title: "Disable NIS Server Services" 
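Review bot: The new `svcs -xv` rules from this hunk onward treat the `doesn't match any instances` message as compliant, which preserves the semantics of the dropped `not c:` rule, but that text is an error that svcs prints to stderr, so the rule only works if the SCA command runner merges stderr into the captured output; confirm this on a host where the service package is absent (the remaining hunks of this patch use the identical regex for every service). `State:\s-$` is unexplained; a one-line comment naming the svcs state that prints `State: -` would help the next maintainer. The pattern also deliberately leaves `offline` and `maintenance` as failures, which is conservative but worth a comment as well.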
@@ -69,10 +67,10 @@ checks: remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/server # svcadm disable svc:/network/nis/domain" compliance: - cis: ["2.4"] - condition: none + condition: all rules: - - 'c:svcs -Ho state svc:/network/nis/server -> r:online' - - 'c:svcs -Ho state svc:/network/nis/domain -> r:online' + - 'c:svcs -xv svc:/network/nis/server -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' + - 'c:svcs -xv svc:/network/nis/domain -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7004 title: "Disable NIS Client Services" @@ -81,10 +79,10 @@ checks: remediation: "To disable this service, run the following commands: # svcadm disable svc:/network/nis/client # svcadm disable svc:/network/nis/domain" compliance: - cis: ["2.5"] - condition: none + condition: all rules: - - 'c:svcs -Ho state svc:/network/nis/client -> r:online' - - 'c:svcs -Ho state svc:/network/nis/domain -> r:online' + - 'c:svcs -xv svc:/network/nis/client -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' + - 'c:svcs -xv svc:/network/nis/domain -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7005 title: "Disable Kerberos TGT Expiration Warning" @@ -93,10 +91,9 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/security/ktkt_warn" compliance: - cis: ["2.6"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/network/security/ktkt_warn -> r:disabled' - - 'not c:svcs -Ho state svc:/network/security/ktkt_warn' + - 'c:svcs -xv svc:/network/security/ktkt_warn -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7006 title: "Disable Generic Security Services (GSS)" 
@@ -105,10 +102,9 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/gss" compliance: - cis: ["2.7"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/network/rpc/gss -> r:disabled' - - 'not c:svcs -Ho state svc:/network/rpc/gss' + - 'c:svcs -xv svc:/network/rpc/gss -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7007 title: "Disable Removable Volume Manager" @@ -117,10 +113,10 @@ checks: remediation: "To disable this service, run the following commands: # svcadm disable svc:/system/filesystem/rmvolmgr # svcadm disable svc:/network/rpc/smserver" compliance: - cis: ["2.8"] - condition: none + condition: all rules: - - 'c:svcs -Ho state svc:/system/filesystem/rmvolmgr -> r:online' - - 'c:svcs -Ho state svc:/network/rpc/smserver -> r:online' + - 'c:svcs -xv svc:/system/filesystem/rmvolmgr -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' + - 'c:svcs -xv svc:/network/rpc/smserver -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7008 title: "Disable automount Service" @@ -129,10 +125,9 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/system/filesystem/autofs" compliance: - cis: ["2.9"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/system/filesystem/autofs -> r:disabled' - - 'not c:svcs -Ho state svc:/system/filesystem/autofs' + - 'c:svcs -xv svc:/system/filesystem/autofs -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7009 title: "Disable Apache Service" 
@@ -143,10 +138,9 @@ checks: - cis: ["2.10"] references: - http://httpd.apache.org/docs/2.0/misc/security_tips.html - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/network/http:apache22 -> r:disabled' - - 'not c:svcs -Ho state svc:/network/http:apache22' + - 'c:svcs -xv svc:/network/http:apache22 -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7010 title: "Disable Local-only RPC Port Mapping Service" @@ -155,10 +149,9 @@ checks: remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section." compliance: - cis: ["2.11"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/network/rpc/bind -> r:disabled' - - 'not c:svcs -Ho state svc:/network/rpc/bind' + - 'c:svcs -xv svc:/network/rpc/bind -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' - id: 7011 title: "Configure TCP Wrappers" @@ -182,10 +175,9 @@ checks: remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet" compliance: - cis: ["2.13"] - condition: any + condition: all rules: - - 'c:svcs -Ho state svc:/network/telnet -> r:disabled' - - 'not c:svcs -Ho state svc:/network/telnet' + - 'c:svcs -xv svc:/network/telnet -> r:State:\sdisabled|State:\s-$|match\sany\sinstances' # 3 Kernel Tuning - id: 7013 From 652dd7059689faf6957bdcbccfe186935e886833 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Tue, 6 Aug 2019 13:52:55 +0200 Subject: [PATCH 219/247] Solaris rules revision after Test: all passed --- sca/sunos/cis_solaris11.yml | 130 ++++++++++++++++++------------------ 1 file changed, 65 insertions(+), 65 deletions(-) 
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index 5f100f0cc..cd7149a74 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml @@ -210,8 +210,8 @@ checks: condition: all rules: - 'f:/etc/system' - - 'f:/etc/system -> r:^\s*\t*noexec_user_stack\s*\t*=\s*\t*1' - - 'f:/etc/system -> r:^\s*\t*noexec_user_stack_log\s*\t*=\s*\t*1' + - 'f:/etc/system -> r:\s*\t*noexec_user_stack\s*\t*=\s*\t*1' + - 'f:/etc/system -> r:\s*\t*noexec_user_stack_log\s*\t*=\s*\t*1' - id: 7015 title: "Enable Strong TCP Sequence Number Generation" @@ -289,7 +289,7 @@ checks: - 'f:/etc/security/audit_event -> r:^\d+:AUE_PRIOCNTLSYS:\.+cis\.*' - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEGID:\.+cis\.*' - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETEUID:\.+cis\.*' - - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPRIV:\.+cis\.*' + - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPPRIV:\.+cis\.*' - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETSID:\.+cis\.*' - 'f:/etc/security/audit_event -> r:^\d+:AUE_SETPGID:\.+cis\.*' 
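Review bot: Dropping the `^` anchor in the `@@ -210` hunk lets the rule match the real `set noexec_user_stack=1` form, but it now matches that text anywhere on a line, including a commented example such as `* set noexec_user_stack = 1` (lines starting with `*` are comments in /etc/system), so a commented-out setting passes the check. Anchor on the `set` keyword instead: `r:^\s*\t*set\s*\t*noexec_user_stack\s*\t*=\s*\t*1`, and the same for `noexec_user_stack_log`.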
@@ -304,11 +304,11 @@ checks: rules: - 'c:auditconfig -getcond -> audit condition = auditing' - 'c:auditconfig -getpolicy -> r:active audit policies = argv,cnt,zonename' - - 'c:auditconfig -getflags -> r:active user default audit flags = lo(0x1000,0x1000)' - - 'c:auditconfig -getnaflags -> r:active non-attributable audit flags = lo(0x1000,0x1000)' - - 'c:auditconfig -getplugin audit_binfile -> r:audit_binfile (active)' + - 'c:auditconfig -getflags -> r:active user default audit flags = cis,ex,aa,ua,as,ss,lo,ft\(0x1000000800f1080,0x1000000800f1080\)' + - 'c:auditconfig -getnaflags -> r:active non-attributable audit flags = lo\(0x1000,0x1000\)' + - 'c:auditconfig -getplugin audit_binfile -> r:audit_binfile \(active\)' - 'c:userattr audit_flags root -> r:lo,ad,ft,ex,cis:no' - - 'd:/var/spool/cron/crontabs -> r:/usr/sbin/audit -n' + - 'f:/var/spool/cron/crontabs/root -> r:/usr/sbin/audit -n' # 5 File/Directory Permissions/Access - id: 7021 @@ -333,7 +333,7 @@ checks: condition: all rules: - 'f:/etc/default/keyserv' - - 'f:/etc/default/keyserv -> r:^ENABLE\sNOBODY\sKEYS\s*\t*=\s*\t*NO' + - 'f:/etc/default/keyserv -> r:^ENABLE_NOBODY_KEYS\s*\t*=\s*\t*NO' - id: 7023 title: "Disable X11 Forwarding for SSH" @@ -399,8 +399,8 @@ checks: - cis: ["6.8"] condition: all rules: - - 'f:/etc/pam.conf -> r:^\s*\t*rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1' - - 'f:/etc/pam.conf -> r:^rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1' + - 'f:/etc/pam.conf -> r:^#rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1' + - 'f:/etc/pam.conf -> r:^#rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1' - id: 7029 title: "Restrict FTP Use" 
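Review bot: The 7028 rules in the `@@ -399` hunk now assert that a commented `#rlogin ... pam_rhosts_auth.so.1` line exists, which neither proves the active line is gone (a file holding both the commented and the live line passes) nor accepts the equally compliant case where the lines were deleted outright, since `condition: all` then fails. The hardened state is the absence of an active entry, so the rule should keep a positive pattern and invert the condition: `condition: none` with `- 'f:/etc/pam.conf -> !r:^# && r:^rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'` and the same for rsh. The `@@ -452` hunk for gdm-autologin (7031) has the identical shape and needs the same fix.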
@@ -409,28 +409,28 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system." compliance: - cis: ["6.9"] - condition: none + condition: all rules: - - 'f:/etc/ftpd/ftpusers -> r:^root' - - 'f:/etc/ftpd/ftpusers -> r:^daemon' - - 'f:/etc/ftpd/ftpusers -> r:^bin' - - 'f:/etc/ftpd/ftpusers -> r:^sys' - 'f:/etc/ftpd/ftpusers -> r:^adm' - - 'f:/etc/ftpd/ftpusers -> r:^uucp' - - 'f:/etc/ftpd/ftpusers -> r:^nuucp' - - 'f:/etc/ftpd/ftpusers -> r:^smmsp' - - 'f:/etc/ftpd/ftpusers -> r:^listen' + - 'f:/etc/ftpd/ftpusers -> r:^aiuser' + - 'f:/etc/ftpd/ftpusers -> r:^bin' + - 'f:/etc/ftpd/ftpusers -> r:^daemon' - 'f:/etc/ftpd/ftpusers -> r:^gdm' + - 'f:/etc/ftpd/ftpusers -> r:^listen' - 'f:/etc/ftpd/ftpusers -> r:^lp' - - 'f:/etc/ftpd/ftpusers -> r:^webservd' + - 'f:/etc/ftpd/ftpusers -> r:^noaccess' + - 'f:/etc/ftpd/ftpusers -> r:^nobody' + - 'f:/etc/ftpd/ftpusers -> r:^nobody4' + - 'f:/etc/ftpd/ftpusers -> r:^nuucp' + - 'f:/etc/ftpd/ftpusers -> r:^openldap' - 'f:/etc/ftpd/ftpusers -> r:^postgres' + - 'f:/etc/ftpd/ftpusers -> r:^root' + - 'f:/etc/ftpd/ftpusers -> r:^smmsp' - 'f:/etc/ftpd/ftpusers -> r:^svctag' - - 'f:/etc/ftpd/ftpusers -> r:^openldap' + - 'f:/etc/ftpd/ftpusers -> r:^sys' - 'f:/etc/ftpd/ftpusers -> r:^unknown' - - 'f:/etc/ftpd/ftpusers -> r:^aiuser' - - 
'f:/etc/ftpd/ftpusers -> r:^nobody' - - 'f:/etc/ftpd/ftpusers -> r:^nobody4' - - 'f:/etc/ftpd/ftpusers -> r:^noaccess' + - 'f:/etc/ftpd/ftpusers -> r:^uucp' + - 'f:/etc/ftpd/ftpusers -> r:^webservd' - id: 7030 title: "Set Delay between Failed Login Attempts to 4" @@ -452,9 +452,9 @@ checks: - cis: ["6.11"] condition: all rules: - - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin && r:auth && r:required && r:pam_unix_cred.so.1' - - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin && r:auth && r:sufficient && r:pam_allow.so.1' - - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin && r:account && r:sufficient && r:pam_allow.so.1' + - 'f:/etc/pam.conf -> r:^#gdm-autologin && r:auth && r:required && r:pam_unix_cred.so.1' + - 'f:/etc/pam.conf -> r:^#gdm-autologin && r:auth && r:sufficient && r:pam_allow.so.1' + - 'f:/etc/pam.conf -> r:^#gdm-autologin && r:account && r:sufficient && r:pam_allow.so.1' - id: 7032 title: "Set Default Screen Lock for GNOME Users" @@ -482,9 +482,9 @@ checks: - 'not f:/etc/cron.d/cron.deny' - 'not f:/etc/cron.d/at.deny' - 'f:/etc/cron.d/cron.allow' - - 'f:/etc/cron.d/cron.allow -> !r:^root$' + - 'f:/etc/cron.d/cron.allow -> r:^root$' - 'f:/etc/cron.d/at.allow' - - 'not f:/etc/cron.d/at.allow -> !r:^# && r:\w' + - 'c:wc -l /etc/cron.d/at.allow -> r:\s0\s' - id: 7034 title: "Restrict root Login to System Console" @@ -493,9 +493,9 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/CONSOLE=/ { print \"CONSOLE=/dev/console\"; next }; { print }' login > login.CIS # mv login.CIS login" compliance: - cis: ["6.14"] - condition: none + condition: all rules: - - 'f:/etc/default/login -> !r:^CONSOLE\s*\t*=\s*\t*/dev/console' + - 'f:/etc/default/login -> r:^CONSOLE\s*\t*=\s*\t*/dev/console' - id: 7035 title: "Set Retry Limit for Account Lockout" 
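Review bot: The ftpusers rules in the `@@ -409` hunk anchor only the start of the name, so `r:^root` also matches an unrelated `rootbeer` entry and `r:^bin` matches `binder`, which under `condition: all` reports compliance for the wrong user; anchor both ends, `r:^root$`, as the `cron.allow -> r:^root$` rule in the `@@ -482` hunk of this same patch already does. Switching 7029 from `none` to `all` with positive patterns is the right direction.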
@@ -564,9 +564,9 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/#UMASK=/ { $1 = \"UMASK=027\" } { print }' login > login.CIS # mv login.CIS login" compliance: - cis: ["7.3"] - condition: none + condition: all rules: - - 'f:/etc/default/login -> !r:^# && !r:^umask\s*\t*=\s*\t*027|^umask\s*\t*=\s*\t*077' + - 'f:/etc/default/login -> r:^UMASK\s*\t*=\s*\t*027' - id: 7040 title: "Set Default File Creation Mask for FTP Users" @@ -586,10 +586,10 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # for file in profile .login ; do if [ \"`grep mesg $file`\" ]; then awk '$1 == \"mesg\" { $2 = \"n\" } { print }' $file > $file.CIS mv $file.CIS $file else echo mesg n >> $file fi done" compliance: - cis: ["7.5"] - condition: none + condition: all rules: - - 'f:/etc/.login -> !r:^mesg\s*n' - - 'f:/etc/profile -> !r:^mesg\s*n' + - 'f:/etc/.login -> r:^mesg\s*n' + - 'f:/etc/profile -> r:^mesg\s*n' # 8 Warning Banners - id: 7042 
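Review bot: The new 7039 rule at `@@ -564` accepts only `UMASK=027`, whereas the rule it replaces also accepted 077; a system hardened to the stricter 077 now fails a check whose purpose is a minimum mask. Keep both values, `- 'f:/etc/default/login -> r:^UMASK\s*\t*=\s*\t*027|^UMASK\s*\t*=\s*\t*077'`, unless the benchmark text mandates exactly 027, in which case the description should say so. The flip to `condition: all` is correct and removes the negated form that failed on any other non-comment line.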
@@ -658,34 +658,34 @@ checks: - cis: ["9.3"] condition: none rules: - - 'f:/etc/shadow -> r:daemon && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:lp && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:adm && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:bin && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:gdm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:noaccess && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:nobody && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:nobody4 && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:openldap && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:unknown && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:webservd && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:mysql && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:nuuc && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:postgres && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:smmsp && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:sys && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:uucp && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:aiuser && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:dhcpserv && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:dladm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:ftp && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:netadm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:netcfg && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:pkg5srv && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:svctag && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:xvm && !r::\s*\t*=\s*\t**LK\s*\t*=\s*\t**:' - - 'f:/etc/shadow -> r:upnp && !r::NL:|:NP:' - - 'f:/etc/shadow -> r:zfssnap && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^daemon: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^lp: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^adm: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^bin: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^gdm: && 
!r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^noaccess: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^nobody: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^nobody4: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^openldap: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^unknown: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^webservd: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^mysql: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^nuuc: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^postgres: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^smmsp: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^sys: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^uucp: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^aiuser: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^dhcpserv: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^dladm: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^ftp: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^netadm: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^netcfg: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^pkg5srv: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^svctag: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^xvm: && !r::\p*LK\p*:' + - 'f:/etc/shadow -> r:^upnp: && !r::NL:|:NP:' + - 'f:/etc/shadow -> r:^zfssnap: && !r::NL:|:NP:' - id: 7048 title: "Ensure Password Fields are Not Empty" From 7b83b4137da7f17c985f14180f7fcd5994f273d7 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Wed, 7 Aug 2019 02:58:13 -0700 Subject: [PATCH 220/247] Delete Office 2016 SCA policy --- sca/windows/acsc_office2016.yml | 727 -------------------------------- 1 file changed, 727 deletions(-) delete mode 100644 sca/windows/acsc_office2016.yml diff --git a/sca/windows/acsc_office2016.yml b/sca/windows/acsc_office2016.yml deleted file mode 100644 index efa5c7c37..000000000 --- a/sca/windows/acsc_office2016.yml +++ /dev/null 
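Review bot: Anchoring the account names with `^name:` in the `@@ -658` hunk is right, but `r:^nuuc:` can no longer match the Solaris account, which is spelled `nuucp` (the ftpusers rules in this same patch use `^nuucp`); the old unanchored `r:nuuc` matched it by substring, so this commit silently drops nuucp from the locked-account check. Change it to `- 'f:/etc/shadow -> r:^nuucp: && !r::NL:|:NP:'`. The list is also a fixed enumeration, so site-specific service accounts are not covered; a comment saying the list mirrors the CIS 9.3 account set would set expectations.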
@@ -1,727 +0,0 @@ -# Security Configuration Assessment -# Checks for Microsoft Office 2016 -# Copyright (C) 2015-2019, Wazuh Inc. -# -# This program is free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation -# -# Based on -# Australian Cyber Security Centre Hardening Microsoft Office Guide - May 2018 (https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf) -# Center for Internet Security Microsoft Office 2016 v1.1.0 - 11-30-2016 - -policy: - id: "acsc_office2016" - file: "acsc_office2016.yml" - name: "Benchmark for Office 2016 vulnerabilities" - description: "Guidance for establishing a secure configuration for Office 2016 vulnerabilities." - references: - - https://www.cisecurity.org/cis-benchmarks/ - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - -requirements: - title: "Check that Office 2016 is installed" - description: "Requirements for running the CIS benchmark against Office 2016" - condition: any - rules: - - 'r:HKEY_LOCAL_MACHINE\SAM\SAM' - -checks: -# ACSC - Attack Surface Reduction - - id: 14500 - title: "Ensure 'Attack Surface Reduction' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1' - - - id: 14501 - title: "Ensure 'Block executable content from email client and webmail' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1' - - - id: 14502 - title: "Ensure 'block Office applications from creating child processes' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. 
In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1' - - - id: 14503 - title: "Ensure 'block Office applications from creating executable content' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1' - - - id: 14504 - title: "Ensure 'block Office applications from injecting code into other processes' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1' - - - id: 14505 - title: "Ensure 'block JavaScript and VBScript from launching downloaded executable content' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. 
It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1' - - - id: 14506 - title: "Ensure 'block execution of potentially obfuscated scripts' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1' - - - id: 14507 - title: "Ensure 'block Win32 API calls from Office macro' is set to 'Enabled'" - description: "Attack Surface Reduction (ASR)2is a new security feature introduced in Microsoft Windows 10, version 1709 as partof Windows Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' - - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1' - -# ACSC - Active X - - id: 14508 - title: "Ensure 'Disable All Active X' is set to 'Enabled'" - description: "While ActiveX controls can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. 
To reduce this risk, ActiveX controls should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\common\security -> disableallactivex -> 1' - -# ACSC - Add-ins - - id: 14509 - title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Excel" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency -> restricttolist -> 1' - - - id: 14510 - title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Excel" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\resiliency\addinlist -> policyon -> 1' - - - id: 14511 - title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for PowerPoint" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency -> restricttolist -> 1' - - - id: 14512 - title: "Ensure 'List of managed add-ins' is set to 'Enabled' for PowerPoint" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\resiliency\addinlist -> policyon -> 1' - - - id: 14513 - title: "Ensure 'Block all unmanaged add-ins' is set to 'Enabled' for Word" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency -> restricttolist -> 1' - - - id: 14514 - title: "Ensure 'List of managed add-ins' is set to 'Enabled' for Word" - description: "While add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office, they can also be used by an adversary to gain unauthorised access to sensitive information or to execute malicious code. To reduce this risk, add-in use should be managed." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\resiliency\addinlist -> policyon -> 1' - -# ACSC - Extension Hardening - - id: 14515 - title: "Ensure 'Extension Hardening functionality' in Microsoft Excel is enabled" - description: "Extension Hardening mitigates a number of scenarios whereby an adversary would deceive users into opening malicious Microsoft Excel files. By default, users will be warned when file content or MIME type doesn’t match the file extension;however, users can still allow such files to open. As such, it is important that only Microsoft Excel files that pass integrity checks are allowed to be opened. To reduce this risk, Extension Hardening functionality should be enabled for Microsoft Excel." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security -> extensionhardening -> 2' - -# ACSC - File Type Blocking - - id: 14516 - title: "Ensure 'dBase III / IV files' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> dbasefiles -> 2' - - - id: 14517 - title: "Ensure 'Dif and Sylk files' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> difandsylkfiles -> 2' - - - id: 14518 - title: "Ensure 'Excel 2 macrosheets and add-in files' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2macros -> 2' - - - id: 14519 - title: "Ensure 'Excel 2 worksheets' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl2worksheets -> 2' - - - id: 14520 - title: "Ensure 'Excel 3 macrosheets and add-in files' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3macros -> 2' - - - id: 14521 - title: "Ensure 'Excel 3 worksheets and add-in files' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl3worksheets -> 2' - - - id: 14522 - title: "Ensure 'Excel 4 macrosheets and add-in files' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4macros -> 2' - - - id: 14523 - title: "Ensure 'Excel 4 workbooks are blocked' in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4workbooks -> 2' - - - id: 14524 - title: "Ensure 'Excel 4 worksheets are blocked' in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl4worksheets -> 2' - - - id: 14525 - title: "Ensure 'Excel 95 workbooks are blocked' in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl95workbooks -> 2' - - - id: 14526 - title: "Ensure 'Excel 95-97 workbooks and templates' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> xl9597workbooksandtemplates -> 2' - - - id: 14527 - title: "Ensure 'Set default file block behavior' is set to 'Enabled' (Blocked files are not opened) in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> openinprotectedview -> 0' - - - id: 14528 - title: "Ensure 'Web pages and Excel 2003 XML spreadsheets' are blocked in Microsoft Excel" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\fileblock -> htmlandxmlssfiles -> 2' - -# CIS 2.22 - Office Converters - - id: 14529 - title: "Ensure 'Block Opening of Pre-Release Versions of File Formats New to PowerPoint Through the Compatibility Pack for Office and PowerPoint Converter' is set to Enabled" - description: "This policy setting controls whether users with the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats installed can open Office Open XML files saved with pre-release versions of PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. The recommended state for this setting is: Enabled." - rationale: "The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats enables users of Microsoft PowerPoint 2000, PowerPoint 2002, and Office PowerPoint 2003 to open files saved in the Office Open XML format used by PowerPoint. PowerPoint Open XML files usually have the following extensions: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml. By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of PowerPoint. If this configuration is changed through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of PowerPoint, but not by others, which can lead to inconsistent file opening functionality." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. 
User Configuration\\Administrative Templates\\Microsoft Office 2016\\Office 2016 Converters\\Block Opening of Pre-Release Versions of File Formats New to PowerPoint 2016 Through the Compatibility Pack for Office 2013 and PowerPoint 2016 Converter" - compliance: - - cis: ["2.22.1"] - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> powerpoint12betafilesfromconverters -> 2' - -# ACSC - File Type Blocking (Cont'd) - - id: 14530 - title: "Ensure 'Set default file block behavior' is set to 'Enabled' (Blocked files are not opened) in Microsoft Powerpoint" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\fileblock -> openinprotectedview -> 0' - - - id: 14531 - title: "Ensure 'Set default file block behavior' is set to 'Enabled' (Blocked files are not opened) in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. 
To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> openinprotectedview -> 0' - - - id: 14532 - title: "Ensure 'Word 2 and earlier binary documents and templates' are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word2files -> 2' - - - id: 14533 - title: "Ensure 'Word 6.0 binary documents and templates' are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word60files -> 2' - - - id: 14534 - title: "Ensure 'Word 95 binary documents and templates' are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word95files -> 2' - - - id: 14535 - title: "Ensure 'Word 97 binary documents and templates' are blocked in Microsoft Word" - description: "File Type Blocking can be used to block insecure file types such as legacy, binary and beta file types from opening in Microsoft Office. By failing to block such file types, an adversary can exploit vulnerabilities in these file types to execute malicious code on workstations. To reduce this risk, insecure file types should be prevented from opening in Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\fileblock -> word97files -> 2' - -# ACSC - Hidden Markup - - id: 14536 - title: "Ensure 'Make hidden markup visible' is set to 'Enabled' in Microsoft PowerPoint" - description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\options -> markupopensave -> 1' - - - id: 14537 - title: "Ensure 'Make hidden markup visible' is set to 'Enabled' in Microsoft Word" - description: "To assist users in collaborating on the development of Microsoft Office files, Microsoft Office allows users to track changes relating to insertions, deletions and formatting of content, as well as providing the ability to make comments. Users may choose to either view or hide these markups. 
If markup content is hidden, users may be unaware that sensitive changes or comments may still be included when Microsoft Office files are distributed to external parties or released into the public domain. To reduce this risk, users should be made aware of hidden markup in Microsoft Office files." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\options -> showmarkupopensave -> 1' - -# ACSC - Office File Validation - - id: 14538 - title: "Ensure 'Turn off error reporting for files that fail file validation' is set to 'Enabled' in Microsoft Office" - description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security\filevalidation -> disablereporting -> 1' - - - id: 14539 - title: "Ensure 'Turn off file validation' is set to 'Disabled' in Microsoft Excel" - description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> enableonload -> 1' - - - id: 14540 - title: "Ensure 'Turn off file validation' is set to 'Disabled' in Microsoft PowerPoint" - description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. 
If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> enableonload -> 1' - - - id: 14541 - title: "Ensure 'Turn off file validation' is set to 'Disabled' in Microsoft Word" - description: "Office File Validation (OFV) checks that the format of a Microsoft Office file conforms to an expected standard. By default, Microsoft Office files that fail OFV checking will be opened in Protected View, with users given the option to enable editing. Alternatively, OFV can be configured to open Microsoft Office files in Protected View in an enforced read-only state or simply block them from opening. If Microsoft Office is configured to disable OFV, users may be unaware that they are opening a Microsoft Office file that may be malicious in nature. To reduce this risk, OFV functionality should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> enableonload -> 1' - -# ACSC - Protected View - - id: 14542 - title: "Ensure 'Do not open files from the Internet zone in Protected View' is set to 'Disabled' in Microsoft Excel" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. 
By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableinternetfilesinpv -> 0' - - - id: 14543 - title: "Ensure 'Do not open files in unsafe locations in Protected View' is set to 'Disabled' in Microsoft Excel" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableunsafelocationsinpv -> 0' - - - id: 14544 - title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enabled' (Block files) in Microsoft Excel" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\filevalidation -> openinprotectedview -> 0' - - - id: 14545 - title: "Ensure 'Turn off Protected View for attachments opened from Outlook' is set to 'Disabled' in Microsoft Excel" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. 
However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\protectedview -> disableattachmentsinpv -> 0' - - - id: 14546 - title: "Ensure 'Do not open files from the Internet zone in Protected View' is set to 'Disabled' in Microsoft PowerPoint" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableinternetfilesinpv -> 0' - - - id: 14547 - title: "Ensure 'Do not open files in unsafe locations in Protected View' is set to 'Disabled' in Microsoft PowerPoint" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv -> 0' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableunsafelocationsinpv' - - - id: 14548 - title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enabled' (Block files) in Microsoft PowerPoint" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. 
However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\filevalidation -> openinprotectedview -> 0' - - - id: 14549 - title: "Ensure 'Turn off Protected View for attachments opened from Outlook' is set to 'Disabled' in Microsoft PowerPoint" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: any - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\protectedview -> disableattachmentsinpv -> 0' - - - id: 14550 - title: "Ensure 'Do not open files from the Internet zone in Protected View' is set to 'Disabled' in Microsoft Word" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableinternetfilesinpv -> 0' - - - id: 14551 - title: "Ensure 'Do not open files in unsafe locations in Protected View' is set to 'Disabled' in Microsoft Word" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. 
However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableunsafelocationsinpv -> 0' - - - id: 14552 - title: "Ensure 'Set document behaviour if file validation fails' is set to 'Enable' (Block files) in Microsoft Word" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\filevalidation -> openinprotectedview -> 0' - - - id: 14553 - title: "Ensure 'Turn off Protected View for attachments opened from Outlook' is set to 'Disabled' in Microsoft Word" - description: "Protected View can be used to open Microsoft Office files from untrusted locations in a sandboxed environment. By default, Protected View is enabled for Microsoft Office files that have been downloaded from the Internet, opened from a defined unsafe location or opened as an attachment from Microsoft Outlook. However, organisations can choose to disable Protected View for any or all of these scenarios. If so, an adversary could exploit any of these avenues to deliver a malicious Microsoft Office file to a user’s workstation. To reduce this risk, Protected View should be enabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\protectedview -> disableattachmentsinpv -> 0' - -# ACSC - Trusted Documents - - id: 14554 - title: "Ensure 'Turn off trusted documents' is set to 'Enabled' in Microsoft Excel" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disabletrusteddocuments -> 1' - - - id: 14555 - title: "Ensure 'Turn off Trusted Documents on the network' is set to 'Enabled' in Microsoft Excel" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\excel\security\trusted documents -> disablenetworktrusteddocuments -> 1' - - - id: 14556 - title: "Ensure 'Turn off trusted documents' is set to 'Enabled' in Microsoft Powerpoint" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disabletrusteddocuments -> 1' - - - id: 14557 - title: "Ensure 'Turn off Trusted Documents on the network' is set to 'Enabled' in Microsoft Powerpoint" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security\trusted documents -> disablenetworktrusteddocuments -> 1' - - - id: 14558 - title: "Ensure 'Turn off trusted documents' is set to 'Enabled' in Microsoft Word" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." 
- references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disabletrusteddocuments -> 1' - - - id: 14559 - title: "Ensure 'Turn off Trusted Documents on the network' is set to 'Enabled' in Microsoft Word" - description: "Macros, ActiveX controls and other active content in trusted documents are assumed to be safe by Microsoft Office. An adversary can exploit this trust by modifying trusted documents to contain malicious code. To reduce this risk, trusted documents should be disabled for Microsoft Office." - references: - - https://acsc.gov.au/publications/protect/Hardening_MS_Office_2016.pdf - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\word\security\trusted documents -> disablenetworktrusteddocuments -> 1' - -# CIS 2.24 - Privacy - - id: 14560 - title: "Ensure 'Disable Opt-in Wizard on First Run' is set to Enabled" - description: "This policy setting controls whether users see the Opt-in Wizard the first time they run a Microsoft Office application. The recommended state for this setting is: Enabled." - rationale: "By default, the Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies." 
- remediation: "To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Disable Opt-in Wizard on First Run" - compliance: - - cis: ["2.24.1.1"] - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\general -> shownfirstrunoptin -> 1' - - - id: 14561 - title: "Ensure 'Enable Customer Experience Improvement Program' is set to Disabled" - description: "This policy setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office. When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. The recommended state for this setting is: Disabled" - rationale: "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. 
If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Enable Customer Experience Improvement Program" - compliance: - - cis: ["2.24.1.2"] - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> qmenable -> 0' - - - id: 14562 - title: "Ensure 'Allow including screenshot with Office Feedback' is set to Disabled" - description: "This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled." - rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Allow including screenshot with Office Feedback" - compliance: - - cis: ["2.24.1.3"] - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> includescreenshot -> 0' - - - id: 14563 - title: "Ensure 'Send Office Feedback' is set to Disabled" - description: "This policy setting manages the Office Feedback Tool (a.k.a. Send a Smile). 
The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. The recommended state for this setting is: Disabled." - rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send Office Feedback" - compliance: - - cis: ["2.24.1.4"] - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\feedback -> enabled -> 0' - - - id: 14564 - title: "Ensure 'Send personal information' is set to Disabled" - description: "This policy setting controls whether users can send personal information to Office. When users choose to send information Office applications automatically send information to Office." - rationale: "Due to privacy concerns, users should not be able to send data to any third party unless approved by the System Administrators." - remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Send personal information" - compliance: - - cis: ["2.24.1.5"] - condition: all - rules: - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata' - - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> sendcustomerdata -> 0' - - - id: 14565 - title: "Ensure 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled" - description: "This policy setting controls whether Microsoft Office Diagnostics is enabled. 
Office Diagnostics enables Microsoft to diagnose system problems by periodically downloading a small file to the computer. If you enable this policy setting, Office Diagnostics collects information about specific errors and the IP address of the computer. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. If you disable this policy setting, users will not receive updates from Office Diagnostics. If you do not configure this policy setting, this policy setting is not enabled, but users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run an Office application. The recommended state for this setting is: Disabled."
- rationale: "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies."
- remediation: "To implement the recommended configuration state, set the following Group Policy setting to Disabled. 
User Configuration\\Administrative Templates\\Microsoft Office 2016\\Privacy\\Trust Center\\Automatically Receive Small Updates to Improve Reliability"
- compliance:
- - cis: ["2.24.1.6"]
- condition: all
- rules:
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata'
- - 'r:HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common -> updatereliabilitydata -> 0'
From 697eb8775fb1d5c96ceebe1467ff242ca8ca0290 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Wed, 7 Aug 2019 05:03:33 -0700
Subject: [PATCH 221/247] Fix typos in Win10 Enterprise L2 SCA policy

---
 sca/windows/cis_win10_enterprise_L2.yml | 254 ++++++++++++------------
 1 file changed, 127 insertions(+), 127 deletions(-)

diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index 5a20bffc2..1e86d3eef 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -31,7 +31,7 @@ checks:
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
 description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
 compliance:
 - cis: ["2.3.4.2"]
 - cis_csc: ["5.1"]
@@ -59,7 +59,7 @@ checks:
 title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher"
 description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark."
 rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password."
- remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer."
 compliance:
 - cis: ["2.3.14.1"]
 - cis_csc: ["16.14"]
@@ -74,7 +74,7 @@ checks:
 title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'"
 description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled."
 rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service"
 compliance:
 - cis: ["5.2"]
 - cis_csc: ["9.1", "9.2"]
@@ -88,7 +88,7 @@ checks:
 title: "Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'"
 description: "Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps."
 rationale: "Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Downloaded Maps Manager"
 compliance:
 - cis: ["5.4"]
 - cis_csc: ["9.1", "9.2"]
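Review bot: The description line in this hunk still reads `on- demand`, which a typo-fixing commit should also correct to `on-demand`. The same kind of residual typo sits in the context lines of later hunks of this commit: `then on workstations` in the MSiSCSI rationale (`@@ -130,7 +130,7`) should be `than on workstations`, and `IPMI- enabled` in the Windows Event Collector description (`@@ -326,7 +326,7`) should be `IPMI-enabled`. This description also lacks the closing sentence `The recommended state for this setting is: Disabled.` that the sibling service checks carry, as does the Remote Access Auto Connection Manager description in `@@ -214,7 +214,7`; adding it keeps the check text uniform for anyone reading SCA results.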
@@ -116,7 +116,7 @@ checks:
 title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'"
 description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled."
 rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper"
 compliance:
 - cis: ["5.9"]
 - cis_csc: ["9.1", "9.2"]
@@ -130,7 +130,7 @@ checks:
 title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
 description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled."
 rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service"
 compliance:
 - cis: ["5.12"]
 - cis_csc: ["9.1", "9.2"]
@@ -144,7 +144,7 @@ checks:
 title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'"
 description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled."
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol"
 compliance:
 - cis: ["5.15"]
 - cis_csc: ["9.1", "9.2"]
@@ -158,7 +158,7 @@ checks:
 title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'"
 description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled."
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping"
 compliance:
 - cis: ["5.16"]
 - cis_csc: ["9.1", "9.2"]
@@ -172,7 +172,7 @@ checks:
 title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'"
 description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled."
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager"
 compliance:
 - cis: ["5.17"]
 - cis_csc: ["9.1", "9.2"]
@@ -186,7 +186,7 @@ checks:
 title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'"
 description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled."
 rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
 compliance:
 - cis: ["5.18"]
 - cis_csc: ["9.1", "9.2"]
@@ -200,7 +200,7 @@ checks:
 title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'"
 description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled."
 rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support"
 compliance:
 - cis: ["5.19"]
 - cis_csc: ["9.1", "9.2"]
@@ -214,7 +214,7 @@ checks:
 title: "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'"
 description: "Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address."
 rationale: "The function of this service is to provide a \"demand dial\" type of functionality. In a high security environment, it is preferred that any remote \"dial\" connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Access Auto Connection Manager"
 compliance:
 - cis: ["5.20"]
 - cis_csc: ["9.1", "9.2"]
@@ -228,7 +228,7 @@ checks:
 title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'"
 description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration"
 compliance:
 - cis: ["5.21"]
 - cis_csc: ["9.1", "9.2"]
@@ -242,7 +242,7 @@ checks:
 title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'"
 description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services"
 compliance:
 - cis: ["5.22"]
 - cis_csc: ["9.1", "9.2"]
@@ -256,7 +256,7 @@ checks:
 title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'"
 description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled."
 rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector"
 compliance:
 - cis: ["5.23"]
 - cis_csc: ["9.1", "9.2"]
@@ -270,7 +270,7 @@ checks:
 title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'"
 description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, exposing the registry to remote access is an increased security risk."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry"
 compliance:
 - cis: ["5.25"]
 - cis_csc: ["9.1", "9.2"]
@@ -283,8 +283,8 @@ checks:
 - id: 13518
 title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'"
 description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled."
- rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
+ rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server"
 compliance:
 - cis: ["5.27"]
 - cis_csc: ["9.1", "9.2"]
@@ -312,7 +312,7 @@ checks:
 title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
 description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
 compliance:
 - cis: ["5.33"]
 - cis_csc: ["9.1", "9.2"]
@@ -326,7 +326,7 @@ checks:
 title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
 description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
 compliance:
 - cis: ["5.34"]
 - cis_csc: ["9.1", "9.2"]
@@ -340,7 +340,7 @@ checks:
 title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
 description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
 rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
 compliance:
 - cis: ["5.37"]
 - cis_csc: ["9.1", "9.2"]
@@ -354,7 +354,7 @@ checks:
 title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
 description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled."
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
 compliance:
 - cis: ["5.38"]
 - cis_csc: ["9.1", "9.2"]
@@ -368,7 +368,7 @@ checks:
 title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'"
 description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
 compliance:
 - cis: ["5.39"]
 - cis_csc: ["9.1", "9.2"]
@@ -383,7 +383,7 @@ checks:
 title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
 description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.1.3"]
 - cis_csc: ["9.1"]
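Review bot: The new remediation line still has no sentence break before `Note:` (`...\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default...`), whereas the `@@ -398,7 +398,7`, `@@ -414,7 +414,7`, `@@ -430,7 +430,7` and `@@ -446,7 +446,7` hunks of this same commit insert a period at exactly that position. For consistency this line should read `...\\Control Panel\\Allow Online Tips. Note: This Group Policy path may not exist by default...`. The removed and added lines are otherwise indistinguishable as printed here, so the change is presumably whitespace or a non-printing character; a one-line mention of that in the commit message would save the next reviewer the same puzzle.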
@@ -398,7 +398,7 @@ checks:
 title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
 description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled."
 rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
 - cis: ["18.4.4"]
 - cis_csc: ["9"]
@@ -414,7 +414,7 @@ checks:
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
 - cis: ["18.4.6"]
 - cis_csc: ["9"]
@@ -430,7 +430,7 @@ checks: title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled." rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - cis: ["18.4.8"] - cis_csc: ["9"] 
@@ -446,7 +446,7 @@ checks: title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - cis: ["18.4.11"] - cis_csc: ["9"] 
@@ -462,7 +462,7 @@ checks: title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" compliance: - cis: ["18.4.12"] - cis_csc: ["9"] 
@@ -477,7 +477,7 @@ checks: # 18.5 Network - id: 13531 title: "Ensure 'Enable Font Providers' is set to 'Disabled'" - description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. The recommended state for this setting is: Disabled." rationale: "In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Fonts\\Enable Font Providers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)." compliance: 
@@ -491,9 +491,9 @@ checks: - id: 13532 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" - description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." + description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.5.9.1"] - cis_csc: ["9"] 
@@ -511,7 +511,7 @@ checks: - id: 13533 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" - description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." + description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled." rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
@@ -531,9 +531,9 @@ checks: - id: 13534 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" - description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled." + description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled." rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services. 
Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.5.10.2"] - cis_csc: ["9.1", "9.2"] 
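Review bot: The template name in the new remediation string still reads `P2P- pnrp.admx/adml` with a stray space, which looks like a line-break artifact carried over from the benchmark text; the template is `P2P-pnrp.admx/adml`, and an operator searching for the file by the name given here will not find it. Suggest `Group Policy template P2P-pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.` The added remediation line also appears to continue onto a second physical line without a diff marker between "Services." and "Note:"; if that is a real line break inside the double-quoted scalar it is folded to a single space by YAML and is harmless, but it is inconsistent with the other remediation strings in this change, which are single lines. Please confirm whether that break exists in the file or is only a rendering artifact.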
@@ -545,9 +545,9 @@ checks: - id: 13535 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" - description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)" + description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)" rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed." - remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. 
Instead, the opposite setting must be applied to change the registry value to the opposite state." + remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state." compliance: - cis: ["18.5.19.2.1"] - cis_csc: ["9"] 
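Review bot: The registry value name in the new remediation is still broken as `Parameters:Disabl edComponents`, so the joined string this commit produces tells an operator to set a value that does not exist; the value is `DisabledComponents`. Suggest `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents` in the remediation text. The `rules:` block for this check (id 13535) lies outside the hunk, so I could not confirm that the registry rule used for the actual evaluation spells the value correctly; it is worth checking that as well, since a misspelt name there would make the check silently pass or fail regardless of the host's real IPv6 state.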
@@ -559,7 +559,7 @@ checks: - id: 13536 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" - description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled." + description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled." rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
@@ -581,7 +581,7 @@ checks: - id: 13537 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" - description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled." + description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled." rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: 
@@ -596,9 +596,9 @@ checks: # 18.8 System - id: 13538 title: "Ensure 'Turn off access to the Store' is set to 'Enabled'" - description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. The recommended state for this setting is: Enabled." rationale: "The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off access to the Store. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.22.1.1"] - cis_csc: ["2"] @@ -612,7 +612,7 @@ checks: title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." rationale: "Users might download drivers that include malicious code." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP." compliance: - cis: ["18.8.22.1.2"] - cis_csc: ["7"] 
@@ -624,7 +624,7 @@ checks: - id: 13540 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" - description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled." + description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: 
@@ -638,9 +638,9 @@ checks: - id: 13541 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" - description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled." + description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled." rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.4"] - cis_csc: ["13"] 
@@ -652,9 +652,9 @@ checks: - id: 13542 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" - description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled." rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.5"] - cis_csc: ["13"] 
@@ -666,9 +666,9 @@ checks: - id: 13543 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" - description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled." rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.8"] condition: all 
@@ -679,9 +679,9 @@ checks: - id: 13544 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" - description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.9"] - cis_csc: ["13"] 
@@ -693,9 +693,9 @@ checks: - id: 13545 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'" - description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled." rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.10"] - cis_csc: ["13"] 
@@ -707,7 +707,7 @@ checks: - id: 13546 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" - description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
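Review bot: The remediation string for id 13546 is left as an unchanged context line without the `. Note:` separator that this commit adds to the neighbouring checks (13544, 13545, 13547, 13548), so `...task for files and folders Note: This Group Policy path...` still reads as one run-on sentence. The same untouched remediation lines appear in the hunks for ids 13554, 13558 and 13561. Apply the same edit here and in those three hunks: `...for files and folders. Note: This Group Policy path...`.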
@@ -723,7 +723,7 @@ checks: title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.12"] - cis_csc: ["13"] 
@@ -735,9 +735,9 @@ checks: - id: 13548 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" - description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.13"] - cis_csc: ["13"] 
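Review bot: The new `description` line for id 13548 ('Turn off Windows Customer Experience Improvement Program') still says the setting controls whether Windows Messenger can collect anonymous information about the Windows Messenger software, which is the text of the preceding check 13547; only the program name in the second sentence differs, so this looks like a copy-paste left over from that check. Since the commit already rewrites this line, it should also replace the first sentence with one that describes the Windows CEIP itself, e.g. `This policy setting turns off the Windows Customer Experience Improvement Program.`, keeping the rest of the string as is.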
@@ -749,9 +749,9 @@ checks: - id: 13549 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" - description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." + description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.8.22.1.14"] - cis_csc: ["13"] 
@@ -766,9 +766,9 @@ checks: - id: 13550 title: "Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" - description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic." + description: "This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. The recommended state for this setting is: Enabled: Automatic." rationale: "Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate. Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: - cis: ["18.8.25.1"] - cis_csc: ["1.6"] 
@@ -796,9 +796,9 @@ checks: - id: 13552 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" - description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled." + description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled." rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." 
compliance: - cis: ["18.8.44.5.1"] - cis_csc: ["13"] @@ -810,9 +810,9 @@ checks: - id: 13553 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" - description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled." + description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled." rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - cis: ["18.8.44.11.1"] - cis_csc: ["13"] 
@@ -824,7 +824,7 @@ checks: - id: 13554 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'" - description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled." + description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled." rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: 
@@ -838,9 +838,9 @@ checks: - id: 13555 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'" - description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled." rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.8.49.1.1"] - cis_csc: ["6.1"] @@ -852,9 +852,9 @@ checks: - id: 13556 title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'" - description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled." rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.49.1.2"] - cis_csc: ["9.1", "9.2"] 
@@ -867,9 +867,9 @@ checks: # 18.9 Windows Components - id: 13557 title: "Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" - description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled." + description: "Manages a Windows app's ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled." rationale: "Users of a system could accidentally share sensitive data with other users on the same system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App Package Deployment\\Allow a Windows app to share application data between users. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: - cis: ["18.9.4.1"] - cis_csc: ["14.4", "14.6"] 
@@ -881,7 +881,7 @@ checks: - id: 13558 title: "Ensure 'Allow Use of Camera' is set to 'Disabled'" - description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled." rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)." compliance: 
@@ -895,9 +895,9 @@ checks: - id: 13559 title: "Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" - description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage." + description: "This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage." rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)." compliance: - cis: ["18.9.16.2"] - cis_csc: ["13"] 
@@ -909,9 +909,9 @@ checks: - id: 13560 title: "Ensure 'Turn off location' is set to 'Enabled'" - description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled." + description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled." rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.39.2"] - cis_csc: ["13"] 
@@ -923,7 +923,7 @@ checks: - id: 13561 title: "Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" - description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled." + description: "This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled." rationale: "In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Messaging\\Allow Message Service Cloud Sync Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)." compliance: 
@@ -937,9 +937,9 @@ checks: - id: 13562 title: "Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled'" - description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled." + description: "This setting determines whether the Address bar drop-down functionality is available in Microsoft Edge. The recommended state for this setting is: Disabled." rationale: "Having Address bar drop-down list suggestions sent out to be processed is considered a privacy concern." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)." compliance: - cis: ["18.9.45.1"] - cis_csc: ["13"] 
@@ -951,9 +951,9 @@ checks: - id: 13563 title: "Ensure 'Allow Adobe Flash' is set to 'Disabled'" - description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled." - rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)." + description: "This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. The recommended state for this setting is: Disabled." + rationale: "Adobe Flash is a very insecure product and has been a frequent attack vector on the web. In more highly security-sensitive environments, Adobe Flash should be disabled completely to eliminate this attack vector. Note: This setting will not prevent or remove Adobe Flash usage from other web browsers, so we recommend also uninstalling Adobe Flash completely from all systems in highly security-sensitive environments." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow Adobe Flash. Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer)." compliance: - cis: ["18.9.45.2"] - cis_csc: ["7.2"] 
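Review bot: The rewritten remediation for id 13563 still instructs the operator to set 'Allow Adobe Flash' to `Enabled`, while the title, the description and the cis reference `18.9.45.2` all require `Disabled`; the commit reflows the string but carries the wrong value over, so anyone following the remediation would leave Flash allowed. Change the fragment to `set the following UI path to Disabled:` so the remediation agrees with the check it belongs to.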
@@ -965,9 +965,9 @@ checks: - id: 13564 title: "Ensure 'Allow InPrivate Browsing' is set to 'Disabled'" - description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled." + description: "This setting lets you decide whether employees can browse using InPrivate website browsing. The recommended state for this setting is: Disabled." rationale: "Even though web filter logs can monitor traffic to and from websites, it is always a good practice to try and keep multiple source of logs. It can also be helpful to keep user from privately browsing in order to troubleshoot malicious site visits if a machine has become compromised." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Allow InPrivate Browsing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). 
Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off InPrivate browsing, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates." compliance: - cis: ["18.9.45.3"] - cis_csc: ["7"] 
@@ -979,9 +979,9 @@ checks:
 - id: 13565
 title: "Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
- description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
+ description: "This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop- ups to appear in secondary windows. The recommended state for this setting is: Enabled."
 rationale: "The Pop-up Blocker serves an important purpose by blocking malicious popups and helping prevent the machine from being compromised."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Pop-up Blocker. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Turn off Pop-up Blocker, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
 - cis: ["18.9.45.6"]
 - cis_csc: ["7"]
@@ -993,9 +993,9 @@ checks:
 - id: 13566
 title: "Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'"
- description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
+ description: "This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. The recommended state for this setting is: Disabled."
 rationale: "Having search suggestions sent out to be processed is considered a privacy concern."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1507 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1507 Administrative Templates, this setting was named Stops address bar from showing search suggestions. In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was renamed to Turn off address bar search suggestions, but it was finally renamed to Configure search suggestions in Address bar starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
 - cis: ["18.9.45.7"]
 - cis_csc: ["13"]
@@ -1007,9 +1007,9 @@ checks:
 - id: 13567
 title: "Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled'"
- description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled."
- rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+ description: "This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. The recommended state for this setting is: Enabled."
+ rationale: "Users should not have access to developer settings and experimental features. Vulnerabilities could be introduced if these settings are not properly managed."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.45.9"]
 - cis_csc: ["3"]
@@ -1021,9 +1021,9 @@ checks:
 - id: 13568
 title: "Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
- description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled."
+ description: "This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. The recommended state for this setting is: Enabled."
 rationale: "WebRTC is a Real-Time Communications open source project supported by all major browsers. Allowing a system's local IP address to be shared may be considered a privacy concern."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MicrosoftEdge.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Microsoft Windows 10 Release 1511 Administrative Templates, this setting was named Don't allow WebRTC to share the LocalHost IP address, but it was renamed starting with the Windows 10 Release 1607 & Server 2016 Administrative Templates."
 compliance:
 - cis: ["18.9.45.10"]
 - cis_csc: ["7.2"]
@@ -1035,9 +1035,9 @@ checks:
 - id: 13569
 title: "Ensure 'Turn off Push To Install service' is set to 'Enabled'"
- description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether users can push Apps to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Enabled."
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Push to Install\\Turn off Push To Install service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.57.1"]
 - cis_csc: ["9.1", "9.2"]
@@ -1049,9 +1049,9 @@ checks:
 - id: 13570
 title: "Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
- description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
+ description: "This policy setting allows you to configure remote access to computers by using Remote Desktop Services. The recommended state for this setting is: Disabled."
 rationale: "Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.2.1"]
 condition: all
@@ -1062,9 +1062,9 @@ checks:
 - id: 13571
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.1"]
 - cis_csc: ["9.1", "9.2"]
@@ -1076,9 +1076,9 @@ checks:
 - id: 13572
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.3"]
 - cis_csc: ["9.1", "9.2"]
@@ -1090,9 +1090,9 @@ checks:
 - id: 13573
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
- description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.4"]
 - cis_csc: ["9.1", "9.2"]
@@ -1104,9 +1104,9 @@ checks:
 - id: 13574
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
- description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
+ description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.10.1"]
 - cis_csc: ["16.5"]
@@ -1120,9 +1120,9 @@ checks:
 - id: 13575
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
- description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+ description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.10.2"]
 - cis_csc: ["16.5"]
@@ -1134,9 +1134,9 @@ checks:
 - id: 13576
 title: "Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'"
- description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
+ description: "This policy setting allows search and Cortana to search cloud sources like OneDrive and SharePoint. The recommended state for this setting is: Enabled: Disable Cloud Search."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Cloud Search: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cloud Search. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.60.2"]
 - cis_csc: ["9.1", "9.2"]
@@ -1148,9 +1148,9 @@ checks:
 - id: 13577
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
- description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
- rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+ description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
+ rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.65.1"]
 condition: all
@@ -1161,9 +1161,9 @@ checks:
 - id: 13578
 title: "Ensure 'Turn off the Store application' is set to 'Enabled'"
- description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
+ description: "This setting denies or allows access to the Store application. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet and MSKB 3135657, this policy setting does not apply to any Windows 10 editions other than Enterprise and Education."
 rationale: "Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Store\\Turn off the Store application. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinStoreUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates, or by the Group Policy template WindowsStore.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.68.5"]
 - cis_csc: ["2"]
@@ -1178,8 +1178,8 @@ checks: - id: 13579 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" - description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  (0x0) Disabled (default)  (0x1) Basic membership  (0x2) Advanced membership. The recommended state for this setting is: Disabled." - rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." + description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\". Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. 
Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership. The recommended state for this setting is: Disabled." + rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.76.3.2"] 
@@ -1191,9 +1191,9 @@ checks: - id: 13580 title: "Ensure 'Configure Watson events' is set to 'Disabled'" - description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled." rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.76.9.1"] - cis_csc: ["13"] 
@@ -1205,9 +1205,9 @@ checks: - id: 13581 title: "Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" - description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether suggested apps in Windows Ink Workspace are allowed. The recommended state for this setting is: Disabled." rationale: "This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Ink Workspace\\Allow suggested apps in Windows Ink Workspace. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)." compliance: - cis: ["18.9.84.1"] - cis_csc: ["13"] 
@@ -1219,9 +1219,9 @@ checks: - id: 13582 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" - description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.85.3"] - cis_csc: ["7"] 
@@ -1233,9 +1233,9 @@ checks: - id: 13583 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. 
Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.97.2.2"] - cis_csc: ["3.4"] 
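Review bot: The `Policies\\` segment is missing from the GP UI path in the rewritten `remediation` of check 13583 (`Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\...`), whereas checks 13578–13582 in the preceding hunks all root the path at `Computer Configuration\\Policies\\Administrative Templates\\...`. An operator following the text verbatim would look in the wrong branch of the Group Policy editor, so this is worth settling while the string is being touched anyway. Check 13584 in the next hunk has the same shape (`Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\...`). If the benchmark wording uses the `Policies` form, as the sibling checks suggest, the line should read `Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: ...`; please confirm against the CIS text before changing it.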
@@ -1247,9 +1247,9 @@ checks: - id: 13584 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" - description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." + description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.98.1"] - cis_csc: ["3.4"] From 2dc28cb5b3696b274a7fcd30e517385426a15eea Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 7 Aug 2019 14:15:30 +0200 Subject: [PATCH 222/247] Add references to cis_win2012r2_domainL2.yml --- sca/windows/cis_win2012r2_domainL2.yml | 85 +++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 9 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml index 5c8f701d0..c6c6c61b0 100644 --- a/sca/windows/cis_win2012r2_domainL2.yml +++ b/sca/windows/cis_win2012r2_domainL2.yml 
@@ -32,10 +32,12 @@ checks: title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers." 
compliance: - cis: ["2.3.4.2"] - cis_csc: ["5.1"] + references: + - 'CCE-37942-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 
@@ -47,12 +49,13 @@ checks: title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'" description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)." rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.5"] - cis_csc: ["9"] references: - - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36868-8' + - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
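Review bot: The new `remediation` line only appends a period at the very end of the string, so the sentence break between the UI path and the following note is still missing: `...sent in milliseconds Note: This Group Policy path does not exist by default.` reads as one run-on. The earlier commit in this series inserted exactly that period before `Note:` for the Windows 10 checks, and the printer-driver hunk above terminates its path with a period too, so this hunk is out of step with the convention the author is applying. The same applies to the three MSS remediations that follow (PerformRouterDiscovery, TcpMaxDataRetransmissions IPv6 and TcpMaxDataRetransmissions). Suggested form: `...(KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. ...`.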
@@ -63,12 +66,13 @@ checks: title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled." rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.7"] - cis_csc: ["9"] references: - - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-38065-9' + - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
@@ -79,12 +83,13 @@ checks: title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.10"] - cis_csc: ["9"] references: - - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37846-3' + - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' 
@@ -95,12 +100,13 @@ checks: title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.11"] - cis_csc: ["9"] references: - - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36051-1' + - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' @@ -116,6 +122,8 @@ checks: compliance: - cis: ["18.5.9.1"] - cis_csc: ["9"] + references: + - 'CCE-38170-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' @@ -136,6 +144,8 @@ checks: compliance: - cis: ["18.5.9.2"] - cis_csc: ["9"] + references: + - 'CCE-37959-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' @@ -156,6 +166,8 @@ checks: compliance: - cis: ["18.5.10.2"] - cis_csc: ["9.1"] + references: + - 'CCE-37699-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' @@ -184,6 +196,8 @@ checks: compliance: - cis: ["18.5.20.1"] - cis_csc: ["15.4"] + references: + - 'CCE-37481-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' @@ -206,6 +220,8 @@ checks: compliance: - cis: ["18.5.20.2"] - cis_csc: ["15.4"] + references: + - 'CCE-36109-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' @@ -220,6 +236,8 @@ checks: compliance: - cis: ["18.8.22.1.2"] - cis_csc: ["13"] + references: + - 'CCE-37911-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' @@ -234,6 +252,8 @@ checks: compliance: - cis: ["18.8.22.1.3"] - cis_csc: ["13"] + references: + - 'CCE-36203-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' @@ -248,6 +268,8 @@ checks: compliance: - cis: ["18.8.22.1.4"] - cis_csc: ["13"] + references: + - 'CCE-37163-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' 
@@ -261,6 +283,8 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.7"] + references: + - 'CCE-36352-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' @@ -275,6 +299,8 @@ checks: compliance: - cis: ["18.8.22.1.8"] - cis_csc: ["13"] + references: + - 'CCE-36884-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' @@ -289,6 +315,8 @@ checks: compliance: - cis: ["18.8.22.1.9"] - cis_csc: ["13"] + references: + - 'CCE-38275-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -303,6 +331,8 @@ checks: compliance: - cis: ["18.8.22.1.10"] - cis_csc: ["13"] + references: + - 'CCE-37090-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -317,6 +347,8 @@ checks: compliance: - cis: ["18.8.22.1.11"] - cis_csc: ["13"] + references: + - 'CCE-36628-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' @@ -331,6 +363,8 @@ checks: compliance: - cis: ["18.8.22.1.12"] - cis_csc: ["13"] + references: + - 'CCE-36174-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' @@ -345,6 +379,8 @@ checks: compliance: - cis: ["18.8.22.1.13"] - cis_csc: ["13"] + references: + - 'CCE-35964-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 
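Review bot: The rule in the `@@ -261,6 +283,8 @@` hunk reads `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, the only registry rule in this file section that is not rooted under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`. It is a context line, so the commit does not introduce it, but the `CCE-36352-3` reference being added now documents a check whose key path looks incomplete; if the hive path is wrong the rule can never find the key and the check would evaluate the same way on every host regardless of its actual configuration. If the benchmark key is `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control`, as the neighbouring rules suggest, the line should become `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`; please verify against CIS 18.8.22.1.7 before changing it. Any further rule lines for this check lie outside the hunk.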
@@ -359,6 +395,8 @@ checks: compliance: - cis: ["18.8.26.1"] - cis_csc: ["16.5"] + references: + - 'CCE-36343-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' @@ -373,6 +411,8 @@ checks: compliance: - cis: ["18.8.44.5.1"] - cis_csc: ["13"] + references: + - 'CCE-38161-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' @@ -387,6 +427,8 @@ checks: compliance: - cis: ["18.8.44.11.1"] - cis_csc: ["13"] + references: + - 'CCE-36648-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' @@ -401,6 +443,8 @@ checks: compliance: - cis: ["18.8.46.1"] - cis_csc: ["13"] + references: + - 'CCE-36931-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' @@ -415,6 +459,8 @@ checks: compliance: - cis: ["18.8.49.1.1"] - cis_csc: ["6.1"] + references: + - 'CCE-37843-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' @@ -430,6 +476,8 @@ checks: compliance: - cis: ["18.9.39.2"] - cis_csc: ["13"] + references: + - 'CCE-36886-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' 
@@ -443,6 +491,8 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - cis: ["18.9.58.3.2.1"] + references: + - 'CCE-37708-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -457,6 +507,8 @@ checks: compliance: - cis: ["18.9.58.3.3.1"] - cis_csc: ["9.1"] + references: + - 'CCE-37696-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -471,6 +523,8 @@ checks: compliance: - cis: ["18.9.58.3.3.3"] - cis_csc: ["9.1"] + references: + - 'CCE-37778-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -485,6 +539,8 @@ checks: compliance: - cis: ["18.9.58.3.3.4"] - cis_csc: ["9.1"] + references: + - 'CCE-37477-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -500,6 +556,7 @@ checks: - cis: ["18.9.58.3.10.1"] - cis_csc: ["16.5"] references: + - 'CCE-37562-6' - https://workbench.cisecurity.org/benchmarks/766 condition: all rules: 
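Review bot: The `references` list touched by the `@@ -500,6 +556,7 @@` hunk ends up mixed: the new `- 'CCE-37562-6'` entry is single-quoted while the existing `- https://workbench.cisecurity.org/benchmarks/766` item stays a plain scalar, whereas the MSS hunks earlier in this patch quote both the CCE and the URL whenever they edit a list. Both forms parse today, but the file otherwise quotes every reference value, and a plain scalar is one stray `: ` or ` #` away from changing type silently. For consistency change the existing item to `- 'https://workbench.cisecurity.org/benchmarks/766'` in the same commit.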
@@ -515,6 +572,8 @@ checks: compliance: - cis: ["18.9.58.3.10.2"] - cis_csc: ["16.5"] + references: + - 'CCE-37949-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -529,6 +588,8 @@ checks: compliance: - cis: ["18.9.60.3"] - cis_csc: ["13"] + references: + - 'CCE-36937-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -569,6 +630,8 @@ checks: compliance: - cis: ["18.9.85.3"] - cis_csc: ["7"] + references: + - 'CCE-37524-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' @@ -583,6 +646,8 @@ checks: compliance: - cis: ["18.9.97.2.2"] - cis_csc: ["3.4"] + references: + - 'CCE-37927-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' @@ -597,6 +662,8 @@ checks: compliance: - cis: ["18.9.98.1"] - cis_csc: ["3.4"] + references: + - 'CCE-36499-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' From ac99c5e77bf0b56e31ccc0219c589bf708d70be6 Mon Sep 17 00:00:00 2001 From: JuantAldea Date: Wed, 7 Aug 2019 14:48:47 +0200 Subject: [PATCH 223/247] Remove multiple spaces --- sca/windows/cis_win2012r2_domainL2.yml | 132 ++++++++++++------------- 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml index c6c6c61b0..dca8b97eb 100644 --- a/sca/windows/cis_win2012r2_domainL2.yml +++ b/sca/windows/cis_win2012r2_domainL2.yml 
@@ -30,7 +30,7 @@ requirements:
 checks:
 - id: 11500
 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
- description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+ description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
 rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
 compliance:
@@ -47,9 +47,9 @@ checks:
 # Section 18.4 - MSS (Legacy)
 - id: 11501
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
- description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+ description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.5"]
 - cis_csc: ["9"]
@@ -64,9 +64,9 @@ checks:
 - id: 11502
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
- description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+ description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.7"]
 - cis_csc: ["9"]
@@ -81,7 +81,7 @@ checks:
 - id: 11503
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
@@ -98,9 +98,9 @@ checks:
 - id: 11504
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.11"]
 - cis_csc: ["9"]
@@ -116,9 +116,9 @@ checks:
 # Section 18.5 - Network
 - id: 11505
 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
- description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+ description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.9.1"]
 - cis_csc: ["9"]
@@ -138,7 +138,7 @@ checks:
 - id: 11506
 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
- description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
+ description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -160,7 +160,7 @@ checks:
 - id: 11507
 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
- description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
+ description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -176,9 +176,9 @@ checks:
 - id: 11508
 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
- description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
+ description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
- remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied.
Instead, the opposite setting must be applied to change the registry value to the opposite state."
+ remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
 - cis: ["18.5.19.2.1"]
 - cis_csc: ["9"]
@@ -190,7 +190,7 @@ checks:
 - id: 11509
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
- description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
+ description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -214,7 +214,7 @@ checks:
 - id: 11510
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
- description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
+ description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
@@ -230,7 +230,7 @@ checks:
 - id: 11511
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
- description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+ description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
@@ -246,9 +246,9 @@ checks:
 - id: 11512
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
- description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+ description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.3"]
 - cis_csc: ["13"]
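Review bot: The new `remediation` string here ends the UI path with a period before the note (`…error reporting. Note: This Group Policy path…`), and the same edit appears at `@@ -293`, `@@ -309` and `@@ -341`, while the new strings at `@@ -47`, `@@ -64`, `@@ -116` and `@@ -262` still run the path straight into `Note:`; the commit title "Remove multiple spaces" does not mention this wording change. These strings are what an operator reads when a check fails, so one form should be used across the file; the dotted form reads better, so the hunks left without it could be brought in line. The hunks visible here touch only `description` and `remediation` text, and the diffstat shows more hunks than are in view, so the remaining ones may need the same pass.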
@@ -262,9 +262,9 @@ checks:
 - id: 11513
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.4"]
 - cis_csc: ["13"]
@@ -278,7 +278,7 @@ checks:
 - id: 11514
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
- description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -293,9 +293,9 @@ checks:
 - id: 11515
 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
- description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled."
 rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.8"]
 - cis_csc: ["13"]
@@ -309,9 +309,9 @@ checks:
 - id: 11516
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
- description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.9"]
 - cis_csc: ["13"]
@@ -325,7 +325,7 @@ checks:
 - id: 11517
 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
- description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled."
 rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -341,9 +341,9 @@ checks:
 - id: 11518
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.11"]
 - cis_csc: ["13"]
@@ -357,9 +357,9 @@ checks:
 - id: 11519
 title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.12"]
 - cis_csc: ["13"]
@@ -373,9 +373,9 @@ checks:
 - id: 11520
 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
- description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.13"]
 - cis_csc: ["13"]
@@ -389,7 +389,7 @@ checks:
 - id: 11521
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
- description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+ description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
@@ -405,9 +405,9 @@ checks:
 - id: 11522
 title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
- description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
+ description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.44.5.1"]
 - cis_csc: ["13"]
@@ -421,9 +421,9 @@ checks:
 - id: 11523
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
- description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
+ description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.44.11.1"]
 - cis_csc: ["13"]
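Review bot: The rewritten remediation line of id 11523 still runs the UI path straight into the note (`...Enable/Disable PerfTrack Note: This Group Policy path...`), while this same commit inserts a sentence break before `Note:` in ids 11516, 11518, 11519, 11520 and 11522, so the line is touched without being brought in line with them. The rewritten remediation lines of ids 11524 through 11532 in the following hunks have the same gap, as do the untouched context lines of 11517, 11521, 11533 and 11534. For 11523 the change is `...Windows Performance PerfTrack\\Enable/Disable PerfTrack. Note: This Group Policy path may not exist by default...`, and the same one-character insertion applies to each of the others. The `-`/`+` description pairs in these hunks read identically, so whatever byte-level difference they carry (trailing whitespace or a non-printing character, presumably) cannot be confirmed from the diff; naming the normalisation in the commit message would make those hunks reviewable.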
@@ -437,9 +437,9 @@ checks:
 - id: 11524
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
- description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
+ description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.46.1"]
 - cis_csc: ["13"]
@@ -453,9 +453,9 @@ checks:
 - id: 11525
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
- description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.49.1.1"]
 - cis_csc: ["6.1"]
@@ -470,9 +470,9 @@ checks:
 # Section 18.9 - System
 - id: 11526
 title: "Ensure 'Turn off location' is set to 'Enabled'"
- description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
+ description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.39.2"]
 - cis_csc: ["13"]
@@ -486,9 +486,9 @@ checks:
 - id: 11527
 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
- description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.2.1"]
 references:
@@ -501,9 +501,9 @@ checks:
 - id: 11528
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.1"]
 - cis_csc: ["9.1"]
@@ -517,9 +517,9 @@ checks:
 - id: 11529
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
- description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.3"]
 - cis_csc: ["9.1"]
@@ -533,9 +533,9 @@ checks:
 - id: 11530
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
- description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
+ description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.4"]
 - cis_csc: ["9.1"]
@@ -549,9 +549,9 @@ checks:
 - id: 11531
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
- description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
+ description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.10.1"]
 - cis_csc: ["16.5"]
@@ -566,9 +566,9 @@ checks:
 - id: 11532
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
- description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
+ description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.10.2"]
 - cis_csc: ["16.5"]
@@ -582,7 +582,7 @@ checks:
 - id: 11533
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
- description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
+ description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
@@ -598,8 +598,8 @@ checks: - id: 11534 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" - description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled." - rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments." + description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled." + rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: - cis: ["18.9.65.1"] 
@@ -611,8 +611,8 @@ checks: - id: 11535 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" - description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." - rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." 
+ description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled." + rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.76.3.2"] 
@@ -624,9 +624,9 @@ checks: - id: 11536 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" - description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.85.3"] - cis_csc: ["7"] 
@@ -640,9 +640,9 @@ checks: - id: 11537 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.97.2.2"] - cis_csc: ["3.4"] 
@@ -656,7 +656,7 @@ checks: - id: 11538 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" - description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." + description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: From 3d50606d38d93ef1e7477c3e1917989bea2a2175 Mon Sep 17 00:00:00 2001 
From: Cristina Maria Garrido Lopez Date: Wed, 7 Aug 2019 14:50:09 +0200 Subject: [PATCH 224/247] Add references to cis_win2012r2_memberL1.yml --- sca/windows/cis_win2012r2_memberL1.yml | 762 +++++++++++++++++-------- 1 file changed, 530 insertions(+), 232 deletions(-) diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml index e23a84f4f..b0fa87d0f 100644 --- a/sca/windows/cis_win2012r2_memberL1.yml +++ b/sca/windows/cis_win2012r2_memberL1.yml 
@@ -32,12 +32,14 @@ checks: # Section 1.1 - Password Policies - id: 12000 title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" - description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ." + description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0." rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." 
remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." compliance: - cis: ["1.1.2"] - cis_csc: ["16.5"] + references: + - 'CCE-37167-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -54,6 +56,8 @@ checks: compliance: - cis: ["2.3.1.2"] - cis_csc: ["16"] + references: + - 'CCE-36147-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' @@ -68,6 +72,8 @@ checks: compliance: - cis: ["2.3.1.4"] - cis_csc: ["16"] + references: + - 'CCE-37615-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
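Review bot: The rule under check 12000 reads `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters`, which is where the Netlogon service keeps the machine-account secure-channel settings, whereas CIS 1.1.2 'Maximum password age' is a user Password Policy setting that a member server does not expose under this key, so the check may be reporting on the wrong object; the value name and comparison are cut off at the end of the hunk, so this is inferred from the key alone. If the intent really is to read Netlogon's own machine-account password age, the title and description should say so; otherwise the check needs a source that reflects the effective user password policy rather than this key. The rules list of 12000 continues outside the hunk.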
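Review bot: The `references` entries added here and in the hunks for checks 12000 and 12002–12009 are bare CCE identifiers (`- 'CCE-36147-7'`), which a reader, or a dashboard that renders references as links, cannot resolve on its own; consider pairing each with the benchmark or CCE catalogue URL, e.g. `- '<benchmark URL placeholder>'` next to the identifier, or at least state once at file level which catalogue the CCE-* values belong to. The mapping of each identifier to its CIS control cannot be verified from the hunk, so it is taken on trust.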
@@ -78,10 +84,12 @@ checks: title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance." rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." compliance: - cis: ["2.3.2.1"] - cis_csc: ["6.2"] + references: + - 'CCE-37850-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -90,13 +98,15 @@ checks: - id: 12004 title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" - description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether the system shuts down if it is unable to log Security events. 
It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled." rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits." default_value: "Disabled." compliance: - cis: ["2.3.2.2"] - cis_csc: ["6"] + references: + - 'CCE-35907-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -107,10 +117,12 @@ checks: title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." - remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" + remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media." compliance: - cis: ["2.3.4.1"] - cis_csc: ["5.1"] + references: + - 'CCE-37701-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' 
@@ -118,12 +130,14 @@ checks: - id: 12006 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." + description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers." compliance: - cis: ["2.3.4.2"] - cis_csc: ["5.1"] + references: + - 'CCE-37942-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' 
@@ -132,12 +146,14 @@ checks: - id: 12007 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" - description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" + description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. 
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)." compliance: - cis: ["2.3.6.1"] - cis_csc: ["13"] + references: + - 'CCE-36142-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
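Review bot: The rationale added for check 12007 is reused word-for-word for 12008 and 12009 in the next two hunks, although the three settings differ in strength: by their own descriptions 12007 (always) requires secure-channel traffic to be signed or encrypted, while 12008 and 12009 (when possible) only attempt to negotiate it. One sentence per check naming that difference would make the rationale actionable, e.g. for 12007 `This is the setting that makes signing or sealing mandatory; the two 'when possible' settings only request it.`, and the shared text could then be shortened. The rules list for 12007 appears to continue outside the hunk.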
@@ -146,12 +162,14 @@ checks: - id: 12008 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" - description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" + description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. 
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)." compliance: - cis: ["2.3.6.2"] - cis_csc: ["13"] + references: + - 'CCE-37130-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -160,12 +178,14 @@ checks:
 - id: 12009
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
- description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
+ description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+ rationale: "When a computer joins a domain, a computer account is created. 
After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
 compliance:
 - cis: ["2.3.6.3"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-37222-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -174,12 +194,14 @@ checks:
 - id: 12010
 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
- description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+ description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
 rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
 compliance:
 - cis: ["2.3.6.4"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-37508-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
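Review bot: The removed and added `description:` lines of check 12010 read as byte-identical, so the replacement is either a whitespace- or quoting-only change that the diff view hides, or pure churn; the same identical pair appears in 12012, 12014, 12015, 12016, 12017, 12019, 12020 and 12021. If the intent is a trailing-whitespace cleanup it would help to say so in the commit message; otherwise these lines can be left untouched so the patch only shows the wording and `references:` changes it is actually making.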
@@ -188,12 +210,14 @@ checks:
 - id: 12011
 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
- description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
- rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key"
+ description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." 
+ rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
 compliance:
 - cis: ["2.3.6.6"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-37614-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
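Review bot: The rewritten `+ rationale:` moves the closing period outside the parenthesis, `…or be redirected).`, whereas the removed line had `…or be redirected.)`; the parenthetical is a complete sentence, so the original placement was correct and the new one drifts from the benchmark wording the rationale is presumably quoting. Restoring `redirected.)` keeps the text faithful and avoids a punctuation change that the rest of the patch does not make elsewhere.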
@@ -202,12 +226,14 @@ checks:
 - id: 12012
 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
- description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
 rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name."
 compliance:
 - cis: ["2.3.7.1"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-36056-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -216,12 +242,14 @@ checks:
 - id: 12013
 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
- description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
- rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+ description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+ rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." 
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
 compliance:
 - cis: ["2.3.7.2"]
 - cis_csc: ["8"]
+ references:
+ - 'CCE-37637-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
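Review bot: The `remediation:` line of check 12013 is the only remediation in this patch left as an untouched context line, so it still ends without the trailing period that every rewritten `+ remediation:` line around it now carries (12012 just above, 12014 just below). If the period is the intended house style, this line needs the same treatment, `remediation: "… Interactive logon: Do not require CTRL+ALT+DEL."`; if it is not, the others should lose theirs. As committed, the file ends up inconsistent either way.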
@@ -230,12 +258,14 @@ checks:
 - id: 12014
 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
- description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
+ description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit."
 rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit."
 compliance:
 - cis: ["2.3.7.3"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-38235-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
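Review bot: The rule `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'` under `condition: all` only confirms that the InactivityTimeoutSecs value is present, while the title and description demand `900 or fewer second(s), but not 0`; a machine set to 0 (limit disabled) or to 3600 would pass as shown. If no further rule follows (the hunk counts hint that one more line was not rendered here), a numeric comparison such as `-> InactivityTimeoutSecs -> n:^(\d+) compare <= 900` together with a `compare > 0` counterpart is needed to match the benchmark, assuming the SCA rule grammar in use supports `n:` comparisons on registry values. The same applies to 12015, whose visible rule on PasswordExpiryWarning does not enforce `between 5 and 14 days`, and to 12021, whose title requires `15 or fewer minute(s), but not 0` but whose visible rule checks only the LanManServer Parameters key.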
@@ -244,12 +274,14 @@ checks:
 - id: 12015
 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
- description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+ description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
 rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
- remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
 compliance:
 - cis: ["2.3.7.7"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-37622-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
@@ -258,12 +290,14 @@ checks:
 - id: 12016
 title: "Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
- description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
+ description: "Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled."
 rationale: "By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account - such as user rights assignments, account lockout, or the account being disabled - are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer."
- remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation"
+ remediation: "To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Require Domain Controller Authentication to unlock workstation."
 compliance:
 - cis: ["2.3.7.8"]
 - cis_csc: ["16.9"]
+ references:
+ - 'CCE-38240-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -272,12 +306,14 @@ checks:
 - id: 12017
 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
- description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+ description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
 rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
 compliance:
 - cis: ["2.3.7.9"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-38333-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -286,12 +322,14 @@ checks:
 - id: 12018
 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
- description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
+ description: "This policy setting determines whether packet signing is required by the SMB client component. 
Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)."
 compliance:
 - cis: ["2.3.8.1"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-36325-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -300,12 +338,14 @@ checks:
 - id: 12019
 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
- description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
- rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
+ description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." 
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)."
 compliance:
 - cis: ["2.3.8.2"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-36269-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -314,12 +354,14 @@ checks:
 - id: 12020
 title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
- description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
- rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+ description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+ rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
 compliance:
 - cis: ["2.3.8.3"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-37863-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
@@ -328,12 +370,14 @@ checks:
 - id: 12021
 title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
- description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+ description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
 rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
 compliance:
 - cis: ["2.3.9.1"]
 - cis_csc: ["3"]
+ references:
+ - 'CCE-38046-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -343,12 +387,14 @@ checks: - id: 12022 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" - description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)" + description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. 
Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)." compliance: - cis: ["2.3.9.2"] - cis_csc: ["13"] + references: + - 'CCE-37864-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -357,12 +403,14 @@ checks: - id: 12023 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" - description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)" + description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. 
If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)." compliance: - cis: ["2.3.9.3"] - cis_csc: ["13"] + references: + - 'CCE-35988-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -371,12 +419,14 @@ checks: - id: 12024 title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" - description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." + description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire." compliance: - cis: ["2.3.9.4"] - cis_csc: ["16"] + references: + - 'CCE-37972-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -385,14 +435,15 @@ checks: - id: 12025 title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" - description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers." + description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. 
The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers." rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources." - remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level" + remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level." compliance: - cis: ["2.3.9.5"] - cis_csc: ["14"] references: - https://support.microsoft.com/en-us/help/3161561/ms16-075-and-ms16-076-description-of-the-security-update-for-windows-n + - 'CCE-36170-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' 
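Review bot: The description carried forward for check 12025 itself states that CIS recommends against deploying this setting on Domain Controllers (the KB3161561 interaction with UNC path hardening), yet nothing in the hunk scopes the check to member servers, so a DC that follows that guidance will be reported as failing a CIS control. If the SCA format offers no role-based gating, at least make the expected outcome explicit so an analyst does not chase it: append to the description `Note: Domain Controllers that follow this guidance are expected to fail this check; treat the finding as informational on DCs.` Only the `LanManServer\\Parameters` key-existence rule is visible here; the value assertion presumably follows just past the hunk, which is worth confirming since an existence check alone passes on every host.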
@@ -401,12 +452,14 @@ checks: - id: 12026 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" - description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." - rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts" + description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." + rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts." compliance: - cis: ["2.3.10.2"] - cis_csc: ["16"] + references: + - 'CCE-36316-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' 
@@ -415,12 +468,14 @@ checks: - id: 12027 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" - description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." - rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares" + description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." + rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. 
(Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)" + remediation: "To establish the recommended configuration via GP, set the following U path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares." compliance: - cis: ["2.3.10.3"] - cis_csc: ["16"] + references: + - 'CCE-36316-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' 
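Review bot: The new remediation text for check 12027 reads `set the following U path to Enabled`, dropping the I from "UI" while every sibling check in this commit says "UI path"; change it to `set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares.` The CCE reference added here, `'CCE-36316-8'`, is the same identifier the previous hunk assigns to check 12026 (CIS 2.3.10.2); CCE IDs are one per configuration item, so one of the two looks like a copy-paste slip and should be cross-checked against the benchmark before it ships as a compliance reference. The rewritten rationale also lost the closing period inside the parenthesis, `security information)` versus the removed `information.)`.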
@@ -429,12 +484,14 @@ checks: - id: 12028 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" - description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." + description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users." compliance: - cis: ["2.3.10.5"] - cis_csc: ["14", "16"] + references: + - 'CCE-36148-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -443,12 +500,14 @@ checks: - id: 12029 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'" - description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." + description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously." rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." 
- remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" + remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously." compliance: - cis: ["2.3.10.6"] - cis_csc: ["14.1", "16"] + references: + - 'CCE-38258-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
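Review bot: The description re-emitted for check 12029 reads `The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, ...` and later `is: (i.e. None)`, which looks like the CIS profile headings and a `<blank>` placeholder were lost when the text was imported, so the sentence now literally says the recommended state is "Level 1 - Domain Controller". Since the line is being rewritten anyway, let each profile introduce its own value: `Level 1 - Domain Controller: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server: <blank> (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER.` Operators use this text to decide which pipes stay reachable anonymously, so the ambiguity is worth removing in a hardening policy.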
@@ -457,12 +516,14 @@ checks: - id: 12030 title: "Configure 'Network access: Remotely accessible registry paths'" - description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." + description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. 
It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths." compliance: - cis: ["2.3.10.7"] - cis_csc: ["14", "16"] + references: + - 'CCE-37194-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
@@ -471,12 +532,14 @@ checks: - id: 12031 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" - description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." + description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. 
It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. 
When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" compliance: - cis: ["2.3.10.8"] - cis_csc: ["14", "16"] + references: + - 'CCE-36347-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' 
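Review bot: The remediation string re-emitted for check 12031 is malformed in a way that would lead an operator to configure the wrong allowlist: the `|` separators are misplaced (`Services\\Eventlog Software\\Microsoft\\OLAP Server` has no separator between two distinct paths, while `Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows` splits one path in two), and the Group Policy UI path is spliced into the value list as `... Services\\SysmonLog | Computer Configuration\\...\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths.` Check 12030 in the hunk above shows the intended shape, the value list, a period, then the UI path, so apply the same layout here: one `|` between each registry path, `Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows` as a single entry, and `Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths.` as its own sentence, followed by the CertSvc and WINS exceptions. Because this list defines which registry subtrees are reachable over the network regardless of the winreg ACL, a wrong or merged entry either breaks remote management or widens exposure, so the corrected list should be verified against the benchmark rather than only tidied.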
@@ -485,12 +548,14 @@ checks: - id: 12032 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" - description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." + description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares." compliance: - cis: ["2.3.10.9"] - cis_csc: ["14", "16"] + references: + - 'CCE-36021-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -499,12 +564,14 @@ checks:
   - id: 12033
     title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
-    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
+    description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)"
     rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
     compliance:
       - cis: ["2.3.10.10"]
       - cis_csc: ["14", "16"]
+    references:
+      - 'CCE-38095-6'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -513,12 +580,14 @@ checks:
   - id: 12034
     title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
-    description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
-    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+    description: "This policy setting determines how network logons that use local accounts are authenticated. 
The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)"
+    rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
     compliance:
       - cis: ["2.3.10.11"]
       - cis_csc: ["14", "16"]
+    references:
+      - 'CCE-37623-6'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -527,12 +596,14 @@ checks:
   - id: 12035
     title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
-    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+    description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
     rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
     compliance:
       - cis: ["2.3.11.1"]
       - cis_csc: ["14", "16"]
+    references:
+      - 'CCE-38341-4'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -541,12 +612,14 @@ checks:
   - id: 12036
     title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
-    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+    description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
     rationale: "NULL sessions are less secure because by definition they are unauthenticated."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
     compliance:
       - cis: ["2.3.11.2"]
       - cis_csc: ["14"]
+    references:
+      - 'CCE-37035-3'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -555,12 +628,14 @@ checks:
   - id: 12037
     title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
-    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+    description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. 
With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
     rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
     compliance:
       - cis: ["2.3.11.3"]
       - cis_csc: ["16.9"]
+    references:
+      - 'CCE-38047-7'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -569,12 +644,14 @@ checks:
   - id: 12038
     title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
-    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
+    description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
     rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
     compliance:
       - cis: ["2.3.11.4"]
       - cis_csc: ["16.14"]
+    references:
+      - 'CCE-37755-6'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
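Review bot: The `rationale` context line in this hunk still starts with the truncated word "he strength", and since the commit already rewrites this check's description and remediation it is the natural place to fix it: `rationale: "The strength of each encryption algorithm varies from one to the next, ...`. The rest of that sentence can stay as it is.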
@@ -583,12 +660,14 @@ checks:
   - id: 12039
     title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
-    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+    description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
     rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
     compliance:
       - cis: ["2.3.11.5"]
       - cis_csc: ["16.14"]
+    references:
+      - 'CCE-36326-7'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -597,12 +676,14 @@ checks:
   - id: 12040
     title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
-    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
+    description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
     rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
+    remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire."
     compliance:
       - cis: ["2.3.11.6"]
       - cis_csc: ["16"]
+    references:
+      - 'CCE-36270-7'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
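Review bot: The new `remediation` line keeps "set the following UI path to Enabled. Computer Configuration..." with a period where every other remediation in this diff uses a colon before the UI path; since the line is being rewritten anyway it should read `set the following UI path to Enabled: Computer Configuration\\Policies\\...`. Two further things worth confirming in the same check: the rule's registry path is written `HKEY_LOCAL_MACHINE\SYSTEM\...` while the other checks here use `\System` — harmless if the matcher is case-insensitive, but it should be made consistent — and the description itself says no documented registry value corresponds to this setting, so whatever value the rule lines after this hunk test should be verified against the benchmark rather than assumed.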
@@ -611,12 +692,14 @@ checks:
   - id: 12041
     title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
-    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
-    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. 
However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
-    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+    description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. 
LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+    rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. 
Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+    remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
     compliance:
       - cis: ["2.3.11.7"]
       - cis_csc: ["13"]
+    references:
+      - 'CCE-36173-3'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
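Review bot: The re-added `rationale` line carries over the broken hyphenation "Windows Server 2008 (non- R2)"; the unchanged rationale of check 12035 in this same diff spells it "(non-R2)", so the new line should be `... Windows Vista / Windows Server 2008 (non-R2) allowed all clients ...`. Since description and rationale are otherwise re-added verbatim, this is the only wording change the hunk actually needs.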
@@ -624,12 +707,14 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
   - id: 12042
     title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
-    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+    description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
     rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. 
Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
     compliance:
       - cis: ["2.3.11.8"]
       - cis_csc: ["13"]
+    references:
+      - 'CCE-36858-9'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
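Review bot: The `remediation` line of this check is left as context without the trailing period that the commit adds to every other remediation in this diff, so the file ends up with mixed terminators; the same unchanged remediation appears in the hunks for 12043 and 12044. If the period is the intended convention, those three lines should be rewritten too, e.g. here `... Security Options\\Network security: LDAP client signing requirements."`.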
@@ -638,12 +723,14 @@ checks:
   - id: 12043
     title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
-    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+    description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
     rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
     compliance:
       - cis: ["2.3.11.9"]
       - cis_csc: ["13"]
+    references:
+      - 'CCE-37553-5'
     condition: all
     rules:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -652,7 +739,7 @@ checks:
- id: 12044
title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
compliance:
@@ -660,6 +747,8 @@ checks:
- cis_csc: ["13"]
references:
- https://workbench.cisecurity.org/benchmarks/288
+ references:
+ - 'CCE-37835-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
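Review bot: The added `references:` key in the `@@ -660,6 +747,8 @@` hunk duplicates the `references:` key that already exists two lines above in the same check (12044), which holds `- https://workbench.cisecurity.org/benchmarks/288`. Duplicate mapping keys are invalid YAML; most loaders silently keep the last value, so the workbench URL would be dropped, and a strict loader would reject the whole policy file. Append the identifier to the existing list instead, so the block reads `references:`, `- https://workbench.cisecurity.org/benchmarks/288`, `- 'CCE-37835-6'`, and drop the second `references:` line. 12044 is the only check in this chunk that already had a `references:` list, so the other hunks are not affected.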
@@ -668,12 +757,14 @@ checks:
- id: 12045
title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
- description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+ description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable.
As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
compliance:
- cis: ["2.3.13.1"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36788-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -682,11 +773,13 @@ checks:
- id: 12046
title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
- description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters.
Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
compliance:
- cis: ["2.3.15.1"]
+ references:
+ - 'CCE-37885-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
@@ -695,12 +788,14 @@ checks:
- id: 12047
title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
compliance:
- cis: ["2.3.15.2"]
- cis_csc: ["14.4"]
+ references:
+ - 'CCE-37644-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -709,12 +804,14 @@ checks:
- id: 12048
title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+ description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity.
An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
compliance:
- cis: ["2.3.17.1"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36494-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -723,12 +820,14 @@ checks:
- id: 12049
title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
- description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
+ description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
compliance:
- cis: ["2.3.17.2"]
- cis_csc: ["16"]
+ references:
+ - 'CCE-36863-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -737,12 +836,14 @@ checks:
- id: 12050
title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+ description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
compliance:
- cis: ["2.3.17.3"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-37029-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -751,12 +852,14 @@ checks:
- id: 12051
title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+ description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
compliance:
- cis: ["2.3.17.4"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36864-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -765,12 +868,14 @@ checks:
- id: 12052
title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
- rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
+ description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+ rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
compliance:
- cis: ["2.3.17.5"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36533-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
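Review bot: The registry rule of 12052, `'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`, carries an extra `\MACHINE` component that none of the neighbouring UAC checks (12048 through 12051 and 12053 through 12056) have; they all query `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. The line is context rather than part of this change, but it is presumably a typo, in which case the key lookup never matches and the check cannot report the real state of the installer-detection setting. Since the check is being touched anyway, correct it to `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'` here or in a follow-up. Any further rules for this check fall outside the hunk.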
@@ -779,12 +884,14 @@ checks:
- id: 12053
title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
- rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+ description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows).
Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+ rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
compliance:
- cis: ["2.3.17.6"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-37057-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
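Review bot: The re-added `rationale:` line of 12053 keeps the typo `-To uses AttachThreadInput` from the line it replaces; since the line is being rewritten anyway, change that item to `-To use AttachThreadInput to attach a thread to a higher integrity input queue.`. The doubled space before `-To drive any application window` on the same line could be normalised in the same edit.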
@@ -793,12 +900,14 @@ checks:
- id: 12054
title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+ description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
compliance:
- cis: ["2.3.17.7"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36869-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -807,12 +916,14 @@ checks:
- id: 12055
title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
compliance:
- cis: ["2.3.17.8"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36866-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -821,11 +932,13 @@ checks:
- id: 12056
title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
compliance:
- cis: ["2.3.17.9"]
+ references:
+ - 'CCE-37064-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -835,12 +948,14 @@ checks:
# Section 9.1 - Domain Profile
- id: 12057
title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
compliance:
- cis: ["9.1.1"]
- cis_csc: ["9.2"]
+ references:
+ - 'CCE-36062-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -849,12 +964,14 @@ checks:
- id: 12058
title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
compliance:
- cis: ["9.1.2"]
- cis_csc: ["9.2"]
+ references:
+ - 'CCE-38117-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -863,12 +980,14 @@ checks:
- id: 12059
title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
compliance:
- cis: ["9.1.3"]
- cis_csc: ["9.2"]
+ references:
+ - 'CCE-36146-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -877,11 +996,13 @@ checks:
 - id: 12060
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: ["9.1.4"]
+ references:
+ - 'CCE-38041-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -890,12 +1011,14 @@ checks:
 - id: 12061
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.1.5"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37482-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -904,12 +1027,14 @@ checks:
 - id: 12062
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
 compliance:
 - cis: ["9.1.6"]
 - cis_csc: ["6.3"]
+ references:
+ - 'CCE-36088-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -918,12 +1043,14 @@ checks:
 - id: 12063
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
 compliance:
 - cis: ["9.1.7"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37523-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -932,12 +1059,14 @@ checks:
 - id: 12064
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
 compliance:
 - cis: ["9.1.8"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-36393-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -947,12 +1076,14 @@ checks:
 # Section 9.2 - Private Profile
 - id: 12065
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
 compliance:
 - cis: ["9.2.1"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38239-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -961,12 +1092,14 @@ checks:
 - id: 12066
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
 compliance:
 - cis: ["9.2.2"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38042-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -975,12 +1108,14 @@ checks:
 - id: 12067
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
 compliance:
 - cis: ["9.2.3"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38332-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -989,11 +1124,13 @@ checks:
 - id: 12068
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: ["9.2.4"]
+ references:
+ - 'CCE-37621-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1002,12 +1139,14 @@ checks:
 - id: 12069
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.2.5"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37569-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1016,12 +1155,14 @@ checks:
 - id: 12070
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
 compliance:
 - cis: ["9.2.6"]
 - cis_csc: ["6.3"]
+ references:
+ - 'CCE-38178-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1030,12 +1171,14 @@ checks:
 - id: 12071
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
 compliance:
 - cis: ["9.2.7"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-35972-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1044,12 +1187,14 @@ checks:
 - id: 12072
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
 compliance:
 - cis: ["9.2.8"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37387-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1059,12 +1204,14 @@ checks:
 # Sectin 9.3 - Public Profile
 - id: 12073
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
 compliance:
 - cis: ["9.3.1"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-37862-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
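Review bot: The section comment on the first context line of this hunk is misspelled: `# Sectin 9.3 - Public Profile` should read `# Section 9.3 - Public Profile`, matching the `# Section 9.2 - Private Profile` comment that opens the private-profile block. It is an unchanged line that the commit only carries as context, but since every check in this block is being touched anyway it is a cheap fix to fold in.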
@@ -1073,12 +1220,14 @@ checks:
 - id: 12074
 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
 compliance:
 - cis: ["9.3.2"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-36057-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
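Review bot: The re-added description line for check 12074 ends `Block (default)"` without the trailing period that the equivalent descriptions of checks 12058 and 12066 carry (`Block (default)."`), so the three profile variants of the same text no longer match. Since the commit rewrites this line anyway, it should end `The recommended state for this setting is: Block (default)."`. The rationale of check 12060 has the same missing period, though that line is unchanged context.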
@@ -1087,12 +1236,14 @@ checks:
 - id: 12075
 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
 compliance:
 - cis: ["9.3.3"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-37434-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1101,11 +1252,13 @@ checks:
 - id: 12076
 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: ["9.3.4"]
+ references:
+ - 'CCE-38043-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
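Review bot: The remediation of check 12076 (the second hunk on this line) quotes the target value, `set the following UI path to 'No':`, while the sibling notification checks 12060 and 12068 write it bare, `set the following UI path to No:`; for consistency the quotes should be dropped. This is an unchanged context line, so it is only a style nit to pick up while the block is being edited.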
@@ -1114,12 +1267,14 @@ checks:
 - id: 12077
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
 compliance:
 - cis: ["9.3.5"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-37861-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1128,12 +1283,14 @@ checks:
 - id: 12078
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
- description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
+ description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
 compliance:
 - cis: ["9.3.6"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-36268-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1142,12 +1299,14 @@ checks:
 - id: 12079
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.3.7"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37266-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
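Review bot: Check 12079's title names the wrong profile: `"Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"` sits in the Public profile section, maps to CIS 9.3.7, inspects `...\WindowsFirewall\PublicProfile\Logging` and expects `publicfw.log`, so the title should read `Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'`. The title is an unchanged context line, but anyone filtering scan results by profile name will misfile this finding, and the private-profile check 12069 already uses the Private title, so the two are currently indistinguishable by title alone. Worth fixing in the same pass that adds the reference.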
@@ -1156,12 +1315,14 @@ checks:
 - id: 12080
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
 compliance:
 - cis: ["9.3.8"]
 - cis_csc: ["6.3"]
+ references:
+ - 'CCE-36395-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1170,12 +1331,14 @@ checks: - id: 12081 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" - description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." + description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets" compliance: - cis: ["9.3.9"] - cis_csc: ["6.2"] + references: + - 'CCE-37265-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' 
@@ -1184,12 +1347,14 @@ checks: - id: 12082 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" - description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." + description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections" compliance: - cis: ["9.3.10"] - cis_csc: ["6.2"] + references: + - 'CCE-36394-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' 
@@ -1199,11 +1364,13 @@ checks: # Section 18.1 - Control Panel - id: 12083 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" - description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled." + description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled." rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). " compliance: - cis: ["18.1.1.1"] + references: + - 'CCE-38347-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' 
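Review bot: The remediation string of check 12083 ends with a trailing space before the closing quote (`(or newer). "`), which is part of the quoted scalar and will be emitted verbatim in the SCA result. The neighbouring check 12084 ends `(or newer)."` with no trailing space, so this looks like an inconsistency rather than intent; drop the space so the string ends `(or newer)."`. The line is unchanged context here, but since the commit already touches this check it is a cheap fix to fold in.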
@@ -1212,11 +1379,13 @@ checks: - id: 12084 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" - description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." + description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.1.1.2"] + references: + - 'CCE-38348-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' 
@@ -1226,7 +1395,7 @@ checks: # Section 18.2 - LAPS - id: 12085 title: "Ensure LAPS AdmPwd GPO Extension / CSE is installed" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. 
The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." remediation: "In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you): C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll" compliance: 
@@ -1239,7 +1408,7 @@ checks: - id: 12086 title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." 
+ description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." compliance: 
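Review bot: The new description line of check 12086 still contains the paragraph 'Note #2: LAPS is only designed to manage local Administrator passwords …' twice, back to back, while the sibling LAPS checks 12085 and 12087–12090 carry it once. The commit rewrites this line but keeps the duplication, so the second copy (everything after the first '… member servers and workstations.') should be removed. The hunk is complete, but the check's compliance list continues outside it.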
@@ -1253,7 +1422,7 @@ checks: - id: 12087 title: "Ensure 'Enable Local Admin Password Management' is set to 'Enabled'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. 
The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Enable Local Admin Password Management Note: This Group Policy path does not exist by default. 
An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." compliance: 
@@ -1267,7 +1436,7 @@ checks: - id: 12088 title: "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. 
The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: Large letters + small letters + numbers + special characters. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." compliance: 
@@ -1281,7 +1450,7 @@ checks: - id: 12089 title: "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. 
The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 15 or more. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. 
An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." compliance: 
@@ -1295,7 +1464,7 @@ checks: - id: 12090 title: "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'" - description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." + description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. 
The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled: 30 or fewer. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Password Settings Note: This Group Policy path does not exist by default. 
An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS)." compliance: 
@@ -1310,7 +1479,7 @@ checks: # Section 18.3 - MS Security Guide - id: 12091 title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" - description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled." + description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. 
This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the 'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled." rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." compliance: @@ -1320,6 +1489,7 @@ checks: - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ + - 'CCE-37069-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
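Review bot: The `references` list of check 12091 now mixes a CCE identifier with URLs, and the entries are quoted inconsistently: the three URLs are plain scalars while `- 'CCE-37069-2'` is single-quoted; the 12092 hunk does the same with `- 'CCE-38444-6'`. None of these values needs quoting in YAML, so pick one style for the whole list; quoting every entry would match the `references` lists added to 12079–12084 earlier in this commit. If whatever consumes `references` expects URLs only, the CCE identifiers may fit better under `compliance` next to `cis` and `cis_csc`, but I cannot confirm that from the diff alone.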
@@ -1328,7 +1498,7 @@ checks: - id: 12092 title: "Ensure 'WDigest Authentication' is set to 'Disabled'" - description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." + description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." compliance: @@ -1338,6 +1508,7 @@ checks: - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ + - 'CCE-38444-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 
@@ -1347,7 +1518,7 @@ checks: # Section 18.4 - MSS (Legacy) - id: 12093 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" - description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." + description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. 
As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: @@ -1356,6 +1527,7 @@ checks: references: - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37067-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -1364,7 +1536,7 @@ checks: - id: 12094 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" - description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." + description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: @@ -1372,6 +1544,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36871-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 
@@ -1380,7 +1553,7 @@ checks: - id: 12095 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" - description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." + description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: 
@@ -1388,6 +1561,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36535-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' @@ -1396,7 +1570,7 @@ checks: - id: 12096 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" - description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." + description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: 
@@ -1404,6 +1578,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37988-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
@@ -1412,14 +1587,15 @@ checks: - id: 12097 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" - description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." - rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." + description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." 
+ rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - cis: ["18.4.6"] - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36879-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 
@@ -1428,7 +1604,7 @@ checks: - id: 12098 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" - description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." + description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. 
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: @@ -1436,6 +1612,8 @@ checks: - cis_csc: ["8"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + references: + - 'CCE-36351-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' 
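Review bot: In the hunk for check 12098 (`@@ -1436,6 +1612,8 @@`) the two added lines introduce a second `references:` key directly under the existing one, so the check mapping now carries a duplicate key; YAML parsers either reject this or silently keep only the last value, which would drop the TechNet URL and retain only the CCE entry. Every other hunk in this series appends the CCE identifier to the existing list, so this looks like an accidental extra line. Remove the added `references:` line so `- 'CCE-36351-5'` joins the list already started by the `- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/` entry, and consider adding a yamllint `key-duplicates` pass to the policy tests so this class of error is caught before merge.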
@@ -1444,7 +1622,7 @@ checks: - id: 12099 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" - description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." + description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: @@ -1452,6 +1630,7 @@ checks: - cis_csc: ["16.5"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37993-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -1460,14 +1639,15 @@ checks: - id: 12100 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" - description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." - rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." + description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." + rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" compliance: - cis: ["18.4.12"] - cis_csc: ["6.3"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36880-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' 
@@ -1477,12 +1657,14 @@ checks: # Section 18.5 - Network - id: 12101 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" - description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled" - rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." + description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled" + rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.5.11.2"] - cis_csc: ["5.1"] + references: + - 'CCE-38002-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' @@ -1491,12 +1673,14 @@ checks: - id: 12102 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" - description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." + description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." rationale: "Allowing regular users to set a network location increases the risk and attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - cis: ["18.5.11.3"] - cis_csc: ["5.1"] + references: + - 'CCE-38188-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 
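Review bot: The rewritten `description` of check 12101 (hunk `@@ -1477,12 +1657,14 @@`) still reads `You can use this procedure to controls user's ability`, a grammatical slip that survives the rewrite and ends up in the user-facing SCA report. Since the line is already being replaced, it would be worth correcting it to `This policy setting controls a user's ability to install and configure a Network Bridge.` while keeping the trailing recommended-state sentence. The line in the same hunk is also the only description in this series whose closing sentence lacks a full stop after `Enabled`; aligning it with the others is a one-character fix.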
@@ -1505,12 +1689,14 @@ checks: - id: 12103 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" - description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." + description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.5.21.1"] - cis_csc: ["12"] + references: + - 'CCE-38338-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' 
@@ -1520,12 +1706,14 @@ checks: # Section 18.8 - System - id: 12104 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" - description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. " + description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. " rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.8.3.1"] - cis_csc: ["16.14"] + references: + - 'CCE-36925-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 
@@ -1534,12 +1722,14 @@ checks: - id: 12105 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" - description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." + description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. 
 -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." rationale: "This policy setting helps reduce the impact of malware that has already infected your system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.14.1"] - cis_csc: ["8"] + references: + - 'CCE-37912-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 
@@ -1548,12 +1738,14 @@ checks: - id: 12106 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" - description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." + description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.21.2"] - cis_csc: ["3.7"] + references: + - 'CCE-36169-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' 
@@ -1562,12 +1754,14 @@ checks: - id: 12107 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" - description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)." + description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)." rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.21.3"] - cis_csc: ["3.7"] + references: + - 'CCE-36169-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' 
@@ -1576,12 +1770,14 @@ checks: - id: 12108 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" - description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled." + description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled." rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.21.4"] - cis_csc: ["3.7"] + references: + - 'CCE-37712-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1590,12 +1786,14 @@ checks: - id: 12109 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'" - description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled." rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.8.27.1"] - cis_csc: ["5"] + references: + - 'CCE-38353-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1604,12 +1802,14 @@ checks: - id: 12110 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" - description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." + description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.27.2"] - cis_csc: ["16.9"] + references: + - 'CCE-37838-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1618,12 +1818,14 @@ checks: - id: 12111 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'" - description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." + description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled." rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.27.3"] - cis_csc: ["16.9"] + references: + - 'CCE-35894-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1632,12 +1834,14 @@ checks: - id: 12112 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" - description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled." rationale: "App notifications might display sensitive business or personal data." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.27.4"] - cis_csc: ["16.5"] + references: + - 'CCE-35893-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1646,12 +1850,14 @@ checks: - id: 12113 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" - description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled." rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates." compliance: - cis: ["18.8.27.6"] - cis_csc: ["16.5"] + references: + - 'CCE-37528-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1660,12 +1866,14 @@ checks: - id: 12114 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" - description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" + description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled" rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.35.1"] - cis_csc: ["9.1"] + references: + - 'CCE-36388-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1674,12 +1882,14 @@ checks: - id: 12115 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" - description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled." rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.35.2"] - cis_csc: ["5.1"] + references: + - 'CCE-37281-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1688,7 +1898,7 @@ checks: - id: 12116 title: "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'" - description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled." + description: "This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled." rationale: "Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Enable RPC Endpoint Mapper Client Authentication Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: @@ -1696,6 +1906,8 @@ checks: - cis_csc: ["9.1"] references: - https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr + references: + - 'CCE-37346-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' 
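Review bot: The `+ references:` block added to check 12116 in the `@@ -1696,6 +1906,8 @@` hunk creates a second `references` key in the same mapping, immediately after the existing `references:` list that holds the KB3073942 URL. Duplicate keys are invalid in YAML 1.2 and most loaders silently keep the last one, so the URL documenting the one-way forest trust caveat for Domain Controllers would be dropped from the loaded policy, while a strict loader (yamllint `key-duplicates`) would reject the file outright. The CCE entry should be appended to the existing list instead: drop the added `references:` key and add `  - 'CCE-37346-4'` as a second item under the existing `references:`. The enclosing check starts in the preceding hunk (`@@ -1688,7 +1898,7 @@`).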
@@ -1705,12 +1917,14 @@ checks: # Section 18.9 - Windows Components - id: 12117 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" - description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled." + description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled." rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.6.1"] - cis_csc: ["16.9"] + references: + - 'CCE-38354-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1719,12 +1933,14 @@ checks: - id: 12118 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" - description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." + description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.9.8.1"] - cis_csc: ["8.3"] + references: + - 'CCE-37636-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
@@ -1733,12 +1949,14 @@ checks: - id: 12119 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" - description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." + description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.9.8.2"] - cis_csc: ["8.3"] + references: + - 'CCE-38217-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -1747,12 +1965,14 @@ checks: - id: 12120 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" - description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." + description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.8.3"] - cis_csc: ["8.3"] + references: + - 'CCE-36875-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -1761,12 +1981,14 @@ checks: - id: 12121 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'" - description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled." rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.9.15.1"] - cis_csc: ["16"] + references: + - 'CCE-37534-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' 
@@ -1775,12 +1997,14 @@ checks: - id: 12122 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" - description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled." rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.15.2"] - cis_csc: ["16"] + references: + - 'CCE-36512-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' 
@@ -1789,12 +2013,14 @@ checks: - id: 12123 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.1.1"] - cis_csc: ["6.3"] + references: + - 'CCE-37775-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' 
@@ -1803,12 +2029,14 @@ checks: - id: 12124 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.1.2"] - cis_csc: ["6.3"] + references: + - 'CCE-37948-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' 
@@ -1817,12 +2045,14 @@ checks: - id: 12125 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.2.1"] - cis_csc: ["6.3"] + references: + - 'CCE-37145-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' 
@@ -1831,12 +2061,14 @@ checks: - id: 12126 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.2.2"] - cis_csc: ["6.3"] + references: + - 'CCE-37695-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' 
@@ -1845,12 +2077,14 @@ checks: - id: 12127 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.3.1"] - cis_csc: ["6.3"] + references: + - 'CCE-38276-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' 
@@ -1859,12 +2093,14 @@ checks: - id: 12128 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.3.2"] - cis_csc: ["6.3"] + references: + - 'CCE-37526-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' 
@@ -1873,12 +2109,14 @@ checks: - id: 12129 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.4.1"] - cis_csc: ["6.3"] + references: + - 'CCE-36160-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' 
@@ -1887,12 +2125,14 @@ checks: - id: 12130 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.4.2"] - cis_csc: ["6.3"] + references: + - 'CCE-36092-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' 
@@ -1901,12 +2141,14 @@ checks: - id: 12131 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" - description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." + description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.30.2"] - cis_csc: ["8.4"] + references: + - 'CCE-37809-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
@@ -1915,12 +2157,14 @@ checks: - id: 12132 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" - description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.30.3"] - cis_csc: ["8.4"] + references: + - 'CCE-36660-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
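Review bot: The rewritten description for check 12132, together with the rationale and remediation around it, still describes 'Turn off shell protocol protected mode' rather than the 'Turn off heap termination on corruption' setting named in its title and in CIS 18.9.30.3; the remediation path even ends in `...\File Explorer\Turn off shell protocol protected mode` and cites WindowsExplorer.admx, which is word for word the text of check 12133 in the next hunk. The registry key in the trailing rule (`...\Policies\Microsoft\Windows\Explorer`) does fit the heap-termination setting, so only the prose appears to be copied from the wrong check. Replace the description with the benchmark's heap-termination text (disabling heap termination lets legacy plug-ins keep Explorer running after heap corruption; recommended state Disabled), the rationale with the point that letting an application continue after its heap is corrupt raises the system's risk posture, and the remediation path with `...\Windows Components\File Explorer\Turn off heap termination on corruption` (Explorer.admx/adml) — confirm the exact wording against the CIS benchmark before committing. The rules list for this check may continue past the hunk's last line.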
@@ -1929,12 +2173,14 @@ checks: - id: 12133 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" - description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.30.4"] - cis_csc: ["8.4"] + references: + - 'CCE-36809-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -1943,12 +2189,14 @@ checks: - id: 12134 title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" - description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." + description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates" compliance: - cis: ["18.9.52.1"] - cis_csc: ["13"] + references: + - 'CCE-36939-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' 
@@ -1957,12 +2205,14 @@ checks: - id: 12135 title: "Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled'" - description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS." + description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the legacy OneDrive/SkyDrive client. The recommended state for this setting is: Enabled. Note: Despite the name of this setting, it is applicable to the legacy OneDrive client on any Windows OS." rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the legacy OneDrive/SkyDrive client." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage on Windows 8.1 Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). We strongly recommend you only use either that version of the template or a newer one. Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version." compliance: - cis: ["18.9.52.2"] - cis_csc: ["13"] + references: + - 'CCE-36939-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive' 
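Review bot: The reference added for check 12135, `- 'CCE-36939-7'`, is the same identifier the previous hunk adds to check 12134, although the two checks audit different settings and different registry keys (`...\Windows\OneDrive` versus `...\Windows\Skydrive`). CCE identifiers are assigned per configuration setting, so at least one of the two entries is probably copied from the other; verify both against the CIS benchmark's CCE list and correct the wrong one, or drop the entry for 12135 if the benchmark lists no CCE for 18.9.52.2. The check's rules list may continue past the hunk's last line.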
@@ -1971,12 +2221,14 @@ checks: - id: 12136 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" - description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." + description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.2.2"] - cis_csc: ["16.4"] + references: + - 'CCE-36223-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1985,12 +2237,14 @@ checks: - id: 12137 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" - description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." + description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.3.2"] - cis_csc: ["13"] + references: + - 'CCE-36509-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1999,12 +2253,14 @@ checks: - id: 12138 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" - description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." compliance: - cis: ["18.9.58.3.9.1"] - cis_csc: ["16.14"] + references: + - 'CCE-37929-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2013,12 +2269,14 @@ checks: - id: 12139 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" - description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.9.2"] - cis_csc: ["3.4"] + references: + - 'CCE-37567-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2027,12 +2285,14 @@ checks: - id: 12140 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" - description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." + description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.9.3"] - cis_csc: ["3.4"] + references: + - 'CCE-36627-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2041,12 +2301,14 @@ checks: - id: 12141 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" - description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." + description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.58.3.11.1"] - cis_csc: ["14.4"] + references: + - 'CCE-37946-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2055,12 +2317,14 @@ checks: - id: 12142 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" - description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." + description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.58.3.11.2"] - cis_csc: ["14.4"] + references: + - 'CCE-38180-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -2069,12 +2333,14 @@ checks: - id: 12143 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" - description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." + description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
compliance: - cis: ["18.9.59.1"] - cis_csc: ["7.2"] + references: + - 'CCE-37126-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' @@ -2083,12 +2349,14 @@ checks: - id: 12144 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" - description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.60.2"] - cis_csc: ["13.1"] + references: + - 'CCE-38277-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' 
@@ -2097,12 +2365,14 @@ checks: - id: 12145 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" - description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." + description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates." compliance: - cis: ["18.9.80.1.1"] - cis_csc: ["2"] + references: + - 'CCE-35859-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -2111,12 +2381,14 @@ checks: - id: 12146 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" - description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" + description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.81.2.1"] - cis_csc: ["13"] + references: + - 'CCE-37112-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent' 
@@ -2125,12 +2397,14 @@ checks: - id: 12147 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" - description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.81.3"] - cis_csc: ["13"] + references: + - 'CCE-36978-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 
@@ -2139,12 +2413,14 @@ checks: - id: 12148 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" - description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." + description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.85.1"] - cis_csc: ["5.1"] + references: + - 'CCE-36400-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -2153,12 +2429,14 @@ checks: - id: 12149 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" - description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." + description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.85.2"] - cis_csc: ["5.1"] + references: + - 'CCE-36919-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
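Review bot: The description for 12149 says the setting `appears both in the Computer Configuration and User Configuration folders` and that both must be set for it to be effective, yet the visible rule anchors only on `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer`, the Computer Configuration half. The per-user policy lives in each user's own hive, which a machine-scope registry rule does not reach, so a host can pass this check while a user profile still carries the elevated-install setting. Worth a sentence in the rationale, e.g. `Note: this check covers only the machine policy; the User Configuration value in each profile hive must be verified separately.` The rule that tests the value itself is outside the hunk's trailing context.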
@@ -2167,12 +2445,14 @@ checks: - id: 12150 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" - description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.86.1"] - cis_csc: ["16.5"] + references: + - 'CCE-36977-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -2181,7 +2461,7 @@ checks: - id: 12151 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" - description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." + description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: @@ -2195,7 +2475,7 @@ checks: - id: 12152 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" - description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." + description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: 
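Review bot: The rationale for 12151 ends in a run-on, `This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled.`; splitting it after `operation` reads cleanly. Substantively, the description itself states that the concern is the default ACL on the PowerShell Operational log rather than the logging, and that Microsoft recommends Enabled because the data improves investigation of PowerShell incidents; the rationale should carry that nuance, e.g. `Environments that forward the PowerShell Operational log to a central collector and restrict its ACL may treat Enabled as an accepted deviation.` Without it a report consumer reads the check as "script block logging is harmful", which the description does not support. The check's `condition` and `rules` are outside the hunk.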
@@ -2209,12 +2489,14 @@ checks: - id: 12153 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.1.1"] - cis_csc: ["16.13"] + references: + - 'CCE-36310-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' 
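Review bot: The title of 12153, `Ensure 'Allow Basic authentication' is set to 'Disabled'`, is byte-identical to the title of 12156, and likewise 12154 and 12157 share `Ensure 'Allow unencrypted traffic' is set to 'Disabled'`; only the registry path (`\WinRM\Client` versus `\WinRM\Service`) and the CIS id tell them apart, and neither appears in a report that lists titles. Qualifying the titles, e.g. `title: "Ensure 'Allow Basic authentication' is set to 'Disabled' (WinRM Client)"` for 12153 and the `(WinRM Service)` form for 12156, removes the ambiguity. The rule that tests the value itself is outside the hunk's trailing context.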
@@ -2223,12 +2505,14 @@ checks: - id: 12154 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.1.2"] - cis_csc: ["16.13"] + references: + - 'CCE-37726-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' 
@@ -2237,12 +2521,14 @@ checks: - id: 12155 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.1.3"] - cis_csc: ["16.13"] + references: + - 'CCE-38318-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' 
@@ -2251,12 +2537,14 @@ checks: - id: 12156 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.2.1"] - cis_csc: ["16.13"] + references: + - 'CCE-36254-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -2265,12 +2553,14 @@ checks:
 - id: 12157
 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled."
 rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.97.2.3"]
 - cis_csc: ["16.13"]
+ references:
+ - 'CCE-38223-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2279,12 +2569,14 @@ checks:
 - id: 12158
 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'"
- description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
+ description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset."
 rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.97.2.4"]
 - cis_csc: ["16.4"]
+ references:
+ - 'CCE-36000-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -2293,12 +2585,14 @@ checks:
 - id: 12159
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.101.2"]
 - cis_csc: ["4.5"]
+ references:
+ - 'CCE-36172-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2307,12 +2601,14 @@ checks:
 - id: 12160
 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'"
- description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
+ description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.101.3"]
 - cis_csc: ["4.5"]
+ references:
+ - 'CCE-36172-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
@@ -2321,12 +2617,14 @@ checks:
 - id: 12161
 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'"
- description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
+ description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect."
 rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: ["18.9.101.4"]
 - cis_csc: ["4.5"]
+ references:
+ - 'CCE-37027-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
From 9bd3074c05ffd287d0c3a4716a9c862f683560e4 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Thu, 8 Aug 2019 08:19:29 +0200
Subject: [PATCH 225/247] Remove double spaces and add dot to end of line
---
 sca/windows/cis_win2012r2_memberL1.yml | 130 ++++++++++++------------
 1 file changed, 65 insertions(+), 65 deletions(-)
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index b0fa87d0f..72320e1f9 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
@@ -709,7 +709,7 @@ checks:
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
 description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
 compliance:
 - cis: ["2.3.11.8"]
 - cis_csc: ["13"]
@@ -725,7 +725,7 @@ checks:
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
 compliance:
 - cis: ["2.3.11.9"]
 - cis_csc: ["13"]
@@ -741,7 +741,7 @@ checks:
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
 description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
 compliance:
 - cis: ["2.3.11.10"]
 - cis_csc: ["13"]
@@ -759,7 +759,7 @@ checks:
 title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
 description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
 rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable. As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on."
 compliance:
 - cis: ["2.3.13.1"]
 - cis_csc: ["5.1"]
@@ -775,7 +775,7 @@ checks:
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
 description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems."
 compliance:
 - cis: ["2.3.15.1"]
 references:
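Review bot: The new remediation line still reads `non- Windows subsystems`, with a stray space after the hyphen, even though this commit's purpose is to clean up spacing in these strings; the title in the same hunk spells it `non-Windows subsystems`. The remediation string is the UI path an operator will search for in the Group Policy editor, so the stray space makes it harder to match against the real setting name. Suggest ending the line with `...System objects: Require case insensitivity for non-Windows subsystems.` so it agrees with the title.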
@@ -806,7 +806,7 @@ checks:
 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
 description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
 compliance:
 - cis: ["2.3.17.1"]
 - cis_csc: ["5.1"]
@@ -822,7 +822,7 @@ checks:
 title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
 description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop."
 compliance:
 - cis: ["2.3.17.2"]
 - cis_csc: ["16"]
@@ -838,7 +838,7 @@ checks:
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
 description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
 rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
 compliance:
 - cis: ["2.3.17.3"]
 - cis_csc: ["5.1"]
@@ -854,7 +854,7 @@ checks:
 title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
 description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
 rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users."
 compliance:
 - cis: ["2.3.17.4"]
 - cis_csc: ["5.1"]
@@ -869,8 +869,8 @@ checks:
 - id: 12052
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
- rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+ rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
 compliance:
 - cis: ["2.3.17.5"]
 - cis_csc: ["5.1"]
@@ -884,9 +884,9 @@ checks:
 - id: 12053
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.
 -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
 compliance:
 - cis: ["2.3.17.6"]
 - cis_csc: ["5.1"]
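Review bot: The rationale of check 12053 is the only field in these hunks whose double-quoted scalar is split across two physical lines, and the continuation line begins with `-To drive`, which at a glance reads like a YAML sequence item rather than the tail of the string. The split is pre-existing context, not something this commit introduces, but since the commit already touches this check's description and remediation it would be a good moment to make the record consistent with its neighbours: either join the rationale onto one line, or, if the length is the concern, rewrite it as a folded block (`rationale: >-` with the text indented beneath it) so the line break is explicit rather than relying on double-quote line folding. The parsed value is the same either way (YAML folds the break into a single space), so this is a readability point only.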
@@ -902,7 +902,7 @@ checks:
 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
 description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
 compliance:
 - cis: ["2.3.17.7"]
 - cis_csc: ["5.1"]
@@ -918,7 +918,7 @@ checks:
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
 description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
 compliance:
 - cis: ["2.3.17.8"]
 - cis_csc: ["5.1"]
@@ -932,9 +932,9 @@ checks: - id: 12056 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" - description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled." + description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled." rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations." compliance: - cis: ["2.3.17.9"] references: 
@@ -950,7 +950,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state."
 compliance:
 - cis: ["9.1.1"]
 - cis_csc: ["9.2"]
@@ -966,7 +966,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections."
 compliance:
 - cis: ["9.1.2"]
 - cis_csc: ["9.2"]
@@ -982,7 +982,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections."
 compliance:
 - cis: ["9.1.3"]
 - cis_csc: ["9.2"]
@@ -997,8 +997,8 @@ checks:
 - id: 12060
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification."
 compliance:
 - cis: ["9.1.4"]
 references:
@@ -1013,7 +1013,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name."
 compliance:
 - cis: ["9.1.5"]
 - cis_csc: ["6.2"]
@@ -1029,7 +1029,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)."
 compliance:
 - cis: ["9.1.6"]
 - cis_csc: ["6.3"]
@@ -1045,7 +1045,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets."
 compliance:
 - cis: ["9.1.7"]
 - cis_csc: ["6.2"]
@@ -1061,7 +1061,7 @@ checks:
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections."
 compliance:
 - cis: ["9.1.8"]
 - cis_csc: ["6.2"]
@@ -1078,7 +1078,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
 compliance:
 - cis: ["9.2.1"]
 - cis_csc: ["9.2"]
@@ -1094,7 +1094,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
 description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections."
 compliance:
 - cis: ["9.2.2"]
 - cis_csc: ["9.2"]
@@ -1110,7 +1110,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections."
 compliance:
 - cis: ["9.2.3"]
 - cis_csc: ["9.2"]
@@ -1126,7 +1126,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification."
 compliance:
 - cis: ["9.2.4"]
 references:
@@ -1141,7 +1141,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name."
 compliance:
 - cis: ["9.2.5"]
 - cis_csc: ["6.2"]
@@ -1157,7 +1157,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)."
 compliance:
 - cis: ["9.2.6"]
 - cis_csc: ["6.3"]
@@ -1173,7 +1173,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets."
 compliance:
 - cis: ["9.2.7"]
 - cis_csc: ["6.2"]
@@ -1189,7 +1189,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections."
 compliance:
 - cis: ["9.2.8"]
 - cis_csc: ["6.2"]
@@ -1206,7 +1206,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
 description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
 compliance:
 - cis: ["9.3.1"]
 - cis_csc: ["9.2"]
@@ -1220,9 +1220,9 @@ checks: - id: 12074 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" - description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)" + description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)." rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service." - remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections" + remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections." compliance: - cis: ["9.3.2"] - cis_csc: ["9.2"] 
@@ -1238,7 +1238,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
 description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections."
compliance:
 - cis: ["9.3.3"]
 - cis_csc: ["9.2"]
@@ -1254,7 +1254,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
 description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No."
 rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification."
 compliance:
 - cis: ["9.3.4"]
 references:
@@ -1269,7 +1269,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules."
 compliance:
 - cis: ["9.3.5"]
 - cis_csc: ["5.1"]
@@ -1285,7 +1285,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
 description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No."
 rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules."
 compliance:
 - cis: ["9.3.6"]
 - cis_csc: ["5.1"]
@@ -1301,7 +1301,7 @@ checks:
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"
 description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name."
 compliance:
 - cis: ["9.3.7"]
 - cis_csc: ["6.2"]
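Review bot: The title on this hunk's first context line still labels the check as 'Windows Firewall: Private: Logging: Name', while the description, the new remediation path ('Public Profile\\Logging Customize\\Name'), the publicfw.log value and the cis reference 9.3.7 (the same 9.3.x series as the Public-profile checks in the hunks above) all refer to the Public profile. Since the commit already rewrites this check's remediation text, the title should be corrected in the same pass, otherwise an SCA report attributes the finding to the wrong firewall profile: `title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'"`. The check's `- id:` line is above the hunk, so I could not confirm the identifier it carries.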
@@ -1317,7 +1317,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'"
 description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)."
 compliance:
 - cis: ["9.3.8"]
 - cis_csc: ["6.3"]
@@ -1333,7 +1333,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets."
 compliance:
 - cis: ["9.3.9"]
 - cis_csc: ["6.2"]
@@ -1349,7 +1349,7 @@ checks:
 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
 description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections."
 compliance:
 - cis: ["9.3.10"]
 - cis_csc: ["6.2"]
@@ -1366,7 +1366,7 @@ checks:
 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
 description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). "
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.1.1.1"]
 references:
@@ -1381,7 +1381,7 @@ checks:
 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
 description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.1.1.2"]
 references:
@@ -1520,7 +1520,7 @@ checks:
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
 description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.1"]
 - cis_csc: ["16"]
@@ -1538,7 +1538,7 @@ checks:
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.2"]
 - cis_csc: ["9"]
@@ -1555,7 +1555,7 @@ checks:
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
compliance:
 - cis: ["18.4.3"]
 - cis_csc: ["9"]
@@ -1572,7 +1572,7 @@ checks:
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.4"]
 - cis_csc: ["9"]
@@ -1589,7 +1589,7 @@ checks:
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.6"]
 - cis_csc: ["9"]
@@ -1604,9 +1604,9 @@ checks:
 - id: 12098
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
- description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+ description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first.
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.8"]
 - cis_csc: ["8"]
@@ -1624,7 +1624,7 @@ checks:
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
 description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
compliance:
 - cis: ["18.4.9"]
 - cis_csc: ["16.5"]
@@ -1641,7 +1641,7 @@ checks:
title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default.
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
compliance: - cis: ["18.4.12"] - cis_csc: ["6.3"]
@@ -1657,7 +1657,7 @@ checks:
# Section 18.5 - Network - id: 12101
title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
- description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled"
+ description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
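Review bot: The rewritten `description` of check 12101 only appends a trailing period and carries over the grammatical slip "to controls user's ability"; since the commit already touches this line, fix the wording in the same pass: `description: "You can use this procedure to control users' ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."`. The check's compliance and rules entries continue outside the hunk.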
@@ -1706,7 +1706,7 @@ checks:
# Section 18.8 - System - id: 12104
title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
- description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. "
+ description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
@@ -1722,7 +1722,7 @@ checks: - id: 12105
title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
- description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+ description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
 -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
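Review bot: The new `description` of check 12105 keeps a hyphenation artifact, `Early Launch Antimalware boot- start driver`, which should read `boot-start driver` as the same string spells it everywhere else. The four classifications are also run together with only double spaces as separators (`driver:  -Good: … initialized.  -Bad, but required …`), so the text is hard to read wherever the policy is rendered. Since the commit rewrites this line anyway, fixing the hyphen and separating the classifications with a consistent `; ` would cost nothing. The check's compliance and rules entries lie outside the hunk.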
@@ -1866,7 +1866,7 @@ checks: - id: 12114
title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
- description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
+ description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
compliance:
@@ -2094,7 +2094,7 @@ checks: - id: 12128
title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance: - cis: ["18.9.26.3.2"]
@@ -2126,7 +2126,7 @@ checks: - id: 12130
title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
- rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users"
+ rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance: - cis: ["18.9.26.4.2"]
@@ -2191,7 +2191,7 @@ checks:
title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'"
description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled."
rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates."
compliance: - cis: ["18.9.52.1"] - cis_csc: ["13"]
@@ -2381,7 +2381,7 @@ checks: - id: 12146
title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'"
- description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data"
+ description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data."
rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
@@ -2585,7 +2585,7 @@ checks: - id: 12159
title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS.
If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
From 61003cf887edaa838be9b8076bada73147383624 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Thu, 8 Aug 2019 08:34:53 +0200
Subject: [PATCH 226/247] Add references to policy Win10_enterprise_L1
---
 sca/windows/cis_win10_enterprise_L1.yml | 440 +++++++++++++++++++++---
 1 file changed, 389 insertions(+), 51 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index a8f08f376..7b3557b47 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -31,10 +31,12 @@ checks:
title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts."
rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts."
compliance: - cis: ["2.3.1.2"] - cis_csc: ["16"]
+ references:
+ - 'CCE-35487-8'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -45,10 +47,12 @@ checks:
title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
compliance: - cis: ["2.3.1.4"] - cis_csc: ["16"]
+ references:
+ - 'CCE-32929-2'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -59,10 +63,12 @@ checks:
title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'"
description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled."
rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident.
Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
compliance: - cis: ["2.3.2.1"] - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-35533-9'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
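Review bot: The `remediation` line rewritten in this hunk for the CIS 2.3.2.1 check tells the reader to set `Audit: Shut down system immediately if unable to log security audits` to Disabled, but the check's title is `Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings` set to Enabled; the identical description, rationale and remediation appear again in the 2.3.2.2 check in the next hunk, so this entry looks copy-pasted from it and the commit re-touched the wrong text only to add a period. The line should read `remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."`, and the description and rationale above it need the same correction in a follow-up. The added reference `CCE-35533-9` should be confirmed against the 2.3.2.1 control rather than inherited along with the copied text. The remainder of the check's rules list is outside the hunk.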
@@ -73,10 +79,12 @@ checks:
title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'"
description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled."
rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits."
compliance: - cis: ["2.3.2.2"] - cis_csc: ["6"]
+ references:
+ - 'CCE-33046-4'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -87,10 +95,12 @@ checks:
title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'"
description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators and Interactive Users."
rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."
compliance: - cis: ["2.3.4.1"] - cis_csc: ["5.1"]
+ references:
+ - 'CCE-34355-8'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -104,6 +114,8 @@ checks:
compliance: - cis: ["2.3.6.1"] - cis_csc: ["13"]
+ references:
+ - 'CCE-34892-0'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -118,6 +130,8 @@ checks:
compliance: - cis: ["2.3.6.2"] - cis_csc: ["13"]
+ references:
+ - 'CCE-35273-2'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -132,6 +146,8 @@ checks:
compliance: - cis: ["2.3.6.3"] - cis_csc: ["13"]
+ references:
+ - 'CCE-34893-8'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
@@ -142,10 +158,12 @@ checks:
title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled"
rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
- remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes"
+ remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
compliance: - cis: ["2.3.6.4"] - cis_csc: ["16"]
+ references:
+ - 'CCE-34986-0'
condition: all
rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
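Review bot: The rewritten `remediation` of the CIS 2.3.6.4 check keeps a redundant leading label, `"Remediation: To establish …"`, that none of the neighbouring checks carry; since the commit already touches this line to add the trailing period, drop the label in the same change: `remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."`. The untouched `description` on the line above still ends without a period (`… is: Disabled"`), unlike the other fields this series normalises, and could be fixed while here. The check's remaining rules lines are outside the hunk.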
@@ -156,10 +174,12 @@ checks: title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key." compliance: - cis: ["2.3.6.6"] - cis_csc: ["13"] + references: + - 'CCE-35177-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -174,6 +194,8 @@ checks: compliance: - cis: ["2.3.7.1"] - cis_csc: ["8"] + references: + - 'CCE-35099-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' @@ -184,10 +206,12 @@ checks: title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit" rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." - remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit" + remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit." compliance: - cis: ["2.3.7.4"] - cis_csc: ["16.5"] + references: + - 'CCE-34900-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
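Review bot: The trailing period added to the remediation in the second hunk here (2.3.7.4) is not applied to the description in the same hunk, which still ends `...disables the machine inactivity limit` with no punctuation. The same inconsistency appears in the description of 2.3.10.3 (`...no effect on Domain Controllers`), the description of 2.3.10.9 (`...The recommended state for this setting is: Enabled`) and the rationale of 2.3.10.11 (`...exposure or corruption of sensitive data`). If the intent of this change is to normalise terminal punctuation across the policy, the description and rationale fields should receive the same treatment in one pass rather than leaving it half done.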
@@ -199,10 +223,12 @@ checks: title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." - remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" + remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration." compliance: - cis: ["2.3.7.8"] - cis_csc: ["16"] + references: + - 'CCE-35274-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -213,10 +239,12 @@ checks: title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." - remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" + remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior." compliance: - cis: ["2.3.7.9"] - cis_csc: ["16.5"] + references: + - 'CCE-34988-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' @@ -231,6 +259,8 @@ checks: compliance: - cis: ["2.3.8.1"] - cis_csc: ["13"] + references: + - 'CCE-35222-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -245,6 +275,8 @@ checks: compliance: - cis: ["2.3.8.2"] - cis_csc: ["13"] + references: + - 'CCE-34908-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' @@ -255,10 +287,12 @@ checks: title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers." compliance: - cis: ["2.3.8.3"] - cis_csc: ["13"] + references: + - 'CCE-33717-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -269,10 +303,12 @@ checks: title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0." rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive." - remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session" + remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session." compliance: - cis: ["2.3.9.1"] - cis_csc: ["3"] + references: + - 'CCE-34909-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -287,6 +323,8 @@ checks: compliance: - cis: ["2.3.9.2"] - cis_csc: ["13"] + references: + - 'CCE-35065-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' @@ -301,6 +339,8 @@ checks: compliance: - cis: ["2.3.9.3"] - cis_csc: ["13"] + references: + - 'CCE-35182-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -311,10 +351,12 @@ checks: title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled." rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire." compliance: - cis: ["2.3.9.4"] - cis_csc: ["16"] + references: + - 'CCE-34911-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -325,10 +367,12 @@ checks: title: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher" description: "This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark." rationale: "The identity of a computer can be spoofed to gain unauthorized access to network resources." - remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level" + remediation: "To establish the recommended configuration via GP, set the following UI path to Accept if provided by client (configuring to Required from client also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Server SPN target name validation level." 
compliance: - cis: ["2.3.9.5"] - cis_csc: ["14"] + references: + - 'CCE-35299-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' @@ -339,10 +383,12 @@ checks: title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts." compliance: - cis: ["2.3.10.2"] - cis_csc: ["16"] + references: + - 'CCE-34631-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' 
@@ -353,10 +399,12 @@ checks: title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers" rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares." compliance: - cis: ["2.3.10.3"] - cis_csc: ["16"] + references: + - 'CCE-34723-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' 
@@ -367,10 +415,12 @@ checks: title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted." rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication." compliance: - cis: ["2.3.10.4"] - cis_csc: ["16.14"] + references: + - 'CCE-33718-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' 
@@ -381,10 +431,12 @@ checks: title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled." rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users." compliance: - cis: ["2.3.10.5"] - cis_csc: ["14", "16"] + references: + - 'CCE-35367-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -395,10 +447,12 @@ checks: title: "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)." rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously" + remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously." compliance: - cis: ["2.3.10.6"] - cis_csc: ["14.1", "14.2"] + references: + - 'CCE-34965-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -409,10 +463,12 @@ checks: title: "Ensure 'Network access: Remotely accessible registry paths'" description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2)." rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths." compliance: - cis: ["2.3.10.7"] - cis_csc: ["14", "16"] + references: + - 'CCE-33976-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
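Review bot: In the remediation for 2.3.10.7 the list of registry paths and the Group Policy UI path are run together with no separator (`...SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion Computer Configuration\\Policies\\...`), so a reader cannot tell where the value ends and the GP location begins; the commit only appends a period at the very end. The 2.3.10.8 hunk that follows has the same shape with a much longer path list. Separating the two parts, for example `...set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions, System\\CurrentControlSet\\Control\\Server Applications, SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion (at Computer Configuration\\Policies\\...\\Network access: Remotely accessible registry paths).`, would make the remediation actionable without changing its meaning.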
@@ -423,10 +479,12 @@ checks: title: "Ensure 'Network access: Remotely accessible registry paths and sub-paths'" description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog" rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. 
The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths" + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog SOFTWARE\\Microsoft\\OLAP Server SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths." 
compliance: - cis: ["2.3.10.8"] - cis_csc: ["14", "16"] + references: + - 'CCE-35300-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' @@ -437,10 +495,12 @@ checks: title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled" rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares." compliance: - cis: ["2.3.10.9"] - cis_csc: ["14", "16"] + references: + - 'CCE-33563-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -451,7 +511,7 @@ checks: title: "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'" description: "This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy." rationale: "To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM" + remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict clients allowed to make remote calls to SAM." compliance: - cis: ["2.3.10.10"] - cis_csc: ["5.1", "9.1", "9.2"] 
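Review bot: This hunk (2.3.10.10) is the only check in the visible series that receives no `references` entry, so its remediation gets the trailing period but the check is left without a CCE id while every neighbour gains one. If the benchmark assigns a CCE to this setting it should be added here for consistency; if none exists, which is plausible given the description's note that the setting requires a newer OS, a short comment such as `# no CCE assigned for this setting` above `compliance:` would make the omission deliberate rather than look overlooked.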
@@ -465,10 +525,12 @@ checks: title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)." rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data" - remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously" + remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously." compliance: - cis: ["2.3.10.11"] - cis_csc: ["14", "16"] + references: + - 'CCE-34651-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
@@ -479,10 +541,12 @@ checks: title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)." rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts" + remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts." compliance: - cis: ["2.3.10.12"] - cis_csc: ["14", "16"] + references: + - 'CCE-33719-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -493,10 +557,12 @@ checks: title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled." rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM." compliance: - cis: ["2.3.11.1"] - cis_csc: ["14", "16"] + references: + - 'CCE-33141-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -507,10 +573,12 @@ checks: title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled" rationale: "NULL sessions are less secure because by definition they are unauthenticated." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback." compliance: - cis: ["2.3.11.2"] - cis_csc: ["14"] + references: + - 'CCE-35410-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' 
@@ -521,10 +589,12 @@ checks: title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called HomeGroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled." rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities." compliance: - cis: ["2.3.11.3"] - cis_csc: ["16.9"] + references: + - 'CCE-35411-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' 
@@ -535,10 +605,12 @@ checks: title: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting" rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them." - remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos" + remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos." compliance: - cis: ["2.3.11.4"] - cis_csc: ["16.14"] + references: + - 'CCE-35786-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' 
@@ -549,10 +621,12 @@ checks: title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled" rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change." compliance: - cis: ["2.3.11.5"] - cis_csc: ["16.14"] + references: + - 'CCE-35225-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -563,10 +637,12 @@ checks: title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced." rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire." compliance: - cis: ["2.3.11.6"] - cis_csc: ["16"] + references: + - 'CCE-34993-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' 
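Review bot: The rewritten remediation line of 2.3.11.6 reads `set the following UI path to Enabled. Computer Configuration\\...`, with a period where every other remediation on the page uses a colon (`to Enabled: Computer Configuration\\...`); the same pass that adds trailing periods should normalise that, and 2.3.11.7's `UI path to: Send NTLMv2 response only...` likewise differs from the `to <value>:` form used by its siblings. Separately, the description keeps the benchmark's note that the recommendation is unscored because no documented registry value corresponds to it, yet the check still runs under `condition: all` against `LanManServer\Parameters`; a short comment above the rules naming the source of the value rule that follows (outside the hunk) would stop a reader from reading that note as a sign the check is wrong. The hive path here is written `\SYSTEM\` where 2.3.10.11 writes `\System\` for the same key — harmless, as registry paths are case-insensitive, but worth aligning.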
@@ -577,10 +653,12 @@ checks: title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM" rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. 
However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level" + remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level." compliance: - cis: ["2.3.11.7"] - cis_csc: ["13"] + references: + - 'CCE-35302-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -591,10 +669,12 @@ checks: title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark." rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements" + remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements." compliance: - cis: ["2.3.11.8"] - cis_csc: ["13"] + references: + - 'CCE-33802-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP' 
@@ -605,10 +685,12 @@ checks: title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks." - remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients." 
compliance: - cis: ["2.3.11.9"] - cis_csc: ["13"] + references: + - 'CCE-35447-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' 
@@ -619,10 +701,12 @@ checks: title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value." rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks." - remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers." 
compliance: - cis: ["2.3.11.10"] - cis_csc: ["13"] + references: + - 'CCE-35108-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' 
@@ -633,9 +717,11 @@ checks: title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems." 
compliance: - cis: ["2.3.15.1"] + references: + - 'CCE-35008-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel' @@ -650,6 +736,8 @@ checks: compliance: - cis: ["2.3.15.2"] - cis_csc: ["14.4", "14.6"] + references: + - 'CCE-35232-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager' 
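Review bot: The rewritten remediation line of 2.3.15.1 still spells the setting `nonWindows subsystems`, while the check's own title (and the Group Policy editor) calls it `non-Windows subsystems`; since the line is rewritten anyway, the hyphen should be restored so the UI path in the remediation can be matched against the policy editor verbatim. The second hunk ending on this line (2.3.15.2) starts at `compliance:`, so its title and remediation text are outside the view and were not checked for the same issue.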
@@ -660,10 +748,12 @@ checks: title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled." rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account." compliance: - cis: ["2.3.17.1"] - cis_csc: ["5.1"] + references: + - 'CCE-35338-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -674,10 +764,12 @@ checks: title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'" description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled." rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop." compliance: - cis: ["2.3.17.2"] - cis_csc: ["16"] + references: + - 'CCE-35458-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -688,10 +780,12 @@ checks: title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop." rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so." - remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode." compliance: - cis: ["2.3.17.3"] - cis_csc: ["5.1"] + references: + - 'CCE-33784-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -702,10 +796,12 @@ checks: title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests." rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run." - remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users" + remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users." compliance: - cis: ["2.3.17.4"] - cis_csc: ["5.1"] + references: + - 'CCE-33785-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -716,10 +812,12 @@ checks:
 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
 description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
 rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
 compliance:
 - cis: ["2.3.17.5"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-35429-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
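Review bot: The registry path on the last line of this hunk, `'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`, carries a doubled `\MACHINE\` component that none of the neighbouring 2.3.17.x checks have; they all read `HKEY_LOCAL_MACHINE\Software\...`. A key under that path cannot resolve, so the check for "Detect application installations and prompt for elevation" would report the same result whatever the actual UAC setting is, and the commit leaves the line as it was. Suggested line: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`. The rule list continues past the end of the hunk, so the value comparison that follows is not visible here.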
@@ -730,10 +828,12 @@ checks:
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
 description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
 rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
 compliance:
 - cis: ["2.3.17.6"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-35401-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
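Review bot: The description and rationale lines of this hunk still carry what appears to be bullet residue from the benchmark PDF (`following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\` and the `  To set the foreground window.  To drive ...` run), which the wording pass over the remediation string in the same hunk does not touch; the same residue is visible in the -772 hunk (`to:  %ProgramFiles%  %Windir%  %Windir%\\system32`) and the -1741 hunk (`names.  A B-node ... A P-node ...`). Since these strings are what an operator reads in the scan output, rewriting the lists with explicit separators, e.g. `Secure locations are limited to: ...\\Program Files\\ (including subfolders); ...\\Windows\\system32\\; ...\\Program Files (x86)\\ (including subfolders, on 64-bit Windows).`, would keep them readable. The check's rule list runs past the end of this hunk.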
@@ -744,10 +844,12 @@ checks:
 title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
 description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
 rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
 compliance:
 - cis: ["2.3.17.7"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-33788-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -758,10 +860,12 @@ checks:
 title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
 description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
 rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
 compliance:
 - cis: ["2.3.17.8"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-33815-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -772,9 +876,11 @@ checks:
 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
 description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled."
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
 compliance:
 - cis: ["2.3.17.9"]
+ references:
+ - 'CCE-35459-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1063,6 +1169,8 @@ checks:
 compliance:
 - cis: ["9.1.1"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33160-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1077,6 +1185,8 @@ checks:
 compliance:
 - cis: ["9.1.2"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33063-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1091,6 +1201,8 @@ checks:
 compliance:
 - cis: ["9.1.3"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33098-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1104,6 +1216,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: ["9.1.4"]
+ references:
+ - 'CCE-33062-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -1118,6 +1232,8 @@ checks:
 compliance:
 - cis: ["9.1.5"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-34176-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1132,6 +1248,8 @@ checks:
 compliance:
 - cis: ["9.1.6"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-35083-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1146,6 +1264,8 @@ checks:
 compliance:
 - cis: ["9.1.7"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-35252-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1160,6 +1280,8 @@ checks:
 compliance:
 - cis: ["9.1.8"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-35306-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -1174,6 +1296,8 @@ checks:
 compliance:
 - cis: ["9.2.1"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33066-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1188,6 +1312,8 @@ checks:
 compliance:
 - cis: ["9.2.2"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33161-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1202,6 +1328,8 @@ checks:
 compliance:
 - cis: ["9.2.3"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33162-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1215,6 +1343,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: ["9.2.4"]
+ references:
+ - 'CCE-33065-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -1229,6 +1359,8 @@ checks:
 compliance:
 - cis: ["9.2.5"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-33437-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1243,6 +1375,8 @@ checks:
 compliance:
 - cis: ["9.2.6"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-34356-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1257,6 +1391,8 @@ checks:
 compliance:
 - cis: ["9.2.7"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-33436-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1271,6 +1407,8 @@ checks:
 compliance:
 - cis: ["9.2.8"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-34177-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1285,6 +1423,8 @@ checks:
 compliance:
 - cis: ["9.3.1"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-35703-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1299,6 +1439,8 @@ checks:
 compliance:
 - cis: ["9.3.2"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33069-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1313,6 +1455,8 @@ checks:
 compliance:
 - cis: ["9.3.3"]
 - cis_csc: ["9.2", "9.4"]
+ references:
+ - 'CCE-33070-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1326,6 +1470,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification"
 compliance:
 - cis: ["9.3.4"]
+ references:
+ - 'CCE-33068-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1340,6 +1486,8 @@ checks:
 compliance:
 - cis: ["9.3.5"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-35537-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1354,6 +1502,8 @@ checks:
 compliance:
 - cis: ["9.3.6"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-33099-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1368,6 +1518,8 @@ checks:
 compliance:
 - cis: ["9.3.7"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-35117-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1382,6 +1534,8 @@ checks:
 compliance:
 - cis: ["9.3.8"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-35421-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1396,6 +1550,8 @@ checks:
 compliance:
 - cis: ["9.3.9"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-35116-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1410,6 +1566,8 @@ checks:
 compliance:
 - cis: ["9.3.10"]
 - cis_csc: ["6.2", "6.3"]
+ references:
+ - 'CCE-33734-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
@@ -1424,6 +1582,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera"
 compliance:
 - cis: ["18.1.1.1"]
+ references:
+ - 'CCE-35799-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1437,6 +1597,8 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show"
 compliance:
 - cis: ["18.1.1.2"]
+ references:
+ - 'CCE-35800-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
@@ -1451,6 +1613,8 @@ checks:
 compliance:
 - cis: ["18.1.2.2"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-41387-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
@@ -1549,6 +1713,8 @@ checks:
 compliance:
 - cis: ["18.3.1"]
 - cis_csc: ["5.8", "4.3"]
+ references:
+ - 'CCE-35486-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -1619,6 +1785,8 @@ checks:
 compliance:
 - cis: ["18.3.6"]
 - cis_csc: ["16.14"]
+ references:
+ - 'CCE-35815-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
@@ -1633,6 +1801,8 @@ checks:
 compliance:
 - cis: ["18.4.1"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-35438-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -1647,6 +1817,8 @@ checks:
 compliance:
 - cis: ["18.4.2"]
 - cis_csc: ["9"]
+ references:
+ - 'CCE-33790-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
@@ -1661,6 +1833,8 @@ checks:
 compliance:
 - cis: ["18.4.3"]
 - cis_csc: ["9"]
+ references:
+ - 'CCE-33816-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -1671,10 +1845,12 @@ checks:
 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
 description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled."
 rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes."
 compliance:
 - cis: ["18.4.5"]
 - cis_csc: ["9"]
+ references:
+ - 'CCE-34597-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -1685,10 +1861,12 @@ checks:
 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'"
 description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled."
 rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers."
 compliance:
 - cis: ["18.4.7"]
 - cis_csc: ["9"]
+ references:
+ - 'CCE-35405-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
@@ -1703,6 +1881,8 @@ checks:
 compliance:
 - cis: ["18.4.9"]
 - cis_csc: ["8"]
+ references:
+ - 'CCE-34022-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
@@ -1717,6 +1897,8 @@ checks:
 compliance:
 - cis: ["18.4.10"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-34619-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -1727,10 +1909,12 @@ checks:
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning."
 compliance:
 - cis: ["18.4.13"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-35406-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
@@ -1741,7 +1925,7 @@ checks:
 title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
 description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)."
 rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts."
- remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeTyp e"
+ remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeType"
 compliance:
 - cis: ["18.5.4.1"]
 - cis_csc: ["9"]
@@ -1759,6 +1943,8 @@ checks:
 compliance:
 - cis: ["18.5.4.2"]
 - cis_csc: ["9"]
+ references:
+ - 'CCE-34055-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
@@ -1787,6 +1973,8 @@ checks:
 compliance:
 - cis: ["18.5.11.2"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-33107-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1815,6 +2003,8 @@ checks:
 compliance:
 - cis: ["18.5.11.4"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-35554-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
@@ -1845,6 +2035,8 @@ checks:
 compliance:
 - cis: ["18.5.21.1"]
 - cis_csc: ["12"]
+ references:
+ - 'CCE-35242-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1859,6 +2051,8 @@ checks:
 compliance:
 - cis: ["18.5.21.2"]
 - cis_csc: ["12"]
+ references:
+ - 'CCE-35375-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -1873,6 +2067,8 @@ checks:
 compliance:
 - cis: ["18.5.23.2.1"]
 - cis_csc: ["15.4", "15.5"]
+ references:
+ - 'CCE-41378-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
@@ -1887,6 +2083,8 @@ checks:
 compliance:
 - cis: ["18.8.3.1"]
 - cis_csc: ["16.14"]
+ references:
+ - 'CCE-35802-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
@@ -1915,6 +2113,8 @@ checks:
 compliance:
 - cis: ["18.8.14.1"]
 - cis_csc: ["8"]
+ references:
+ - 'CCE-33231-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
@@ -1929,6 +2129,8 @@ checks:
 compliance:
 - cis: ["18.8.21.2"]
 - cis_csc: ["3.7", "5.4", "5.5"]
+ references:
+ - 'CCE-35384-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1943,6 +2145,8 @@ checks:
 compliance:
 - cis: ["18.8.21.3"]
 - cis_csc: ["3.7", "5.4", "5.5"]
+ references:
+ - 'CCE-35384-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
@@ -1971,6 +2175,8 @@ checks:
 compliance:
 - cis: ["18.8.21.5"]
 - cis_csc: ["3.7", "5.4", "5.5"]
+ references:
+ - 'CCE-35776-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
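Review bot: `CCE-35384-7` is added as the reference for both 18.8.21.2 (hunk -1929) and 18.8.21.3 (hunk -1943), whereas every other check touched by this commit receives a distinct identifier, so one of the two looks like a copy-paste slip. The two checks share the same Group Policy registry key but, judging by their separate CIS numbers, cover different settings, and a wrong cross-reference sends an operator to the wrong benchmark item when triaging a failed check. Please confirm both identifiers against the benchmark; if they are genuinely the same, a comment above the second entry, `# same CCE as 18.8.21.2`, would stop the next reviewer from raising this again.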
@@ -1985,6 +2191,8 @@ checks:
 compliance:
 - cis: ["18.8.22.1.2"]
 - cis_csc: ["2"]
+ references:
+ - 'CCE-35781-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -1999,6 +2207,8 @@ checks:
 compliance:
 - cis: ["18.8.22.1.7"]
 - cis_csc: ["13.1"]
+ references:
+ - 'CCE-33783-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
@@ -2027,6 +2237,8 @@ checks:
 compliance:
 - cis: ["18.8.27.2"]
 - cis_csc: ["5"]
+ references:
+ - 'CCE-33822-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2041,6 +2253,8 @@ checks:
 compliance:
 - cis: ["18.8.27.3"]
 - cis_csc: ["16.9"]
+ references:
+ - 'CCE-35207-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2055,6 +2269,8 @@ checks:
 compliance:
 - cis: ["18.8.27.4"]
 - cis_csc: ["16.9"]
+ references:
+ - 'CCE-34838-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2069,6 +2285,8 @@ checks:
 compliance:
 - cis: ["18.8.27.5"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-34837-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2083,6 +2301,8 @@ checks:
 compliance:
 - cis: ["18.8.27.6"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-35291-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2097,6 +2317,8 @@ checks:
 compliance:
 - cis: ["18.8.27.7"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-35095-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -2139,6 +2361,8 @@ checks:
 compliance:
 - cis: ["18.8.33.6.5"]
 - cis_csc: ["13.2", "13.6"]
+ references:
+ - 'CCE-33782-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -2153,6 +2377,8 @@ checks:
 compliance:
 - cis: ["18.8.33.6.6"]
 - cis_csc: ["16.5"]
+ references:
+ - 'CCE-35462-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
@@ -2167,6 +2393,8 @@ checks:
 compliance:
 - cis: ["18.8.35.1"]
 - cis_csc: ["9.1", "9.2"]
+ references:
+ - 'CCE-33801-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2181,6 +2409,8 @@ checks:
 compliance:
 - cis: ["18.8.35.2"]
 - cis_csc: ["5.1"]
+ references:
+ - 'CCE-35331-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -2195,6 +2425,8 @@ checks:
 compliance:
 - cis: ["18.8.36.1"]
 - cis_csc: ["9.1", "9.2"]
+ references:
+ - 'CCE-35392-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2209,6 +2441,8 @@ checks:
 compliance:
 - cis: ["18.8.36.2"]
 - cis_csc: ["9.1", "9.2"]
+ references:
+ - 'CCE-35391-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -2223,6 +2457,8 @@ checks:
 compliance:
 - cis: ["18.9.6.1"]
 - cis_csc: ["16.9"]
+ references:
+ - 'CCE-35803-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -2237,6 +2473,8 @@ checks:
 compliance:
 - cis: ["18.9.8.1"]
 - cis_csc: ["8.3", "8.4", "8.5"]
+ references:
+ - 'CCE-35289-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
@@ -2251,6 +2489,8 @@ checks:
 compliance:
 - cis: ["18.9.8.2"]
 - cis_csc: ["8.3", "8.4", "8.5"]
+ references:
+ - 'CCE-34771-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -2265,6 +2505,8 @@ checks:
 compliance:
 - cis: ["18.9.8.3"]
 - cis_csc: ["8.3", "8.4", "8.5"]
+ references:
+ - 'CCE-33791-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
@@ -2320,6 +2562,8 @@ checks:
 compliance:
 - cis: ["18.9.15.1"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-32965-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
@@ -2334,6 +2578,8 @@ checks:
 compliance:
 - cis: ["18.9.15.2"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-35194-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
@@ -2348,6 +2594,8 @@ checks:
 compliance:
 - cis: ["18.9.16.1"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-41400-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
@@ -2376,6 +2624,8 @@ checks:
 compliance:
 - cis: ["18.9.16.4"]
 - cis_csc: ["3"]
+ references:
+ - 'CCE-41380-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
@@ -2404,6 +2654,8 @@ checks:
 compliance:
 - cis: ["18.9.26.1.1"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-34169-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2418,6 +2670,8 @@ checks:
 compliance:
 - cis: ["18.9.26.1.2"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-33975-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
@@ -2432,6 +2686,8 @@ checks:
 compliance:
 - cis: ["18.9.26.2.1"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-35090-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
@@ -2446,6 +2702,8 @@ checks:
 compliance:
 - cis: ["18.9.26.2.2"]
 - cis_csc: ["6.3", "6.4"]
+ references:
+ - 'CCE-33428-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
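Review bot: The rule line of the first hunk here, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'`, only asserts that the value exists, while every other hunk in this commit keys its check on the registry key alone and leaves the data comparison to a following rule line. If the comparison against the benchmark's expected data for 18.9.8.3 is on a line just past this hunk, nothing is needed; if the existence test is the whole rule, a host where the value is present but set to something other than the recommended data would still pass. Either way the rule list is cut off at the end of the hunk, so it is worth checking the lines that follow.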
@@ -2460,6 +2718,8 @@ checks: compliance: - cis: ["18.9.26.3.1"] - cis_csc: ["6.3", "6.4"] + references: + - 'CCE-34170-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' @@ -2474,6 +2734,8 @@ checks: compliance: - cis: ["18.9.26.3.2"] - cis_csc: ["6.3", "6.4"] + references: + - 'CCE-35091-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' @@ -2488,6 +2750,8 @@ checks: compliance: - cis: ["18.9.26.4.1"] - cis_csc: ["6.3", "6.4"] + references: + - 'CCE-33729-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' @@ -2502,6 +2766,8 @@ checks: compliance: - cis: ["18.9.26.4.2"] - cis_csc: ["6.3", "6.4"] + references: + - 'CCE-35288-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' @@ -2516,6 +2782,8 @@ checks: compliance: - cis: ["18.9.30.2"] - cis_csc: ["8.4", "8.3"] + references: + - 'CCE-33608-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' @@ -2530,6 +2798,8 @@ checks: compliance: - cis: ["18.9.30.3"] - cis_csc: ["8.4", "8.3"] + references: + - 'CCE-33745-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' @@ -2544,6 +2814,8 @@ checks: compliance: - cis: ["18.9.30.4"] - cis_csc: ["8.4", "8.3"] + references: + - 'CCE-33764-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -2558,6 +2830,8 @@ checks: compliance: - cis: ["18.9.35.1"] - cis_csc: ["14.1", "14.2"] + references: + - 'CCE-34776-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup' @@ -2628,6 +2902,8 @@ checks: compliance: - cis: ["18.9.52.1"] - cis_csc: ["13"] + references: + - 'CCE-33826-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' 
@@ -2642,6 +2918,8 @@ checks: compliance: - cis: ["18.9.58.2.2"] - cis_csc: ["16.4"] + references: + - 'CCE-34506-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2656,6 +2934,8 @@ checks: compliance: - cis: ["18.9.58.3.3.2"] - cis_csc: ["13"] + references: + - 'CCE-34697-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2670,6 +2950,8 @@ checks: compliance: - cis: ["18.9.58.3.9.1"] - cis_csc: ["16.14"] + references: + - 'CCE-33960-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2684,6 +2966,8 @@ checks: compliance: - cis: ["18.9.58.3.9.2"] - cis_csc: ["3.4"] + references: + - 'CCE-35723-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2698,6 +2982,8 @@ checks: compliance: - cis: ["18.9.58.3.9.5"] - cis_csc: ["3.4"] + references: + - 'CCE-35578-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2712,6 +2998,8 @@ checks: compliance: - cis: ["18.9.58.3.11.1"] - cis_csc: ["14.4", "14.6"] + references: + - 'CCE-34136-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2726,6 +3014,8 @@ checks: compliance: - cis: ["18.9.58.3.11.2"] - cis_csc: ["14.4", "14.6"] + references: + - 'CCE-34531-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -2740,6 +3030,8 @@ checks: compliance: - cis: ["18.9.59.1"] - cis_csc: ["7.2"] + references: + - 'CCE-34822-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' 
@@ -2754,6 +3046,8 @@ checks: compliance: - cis: ["18.9.60.3"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-41421-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -2782,6 +3076,8 @@ checks: compliance: - cis: ["18.9.60.5"] - cis_csc: ["13.1"] + references: + - 'CCE-35314-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -2796,6 +3092,8 @@ checks: compliance: - cis: ["18.9.60.6"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-41372-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' @@ -2810,6 +3108,8 @@ checks: compliance: - cis: ["18.9.68.3"] - cis_csc: ["3.1", "3.4", "3.5", "4.5", "5.1"] + references: + - 'CCE-35807-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' @@ -2824,6 +3124,8 @@ checks: compliance: - cis: ["18.9.68.4"] - cis_csc: ["3.1", "3.4", "3.5", "4.5", "5.1"] + references: + - 'CCE-35809-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' @@ -2838,6 +3140,8 @@ checks: compliance: - cis: ["18.9.76.3.1"] - cis_csc: ["8"] + references: + - 'CCE-33833-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' @@ -2852,6 +3156,8 @@ checks: compliance: - cis: ["18.9.76.7.1"] - cis_csc: ["8.1", "8.6"] + references: + - 'CCE-33865-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' @@ -2866,6 +3172,8 @@ checks: compliance: - cis: ["18.9.76.10.1"] - cis_csc: ["13"] + references: + - 'CCE-33888-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' @@ -2880,6 +3188,8 @@ checks: compliance: - cis: ["18.9.76.10.2"] - cis_csc: ["13"] + references: + - 'CCE-33906-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan' 
@@ -2904,7 +3214,7 @@ checks: title: "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'" description: "This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes)" rationale: "Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines." 
- remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule" + remediation: "To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d and d4f940ab-401b-4efc-aadc-ad5f3c50688a are each set to a value of 1: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules: Set the state for each ASR rule." compliance: - cis: ["18.9.76.13.1.2"] - cis_csc: ["8.4"] @@ -2956,6 +3266,8 @@ checks: compliance: - cis: ["18.9.76.14"] - cis_csc: ["8.1", "8.6"] + references: + - 'CCE-33478-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender' 
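Review bot: The rationale line of the 18.9.76.13.1.2 check still reads `exploitseeking`, which should be `exploit-seeking`; this commit only added the trailing period to the remediation string of the same check. The description and remediation here are single-line double-quoted strings several hundred characters long that enumerate eleven ASR rule GUIDs; a folded block scalar (`remediation: >-` with one GUID per source line) would keep them readable and diffable without changing the parsed value. This hunk starts at its `@@` header on the previous physical line.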
@@ -2984,6 +3296,8 @@ checks: compliance: - cis: ["18.9.80.1.1"] - cis_csc: ["2"] + references: + - 'CCE-34026-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -3070,6 +3384,8 @@ checks: compliance: - cis: ["18.9.85.1"] - cis_csc: ["5.1"] + references: + - 'CCE-35431-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' @@ -3084,6 +3400,8 @@ checks: compliance: - cis: ["18.9.85.2"] - cis_csc: ["5.1"] + references: + - 'CCE-35400-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' @@ -3098,6 +3416,8 @@ checks: compliance: - cis: ["18.9.86.1"] - cis_csc: ["16.5"] + references: + - 'CCE-33891-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' @@ -3140,6 +3460,8 @@ checks: compliance: - cis: ["18.9.97.1.1"] - cis_csc: ["16.13", "16.5"] + references: + - 'CCE-35258-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' @@ -3154,6 +3476,8 @@ checks: compliance: - cis: ["18.9.97.1.2"] - cis_csc: ["16.5", "16.13"] + references: + - 'CCE-34458-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' @@ -3168,6 +3492,8 @@ checks: compliance: - cis: ["18.9.97.1.3"] - cis_csc: ["16.5", "16.13"] + references: + - 'CCE-34778-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' @@ -3182,6 +3508,8 @@ checks: compliance: - cis: ["18.9.97.2.1"] - cis_csc: ["16.5", "16.13"] + references: + - 'CCE-34779-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' @@ -3196,6 +3524,8 @@ checks: compliance: - cis: ["18.9.97.2.3"] - cis_csc: ["3.4"] + references: + - 'CCE-35054-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -3210,6 +3540,8 @@ checks: compliance: - cis: ["18.9.97.2.4"] - cis_csc: ["16.5", "16.13"] + references: + - 'CCE-35416-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' @@ -3274,6 +3606,8 @@ checks: compliance: - cis: ["18.9.101.2"] - cis_csc: ["3.4", "3.5", "4.5"] + references: + - 'CCE-35111-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' @@ -3284,10 +3618,12 @@ checks: title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." - remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day" + remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day." compliance: - cis: ["18.9.101.3"] - cis_csc: ["3.4", "3.5", "4.5"] + references: + - 'CCE-35111-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 
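Review bot: The same reference `CCE-35111-4` is added to two different checks here, 18.9.101.2 (hunk `@@ -3274`) and 18.9.101.3 (hunk `@@ -3284`); every other check in this file gets its own identifier, so the second looks like a copy-paste carry-over. Unless the benchmark really maps both recommendations to one CCE, the entry under 18.9.101.3 should be replaced with that check's own identifier, or the `references:` block dropped there until it is known.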
@@ -3302,6 +3638,8 @@ checks: compliance: - cis: ["18.9.101.4"] - cis_csc: ["3.4", "3.5", "4.5"] + references: + - 'CCE-33813-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' From c6e507f150466c569d7d2f5d4abf74bdf35f717f Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Thu, 8 Aug 2019 01:11:06 -0700 Subject: [PATCH 227/247] Fix references and other fields for CIS Win10 L2 SCA policy --- sca/windows/cis_win10_enterprise_L2.yml | 98 +++++++++++++++++++++++-- 1 file changed, 92 insertions(+), 6 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml index 1e86d3eef..58a5daafe 100644 --- a/sca/windows/cis_win10_enterprise_L2.yml +++ b/sca/windows/cis_win10_enterprise_L2.yml @@ -35,6 +35,8 @@ checks: compliance: - cis: ["2.3.4.2"] - cis_csc: ["5.1"] + references: + - 'CCE-33958-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' @@ -49,6 +51,8 @@ checks: compliance: - cis: ["2.3.7.7"] - cis_csc: ["16"] + references: + - 'CCE-34901-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' @@ -63,6 +67,8 @@ checks: compliance: - cis: ["2.3.14.1"] - cis_csc: ["16.14"] + references: + - 'CCE-35007-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography' @@ -420,6 +426,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-35469-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' @@ -436,6 +443,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-34614-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
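Review bot: The `references` lists in hunks `@@ -420` and `@@ -436` now mix an unquoted URL item with a single-quoted CCE item; the same mixed style appears in `@@ -452` and `@@ -468` on the next line and in the lists at `@@ -1109` and `@@ -1170` further down. Both forms parse as strings, so this is only consistency, but one quoting style per list (the rest of this file quotes every reference) would make the lists easier to lint and grep.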
@@ -452,6 +460,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-34622-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' @@ -468,6 +477,7 @@ checks: - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-34623-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' @@ -483,6 +493,8 @@ checks: compliance: - cis: ["18.5.5.1"] - cis_csc: ["3", "13"] + references: + - '' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' @@ -497,6 +509,8 @@ checks: compliance: - cis: ["18.5.9.1"] - cis_csc: ["9"] + references: + - 'CCE-34262-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' @@ -517,6 +531,8 @@ checks: compliance: - cis: ["18.5.9.2"] - cis_csc: ["9"] + references: + - 'CCE-34073-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' @@ -537,6 +553,8 @@ checks: compliance: - cis: ["18.5.10.2"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-33208-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' @@ -565,6 +583,8 @@ checks: compliance: - cis: ["18.5.20.1"] - cis_csc: ["15.4", "15.5"] + references: + - 'CCE-34326-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' @@ -587,6 +607,8 @@ checks: compliance: - cis: ["18.5.20.2"] - cis_csc: ["15.4", "15.5"] + references: + - 'CCE-35606-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' @@ -602,6 +624,8 @@ checks: compliance: - cis: ["18.8.22.1.1"] - cis_csc: ["2"] + references: + - 'CCE-35626-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
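Review bot: The check for 18.5.5.1 (hunk `@@ -483`) gains a `references` list whose only item is the empty string `''`, and the same happens for 18.9.45.9 in hunk `@@ -1013` on a later line. An empty reference carries no information and will be rendered as a blank entry by anything that displays the policy. Either fill in the real identifier or leave the two added lines (`references:` and `- ''`) out of these checks until it is available.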
@@ -616,6 +640,8 @@ checks: compliance: - cis: ["18.8.22.1.2"] - cis_csc: ["7"] + references: + - 'CCE-35781-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' @@ -630,6 +656,8 @@ checks: compliance: - cis: ["18.8.22.1.3"] - cis_csc: ["13"] + references: + - 'CCE-32945-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' @@ -644,6 +672,8 @@ checks: compliance: - cis: ["18.8.22.1.4"] - cis_csc: ["13"] + references: + - 'CCE-35784-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' @@ -658,6 +688,8 @@ checks: compliance: - cis: ["18.8.22.1.5"] - cis_csc: ["13"] + references: + - 'CCE-33153-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' @@ -671,6 +703,8 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.8"] + references: + - 'CCE-33216-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' @@ -685,6 +719,8 @@ checks: compliance: - cis: ["18.8.22.1.9"] - cis_csc: ["13"] + references: + - 'CCE-33817-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' @@ -699,6 +735,8 @@ checks: compliance: - cis: ["18.8.22.1.10"] - cis_csc: ["13"] + references: + - 'CCE-34061-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -713,6 +751,8 @@ checks: compliance: - cis: ["18.8.22.1.11"] - cis_csc: ["13"] + references: + - 'CCE-33246-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' @@ -727,6 +767,8 @@ checks: compliance: - cis: ["18.8.22.1.12"] - cis_csc: ["13"] + references: + - 'CCE-33957-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' @@ -741,6 +783,8 @@ checks: compliance: - cis: ["18.8.22.1.13"] - cis_csc: ["13"] + references: + - 'CCE-33255-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' @@ -755,6 +799,8 @@ checks: compliance: - cis: ["18.8.22.1.14"] - cis_csc: ["13"] + references: + - 'CCE-34260-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' @@ -771,7 +817,9 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic: Computer Configuration\\Policies\\Administrative Templates\\System\\Kerberos\\Support device authentication using certificate. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: - cis: ["18.8.25.1"] - - cis_csc: ["1.6"] + - cis_csc: ["1.6", "1.8"] + references: + - 'CCE-41396-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters' 
@@ -787,7 +835,9 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.26.1"] - - cis_csc: ["16.5"] + - cis_csc: ["16.5", "16.11"] + references: + - 'CCE-35101-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' @@ -802,6 +852,8 @@ checks: compliance: - cis: ["18.8.44.5.1"] - cis_csc: ["13"] + references: + - 'CCE-34972-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' @@ -816,6 +868,8 @@ checks: compliance: - cis: ["18.8.44.11.1"] - cis_csc: ["13"] + references: + - 'CCE-33662-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' @@ -830,6 +884,8 @@ checks: compliance: - cis: ["18.8.46.1"] - cis_csc: ["13"] + references: + - 'CCE-33823-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' @@ -844,6 +900,8 @@ checks: compliance: - cis: ["18.8.49.1.1"] - cis_csc: ["6.1"] + references: + - 'CCE-33661-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' @@ -858,6 +916,8 @@ checks: compliance: - cis: ["18.8.49.1.2"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-35135-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' 
@@ -873,6 +933,8 @@ checks: compliance: - cis: ["18.9.4.1"] - cis_csc: ["14.4", "14.6"] + references: + - 'CCE-41397-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager' @@ -915,6 +977,8 @@ checks: compliance: - cis: ["18.9.39.2"] - cis_csc: ["13"] + references: + - 'CCE-33743-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' @@ -1013,6 +1077,8 @@ checks: compliance: - cis: ["18.9.45.9"] - cis_csc: ["3"] + references: + - '' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main' @@ -1054,6 +1120,8 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Allow users to connect remotely by using Remote Desktop Services. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Allow users to connect remotely using Terminal Services, but it was renamed to Allow users to connect remotely using Remote Desktop Services in the Windows 7 & Server 2008 R2 Administrative Templates. It was renamed again to Allow users to connect remotely by using Remote Desktop Services in the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.58.3.2.1"] + references: + - 'CCE-35255-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1068,6 +1136,8 @@ checks: compliance: - cis: ["18.9.58.3.3.1"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-34496-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -1082,6 +1152,8 @@ checks: compliance: - cis: ["18.9.58.3.3.3"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-34698-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -1096,6 +1168,8 @@ checks: compliance: - cis: ["18.9.58.3.3.4"] - cis_csc: ["9.1", "9.2"] + references: + - 'CCE-34790-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -1109,9 +1183,10 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - cis: ["18.9.58.3.10.1"] - - cis_csc: ["16.5"] + - cis_csc: ["16.5", "16.11"] references: - https://workbench.cisecurity.org/benchmarks/766 + - 'CCE-35595-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1125,7 +1200,9 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.10.2"] - - cis_csc: ["16.5"] + - cis_csc: ["16.5", "16.11"] + references: + - 'CCE-35599-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' @@ -1170,6 +1247,7 @@ checks: references: - https://docs.microsoft.com/en-us/windows/client-management/group-policies-for-enterprise-and-education-editions - https://support.microsoft.com/en-us/help/3135657/can-t-disable-windows-store-in-windows-10-pro-through-group-policy + - 'CCE-35811-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore' @@ -1197,6 +1275,8 @@ checks: compliance: - cis: ["18.9.76.9.1"] - cis_csc: ["13"] + references: + - 'CCE-33880-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' @@ -1225,6 +1305,8 @@ checks: compliance: - cis: ["18.9.85.3"] - cis_csc: ["7"] + references: + - 'CCE-35086-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -1238,7 +1320,9 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.97.2.2"] - - cis_csc: ["3.4"] + - cis_csc: ["3.4", "4.5"] + references: + - 'CCE-33146-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' @@ -1252,7 +1336,9 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.98.1"] - - cis_csc: ["3.4"] + - cis_csc: ["3.4", "4.5"] + references: + - 'CCE-33740-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' From 0fe924f5eced7649681bbac0e9e0d02cd76e6fff Mon Sep 17 00:00:00 2001 From: Carlos Date: Thu, 8 Aug 2019 11:25:21 +0200 Subject: [PATCH 228/247] Add references to cis_win2012r2_memberL2 and fix typos --- sca/windows/cis_win2012r2_memberL2.yml | 179 ++++++++++++++++++------- 1 file changed, 131 insertions(+), 48 deletions(-) 
diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index b3b98f97b..af5c5f697 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml
@@ -30,10 +30,12 @@ checks:
 title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'"
 description: "This policy setting determines whether a user can log on to a Windows domain using cached account information."
 rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)."
 compliance:
 - cis: ["2.3.7.6"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-38240-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
@@ -45,10 +47,12 @@ checks:
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
 description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication."
 rationale: "Passwords that are cached can be accessed by the user when logged on to the computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
 compliance:
 - cis: ["2.3.10.4"]
 - cis_csc: ["16.14"]
+ references:
+ - 'CCE-38119-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -60,10 +64,12 @@ checks:
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds."
 compliance:
 - cis: ["18.4.5"]
 - cis_csc: ["9"]
+ references:
+ - 'CCE-36868-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -74,10 +80,12 @@ checks:
title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis."
rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)."
compliance:
- cis: ["18.4.7"]
- cis_csc: ["9"]
+ references:
+ - 'CCE-38065-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -88,10 +96,12 @@ checks:
title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remedtiation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted."
compliance:
- cis: ["18.4.10"]
- - cis_csc: ["5"]
+ - cis_csc: ["9"]
+ references:
+ - 'CCE-37846-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -102,10 +112,12 @@ checks:
title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted."
rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted."
compliance:
- cis: ["18.4.11"]
- - cis_csc: ["5"]
+ - cis_csc: ["9"]
+ references:
+ - 'CCE-36051-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -117,10 +129,12 @@ checks:
title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver."
rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver."
compliance:
- cis: ["18.5.9.1"]
- cis_csc: ["9"]
+ references:
+ - 'CCE-38170-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -137,10 +151,12 @@ checks:
title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
description: "This policy setting changes the operational behavior of the Responder network protocol driver."
rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver."
compliance:
- cis: ["18.5.9.2"]
- cis_csc: ["9"]
+ references:
+ - 'CCE-37959-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -158,10 +174,12 @@ checks:
title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number."
rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services."
compliance:
- cis: ["18.5.10.2"]
- cis_csc: ["9.1"]
+ references:
+ - 'CCE-37699-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -172,10 +190,12 @@ checks:
- id: 12509
title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on."
- remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents"
+ remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents."
compliance:
- cis: ["18.5.19.2.1"]
- cis_csc: ["9"]
+ references:
+ - ''
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
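Review bot: The `references` list added for check 12509 holds a single empty string (`+ - ''`), so this custom Disable-IPv6 item now carries a blank reference while every other check in the commit gets a CCE identifier. A blank element is likely to be rendered or indexed verbatim by anything that consumes `references`, which is worse than having no list at all. Either drop the two added lines for this check, or replace `''` with a real identifier; since the title marks this as a non-benchmark item there is presumably no CCE for it, so dropping the block is the safer choice.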
@@ -187,10 +207,12 @@ checks:
title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN)."
rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now."
compliance:
- cis: ["18.5.20.1"]
- cis_csc: ["15.4"]
+ references:
+ - 'CCE-37481-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -209,10 +231,12 @@ checks:
title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards."
rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards."
compliance:
- cis: ["18.5.20.2"]
- cis_csc: ["15.4"]
+ references:
+ - 'CCE-36109-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
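Review bot: The rewritten remediation line still contains `Administrative Templates\Network\Network\\Windows Connect Now` — two single backslashes inside a YAML double-quoted scalar, where `\N` is the escape for U+0085 (NEL), so the parsed text is corrupted rather than showing the GP path, and `Network` is duplicated. Since this line is already being replaced to add the trailing period, fix it in the same change: `...Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards."`. That also brings it in line with the `\\Network\\` spelling used by the other remediation strings in this file.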
@@ -224,10 +248,12 @@ checks:
title: "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time."
rationale: "The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network."
compliance:
- cis: ["18.5.21.2"]
- cis_csc: ["12"]
+ references:
+ - 'CCE-37627-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
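Review bot: The new remediation line keeps `Administrative Templates\Network\\Windows Connection Manager` with a single backslash before `Network`; inside a YAML double-quoted string `\N` is the NEL (U+0085) escape, so the stored GP path is garbled when the policy is loaded. Change it to `Administrative Templates\\Network\\Windows Connection Manager\\Prohibit connection to non-domain networks when connected to domain authenticated network.` so it matches the escaping used everywhere else in this file.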
@@ -239,10 +265,10 @@ checks:
title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
description: "This setting turns off data sharing from the handwriting recognition personalization tool."
rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing."
compliance:
- cis: ["18.8.22.1.2"]
- - cis_csc: ["13"]
+ - cis_csc: ["13"]
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
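Review bot: No `references` entry is added for check 18.8.22.1.2, unlike every other check touched in this commit, and the only other change in the hunk replaces `- cis_csc: ["13"]` with a visually identical line (presumably a whitespace fix). If a CCE identifier exists for 'Turn off handwriting personalization data sharing' it should be added here for consistency with the rest of the file; if none is published, a one-line comment such as `# no CCE identifier published for this item` would stop the omission from being flagged again.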
@@ -253,10 +279,12 @@ checks:
title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
description: "Turns off the handwriting recognition error reporting tool."
rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting."
compliance:
- cis: ["18.8.22.1.3"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-37911-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -271,6 +299,8 @@ checks:
compliance:
- cis: ["18.8.22.1.4"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-37163-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -284,6 +314,8 @@ checks:
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com"
compliance:
- cis: ["18.8.22.1.7"]
+ references:
+ - 'CCE-36352-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
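Review bot: In the third hunk (check 18.8.22.1.7, 'Turn off Registration if URL connection is referring to Microsoft.com') the rule `r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control` omits the `SOFTWARE` subkey, so it points at a path that does not exist under HKLM on a standard Windows install and the check can never observe the real policy value. Every other rule in this file reads `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`; the line should be `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'`. The line is unchanged context here, but the check is being edited in this commit so the fix is cheap to fold in; the value-comparison rule that follows it lies outside the hunk. This hunk's remediation string is also the only one in the commit that did not receive the trailing period, which looks like an oversight.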
@@ -294,10 +326,12 @@ checks:
title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches."
rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates."
compliance:
- cis: ["18.8.22.1.8"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-36884-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -308,10 +342,12 @@ checks:
title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders."
rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task."
compliance:
- cis: ["18.8.22.1.9"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-38275-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -322,10 +358,12 @@ checks:
title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'"
description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders."
rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders."
compliance:
- cis: ["18.8.22.1.10"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-37090-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -336,10 +374,12 @@ checks:
title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."
rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program."
compliance:
- cis: ["18.8.22.1.11"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-36628-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -350,10 +390,12 @@ checks:
title: "Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used."
rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Customer Experience Improvement Program."
compliance:
- cis: ["18.8.22.1.12"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-36174-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
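Review bot: The `description` for 18.8.22.1.12 ('Turn off Windows Customer Experience Improvement Program') is the Windows Messenger text copied from the preceding check — it talks about "Windows Messenger software and service", which is not what the `SQMClient\Windows` key this rule reads controls. The commit rewrites this check's remediation line but leaves the mis-pasted description, so anyone reading the finding will be told the wrong thing was measured. Replace it with a description of the Windows CEIP setting itself, along the lines of `description: "This policy setting specifies whether Windows can collect anonymous information about how the operating system and its components are used (Customer Experience Improvement Program)."` — wording to be confirmed against the benchmark text.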
@@ -364,10 +406,12 @@ checks:
title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
description: "This policy setting controls whether or not errors are reported to Microsoft."
rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting."
compliance:
- cis: ["18.8.22.1.13"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-35964-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -382,10 +426,12 @@ checks:
title: Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen."
rationale: "This is a way to increase the security of the system account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in."
compliance:
- cis: ["18.8.26.1"]
- cis_csc: ["16.5"]
+ references:
+ - 'CCE-36343-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
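Review bot: The `title` line of check 18.8.26.1 is missing its opening double quote (`title: Ensure 'Disallow copying ... is set to 'Enabled'"`), so YAML reads it as a plain scalar that ends with a stray `"` and any consumer keying on the title sees the wrong string. The commit edits this check's remediation line but not the title; it should read `title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"`. Worth a quick `yamllint` pass over the file since this kind of quoting slip is invisible to a parser that accepts it.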
@@ -397,10 +443,12 @@ checks:
title: "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'"
description: "This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers."
rationale: "Unauthenticated RPC communication can create a security vulnerability."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Procedure Call\\Restrict Unauthenticated RPC clients."
compliance:
- cis: ["18.8.36.2"]
- cis_csc: ["9.1"]
+ references:
+ - 'CCE-36559-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -412,10 +460,12 @@ checks:
title: "Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
description: "This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider."
rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Microsoft Support Diagnostic Tool\\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider."
compliance:
- cis: ["18.8.44.5.1"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-38161-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -427,10 +477,12 @@ checks:
title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
description: "This policy setting specifies whether to enable or disable tracking of responsiveness events."
rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack."
compliance:
- cis: ["18.8.44.11.1"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-36648-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -442,10 +494,12 @@ checks:
title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps."
rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID."
compliance:
- cis: ["18.8.46.1"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-36931-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -457,10 +511,12 @@ checks:
title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
description: "This policy setting specifies whether the Windows NTP Client is enabled."
rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client."
compliance:
- cis: ["18.8.49.1.1"]
- cis_csc: ["6.1"]
+ references:
+ - 'CCE-37843-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -471,10 +527,12 @@ checks:
title: "Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
description: "This policy setting allows you to specify whether the Windows NTP Server is enabled."
rationale: "The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Server."
compliance:
- cis: ["18.8.49.1.2"]
- cis_csc: ["9.1"]
+ references:
+ - 'CCE-37319-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -486,9 +544,11 @@ checks:
title: "Ensure 'Turn off Windows Location Provider' is set to 'Enabled'"
description: "This policy setting turns off the Windows Location Provider feature for the computer."
rationale: "This setting affects the Windows Location Provider feature (e.g. GPS or other location tracking)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Windows Location Provider\\Turn off Windows Location Provider."
compliance:
- cis: ["18.9.39.1.1"]
+ references:
+ - 'CCE-38225-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -499,10 +559,12 @@ checks:
title: "Ensure 'Turn off location' is set to 'Enabled'"
description: "This policy setting turns off the location feature for the computer."
rationale: "This setting affects the location feature (e.g. GPS or other location tracking)."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location."
compliance:
- cis: ["18.9.39.2"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-36886-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -514,9 +576,11 @@ checks:
title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
description: "This policy setting allows you to restrict users to a single Remote Desktop Services session."
rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session."
compliance:
- cis: ["18.9.58.3.2.1"]
+ references:
+ - 'CCE-37708-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -528,10 +592,12 @@ checks: title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection." compliance: - cis: ["18.9.58.3.3.1"] - cis_csc: ["9.1"] + references: + - 'CCE-37696-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -542,10 +608,12 @@ checks: title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection." compliance: - cis: ["18.9.58.3.3.3"] - cis_csc: ["9.1"] + references: + - 'CCE-37778-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -556,10 +624,12 @@ checks: title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session." rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection." compliance: - cis: ["18.9.58.3.3.4"] - cis_csc: ["9.1"] + references: + - 'CCE-37477-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -571,10 +641,12 @@ checks: title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions." compliance: - cis: ["18.9.58.3.10.1"] - cis_csc: ["16.5"] + references: + - 'CCE-37562-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -585,10 +657,12 @@ checks: title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions." rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions." compliance: - cis: ["18.9.58.3.10.2"] - cis_csc: ["16.5"] + references: + - 'CCE-37949-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -600,10 +674,12 @@ checks: title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'" description: "Various levels of information can be shared with Bing in Search, to include user information and location." rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search." compliance: - cis: ["18.9.60.3"] - cis_csc: ["13"] + references: + - 'CCE-36937-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' 
@@ -615,7 +691,7 @@ checks: title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses." rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation." compliance: - cis: ["18.9.65.1"] condition: all 
@@ -629,10 +705,9 @@ checks: title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'" description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to \"Windows Defender Antivirus Cloud Protection Service\"." rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS." compliance: - - cis: ["18.9.76.3.2"] - - cis_csc: ["8"] + - cis: ["18.9.76.3.2"] condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' 
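Review bot: The compliance list for 'Join Microsoft MAPS' loses its `- cis_csc: ["8"]` entry and, unlike every neighbouring check in this commit, gains no `references:` list, while the `- cis: ["18.9.76.3.2"]` line is removed and re-added with no visible change. If dropping the CIS CSC mapping was deliberate it deserves a mention in the commit message; otherwise restore `- cis_csc: ["8"]` under `compliance:`. The same absence of a `references:` entry applies to the 'Turn off KMS Client Online AVS Validation' hunk just above, where only the trailing period changed; if CCE identifiers exist for these two controls they should be added in the same `references:` form the other checks use.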
@@ -644,10 +719,12 @@ checks: title: "Ensure 'Configure Watson events' is set to 'Disabled'" description: "This policy setting allows you to configure whether or not Watson events are sent." rationale: "Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\Reporting\\Configure Watson events." compliance: - cis: ["18.9.76.9.1"] - cis_csc: ["13"] + references: + - 'CCE-36950-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' 
@@ -659,10 +736,12 @@ checks: title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user." rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts." compliance: - cis: ["18.9.85.3"] - cis_csc: ["7"] + references: + - 'CCE-37524-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -674,10 +753,12 @@ checks: title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM." compliance: - cis: ["18.9.97.2.2"] - cis_csc: ["3.4"] + references: + - 'CCE-37927-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
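Review bot: The rewritten remediation path for 'Allow remote server management through WinRM' starts `Computer Configuration\\Administrative Templates\\...`, while every other remediation in this commit starts `Computer Configuration\\Policies\\Administrative Templates\\...`; the 'Allow Remote Shell Access' hunk that follows has the same shape. If the `Policies` segment is simply missing, the line should read `remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM."`. These strings are shown to operators as instructions, so an inconsistent GP path makes the control harder to apply correctly.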
@@ -689,10 +770,12 @@ checks: title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'" description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands." rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access." compliance: - cis: ["18.9.98.1"] - cis_csc: ["3.4"] + references: + - 'CCE-36499-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' From 559ca261e1f07a8e7e9e54130eb96956a39b1582 Mon Sep 17 00:00:00 2001 From: daescar Date: Thu, 8 Aug 2019 12:35:56 +0200 Subject: [PATCH 229/247] Updated cis_win2012r2_domainL1 --- sca/windows/cis_win2012r2_domainL1.yml | 867 +++++++++++++++++-------- 1 file changed, 583 insertions(+), 284 deletions(-) diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml index bd7f2d24e..7d77dd134 100644 --- a/sca/windows/cis_win2012r2_domainL1.yml +++ b/sca/windows/cis_win2012r2_domainL1.yml 
@@ -31,12 +31,14 @@ checks: # Section 1.1 - Password Policies - id: 11000 title: "Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" - description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0 ." + description: "This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0." rationale: "The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access." 
remediation: "To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age." compliance: - cis: ["1.1.2"] - cis_csc: ["16.5"] + references: + - 'CCE-37167-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' @@ -46,13 +48,15 @@ checks: # Section 2.3 - Security Options - id: 11001 - title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts" + title: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" description: "This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts." rationale: "Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably in order to meet the requirements of compliance standards that apply to their information systems." - remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts" + remediation: "To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Block Microsoft accounts." compliance: - cis: ["2.3.1.2"] - cis_csc: ["16"] + references: + - 'CCE-36147-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
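Review bot: The rationale for 'Accounts: Block Microsoft accounts' (a context line in the second hunk ending here) is missing its main verb phrase — `...will probably in order to meet the requirements of compliance standards...` — so the sentence never states what such organizations will do. The commit fixes the title quote and the remediation of this check but leaves the fragment; it should be completed from the benchmark wording rather than shipped as is.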
@@ -63,10 +67,12 @@ checks: title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled." rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only." 
compliance: - cis: ["2.3.1.4"] - cis_csc: ["16"] + references: + - 'CCE-37615-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
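Review bot: The rationale for 'Accounts: Limit local account use of blank passwords to console logon only' still reads `bypass your domainbased password policies`; it should be `bypass your domain-based password policies`. The commit rewrites the remediation of this check but leaves this context line untouched.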
@@ -77,10 +83,12 @@ checks: title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled. *Important*: Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance." rationale: "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." compliance: - cis: ["2.3.2.1"] - cis_csc: ["6.2"] + references: + - 'CCE-37850-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -91,10 +99,12 @@ checks: title: "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. The recommended state for this setting is: Disabled." rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits." compliance: - cis: ["2.3.2.2"] - cis_csc: ["6"] + references: + - 'CCE-35907-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -105,10 +115,12 @@ checks: title: "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" description: "This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: Administrators." rationale: "Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting." - remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media" + remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators and Interactive Users: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media." compliance: - cis: ["2.3.4.1"] - cis_csc: ["5.1"] + references: + - 'CCE-37701-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
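Review bot: The rewritten remediation for 'Devices: Allowed to format and eject removable media' tells the operator to set the UI path to `Administrators and Interactive Users`, which contradicts the title and description of the same check (`is set to 'Administrators'` and `The recommended state for this setting is: Administrators.`). Whichever value the registry rule below expects, an operator following the remediation text as written would configure a different setting than the title asks for. The line should read `remediation: "To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Allowed to format and eject removable media."`.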
@@ -117,12 +129,14 @@ checks: - id: 11006 title: "Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" - description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting, jobs that are created by server operators by means of the AT service will execute in the context of the account that runs that service. By default, that is the local SYSTEM account. 
If you enable this policy setting, server operators could perform tasks that SYSTEM is able to do but that they would typically not be able to do, such as add their account to the local Administrators group." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Allow server operators to schedule tasks." compliance: - cis: ["2.3.5.1"] - cis_csc: ["5.1"] + references: + - 'CCE-37848-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' 
@@ -131,14 +145,15 @@ checks: - id: 11007 title: "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" - description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." - rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. 
Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements" + description: "This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections." 
+ rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of man- in-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network." + remediation: "To establish the recommended configuration via GP, set the following UI path to Require signing: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: LDAP server signing requirements." compliance: - cis: ["2.3.5.2"] - cis_csc: ["3"] references: - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/ + - CCE-35904-2 condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters' 
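Review bot: The new reference `- CCE-35904-2` is the only CCE entry in this commit written as a plain scalar; every other hunk single-quotes them (`- 'CCE-36921-5'`). For consistency, and so the value stays an unambiguous string for any tooling that reads the references list, write `- 'CCE-35904-2'`. The neighbouring URL entry in the same list is also unquoted and would benefit from the same treatment, though it is not new in this commit.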
@@ -147,12 +162,14 @@ checks: - id: 11008 title: "Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)" - description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." + description: "This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled." rationale: "If you enable this policy setting on all Domain Controllers in a domain, domain members will not be able to change their computer account passwords, and those passwords will be more susceptible to attack." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain controller: Refuse machine account password changes." compliance: - cis: ["2.3.5.3"] - cis_csc: ["16"] + references: + - 'CCE-36921-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
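Review bot: The new `references` entry in this hunk is single-quoted (`- 'CCE-36921-5'`) while the hunk immediately above adds the same kind of identifier unquoted (`- CCE-35904-2`); pick one form for the whole file. A bare CCE identifier is a safe plain scalar, but the rest of this file single-quotes its list scalars, so `- 'CCE-35904-2'` in the earlier hunk is the consistent choice. The `description` line is shown removed and re-added with no visible difference, which suggests a whitespace-only change; it is worth confirming that nothing invisible such as a non-breaking space was introduced. Only the key-existence rule of this check is visible; the `rules` list may continue past the end of the hunk.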
@@ -161,12 +178,14 @@ checks: - id: 11009 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" - description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" + description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. 
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)." compliance: - cis: ["2.3.6.1"] - cis_csc: ["13"] + references: + - 'CCE-36142-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -175,12 +194,14 @@ checks: - id: 11010 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" - description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" + description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. 
Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)." compliance: - cis: ["2.3.6.2"] - cis_csc: ["13"] + references: + - 'CCE-37130-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -189,12 +210,14 @@ checks: - id: 11011 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" - description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" + description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." + rationale: "When a computer joins a domain, a computer account is created. 
After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)." compliance: - cis: ["2.3.6.3"] - cis_csc: ["13"] + references: + - 'CCE-37222-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -203,12 +226,14 @@ checks: - id: 11012 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" - description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes." 
compliance: - cis: ["2.3.6.4"] - cis_csc: ["16"] + references: + - 'CCE-37508-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -217,12 +242,14 @@ checks: - id: 11013 title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" - description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." + description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled." rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. 
The data can be modified to hide or change the sender, or be redirected.)" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key." compliance: - cis: ["2.3.6.6"] - cis_csc: ["13"] + references: + - 'CCE-37614-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' 
@@ -231,12 +258,14 @@ checks: - id: 11014 title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" - description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." + description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled." rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name." 
compliance: - cis: ["2.3.7.1"] - cis_csc: ["13"] + references: + - 'CCE-36056-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -245,12 +274,14 @@ checks: - id: 11015 title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" - description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." - rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." + description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled." + rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL" compliance: - cis: ["2.3.7.2"] - cis_csc: ["8"] + references: + - 'CCE-37637-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
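Review bot: The `remediation` line of check 11015 is the only one in this series that keeps its old text without a trailing period, while every neighbouring hunk in this commit rewrites the same field to end with `.`; for consistency change it to `remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL."`. The added `'CCE-37637-6'` reference follows the file's single-quoted list style and is fine. Only the key-existence rule of this check is visible here; the value rule, if any, lies past the end of the hunk.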
@@ -259,12 +290,14 @@ checks: - id: 11016 title: "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" - description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." + description: "Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit." rationale: "If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it." - remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit" + remediation: "To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Machine inactivity limit." compliance: - cis: ["2.3.7.3"] - cis_csc: ["16.5"] + references: + - 'CCE-38235-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' 
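Review bot: The rewritten description for check 11016 states that a value of `0` does not conform because it disables the inactivity limit, yet the only rule visible in this hunk is the key-existence check `r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`; the numeric value rule, if present, is past the end of the hunk. When that rule is reviewed, make sure it rejects `0` as well as values above 900, since a single upper-bound comparison would pass exactly the disabled state the description warns about. A one-line comment beside the value rule, `# 0 disables the lock and must fail the check`, would keep that intent visible to the next editor.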
@@ -274,12 +307,14 @@ checks: - id: 11017 title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" - description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." + description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days." rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections." - remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration" + remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration." 
compliance: - cis: ["2.3.7.7"] - cis_csc: ["16"] + references: + - 'CCE-37622-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -288,12 +323,14 @@ checks: - id: 11018 title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" - description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." + description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark." rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials." - remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior" + remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior." 
compliance: - cis: ["2.3.7.9"] - cis_csc: ["16.5"] + references: + - 'CCE-38333-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -302,12 +339,14 @@ checks: - id: 11019 title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" - description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)" + description: "This policy setting determines whether packet signing is required by the SMB client component. 
Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)." compliance: - cis: ["2.3.8.1"] - cis_csc: ["13"] + references: + - 'CCE-36325-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -316,12 +355,14 @@ checks: - id: 11020 title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" - description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)" + description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." 
+ rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)." compliance: - cis: ["2.3.8.2"] - cis_csc: ["13"] + references: + - 'CCE-36269-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' 
@@ -330,12 +371,14 @@ checks:
- id: 11021
title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
- description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
- rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers"
+ description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+ rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
compliance:
- cis: ["2.3.8.3"]
- cis_csc: ["13"]
+ references:
+ - 'CCE-37863-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
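Review bot: The new `references` entry is a bare CCE identifier written as a block sequence with single quotes, while the `cis`/`cis_csc` keys three lines above use flow lists; within one check the two list styles clash, so pick one (`references: ["CCE-37863-8"]` matches the existing keys). The rationale still says the receiving systems "may not use any of the SMB security mechanisms that are included with Windows Server 2003"; that product reference is CIS boilerplate and the point an analyst needs is simpler — a third-party SMB server without password encryption receives the password in clear text on the wire. The value comparison for this setting, if any, is in rules outside this hunk; only the `LanmanWorkstation\Parameters` key check is visible.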
@@ -344,12 +387,14 @@ checks:
- id: 11022
title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
- description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+ description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
compliance:
- cis: ["2.3.9.1"]
- cis_csc: ["3"]
+ references:
+ - 'CCE-38046-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
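Review bot: The title's requirement is compound — at most 15 minutes and not 0 — and the one visible rule only asserts that the `LanManServer\Parameters` key exists, so the numeric rules that follow outside this hunk must reject 0 separately from the upper bound; a single `compare <= 15` would accept 0, which the description says lets sessions persist indefinitely. It is also worth confirming how a missing idle-timeout value is scored, since the description states no default. A comment above `rules:` records the intent: `# Both bounds are required: 0 disables suspension entirely and must fail, as must anything above 15.`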
@@ -359,12 +404,14 @@ checks: - id: 11023 title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" - description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)" + description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. 
Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)." compliance: - cis: ["2.3.9.2"] - cis_csc: ["13"] + references: + - 'CCE-37864-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
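Review bot: The rationale omits the reason most operators enable the server-side `(always)` setting in practice: requiring signing is what stops a captured NTLM authentication from being relayed to this host's SMB service, because the relayed session cannot produce valid signatures, and the `(if client agrees)` variant of 2.3.9.3 gives no such protection. I would add one sentence to the rationale, e.g. `Requiring signing on the server is also the control that defeats NTLM relay to SMB; merely negotiating signing (2.3.9.3) does not.` The description's sentence about a "mixed environment" and "downstream clients using the workstation as a network server" is hard to follow and would be clearer stated as the effect on legacy clients that cannot sign. The check's rule list continues past the end of this hunk.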
@@ -373,12 +420,14 @@ checks: - id: 11024 title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" - description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." - rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)" + description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. 
If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled." + rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)." compliance: - cis: ["2.3.9.3"] - cis_csc: ["13"] + references: + - 'CCE-35988-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' 
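Review bot: A pass on this check must not be reported as "SMB signing enforced": the new description itself says a client that does not request signing is allowed an unsigned connection unless the `(always)` setting of 2.3.9.2 is enabled, yet the title and rationale read as though the session-hijacking threat is closed. A comment above `- id: 11024` keeps the two from being treated as equivalent: `# Negotiation only. Enforcement is check 11023 (CIS 2.3.9.2); a pass here does not prevent unsigned sessions.` The rationale is a verbatim copy of 11023's, which is fine for CIS fidelity as long as the comment makes the difference explicit. The check's rules continue outside this hunk.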
@@ -387,12 +436,14 @@ checks:
- id: 11025
title: "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'"
- description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
+ description: "This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled."
rationale: "If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Disconnect clients when logon hours expire."
compliance:
- cis: ["2.3.9.4"]
- cis_csc: ["16"]
+ references:
+ - 'CCE-37972-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
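Review bot: The description tells the reader to also enable "Network security: Force logoff when logon hours expire (Rule 2.3.11.6)", but the cross-reference is by CIS number only; if this policy file carries a check for 2.3.11.6, naming its `id` in a comment above `- id: 11025` saves the analyst a search and records that a pass is meaningless where no logon hours are configured, e.g. `# Pair with the 2.3.11.6 check; this setting has no effect unless logon hours are configured on the accounts.` The rationale already makes the second point, so no other text needs to change. The value comparison for this check is outside the hunk.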
@@ -402,12 +453,14 @@ checks:
# Section 2.3 - Security Options
- id: 11026
title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
- rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication"
+ description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+ rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
compliance:
- cis: ["2.3.10.4"]
- cis_csc: ["16.14"]
+ references:
+ - 'CCE-38119-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -416,12 +469,14 @@ checks:
- id: 11027
title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
- description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+ description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
compliance:
- cis: ["2.3.10.5"]
- cis_csc: ["14", "16"]
+ references:
+ - 'CCE-36148-5'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
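Review bot: The description says the new value takes effect only after a restart, and this check reads the registry — so a host whose `Control\Lsa` value has been set but that has not rebooted will pass while Credential Manager is still saving credentials. That deserves a comment so a pass is not over-read: `# Registry-only check: a pending reboot means the policy is not yet in effect.` The `# Section 2.3 - Security Options` context comment sits between 2.3.9.4 and 2.3.10.4 even though the 2.3.8.x checks above are already in Section 2.3, so it looks misplaced, but it is untouched by this commit. The value comparison for this check is outside the hunk.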
@@ -430,12 +485,14 @@ checks:
- id: 11028
title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
- description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+ description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: - Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. - Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
- remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously"
+ remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
compliance:
- cis: ["2.3.10.6"]
- cis_csc: ["14.1", "16"]
+ references:
+ - 'CCE-38258-0'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
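Review bot: The rewritten description embeds a two-item bullet list (`- Level 1 - Domain Controller …`, `- Level 1 - Member Server …`) inside a single double-quoted scalar, so the bullets become stray dashes in running text; a `>-` folded block scalar yields the same value and lets the list read as a list in the file. More importantly, the two profiles have different recommended states — a DC needs `LSARPC, NETLOGON, SAMR`, a member server needs none — and one rule set can satisfy only one of them; the rules continue outside this hunk, but whichever profile they implement should be stated above `- id: 11028`, e.g. `# Implements the Member Server profile; expect a finding on Domain Controllers, where LSARPC/NETLOGON/SAMR are required.` Adjust the wording to what the rules actually compare against.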
@@ -444,12 +501,14 @@ checks: - id: 11029 title: "Configure 'Network access: Remotely accessible registry paths'" - description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." + description: "This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called 'Network access: Remotely accessible registry paths and sub- paths' in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. 
It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." rationale: "The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths" + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths." compliance: - cis: ["2.3.10.7"] - cis_csc: ["14", "16"] + references: + - 'CCE-37194-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' 
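Review bot: The new remediation line gives the three path values before naming the Group Policy setting they belong to (`set the following UI path to: <paths>. Computer Configuration\\…`), the reverse of every other remediation in this diff, which reads `set the following UI path to <value>: <path>`; an analyst skimming for the GP path will miss it. Reordering to `…\\Security Options\\Network access: Remotely accessible registry paths, with the value: System\\CurrentControlSet\\Control\\ProductOptions | System\\CurrentControlSet\\Control\\Server Applications | Software\\Microsoft\\Windows NT\\CurrentVersion.` keeps the content and matches the rest of the file. The check's rules continue past this hunk.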
@@ -458,12 +517,14 @@ checks: - id: 11030 title: "Configure 'Network access: Remotely accessible registry paths and sub-paths'" - description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." + description: "This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called 'Network access: Remotely accessible registry paths,' the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. 
It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value." rationale: "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack." - remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. 
When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" + remediation: "To establish the recommended configuration via GP, set the following UI path to: System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog | Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local | Policies\\Security Options\\Network access: Remotely accessible registry paths | and sub-paths. When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\\CurrentControlSet\\Services\\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\\CurrentControlSet\\Services\\WINS" compliance: - cis: ["2.3.10.8"] - cis_csc: ["14", "16"] + references: + - 'CCE-36347-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' 
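Review bot: The ` | ` separators in the new remediation line are misplaced, so the path list it tells an operator to enter is wrong: `Services\\Eventlog Software\\Microsoft\\OLAP Server` merges two paths, `CurrentVersion\\Print Software\\Microsoft\\Windows | NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex` glues `Print` to the next path, splits `Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows` in half and attaches `ContentIndex` to its tail, and the GP UI path at the end is itself broken by `Local | Policies\\…registry paths | and sub-paths`. The commit carries the old line over verbatim, so this is inherited, but it is the text an analyst will paste. The corrected value is the eleven paths each separated by ` | ` — `System\\CurrentControlSet\\Control\\Print\\Printers | System\\CurrentControlSet\\Services\\Eventlog | Software\\Microsoft\\OLAP Server | Software\\Microsoft\\Windows NT\\CurrentVersion\\Print | Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows | System\\CurrentControlSet\\Control\\ContentIndex | System\\CurrentControlSet\\Control\\Terminal Server | System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig | System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration | Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib | System\\CurrentControlSet\\Services\\SysmonLog` — followed by the unbroken UI path `Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Remotely accessible registry paths and sub-paths.` and the CertSvc/WINS sentences unchanged.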
@@ -472,12 +533,14 @@ checks:
- id: 11031
title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
- description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+ description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
compliance:
- cis: ["2.3.10.9"]
- cis_csc: ["14", "16"]
+ references:
+ - 'CCE-36021-4'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
@@ -486,12 +549,14 @@ checks:
- id: 11032
title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
- description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
+ description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
compliance:
- cis: ["2.3.10.10"]
- cis_csc: ["14", "16"]
+ references:
+ - 'CCE-38095-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
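Review bot: This check's rules run past the end of the hunk; the leading context of the next hunk shows the final one as `not r:… -> NullSessionShares -> r:\.`, i.e. a pass whenever the value matches no character at all. It is worth confirming how that scores when `NullSessionShares` is absent rather than empty — a freshly applied "None" may be either an empty `REG_MULTI_SZ` or no value — and recording the expected outcome in a comment above that rule, e.g. `# Pass = value absent or empty; any listed share name is a finding.` The description's remark that the default "has little effect" should not be read as lowering the severity, since the rationale correctly says any listed share is reachable by any network user.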
@@ -499,12 +564,14 @@ checks:
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
 - id: 11033
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
- description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
- rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts"
+ description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+ rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
 compliance:
 - cis: ["2.3.10.11"]
 - cis_csc: ["14", "16"]
+ references:
+ - 'CCE-37623-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -513,12 +580,14 @@ checks:
 - id: 11034
 title: "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
- description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. This policy is supported on at least Windows 7 or Windows Server 2008 R2. The recommended state for this setting is: Enabled."
 rationale: "When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption is supported in order to provide data protection."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow Local System to use computer identity for NTLM."
 compliance:
 - cis: ["2.3.11.1"]
 - cis_csc: ["14", "16"]
+ references:
+ - 'CCE-38341-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -527,12 +596,14 @@ checks:
 - id: 11035
 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'"
- description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
+ description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled."
 rationale: "NULL sessions are less secure because by definition they are unauthenticated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback."
 compliance:
 - cis: ["2.3.11.2"]
 - cis_csc: ["14"]
+ references:
+ - 'CCE-37035-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -541,12 +612,14 @@ checks:
 - id: 11036
 title: "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
- description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
+ description: "This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. 
With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled."
 rationale: "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network Security: Allow PKU2U authentication requests to this computer to use online identities."
 compliance:
 - cis: ["2.3.11.3"]
 - cis_csc: ["16.9"]
+ references:
+ - 'CCE-38047-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
@@ -555,12 +628,14 @@ checks:
 - id: 11037
 title: "Ensure 'Network Security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
- description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
+ description: "This policy setting allows you to set the encryption types that Kerberos is allowed to use. The recommended state for this setting is: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types. Note: Some legacy applications and OSes may require RC4_HMAC_MD5 - we recommend you test in your environment and verify whether you can safely remove it. For the purposes of scoring we have allowed the use of RC4_HMAC_MD5 as an optional setting."
 rationale: "he strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."
- remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos."
 compliance:
 - cis: ["2.3.11.4"]
 - cis_csc: ["16.14"]
+ references:
+ - 'CCE-37755-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
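Review bot: The rationale line carried as context in this hunk starts with `he strength of each encryption algorithm varies from one to the next`, a truncated `The strength`; the commit re-emits the neighbouring description and remediation lines of this check for punctuation but leaves the typo in place. Fixing it in the same commit keeps the CIS text intact: `rationale: "The strength of each encryption algorithm varies from one to the next, choosing stronger algorithms will reduce the risk of compromise however doing so may cause issues when the computer attempts to authenticate with systems that do not support them."`. The check's remaining rule lines appear to sit outside this hunk.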
@@ -569,12 +644,14 @@ checks:
 - id: 11038
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
- description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
 compliance:
 - cis: ["2.3.11.5"]
 - cis_csc: ["16.14"]
+ references:
+ - 'CCE-36326-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -583,12 +660,14 @@ checks:
 - id: 11039
 title: "Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'"
- description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
+ description: "This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Microsoft network server: Disconnect clients when logon hours expire (Rule 2.3.9.4). The recommended state for this setting is: Enabled. Note: This recommendation is unscored because there is not a documented registry value that corresponds to it. We still strongly encourage that it be configured as Enabled, to ensure that logon hours (when configured) are properly enforced."
 rationale: "If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled. 
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Force logoff when logon hours expire."
 compliance:
 - cis: ["2.3.11.6"]
 - cis_csc: ["16"]
+ references:
+ - 'CCE-36270-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
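Review bot: The new remediation line in this hunk still reads `set the following UI path to Enabled. Computer Configuration\\...`, a period where every sibling check in these hunks uses a colon (`to Enabled: Computer Configuration\\...`); since the line is already being rewritten to add the trailing period, make it `set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\...`. Separately, the description states the recommendation is unscored because no documented registry value corresponds to it, yet the check's rule reads `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters`; if the rule line that appears to continue past the hunk compares a value under that key, the description and the check contradict each other and one of them should be reconciled.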
@@ -597,12 +676,14 @@ checks:
 - id: 11040
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
- description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
- rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. 
However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level"
+ description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. 
LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+ rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. 
Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
 compliance:
 - cis: ["2.3.11.7"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-36173-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
@@ -611,12 +692,14 @@ checks:
 - id: 11041
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
- description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+ description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
 compliance:
 - cis: ["2.3.11.8"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-36858-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
@@ -625,12 +708,14 @@ checks:
 - id: 11042
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
 compliance:
 - cis: ["2.3.11.9"]
 - cis_csc: ["13"]
+ references:
+ - 'CCE-37553-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -639,14 +724,15 @@ checks:
- id: 11043
title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level (Rule 2.3.11.7) security setting value."
rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
compliance:
- cis: ["2.3.11.10"]
- - cis_csc: ["13"]
+ - cis_csc: ["13"] ''
references:
- https://workbench.cisecurity.org/benchmarks/288
+ - CCE-37835-6
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
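Review bot: The new `- cis_csc: ["13"] ''` line under `compliance:` for 11043 carries a stray `''` after the flow sequence, which is not valid YAML (a scalar cannot follow a closed flow sequence on the same line); a strict loader will reject the whole policy file, so not just this check but every check in it would stop being evaluated. It should read `- cis_csc: ["13"]`. The added `- CCE-37835-6` is also the only unquoted CCE id in this commit, whereas every other hunk writes `- 'CCE-…'`; quoting it keeps the references list consistent and guarantees it stays a string. The rules list may continue past the last line shown.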
@@ -655,12 +741,14 @@ checks:
- id: 11044
title: "Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'"
- description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
+ description: "This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server."
rationale: "Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary DoS condition. Attackers could also shut down the server and leave all of its applications and services unavailable.
As noted in the Description above, the Denial of Service (DoS) risk of enabling this setting dramatically increases in Windows Server 2012 (non-R2) and above, as even remote users could then shut down or restart the server from the logon screen of an RDP session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Shutdown: Allow system to be shut down without having to log on."
compliance:
- cis: ["2.3.13.1"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36788-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
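Review bot: The `rationale:` scalar for 11044 appears to continue onto a second physical line beginning `As noted in the Description above`; inside a double-quoted scalar that break folds to a single space, so it loads, but this commit unwraps exactly this kind of wrap in the 11046 remediation (hunk `@@ -682`) while leaving this one and the 11045 rationale (hunk `@@ -669`) wrapped. For consistency, join both onto one line as was done for 11046. If the break is only an artefact of how the diff was rendered, ignore this.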
@@ -669,11 +757,13 @@ checks:
- id: 11045
title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
- description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters.
Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems."
compliance:
- cis: ["2.3.15.1"]
+ references:
+ - 'CCE-37885-1'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
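Review bot: The new `remediation:` line for 11045 keeps the broken policy name `non- Windows subsystems` and only appends a period, while the check's own `title:` spells the setting `non-Windows subsystems`; an operator copying the UI path from the remediation text will not find it under the hyphenated-with-space form. Change the tail of the line to `…Security Options\\System objects: Require case insensitivity for non-Windows subsystems.`. The rules list may continue beyond the last line shown.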
@@ -682,12 +772,14 @@ checks:
- id: 11046
title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g.
Symbolic Links)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)."
compliance:
- cis: ["2.3.15.2"]
- cis_csc: ["14.4"]
+ references:
+ - 'CCE-37644-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
@@ -696,12 +788,14 @@ checks:
- id: 11047
title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
- description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account"
+ description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
compliance:
- cis: ["2.3.17.1"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36494-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
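Review bot: The rewritten `rationale:` for 11047 changes the first list item to `- If the computer is not joined to a domain` but leaves the second as `-If the computer is joined to a domain`, so the two bullets of the same sentence are now formatted differently. Apply the same spacing to the second item: `- If the computer is joined to a domain, no local administrator accounts are created.` The same `-To …` bullet style without a space after the dash survives in the 11052 rationale (hunk `@@ -766`).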
@@ -710,12 +804,14 @@ checks:
- id: 11048
title: "Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'"
- description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
+ description: "This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled."
rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting allows the administrator to perform operations that require elevated privileges while connected via Remote Assistance. This increases security in that organizations can use UAC even when end user support is provided remotely. However, it also reduces security by adding the risk that an administrator might allow an unprivileged user to share elevated privileges for an application that the administrator needs to use during the Remote Desktop session."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop."
compliance:
- cis: ["2.3.17.2"]
- cis_csc: ["16"]
+ references:
+ - 'CCE-36863-9'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -724,12 +820,14 @@ checks:
- id: 11049
title: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'"
- description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
+ description: "This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop."
rationale: "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the secure desktop: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode."
compliance:
- cis: ["2.3.17.3"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-37029-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -738,12 +836,14 @@ checks:
- id: 11050
title: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
- description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
+ description: "This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests."
rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation requests: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Behavior of the elevation prompt for standard users."
compliance:
- cis: ["2.3.17.4"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36864-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -752,12 +852,14 @@ checks:
- id: 11051
title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'"
- description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
- rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage"
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation"
+ description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled."
+ rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation."
compliance:
- cis: ["2.3.17.5"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36533-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
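Review bot: The registry path in the 11051 rule, `'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`, contains an extra `\MACHINE\` segment that none of the sibling UAC checks (11047–11050, 11052–11055) use; it looks like a typo, and with `condition: all` a key that cannot be opened would make this check fail on every host regardless of the actual policy value. The commit does not introduce this line, but since the check is being edited here it is worth fixing alongside: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'`. The rest of the rules list, if any, is outside the hunk, so any value-level rule that follows should be checked for the same path.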
@@ -766,12 +868,14 @@ checks:
- id: 11052
title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
- rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations"
+ description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+ rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window. -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
compliance:
- cis: ["2.3.17.6"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-37057-7'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
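Review bot: The rewritten `rationale:` for 11052 still reads `-To uses AttachThreadInput to attach a thread to a higher integrity input queue`, which is a typo carried over from the removed line; since the line is being rewritten anyway (only the double space before `-To drive` was collapsed), fix it to `-To use AttachThreadInput to attach a thread to a higher integrity input queue.` The preceding item `-To use read input for all integrity levels` also reads awkwardly and presumably means `-To read input for all integrity levels`; that one is a guess at the source wording, so check it against the benchmark text before changing it.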
@@ -780,12 +884,14 @@ checks:
- id: 11053
title: "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'"
- description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
+ description: "This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced."
rationale: "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Run all administrators in Admin Approval Mode."
compliance:
- cis: ["2.3.17.7"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36869-6'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -794,12 +900,14 @@ checks:
- id: 11054
title: "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'"
- description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled."
rationale: "Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Switch to the secure desktop when prompting for elevation."
compliance:
- cis: ["2.3.17.8"]
- cis_csc: ["5.1"]
+ references:
+ - 'CCE-36866-2'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -808,11 +916,13 @@ checks:
- id: 11055
title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
compliance:
- cis: ["2.3.17.9"]
+ references:
+ - 'CCE-37064-3'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
@@ -821,13 +931,15 @@ checks:
# Section 9.1 - Domain Profile
- id: 11056
- title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ title: "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state."
compliance:
- cis: ["9.1.1"]
- cis_csc: ["9.2"]
+ references:
+ - 'CCE-36062-8'
condition: all
rules:
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -836,12 +948,14 @@ checks:
 - id: 11057
 title: "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections."
 compliance:
 - cis: ["9.1.2"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38117-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -850,12 +964,14 @@ checks:
 - id: 11058
 title: "Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default)."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections."
 compliance:
 - cis: ["9.1.3"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-36146-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -864,11 +980,13 @@ checks:
 - id: 11059
 title: "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
- rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert"
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification"
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification."
 compliance:
 - cis: ["9.1.4"]
+ references:
+ - 'CCE-38041-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
@@ -877,12 +995,14 @@ checks:
 - id: 11060
 title: "Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.1.5"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37482-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
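Review bot: The `remediation` string of check 11060 is carried as unchanged context without the trailing period that every other hunk in this series adds to its `remediation` value, so the commit leaves the file inconsistent on exactly the point it is normalising; it should end `...\\Domain Profile\\Logging Customize\\Name."`. Check 11068 in the Private Profile section is left the same way and should end `...\\Private Profile\\Logging Customize\\Name."`. The check's rule list continues past the end of the hunk.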
@@ -891,12 +1011,14 @@ checks:
 - id: 11061
 title: "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)."
 compliance:
 - cis: ["9.1.6"]
 - cis_csc: ["6.3"]
+ references:
+ - 'CCE-36088-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -905,12 +1027,14 @@ checks:
 - id: 11062
 title: "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets."
 compliance:
 - cis: ["9.1.7"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37523-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -919,12 +1043,14 @@ checks:
 - id: 11063
 title: "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections."
 compliance:
 - cis: ["9.1.8"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-36393-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
@@ -933,13 +1059,15 @@ checks:
 # Section 9.2 - Private Profile
 - id: 11064
- title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
 compliance:
 - cis: ["9.2.1"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38239-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -948,12 +1076,14 @@ checks:
 - id: 11065
 title: "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections."
 compliance:
 - cis: ["9.2.2"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38042-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -962,12 +1092,14 @@ checks:
 - id: 11066
 title: "Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
- description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
+ description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying."
 rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections."
 compliance:
 - cis: ["9.2.3"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-38332-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -976,11 +1108,13 @@ checks:
 - id: 11067
 title: "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
- description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
+ description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored."
 rationale: "Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert."
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Settings Customize\\Display a notification."
 compliance:
 - cis: ["9.2.4"]
+ references:
+ - 'CCE-37621-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
@@ -989,12 +1123,14 @@ checks:
 - id: 11068
 title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'"
- description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
+ description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name"
 compliance:
 - cis: ["9.2.5"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37569-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1003,12 +1139,14 @@ checks:
 - id: 11069
 title: "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16384 KB or greater'"
- description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
+ description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)."
 compliance:
 - cis: ["9.2.6"]
 - cis_csc: ["6.3"]
+ references:
+ - 'CCE-38178-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1017,12 +1155,14 @@ checks:
 - id: 11070
 title: "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets."
 compliance:
 - cis: ["9.2.7"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-35972-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1031,12 +1171,14 @@ checks:
 - id: 11071
 title: "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
- description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
+ description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections."
 compliance:
 - cis: ["9.2.8"]
 - cis_csc: ["6.2"]
+ references:
+ - 'CCE-37387-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
@@ -1045,13 +1187,15 @@ checks:
 # Sectin 9.3 - Public Profile
 - id: 11072
- title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
 compliance:
 - cis: ["9.3.1"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-37862-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
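Review bot: The section header `# Sectin 9.3 - Public Profile`, carried as context at the top of this hunk, keeps its typo even though the commit is already rewording this check's title and remediation; the sibling headers read `# Section 9.1 - Domain Profile` and `# Section 9.2 - Private Profile`, so this one should be `# Section 9.3 - Public Profile`. The check's rule list continues past the end of the hunk.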
@@ -1060,12 +1204,14 @@ checks:
 - id: 11073
 title: "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
- description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)"
+ description: "This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default)."
 rationale: "If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Block (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections."
 compliance:
 - cis: ["9.3.2"]
 - cis_csc: ["9.2"]
+ references:
+ - 'CCE-36057-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
@@ -1074,12 +1220,14 @@ checks: - id: 11074 title: "Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" - description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." + description: "This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default). Note: If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying." rationale: "Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections" + remediation: "To establish the recommended configuration via GP, set the following UI path to Allow (default): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections." compliance: - cis: ["9.3.3"] - cis_csc: ["9.2"] + references: + - 'CCE-37434-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' 
@@ -1087,12 +1235,14 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' - id: 11075 - title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'" - description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No." + title: "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + description: "Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: No." rationale: "Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall." - remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification" + remediation: "To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification." compliance: - cis: ["9.3.4"] + references: + - 'CCE-38043-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' 
@@ -1102,12 +1252,14 @@ checks: - id: 11076 title: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" - description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." + description: "This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: No. Note: When the Apply local firewall rules setting is configured to No, it's recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored." rationale: "iWhen in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules" + remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local firewall rules." compliance: - cis: ["9.3.5"] - cis_csc: ["5.1"] + references: + - 'CCE-37861-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' 
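Review bot: The rationale on check 11076 still begins `iWhen in the Public profile`; that string is surfaced to analysts in scan results, so the stray leading `i` should be dropped: `rationale: "When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy."`. The description on the same check notes that users keep receiving unblock prompts unless `Display a notification` is also `No`, which check 11075 in the preceding hunk enforces, so that pairing is covered. The value rule for this check is not visible in the hunk.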
@@ -1116,12 +1268,14 @@ checks: - id: 11077 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" - description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No." + description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No." rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack." - remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules" + remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules." compliance: - cis: ["9.3.6"] - cis_csc: ["5.1"] + references: + - 'CCE-36268-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' 
@@ -1129,13 +1283,15 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0' - id: 11078 - title: "Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" - description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." + title: "Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" + description: "Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name" compliance: - cis: ["9.3.7"] - cis_csc: ["6.2"] + references: + - 'CCE-37266-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' 
@@ -1144,12 +1300,14 @@ checks: - id: 11079 title: "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16384 KB or greater'" - description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." + description: "Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)" + remediation: "To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Size limit (KB)." compliance: - cis: ["9.3.8"] - cis_csc: ["6.3"] + references: + - 'CCE-36395-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' 
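Review bot: The title of check 11079 promises `16384 KB or greater`, but only the key-existence rule for `PublicProfile\Logging` is visible in this hunk; if the value rule that follows is an exact match on the configured log size, a host set to a larger limit (compliant per the benchmark) would be reported as failing. A numeric comparison (the `compare >= 16384` form, if the engine's numeric syntax applies to registry values) would express the stated threshold; please confirm which form the rule uses. The check definition continues past the end of this hunk.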
@@ -1158,12 +1316,14 @@ checks: - id: 11080 title: "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" - description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." + description: "Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets" + remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log dropped packets." compliance: - cis: ["9.3.9"] - cis_csc: ["6.2"] + references: + - 'CCE-37265-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' 
@@ -1172,12 +1332,14 @@ checks: - id: 11081 title: "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" - description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." + description: "Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections" + remediation: "To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections." compliance: - cis: ["9.3.10"] - cis_csc: ["6.2"] + references: + - 'CCE-36394-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' 
@@ -1187,11 +1349,13 @@ checks: # Section 18.1 - Control Panel - id: 11082 title: "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" - description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled." + description: "Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: Enabled." rationale: "Disabling the lock screen camera extends the protection afforded by the lock screen to camera features." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). " + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.1.1.1"] + references: + - 'CCE-38347-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' 
@@ -1200,11 +1364,13 @@ checks: - id: 11083 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" - description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." + description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.1.1.2"] + references: + - 'CCE-38348-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' 
@@ -1214,7 +1380,7 @@ checks: # Section 18.3 - MS Security Guide - id: 11084 title: "Ensure 'WDigest Authentication' is set to 'Disabled'" - description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." + description: "When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. The recommended state for this setting is: Disabled." rationale: "Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\WDigest Authentication (disabling may require KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft." compliance: @@ -1224,6 +1390,7 @@ checks: - https://www.microsoft.com/en-us/download/details.aspx?id=36036 - https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a - https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/ + - 'CCE-38444-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 
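Review bot: The rule that makes check 11084 meaningful is not in the hunk: only the key-existence rule for `...\SecurityProviders\WDigest` is visible, and the description itself states that WDigest is enabled by default on versions before Windows 8.1 / Server 2012 R2 when nothing is configured. Please confirm the following rule line requires the controlling value (presumably `UseLogonCredential`) to be explicitly `0` rather than merely present, so a missing value on an older host is reported as a failure, which is what the benchmark intends. Separately, this check's remediation is the one in the block that did not receive the trailing period applied to its neighbours. The check definition continues past the end of this hunk.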
@@ -1233,15 +1400,16 @@ checks: # Section 18.4 - MSS (Legacy) - id: 11085 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" - description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." + description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. 
As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.1"] - cis_csc: ["16"] references: - https://support.microsoft.com/en-us/help/324737/how-to-turn-on-automatic-logon-in-windows - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37067-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
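Review bot: Check 11085 only inspects the `Winlogon` key as far as this hunk shows, while its own description says the real hazard is the plaintext password stored in the registry and readable remotely by Authenticated Users; a host where automatic logon was switched back off but the stored password was never removed still exposes that credential. If the rule engine supports a negated rule, consider a companion rule (or a separate check) that fails when a `DefaultPassword` value exists under the same `Winlogon` key, the value that automatic logon relies on per the Microsoft article already listed in `references`. The value rule for `AutoAdminLogon` itself is not visible here; the check continues past the end of this hunk.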
@@ -1250,14 +1418,15 @@ checks: - id: 11086 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" - description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." + description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.2"] - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36871-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 
@@ -1266,14 +1435,15 @@ checks: - id: 11087 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" - description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." + description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.3"] - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36535-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
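Review bot: The re-added description for check 11087 says the setting should be `Not Defined` for enterprise environments and `Highest Protection` only for high-security environments, yet the title and remediation require the highest-protection value unconditionally, so the text tells an analyst two different things about the same check. Either drop that middle sentence or state which profile this policy implements, e.g. `... This policy follows the high-security recommendation: Enabled: Highest protection, source routing is completely disabled.`. The IPv6 twin, check 11086 in the preceding hunk, does not carry the contradictory sentence, so aligning 11087 with it is the simpler fix. The value rule for `Tcpip\Parameters` is not visible in this hunk.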
@@ -1282,14 +1452,15 @@ checks: - id: 11088 title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" - description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." + description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.4"] - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37988-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 
@@ -1298,14 +1469,15 @@ checks: - id: 11089 title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" - description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." - rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." + rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.6"] - cis_csc: ["9"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36879-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 
@@ -1314,14 +1486,15 @@ checks: - id: 11090 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" - description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." + description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. 
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.8"] - cis_csc: ["8"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36351-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager' 
@@ -1330,14 +1503,15 @@ checks: - id: 11091 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" - description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." + description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.9"] - cis_csc: ["16.5"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-37993-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 
@@ -1346,14 +1520,15 @@ checks: - id: 11092 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" - description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." - rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog" + description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." 
+ rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." compliance: - cis: ["18.4.12"] - cis_csc: ["6.3"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ + - 'CCE-36880-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security' 
@@ -1363,12 +1538,14 @@ checks: # Section 18.5 - Network - id: 11093 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" - description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled" - rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." + description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled" + rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.5.11.2"] - cis_csc: ["5.1"] + references: + - 'CCE-38002-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' @@ -1377,12 +1554,14 @@ checks: - id: 11094 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" - description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled." + description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled" rationale: "Allowing regular users to set a network location increases the risk and attack surface." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - cis: ["18.5.11.3"] - cis_csc: ["5.1"] + references: + - 'CCE-38188-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 
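Review bot: The description kept on the new side of the id 11093 hunk still reads `to controls user's ability`, which is ungrammatical; the line should read `description: "This policy setting controls users' ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."`. The sentence also ends without the full stop that the neighbouring checks (ids 11088 through 11092) place after the recommended state, so the wording is inconsistent within the same commit. This text is what the scan report shows to operators, so it is worth fixing here rather than in a later cleanup.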
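Review bot: The rewritten description for id 11094 drops the terminal period (`The recommended state for this setting is: Enabled`) that the removed line had, while elsewhere the commit is adding terminal periods to the remediation strings (for example in the id 11088 hunk). The same regression appears in the id 11095 hunk (`Enabled`) and the id 11096 hunk (`Disabled`). Keeping `The recommended state for this setting is: Enabled.` (and `Disabled.` for 11096) on those lines keeps the wording uniform with the checks above.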
@@ -1391,12 +1570,14 @@ checks: - id: 11095 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'" - description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled." + description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled" rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.5.21.1"] - cis_csc: ["12"] + references: + - 'CCE-38338-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' 
@@ -1406,12 +1587,14 @@ checks: # Section 18.8 - System - id: 11096 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'" - description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled. " + description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled" rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.8.3.1"] - cis_csc: ["16.14"] + references: + - 'CCE-36925-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 
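Review bot: The rationale for id 11096 explains only why command-line logging can expose secrets; a reader deploying this policy would also want to know that the same setting is what puts command-line arguments into process-creation audit events, which endpoint detection and incident-response tooling commonly relies on. A one-sentence addition to the rationale, such as `Note that disabling this also removes command-line arguments from process creation audit events, so detection coverage that depends on them should be reassessed.`, would document the trade-off the recommendation makes without changing the check itself.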
@@ -1420,12 +1603,14 @@ checks: - id: 11097 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" - description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." + description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -Good: The driver has been signed and has not been tampered with. -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. 
-Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." rationale: "This policy setting helps reduce the impact of malware that has already infected your system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.14.1"] - cis_csc: ["8"] + references: + - 'CCE-37912-3' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 
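Review bot: The rewritten description for id 11097 still carries the extraction artifact `Early Launch Antimalware boot- start driver` (a stray space after the hyphen) even though this commit is normalising the whitespace in that very string; it should read `Early Launch Antimalware boot-start driver`, matching the other occurrences of `boot-start driver` in the same line. Since the description is shown to operators in the scan report, the fix belongs in this commit.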
@@ -1434,12 +1619,14 @@ checks: - id: 11098 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" - description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." + description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)." rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.21.2"] - cis_csc: ["3.7"] + references: + - 'CCE-36169-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' 
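Review bot: The id 11098 hunk adds `'CCE-36169-1'` and the following id 11099 hunk adds the identical `'CCE-36169-1'` for a different benchmark item (cis 18.8.21.2 versus 18.8.21.3). Both titles are options of the single 'Configure registry policy processing' setting, so a shared CCE is plausible, but a duplicated identifier across two checks is also the classic copy-paste slip in a bulk edit of this kind; please confirm the 18.8.21.3 id against the benchmark. If it is intentional, a comment such as `# same CCE as 18.8.21.2: both options belong to one GP setting` next to the entry would stop the next reviewer from raising it again.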
@@ -1448,12 +1635,14 @@ checks: - id: 11099 title: "Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'" - description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)." + description: "The 'Process even if the Group Policy objects have not changed' option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked)." rationale: "Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.8.21.3"] - cis_csc: ["3.7"] + references: + - 'CCE-36169-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' 
@@ -1462,12 +1651,14 @@ checks: - id: 11100 title: "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" - description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled." + description: "This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled." rationale: "This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Turn off background refresh of Group Policy Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.21.4"] - cis_csc: ["3.7"] + references: + - 'CCE-37712-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1477,12 +1668,14 @@ checks: # Section 18.8 - System - id: 11101 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" - description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." + description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled." rationale: "Users might download drivers that include malicious code." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.1"] - cis_csc: ["2"] + references: + - 'CCE-36625-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 
@@ -1491,12 +1684,14 @@ checks: - id: 11102 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" - description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." + description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled." rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.5"] - cis_csc: ["7"] + references: + - 'CCE-36096-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -1505,12 +1700,14 @@ checks: - id: 11103 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'" - description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled." rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.8.22.1.6"] - cis_csc: ["13.1"] + references: + - 'CCE-36920-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' 
@@ -1519,12 +1716,14 @@ checks:
 - id: 11104
 title: "Ensure 'Do not display network selection UI' is set to 'Enabled'"
 - description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
 + description: "This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: Enabled."
 rationale: "An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not display network selection UI Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.27.1"]
 - cis_csc: ["5"]
 + references:
 + - 'CCE-38353-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1533,12 +1732,14 @@ checks:
 - id: 11105
 title: "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
 - description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
 + description: "This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not enumerate connected users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.27.2"]
 - cis_csc: ["16.9"]
 + references:
 + - 'CCE-37838-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1547,12 +1748,14 @@ checks:
 - id: 11106
 title: "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
 - description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
 + description: "This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled."
 rationale: "A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Enumerate local users on domain-joined computers Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.27.3"]
 - cis_csc: ["16.9"]
 + references:
 + - 'CCE-35894-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1561,12 +1764,14 @@ checks:
 - id: 11107
 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
 - description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
 + description: "This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled."
 rationale: "App notifications might display sensitive business or personal data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.27.4"]
 - cis_csc: ["16.5"]
 + references:
 + - 'CCE-35893-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1575,12 +1780,14 @@ checks:
 - id: 11108
 title: "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
 - description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
 + description: "This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled."
 rationale: "A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password."
 - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on convenience PIN sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates."
 compliance:
 - cis: ["18.8.27.6"]
 - cis_csc: ["16.5"]
 + references:
 + - 'CCE-37528-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
@@ -1589,12 +1796,14 @@ checks:
 - id: 11109
 title: "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
 - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
 + description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
 rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (on battery) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.33.6.1"]
 - cis_csc: ["16.5"]
 + references:
 + - 'CCE-36881-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' 
@@ -1603,12 +1812,14 @@ checks:
 - id: 11110
 title: "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
 - description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
 - rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system. "
 + description: "Specifies whether or not the user is prompted for a password when the system resumes from sleep. The recommended state for this setting is: Enabled."
 + rationale: "Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Require a password when a computer wakes (plugged in) Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.33.6.2"]
 - cis_csc: ["16.5"]
 + references:
 + - 'CCE-37066-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' 
@@ -1617,12 +1828,14 @@ checks:
 - id: 11111
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
 - description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
 + description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.35.1"]
 - cis_csc: ["9.1"]
 + references:
 + - 'CCE-36388-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1631,12 +1844,14 @@ checks:
 - id: 11112
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
 - description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
 + description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.35.2"]
 - cis_csc: ["5.1"]
 + references:
 + - 'CCE-37281-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1646,12 +1861,14 @@ checks:
 # Section 18.9 - Windows Components
 - id: 11113
 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
 - description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
 + description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled."
 rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.6.1"]
 - cis_csc: ["16.9"]
 + references:
 + - 'CCE-38354-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -1660,12 +1877,14 @@ checks:
 - id: 11114
 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
 - description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
 + description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.8.1"]
 - cis_csc: ["8.3"]
 + references:
 + - 'CCE-37636-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
@@ -1674,12 +1893,14 @@ checks:
 - id: 11115
 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
 - description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
 + description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands."
 rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.8.2"]
 - cis_csc: ["8.3"]
 + references:
 + - 'CCE-38217-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -1688,12 +1909,14 @@ checks:
 - id: 11116
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
 - description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
 + description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance:
 - cis: ["18.9.8.3"]
 - cis_csc: ["8.3"]
 + references:
 + - 'CCE-36875-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -1702,12 +1925,14 @@ checks:
 - id: 11117
 title: "Ensure 'Do not display the password reveal button' is set to 'Enabled'"
 - description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
 + description: "This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled."
 rationale: "This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Do not display the password reveal button Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.15.1"]
 - cis_csc: ["16"]
 + references:
 + - 'CCE-37534-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' 
@@ -1716,12 +1941,14 @@ checks:
 - id: 11118
 title: "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
 - description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
 + description: "This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled."
 rationale: "Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Credential User Interface\\Enumerate administrator accounts on elevation Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.15.2"]
 - cis_csc: ["16"]
 + references:
 + - 'CCE-36512-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' 
@@ -1730,12 +1957,14 @@ checks:
 - id: 11119
 title: "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: ["18.9.26.1.1"]
 - cis_csc: ["6.3"]
 + references:
 + - 'CCE-37775-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' 
@@ -1744,12 +1973,14 @@ checks:
 - id: 11120
 title: "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'"
 - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater."
 rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Application\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: ["18.9.26.1.2"]
 - cis_csc: ["6.3"]
 + references:
 + - 'CCE-37948-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' 
@@ -1758,12 +1989,14 @@ checks:
 - id: 11121
 title: "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
 - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting."
 rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users."
 - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: ["18.9.26.2.1"]
 - cis_csc: ["6.3"]
 + references:
 + - 'CCE-37145-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' 
@@ -1772,12 +2005,14 @@ checks: - id: 11122 title: "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater." rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Security\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.2.2"] - cis_csc: ["6.3"] + references: + - 'CCE-37695-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' 
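Review bot: The rewritten `description` line for id 11122 keeps an internally inconsistent size range: 4,194,240 kilobytes is roughly 4 gigabytes, not "4 terabytes" (that would be 4,294,967,296 KB), so a reader cannot tell which figure is the real upper bound of the log size. The same sentence is carried into the new `description` lines of ids 11124 and 11126 in the later hunks. Either correct the unit to gigabytes or drop the parenthetical, and apply the same wording to all three checks so they stay consistent.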
@@ -1786,12 +2021,14 @@ checks: - id: 11123 title: "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.3.1"] - cis_csc: ["6.3"] + references: + - 'CCE-38276-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' 
@@ -1800,12 +2037,14 @@ checks: - id: 11124 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.3.2"] - cis_csc: ["6.3"] + references: + - 'CCE-37526-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' 
@@ -1814,12 +2053,14 @@ checks: - id: 11125 title: "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" - description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." + description: "This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting." rationale: "If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Control Event Log behavior when the log file reaches its maximum size Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.4.1"] - cis_csc: ["6.3"] + references: + - 'CCE-36160-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' 
@@ -1828,12 +2069,14 @@ checks: - id: 11126 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" - description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater." + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB) Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.26.4.2"] - cis_csc: ["6.3"] + references: + - 'CCE-36092-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' 
@@ -1842,12 +2085,14 @@ checks: - id: 11127 title: "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" - description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." + description: "Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled." rationale: "Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off Data Execution Prevention for Explorer Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.30.2"] - cis_csc: ["8.4"] + references: + - 'CCE-37809-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
@@ -1856,12 +2101,14 @@ checks: - id: 11128 title: "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" - description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.30.3"] - cis_csc: ["8.4"] + references: + - 'CCE-36660-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' 
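Review bot: The new `description` line for id 11128, together with the unchanged `rationale` and `remediation` lines under it, still describes the "Turn off shell protocol protected mode" setting, which is id 11129 in the next hunk; the text looks copied and never adapted to "Turn off heap termination on corruption". Since this commit rewrites the `description` line anyway, it should say what this setting controls (whether File Explorer is terminated when heap corruption is detected, with the recommended state Disabled so that termination stays active), the `rationale` should give the reason for keeping heap termination on rather than the shell-protocol argument, and the `remediation` path should end in `Windows Components\\File Explorer\\Turn off heap termination on corruption` instead of `Windows Components\\File Explorer\\Turn off shell protocol protected mode`. As written, an operator acting on this finding is sent to the wrong Group Policy setting.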
@@ -1870,12 +2117,14 @@ checks: - id: 11129 title: "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" - description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled." rationale: "Limiting the opening of files and folders to a limited set reduces the attack surface of the system." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Turn off shell protocol protected mode Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.30.4"] - cis_csc: ["8.4"] + references: + - 'CCE-36809-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 
@@ -1886,10 +2135,12 @@ checks: title: "Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" description: "This policy setting lets you prevent apps and features from working with files on OneDrive using the Next Generation Sync Client. The recommended state for this setting is: Enabled." rationale: "Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\OneDrive\\Prevent the usage of OneDrive for file storage Note: This Group Policy path may not exist by default. It is provided by the Group Policy template SkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). 
However, we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Prevent the usage of SkyDrive for file storage, but it was renamed starting with the Windows 10 RTM (Release 1507) Administrative Templates." compliance: - cis: ["18.9.52.1"] - cis_csc: ["13"] + references: + - 'CCE-36939-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' 
@@ -1898,12 +2149,14 @@ checks: - id: 11131 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" - description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." + description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server." rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.2.2"] - cis_csc: ["16.4"] + references: + - 'CCE-36223-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1912,12 +2165,14 @@ checks: - id: 11132 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'" - description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." + description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled." rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.3.2"] - cis_csc: ["13"] + references: + - 'CCE-36509-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1926,12 +2181,14 @@ checks: - id: 11133 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'" - description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled." rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates." compliance: - cis: ["18.9.58.3.9.1"] - cis_csc: ["16.14"] + references: + - 'CCE-37929-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1940,12 +2197,14 @@ checks: - id: 11134 title: "Ensure 'Require secure RPC communication' is set to 'Enabled'" - description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to specify whether Remote Desktop Services requires secure Remote Procedure Call (RPC) communication with all clients or allows unsecured communication. You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. The recommended state for this setting is: Enabled." rationale: "Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Require secure RPC communication Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.9.2"] - cis_csc: ["3.4"] + references: + - 'CCE-37567-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
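Review bot: The `rationale` line of id 11134 reads "Allowing unsecure RPC communication can exposes the server to man in the middle attacks"; it is an unchanged context line, but since the commit already reworks this check's text, the verb should be fixed: `can expose the server to man-in-the-middle attacks and data disclosure attacks`.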
@@ -1954,12 +2213,14 @@ checks: - id: 11135 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" - description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." + description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level." rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.58.3.9.3"] - cis_csc: ["3.4"] + references: + - 'CCE-36627-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1968,12 +2229,14 @@ checks: - id: 11136 title: "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" - description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." + description: "This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled." rationale: "Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not delete temp folders upon exit Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Do not delete temp folder upon exit, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.58.3.11.1"] - cis_csc: ["14.4"] + references: + - 'CCE-37946-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
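Review bot: The new `+ remediation:` value for check 11136 appears to carry a line break inside the double-quoted scalar, between `Administrative Templates.` and `Note #2:`, whereas the removed line and the equivalent Note #2 text in check 11138 are single-line. YAML folds a line break inside a double-quoted scalar into one space, so the value still parses to the intended sentence, but the split is easy to misread as a second key and is the only wrapped field in these hunks. Either keep the field on one line like its neighbours or, if wrapping is wanted, make it explicit with a folded block scalar (`remediation: >-`). This may be an artifact of how the diff was rendered, so it is worth confirming against the file.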
@@ -1982,12 +2245,14 @@ checks: - id: 11137 title: "Ensure 'Do not use temporary folders per session' is set to 'Disabled'" - description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." + description: "By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the sessionid. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled." rationale: "Disabling this setting keeps the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary Folders\\Do not use temporary folders per session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis: ["18.9.58.3.11.2"] - cis_csc: ["14.4"] + references: + - 'CCE-38180-6' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 
@@ -1996,12 +2261,14 @@ checks: - id: 11138 title: "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" - description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." + description: "This policy setting prevents the user from having enclosures (file attachments) downloaded from an RSS feed to the user's computer. The recommended state for this setting is: Enabled." rationale: "Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\RSS Feeds\\Prevent downloading of enclosures Note: This Group Policy path is provided by the Group Policy template InetRes.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Turn off downloading of enclosures, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." 
compliance: - cis: ["18.9.59.1"] - cis_csc: ["7.2"] + references: + - 'CCE-37126-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' @@ -2010,12 +2277,14 @@ checks: - id: 11139 title: "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" - description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled." rationale: "Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow indexing of encrypted files Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.60.2"] - cis_csc: ["13.1"] + references: + - 'CCE-38277-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' 
@@ -2024,12 +2293,14 @@ checks: - id: 11140 title: "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" - description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." + description: "This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass." rationale: "Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Warn and prevent bypass: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender SmartScreen Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Configure Windows SmartScreen, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates." compliance: - cis: ["18.9.80.1.1"] - cis_csc: ["2"] + references: + - 'CCE-35859-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' 
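Review bot: The `rationale:` line for check 11140 argues for the opposite of what the check enforces: it closes by saying organisations "may prefer to disable" SmartScreen, while the title and `remediation:` require 'Enabled: Warn and prevent bypass'. An operator reading a failure finds no stated reason to fix it. I would rewrite the rationale to state the security case, e.g. `SmartScreen blocks execution of unrecognised programs downloaded from the Internet and, with 'Warn and prevent bypass', stops users from overriding the block; the telemetry sent to Microsoft is the trade-off an organisation must accept or document an exception for.` The text is carried over unchanged from the previous version, so this is pre-existing rather than introduced here.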
@@ -2038,12 +2309,14 @@ checks: - id: 11141 title: "Ensure 'Configure Default consent' is set to 'Enabled: Always ask before sending data'" - description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" + description: "This setting allows you to set the default consent handling for error reports. The recommended state for this setting is: Enabled: Always ask before sending data" rationale: "Error reports may contain sensitive information and should not be sent to anyone automatically." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Always ask before sending data: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Consent\\Configure Default consent Note: This Group Policy path is provided by the Group Policy template ErrorReporting.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.81.2.1"] - cis_csc: ["13"] + references: + - 'CCE-37112-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent' 
@@ -2052,12 +2325,14 @@ checks: - id: 11142 title: "Ensure 'Automatically send memory dumps for OS-generated error reports' is set to 'Disabled'" - description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. The recommended state for this setting is: Disabled." rationale: "Memory dumps may contain sensitive information and should not be automatically sent to anyone." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Error Reporting\\Automatically send memory dumps for OS- generated error reports Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ErrorReporting.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.81.3"] - cis_csc: ["13"] + references: + - 'CCE-36978-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 
@@ -2066,12 +2341,14 @@ checks: - id: 11143 title: "Ensure 'Allow user control over installs' is set to 'Disabled'" - description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." + description: "This setting controls whether users are permitted to change installation options that typically are available only to system administrators. The security features of Windows Installer normally prevent users from changing installation options that are typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled." rationale: "In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise." 
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Allow user control over installs Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Enable user control over installs, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates." compliance: - cis: ["18.9.85.1"] - cis_csc: ["5.1"] + references: + - 'CCE-36400-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -2080,12 +2357,14 @@ checks: - id: 11144 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" - description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." + description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.85.2"] - cis_csc: ["5.1"] + references: + - 'CCE-36919-9' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' 
@@ -2094,12 +2373,14 @@ checks: - id: 11145 title: "Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" - description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." + description: "This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled." rationale: "Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Logon Options\\Sign-in last interactive user automatically after a system-initiated restart Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)." compliance: - cis: ["18.9.86.1"] - cis_csc: ["16.5"] + references: + - 'CCE-36977-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 
@@ -2108,7 +2389,7 @@ checks: - id: 11146 title: "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" - description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." + description: "This policy setting enables logging of all PowerShell script input to the Microsoft-Windows- PowerShell/Operational event log. The recommended state for this setting is: Disabled. Note: In Microsoft's own hardening guidance, they recommend the opposite value, Enabled, because having this data logged improves investigations of PowerShell attack incidents. However, the default ACL on the PowerShell Operational log allows Interactive User (i.e. any logged on user) to read it, and therefore possibly expose passwords or other sensitive information to unauthorized users. If Microsoft locks down the default ACL on that log in the future (e.g. to restrict it only to Administrators), then we will revisit this recommendation in a future release." rationale: "There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Script Block Logging Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: @@ -2122,7 +2403,7 @@ checks: - id: 11147 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" - description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." + description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled." rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)." compliance: 
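Review bot: Check 11146 still grades 'Turn on PowerShell Script Block Logging' = Disabled as the compliant state, and the `+ description:` line itself records that Microsoft's guidance is the opposite because of the investigative value of the log; the commit only re-flows the text and does not surface that tension to operators. In environments that forward the Microsoft-Windows-PowerShell/Operational log to a SIEM and restrict its ACL, a "fail" on this check is the intended configuration, and treating it as a hardening gap will push people to switch off one of the most useful detection sources on Windows. I would add a sentence to the `rationale:` making the trade-off explicit, e.g. `Note: organisations that centrally collect and access-control the PowerShell Operational log may deliberately enable script block logging for detection and incident response; treat a failure here as informational in that case.` Unlike the neighbouring hunks this one adds no `references:` entry, which may be intentional if no CCE identifier exists for it.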
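Review bot: Check 11147 treats enabling PowerShell Transcription as the non-compliant state on the grounds, per its `rationale:` line, that passwords could end up in plain text in the transcript file; the risk described is about who can read the transcript output location, not about transcription itself. Transcripts are a valuable forensic source, and a deployment that enables transcription with the transcript output directory pointed at an access-restricted location would fail this check despite addressing the stated concern. I would qualify the rationale, e.g. `Note: if transcription is enabled with an access-restricted transcript output directory for incident-response purposes, a failure here may be accepted by policy.` As with 11146, this hunk adds no `references:` entry.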
@@ -2136,12 +2417,14 @@ checks: - id: 11148 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.1.1"] - cis_csc: ["16.13"] + references: + - 'CCE-36310-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' 
@@ -2150,12 +2433,14 @@ checks: - id: 11149 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.1.2"] - cis_csc: ["16.13"] + references: + - 'CCE-37726-7' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' 
@@ -2164,12 +2449,14 @@ checks: - id: 11150 title: "Ensure 'Disallow Digest authentication' is set to 'Enabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled." rationale: "Digest authentication is less robust than other authentication methods available in WinRM, an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.1.3"] - cis_csc: ["16.13"] + references: + - 'CCE-38318-2' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' 
@@ -2178,12 +2465,14 @@ checks: - id: 11151 title: "Ensure 'Allow Basic authentication' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled." rationale: "Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic authentication Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.2.1"] - cis_csc: ["16.13"] + references: + - 'CCE-36254-1' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -2192,12 +2481,14 @@ checks: - id: 11152 title: "Ensure 'Allow unencrypted traffic' is set to 'Disabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled." rationale: "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted traffic Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.97.2.3"] - cis_csc: ["16.13"] + references: + - 'CCE-38223-4' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -2206,12 +2497,14 @@ checks: - id: 11153 title: "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" - description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." + description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: Enabled. Note: If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset." rationale: "Although the ability to store RunAs credentials is a convenient feature it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM from storing RunAs credentials Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)." compliance: - cis: ["18.9.97.2.4"] - cis_csc: ["16.4"] + references: + - 'CCE-36000-8' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' 
@@ -2220,12 +2513,14 @@ checks: - id: 11154 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" - description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." + description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. 
If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.101.2"] - cis_csc: ["4.5"] + references: + - 'CCE-36172-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 
@@ -2234,12 +2529,14 @@ checks: - id: 11155 title: "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" - description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." + description: "This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: 0 - Every day. Note: This setting is only applicable if 4 - Auto download and schedule the install is selected in Rule 18.9.101.2. It will have no impact if any other option is selected." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." remediation: "To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates: Scheduled install day Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis: ["18.9.101.3"] - cis_csc: ["4.5"] + references: + - 'CCE-36172-5' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 
@@ -2248,12 +2545,14 @@ checks: - id: 11156 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" - description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." + description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - cis: ["18.9.101.4"] - cis_csc: ["4.5"] + references: + - 'CCE-37027-0' condition: all rules: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' From 3ad6fc4c977cbd36fa739808b7281bfdce264261 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Thu, 8 Aug 2019 04:01:00 -0700 Subject: [PATCH 230/247] Remove multiple spaces in SCA Windows policies --- sca/windows/cis_win10_enterprise_L1.yml | 2 +- sca/windows/cis_win10_enterprise_L2.yml | 84 ++++++------- sca/windows/cis_win2012r2_domainL2.yml | 32 ++--- sca/windows/sca_win_audit.yml | 152 ++++++++++++------------ 4 files changed, 135 insertions(+), 135 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index 7b3557b47..7ce7523a3 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml 
@@ -986,7 +986,7 @@ checks: title: "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'" description: "Offers routing services to businesses in local area and wide area network environments. The recommended state for this setting is: Disabled." rationale: "This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access" + remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Routing and Remote Access" compliance: - cis: ["5.26"] - cis_csc: ["9.1", "9.2"] diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml index 58a5daafe..fec3b5edd 100644 --- a/sca/windows/cis_win10_enterprise_L2.yml +++ b/sca/windows/cis_win10_enterprise_L2.yml 
@@ -29,7 +29,7 @@ checks: # 2.3 Security Options - id: 13500 title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" - description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." + description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators." rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers." compliance: 
@@ -45,8 +45,8 @@ checks: - id: 13501 title: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'" - description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)." - rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location." + description: "This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. 
An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s)." + rationale: "The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location." remediation: "To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Number of previous logons to cache (in case domain controller is not available)" compliance: - cis: ["2.3.7.7"] 
@@ -61,7 +61,7 @@ checks: - id: 13502 title: "Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher" - description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark." + description: "This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark." rationale: "If a user's account is compromised or their computer is inadvertently left unsecured the malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password." remediation: "To establish the recommended configuration via GP, set the following UI path to User is prompted when the key is first used (configuring to User must enter a password each time they use a key also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System cryptography: Force strong key protection for user keys stored on the computer." compliance: 
@@ -78,8 +78,8 @@ checks: # 5 System Services - id: 13503 title: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'" - description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled." - rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." + description: "The Bluetooth service supports discovery and association of remote Bluetooth devices. The recommended state for this setting is: Disabled." + rationale: "Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Bluetooth Support Service" compliance: - cis: ["5.2"] 
@@ -106,9 +106,9 @@ checks: - id: 13505 title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'" - description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled." + description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled." rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments." - remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service" + remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service" compliance: - cis: ["5.5"] - cis_csc: ["9.1", "9.2"] 
@@ -120,7 +120,7 @@ checks: - id: 13506 title: "Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'" - description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled." + description: "Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The recommended state for this setting is: Disabled." rationale: "The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Link-Layer Topology Discovery Mapper" compliance: 
@@ -134,7 +134,7 @@ checks: - id: 13507 title: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" - description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled." + description: "Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. The recommended state for this setting is: Disabled." rationale: "This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Microsoft iSCSI Initiator Service" compliance: 
@@ -148,7 +148,7 @@ checks: - id: 13508 title: "Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'" - description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled." + description: "Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP). The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Name Resolution Protocol" compliance: @@ -162,7 +162,7 @@ checks: - id: 13509 title: "Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'" - description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled." + description: "Enables multi-party communication using Peer-to-Peer Grouping. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Grouping" compliance: 
@@ -176,7 +176,7 @@ checks: - id: 13510 title: "Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'" - description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled." + description: "Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Peer Networking Identity Manager" compliance: 
@@ -190,7 +190,7 @@ checks: - id: 13511 title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'" - description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled." + description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled." rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service" compliance: 
@@ -204,7 +204,7 @@ checks: - id: 13512 title: "Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'" - description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled." + description: "This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled." rationale: "This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Problem Reports and Solutions Control Panel Support" compliance: 
@@ -232,7 +232,7 @@ checks: - id: 13514 title: "Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'" - description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled." + description: "Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. The recommended state for this setting is: Disabled." rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Configuration" compliance: 
@@ -246,7 +246,7 @@ checks: - id: 13515 title: "Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'" - description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled." + description: "Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. The recommended state for this setting is: Disabled." rationale: "In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services" compliance: @@ -260,7 +260,7 @@ checks: - id: 13516 title: "Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'" - description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled." + description: "Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled." rationale: "In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Desktop Services UserMode Port Redirector" compliance: 
@@ -274,7 +274,7 @@ checks: - id: 13517 title: "Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'" - description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled." + description: "Enables remote users to modify registry settings on this computer. The recommended state for this setting is: Disabled." rationale: "In a high security environment, exposing the registry to remote access is an increased security risk." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Remote Registry" compliance: @@ -288,7 +288,7 @@ checks: - id: 13518 title: "Ensure 'Server (LanmanServer)' is set to 'Disabled'" - description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled." + description: "Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. The recommended state for this setting is: Disabled." rationale: "In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Server" compliance: 
@@ -302,9 +302,9 @@ checks:
 - id: 13519
 title: "Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'"
- description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))."
+ description: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. The recommended state for this setting is: Disabled or Not Installed. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP))."
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
- remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled or ensure the service is not installed. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service"
 compliance:
 - cis: ["5.29"]
 - cis_csc: ["9.1", "9.2"]
@@ -316,7 +316,7 @@ checks:
 - id: 13520
 title: "Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'"
- description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled."
+ description: "Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. The recommended state for this setting is: Disabled."
 rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Error Reporting Service"
 compliance:
@@ -330,7 +330,7 @@ checks:
 - id: 13521
 title: "Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'"
- description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
+ description: "This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log. The recommended state for this setting is: Disabled."
 rationale: "In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Event Collector"
 compliance:
@@ -344,7 +344,7 @@ checks:
 - id: 13522
 title: "Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'"
- description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
+ description: "This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. The recommended state for this setting is: Disabled. Note: In the first two releases of Windows 10 (R1507 & R1511), the display name of this service was initially named Windows Push Notifications Service - but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607."
 rationale: "Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Push Notifications System Service"
 compliance:
@@ -358,7 +358,7 @@ checks:
 - id: 13523
 title: "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'"
- description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled."
+ description: "This service manages Apps that are pushed to the device from the Windows Store App running on other devices or the web. The recommended state for this setting is: Disabled."
 rationale: "In a high security managed environment, application installations should be managed centrally by IT staff, not by end users."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows PushToInstall Service (PushToInstall)"
 compliance:
@@ -372,7 +372,7 @@ checks:
 - id: 13524
 title: "Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'"
- description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
+ description: "Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The recommended state for this setting is: Disabled."
 rationale: "Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Windows Remote Management (WS-Management)"
 compliance:
@@ -387,7 +387,7 @@ checks:
 # 18.1 Control Panel
 - id: 13525
 title: "Ensure 'Allow Online Tips' is set to 'Disabled'"
- description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
+ description: "This policy setting configures the retrieval of online tips and help for the Settings app. The recommended state for this setting is: Disabled."
 rationale: "Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer)."
 compliance:
@@ -402,7 +402,7 @@ checks:
 # 18.4 MSS (Legacy)
 - id: 13526
 title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
- description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled."
+ description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled."
 rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
@@ -418,7 +418,7 @@ checks:
 - id: 13527
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
- description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
+ description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
@@ -435,7 +435,7 @@ checks:
 - id: 13528
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
- description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
+ description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
@@ -452,7 +452,7 @@ checks:
 - id: 13529
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
@@ -469,7 +469,7 @@ checks:
 - id: 13530
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
- description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
+ description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
 compliance:
@@ -565,7 +565,7 @@ checks:
 title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
 description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
 rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
- remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+ remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:Disabl edComponents Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
 compliance:
 - cis: ["18.5.19.2.1"]
 - cis_csc: ["9"]
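Review bot: The `+ remediation:` line of the DisabledComponents check still tells the reader to set `Parameters:Disabl edComponents`, with a space inside the registry value name, so the remediation text contradicts the `DisabledComponents` value that the same check's title and description name; the new line should read `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents`. The header's `+565,7` count indicates the new side is still a single line, so the break before `Note #2:` looks like a rendering artifact rather than an unquoted continuation, though the collapsed hunk does not let me confirm that. The check's `- id:` line and its `rules:` entries are outside the hunk.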
@@ -650,7 +650,7 @@ checks:
 - id: 13540
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
- description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
+ description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
@@ -666,7 +666,7 @@ checks:
 - id: 13541
 title: "Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
- description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
+ description: "Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting recognition error reporting. Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -729,7 +729,7 @@ checks:
 - id: 13545
 title: "Ensure 'Turn off the \"Order Prints\" picture task' is set to 'Enabled'"
- description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether the \"Order Prints Online\" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Order Prints\" picture task. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -761,7 +761,7 @@ checks:
 - id: 13547
 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
- description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled."
 rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -830,9 +830,9 @@ checks:
 - id: 13551
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
- description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
+ description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.26.1"]
 - cis_csc: ["16.5", "16.11"]
@@ -880,7 +880,7 @@ checks:
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.46.1"]
 - cis_csc: ["13"]
@@ -945,7 +945,7 @@ checks:
 title: "Ensure 'Allow Use of Camera' is set to 'Disabled'"
 description: "This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled."
 rationale: "Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Camera\\Allow Use of Camera Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.12.1"]
 - cis_csc: ["13"]
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index dca8b97eb..e9a21eab6 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -49,7 +49,7 @@ checks:
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.5"]
 - cis_csc: ["9"]
@@ -100,7 +100,7 @@ checks:
title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
compliance:
- cis: ["18.4.11"]
- cis_csc: ["9"]
@@ -118,7 +118,7 @@ checks:
title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.5.9.1"]
- cis_csc: ["9"]
@@ -178,7 +178,7 @@ checks:
title: "Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')"
description: "Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. The recommended state for this setting is: DisabledComponents - 0xff (255)"
rationale: "Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed."
- remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
+ remediation: "To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TCPIP6\\Parameters:DisabledComponents. Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not \"undo\" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state."
compliance:
- cis: ["18.5.19.2.1"]
- cis_csc: ["9"]
@@ -423,7 +423,7 @@ checks:
title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.8.44.11.1"]
- cis_csc: ["13"]
@@ -439,7 +439,7 @@ checks:
title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.8.46.1"]
- cis_csc: ["13"]
@@ -455,7 +455,7 @@ checks:
title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.8.49.1.1"]
- cis_csc: ["6.1"]
@@ -472,7 +472,7 @@ checks:
title: "Ensure 'Turn off location' is set to 'Enabled'"
description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.39.2"]
- cis_csc: ["13"]
@@ -503,7 +503,7 @@ checks:
title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.58.3.3.1"]
- cis_csc: ["9.1"]
@@ -519,7 +519,7 @@ checks:
title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.58.3.3.3"]
- cis_csc: ["9.1"]
@@ -535,7 +535,7 @@ checks:
title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.58.3.3.4"]
- cis_csc: ["9.1"]
@@ -551,7 +551,7 @@ checks:
title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
compliance:
- cis: ["18.9.58.3.10.1"]
- cis_csc: ["16.5"]
@@ -568,7 +568,7 @@ checks:
title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
compliance:
- cis: ["18.9.58.3.10.2"]
- cis_csc: ["16.5"]
@@ -611,7 +611,7 @@ checks:
- id: 11535
title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
- description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+ description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer.
Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
compliance:
@@ -626,7 +626,7 @@ checks:
title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.85.3"]
- cis_csc: ["7"]
@@ -642,7 +642,7 @@ checks:
title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
compliance:
- cis: ["18.9.97.2.2"]
- cis_csc: ["3.4"]
diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml
index 47dfcb38b..5594ead19 100644
--- a/sca/windows/sca_win_audit.yml
+++ b/sca/windows/sca_win_audit.yml
@@ -63,7 +63,7 @@ checks:
- id: 14003
title: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'"
- description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
+ description: "For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators."
rationale: "It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Devices: Prevent users from installing printer drivers."
compliance:
@@ -76,8 +76,8 @@ checks:
   - id: 14004
     title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
-    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
-    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
     compliance:
       - cis_csc: ["13"]
@@ -89,8 +89,8 @@ checks:
   - id: 14005
     title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
-    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
-    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
     compliance:
       - cis_csc: ["13"]
@@ -101,8 +101,8 @@ checks:
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
   - id: 14006
     title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
-    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
-    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+    description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
+    rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
     compliance:
       - cis_csc: ["13"]
@@ -114,7 +114,7 @@ checks:
   - id: 14007
     title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'"
-    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
+    description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled."
     rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes."
     compliance:
@@ -127,7 +127,7 @@ checks:
   - id: 14008
     title: "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
-    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
+    description: "When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled."
     rationale: "Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)"
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key."
     compliance:
@@ -140,7 +140,7 @@ checks:
   - id: 14009
     title: "Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'"
-    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
+    description: "This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled."
     rationale: "An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not display last user name."
     compliance:
@@ -153,8 +153,8 @@ checks:
   - id: 14010
     title: "Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'"
-    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
-    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
+    description: "This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled."
+    rationale: "Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL"
     compliance:
       - cis_csc: ["8"]
@@ -166,7 +166,7 @@ checks:
   - id: 14011
     title: "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
-    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
+    description: "This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days."
     rationale: "It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections."
     remediation: "To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Prompt user to change password before expiration."
     compliance:
@@ -179,7 +179,7 @@ checks:
   - id: 14012
     title: "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher"
-    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
+    description: "This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The recommended state for this setting is: Lock Workstation. Configuring this setting to Force Logoff or Disconnect if a Remote Desktop Services session also conforms to the benchmark."
     rationale: "Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Smart card removal behavior."
     compliance:
@@ -192,8 +192,8 @@ checks:
   - id: 14013
     title: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'"
-    description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
-    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    description: "This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the 'Microsoft network client and server: Digitally sign communications (four related settings)' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (always)"
     compliance:
       - cis_csc: ["13"]
@@ -205,8 +205,8 @@ checks:
   - id: 14014
     title: "Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'"
-    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
-    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    description: "This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Digitally sign communications (if server agrees)"
     compliance:
       - cis_csc: ["13"]
@@ -218,8 +218,8 @@ checks:
   - id: 14015
     title: "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
-    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
-    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
+    description: "This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: Disabled."
+    rationale: "If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers."
     compliance:
       - cis_csc: ["13"]
@@ -231,7 +231,7 @@ checks:
   - id: 14016
     title: "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'"
-    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
+    description: "This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0."
     rationale: "Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive."
     remediation: "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session."
     compliance:
@@ -244,8 +244,8 @@ checks:
   - id: 14017
     title: "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'"
-    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
-    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    description: "This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (always)"
     compliance:
       - cis_csc: ["13"]
@@ -257,8 +257,8 @@ checks:
   - id: 14018
     title: "Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'"
-    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
-    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
+    description: "This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled."
+    rationale: "Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place."
     remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Digitally sign communications (if client agrees)"
     compliance:
       - cis_csc: ["13"]
@@ -283,8 +283,8 @@ checks:
 - id: 14020
 title: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'"
- description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
- rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
+ description: "This policy setting determines whether Credential Manager (formerly called Stored User Names and Passwords) saves passwords or credentials for later use when it gains domain authentication. The recommended state for this setting is: Enabled. Note: Changes to this setting will not take effect until Windows is restarted."
+ rationale: "Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow storage of passwords and credentials for network authentication."
 compliance:
 - cis_csc: ["16.14"]
@@ -296,7 +296,7 @@ checks:
 - id: 14021
 title: "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
- description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
+ description: "This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled."
 rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Let Everyone permissions apply to anonymous users."
 compliance:
@@ -309,7 +309,7 @@ checks:
 - id: 14022
 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
- description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
+ description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled."
 rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares."
 compliance:
@@ -322,7 +322,7 @@ checks:
 - id: 14023
 title: "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'"
- description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
+ description: "This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: (i.e. None)."
 rationale: "It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Shares that can be accessed anonymously."
 compliance:
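Review bot: The new description line for check 14023 still ends in "The recommended state for this setting is: (i.e. None)." — the recommended value is missing, which reads like a copy artifact where the benchmark's empty value was dropped and only its parenthetical survived; the context remediation line has the same "set the following UI path to (i.e. None)". Since the title already says the setting should be 'None', I'd make both sentences say it explicitly, e.g. `The recommended state for this setting is: <blank> (i.e. None).` and `set the following UI path to <blank> (i.e. None):`. Only the description line is within this commit's change; the remediation fix would be a follow-up.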
@@ -335,8 +335,8 @@ checks:
 - id: 14024
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
- description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
- rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
+ description: "This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services)."
+ rationale: "With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Classic - local users authenticate as themselves: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Sharing and security model for local accounts."
 compliance:
 - cis_csc: ["14, 16"]
@@ -348,7 +348,7 @@ checks:
 - id: 14025
 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
- description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled."
 rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change."
 compliance:
@@ -361,8 +361,8 @@ checks:
 - id: 14026
 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'"
- description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
- rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
+ description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM."
+ rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible."
 remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level."
 compliance:
 - cis_csc: ["13"]
@@ -374,7 +374,7 @@ checks:
 - id: 14027
 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
- description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
+ description: "This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a Domain Controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms to the benchmark."
 rationale: "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring to Require signing also conforms to the benchmark): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LDAP client signing requirements."
 compliance:
@@ -387,7 +387,7 @@ checks:
 - id: 14028
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security."
+ description: "This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security."
 rationale: "You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients."
 compliance:
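Review bot: The rewritten description for check 14028 still ends with the truncated sentence "Note: These values are dependent on the Network security." — the setting it depends on has been cut off, most likely because the setting name itself contains a colon and was lost when the text was copied from the benchmark. The same truncation is in the 14029 hunk that follows (`@@ -400,7 +400,7 @@`). Since the commit is already touching these lines, I'd complete the sentence as `Note: These values are dependent on the Network security: LAN Manager authentication level setting value.`, which is the setting named by check 14026 earlier in this file; a colon inside a double-quoted YAML scalar is safe.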
@@ -400,7 +400,7 @@ checks:
 - id: 14029
 title: "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'"
- description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security."
+ description: "This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security."
 rationale: "You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
 compliance:
@@ -415,7 +415,7 @@ checks:
 - id: 14030
 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
- description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled."
 rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems."
 condition: all
@@ -426,7 +426,7 @@ checks:
 - id: 14031
 title: "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
- description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
+ description: "This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled."
 rationale: "This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)."
 compliance:
@@ -439,7 +439,7 @@ checks:
 - id: 14032
 title: "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state."
 compliance:
@@ -452,7 +452,7 @@ checks:
 - id: 14033
 title: "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On'"
- description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
+ description: "Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: On (recommended)."
 rationale: "If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service."
 remediation: "To establish the recommended configuration via GP, set the following UI path to On (recommended): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state."
 compliance:
@@ -588,7 +588,7 @@ checks:
 - id: 14043
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
- description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
+ description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. 
As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
@@ -604,7 +604,7 @@ checks:
 - id: 14044
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+ description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
@@ -619,7 +619,7 @@ checks:
 - id: 14045
 title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
- description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
+ description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
@@ -634,7 +634,7 @@ checks:
 - id: 14046
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
- description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+ description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. 
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
@@ -649,7 +649,7 @@ checks:
 - id: 14047
 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'"
- description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
+ description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds."
 rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
@@ -664,9 +664,9 @@ checks: - id: 14048 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" - description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." - rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog. ) compliance: + description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." 
+ rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog. ) compliance: - cis_csc: ["6.3"] references: - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/ 
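Review bot: The remediation value of check 14048 appears, on both the removed and the added line, to end with `blog. )` immediately followed by `compliance:` with no closing double quote visible; if the file really reads that way the double-quoted scalar is unterminated, and the following `compliance:` key would be swallowed into the string or the document would fail to parse at the next `"` in `["6.3"]`. This may be an artefact of the collapsed rendering, so check the actual line; if the `)` is stray, the line should end `Microsoft Security Guidance blog."` as the sibling MSS checks (14043–14047) in this file do. The added description, rationale and remediation lines otherwise match the removed ones character for character here, so whatever the hunk changes (whitespace or an invisible character) cannot be confirmed from this view.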
@@ -678,7 +678,7 @@ checks:
 - id: 14049
 title: "Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
- description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
+ description: "The 'Do not apply during periodic background processing' option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked)."
 rationale: "Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked): Computer Configuration\\Policies\\Administrative Templates\\System\\Group Policy\\Configure registry policy processing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
@@ -691,7 +691,7 @@ checks:
 - id: 14050
 title: "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
- description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled."
 rationale: "Users might download drivers that include malicious code."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off downloading of print drivers over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -704,7 +704,7 @@ checks:
 - id: 14051
 title: "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
- description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. The recommended state for this setting is: Enabled."
 rationale: "Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet download for Web publishing and online ordering wizards Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -717,7 +717,7 @@ checks:
 - id: 14052
 title: "Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
- description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
+ description: "This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. The recommended state for this setting is: Enabled."
 rationale: "Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off printing over HTTP Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -730,7 +730,7 @@ checks:
 - id: 14053
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
- description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
+ description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
@@ -743,7 +743,7 @@ checks:
 - id: 14054
 title: "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
- description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
+ description: "This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled."
 rationale: "There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Solicited Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
@@ -756,7 +756,7 @@ checks:
 - id: 14055
 title: "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
- description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
+ description: "Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: Enabled: All drives."
 rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Turn off Autoplay Note: This Group Policy path is provided by the Group Policy template AutoPlay.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -769,7 +769,7 @@ checks:
 - id: 14056
 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'"
- description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
+ description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer. The recommended state for this setting is: Enabled. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Remote Desktop client disconnects from any server."
 rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -782,7 +782,7 @@ checks:
 - id: 14057
 title: "Ensure 'Do not allow drive redirection' is set to 'Enabled'"
- description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
+ description: "This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\\\TSClient\\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled."
 rationale: "Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow drive redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -795,9 +795,9 @@ checks:
 - id: 14058
 title: "Ensure 'Always prompt for password upon connection' is set to 'Enabled'"
- description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
+ description: "This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled."
 rationale: "Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Always prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates."
 compliance:
 - cis_csc: ["16.14"]
 condition: all
@@ -808,7 +808,7 @@ checks:
 - id: 14059
 title: "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'"
- description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
+ description: "This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level."
 rationale: "If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set client connection encryption level Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -821,7 +821,7 @@ checks: - id: 14060 title: "Ensure 'Always install with elevated privileges' is set to 'Disabled'" - description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." + description: "This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled." rationale: "Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Always install with elevated privileges Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
@@ -833,7 +833,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - id: 14061 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" - description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2) - Notify for download and auto install (Notify before downloading any updates) 3) - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4) - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5) - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2) - Notify for download and auto install (Notify before downloading any updates) 3) - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4) - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5) - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. 
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
@@ -846,9 +846,9 @@ checks: - id: 14062 title: "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" - description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." + description: "This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: Disabled. Note: This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect." rationale: "Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\No auto-restart with logged on users for scheduled automatic updates installations Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named No auto-restart for scheduled Automatic Updates installations, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates." compliance: - cis_csc: ["4.5"] condition: all 
@@ -859,7 +859,7 @@ checks: - id: 14063 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" - description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." + description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: 
@@ -874,9 +874,9 @@ checks: - id: 14064 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" - description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." + description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3." rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["9"] references: 
@@ -889,9 +889,9 @@ checks: - id: 14065 title: "Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" - description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. The recommended state for this setting is: Enabled." rationale: "There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Search Companion content file updates Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis_csc: ["13"] condition: all 
@@ -902,7 +902,7 @@ checks: - id: 14066 title: "Ensure 'Turn off the \"Publish to Web\" task for files and folders' is set to 'Enabled'" - description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled." rationale: "Users may publish confidential or sensitive information to a public service outside of the control of the organization." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the \"Publish to Web\" task for files and folders Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: 
@@ -915,9 +915,9 @@ checks: - id: 14067 title: "Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" - description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." + description: "This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled." rationale: "Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off the Windows Messenger Customer Experience Improvement Program Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: - cis_csc: ["13"] condition: all 
@@ -928,9 +928,9 @@ checks: - id: 14068 title: "Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" - description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." + description: "This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. The recommended state for this setting is: Enabled." rationale: "If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Windows Error Reporting Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." 
compliance: - cis_csc: ["13"] condition: all From 9840092934739092a3e056db0edb2348800e4ca2 Mon Sep 17 00:00:00 2001 From: Chema Martinez Date: Fri, 9 Aug 2019 03:46:30 -0700 Subject: [PATCH 231/247] Fix typos in Windows policies --- sca/windows/cis_win10_enterprise_L1.yml | 92 ++++++++++++------------- sca/windows/cis_win10_enterprise_L2.yml | 14 ++-- sca/windows/cis_win2012r2_domainL1.yml | 16 ++--- sca/windows/cis_win2012r2_domainL2.yml | 60 ++++++++-------- sca/windows/cis_win2012r2_memberL1.yml | 18 ++--- sca/windows/cis_win2012r2_memberL2.yml | 84 +++++++++++----------- 6 files changed, 139 insertions(+), 145 deletions(-) diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml index 7ce7523a3..9546f8ab5 100644 --- a/sca/windows/cis_win10_enterprise_L1.yml +++ b/sca/windows/cis_win10_enterprise_L1.yml 
@@ -61,7 +61,7 @@ checks: - id: 13002 title: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" - description: "This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled." + description: "This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. 
The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: Enabled." rationale: "If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Shut down system immediately if unable to log security audits." compliance: 
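Review bot: The new description for check 13002 now matches its title ('Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' set to Enabled), but the rationale and remediation that follow it in this hunk still describe the 'Audit: Shut down system immediately if unable to log security audits' setting, and the remediation tells the operator to set that path to Disabled. Anyone remediating from this policy would change an unrelated setting and leave the subcategory override unconfigured, so the check would keep failing after "remediation". The remediation should name the setting in the title, e.g. `remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."`, and the rationale needs rewriting to explain why subcategory-level audit policy should take precedence over the legacy category settings rather than discussing log-full shutdown. The registry rule for this check is outside the hunk, so whether it tests the matching value cannot be confirmed here.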
@@ -156,7 +156,7 @@ checks: - id: 13008 title: "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" - description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled" + description: "This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: Disabled." rationale: "The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account." remediation: "Remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes." compliance: 
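Review bot: The remediation string for check 13008, two lines below the changed description, still carries a duplicated label: `remediation: "Remediation: To establish the recommended configuration via GP, ..."`. Since this commit is a typo pass over these files, dropping the inner `Remediation: ` prefix so the value reads `remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: ..."` would make it consistent with every other remediation in the hunk set.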
@@ -382,7 +382,7 @@ checks: - id: 13022 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'" description: "This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." - rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" + rationale: "An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts." compliance: - cis: ["2.3.10.2"] 
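Review bot: The rationale edit for check 13022 removes the period that closed the parenthesised sentence, leaving "(Social engineering attacks try to deceive users ... security information)" with no terminal punctuation; the same change is made to check 13023 in the next hunk. The parenthesised text is a complete sentence, so the period belongs inside the closing bracket as the original had it: `... some form of security information.)"`. If the intent was to normalise punctuation across the files, the other hunks in this commit add a trailing period to descriptions, which points the opposite way.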
@@ -397,8 +397,8 @@ checks: - id: 13023 title: "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'" - description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers" - rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)" + description: "This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on Domain Controllers." + rationale: "An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information)" remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Do not allow anonymous enumeration of SAM accounts and shares." compliance: - cis: ["2.3.10.3"] 
@@ -493,7 +493,7 @@ checks: - id: 13029 title: "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" - description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled" + description: "When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled." rationale: "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Restrict anonymous access to Named Pipes and Shares." compliance: 
@@ -571,7 +571,7 @@ checks: - id: 13034 title: "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" - description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled" + description: "This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled." rationale: "NULL sessions are less secure because by definition they are unauthenticated." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Allow LocalSystem NULL session fallback." compliance: 
@@ -619,7 +619,7 @@ checks: - id: 13037 title: "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" - description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled" + description: "This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled." rationale: "The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change." compliance: 
@@ -651,7 +651,7 @@ checks: - id: 13039 title: "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" - description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:  Join a domain  Authenticate between Active Directory forests  Authenticate to down-level domains  Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP  Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM" + description: "LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. 
However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to down-level domains - Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP - Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM" rationale: "Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. 
For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible." remediation: "To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only. Refuse LM & NTLM: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level." compliance: 
@@ -716,7 +716,7 @@ checks: - id: 13043 title: "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" description: "This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled." - rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available" + rationale: "Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for nonWindows subsystems." compliance: - cis: ["2.3.15.1"] 
@@ -747,7 +747,7 @@ checks: - id: 13045 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled." - rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways:  If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator.  If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled." + rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named Administrator because that user account was created for all installations of Windows. 
To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account." compliance: - cis: ["2.3.17.1"] 
@@ -811,7 +811,7 @@ checks: - id: 13049 title: "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" description: "This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled." - rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage" + rationale: "Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Detect application installations and prompt for elevation." compliance: - cis: ["2.3.17.5"] 
@@ -826,8 +826,8 @@ checks: - id: 13050 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" - description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:  …\\Program Files\\, including subfolders  …\\Windows\\system32\\  …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." - rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities:  To set the foreground window.  To drive any application window using SendInput function.  To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput.  To set journal hooks.  To uses AttachThreadInput to attach a thread to a higher integrity input queue." + description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. 
Secure locations are limited to the following: - …\\Program Files\\, including subfolders - …\\Windows\\system32\\ - …\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled." + rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations." compliance: - cis: ["2.3.17.6"] 
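Review bot: The rewritten rationale for id 13050 still carries the typo `To uses AttachThreadInput to attach a thread to a higher integrity input queue.` in its last bullet; since the line is being replaced anyway, change it to `- To use AttachThreadInput to attach a thread to a higher integrity input queue.`. The new description and rationale also switch the bullet glyph to `- ` inside a double-quoted scalar, which is safe for the YAML parser but reads as a plain-text list only; that is consistent with the other hunks in this patch (ids 13039, 13045, 13053, 13120). Note that the old side of this hunk lists 8 lines while only 7 are visible here, so one line of the hunk may be missing from this view.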
@@ -874,7 +874,7 @@ checks: - id: 13053 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" - description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:  %ProgramFiles%  %Windir%  %Windir%\\system32  HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled." + description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software The recommended state for this setting is: Enabled." rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations." compliance: 
@@ -916,7 +916,7 @@ checks: - id: 13056 title: "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'" - description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled" + description: "Detects other Infrared devices that are in range and launches the file transfer application. The recommended state for this setting is: Disabled." rationale: "Infrared connections can potentially be a source of data compromise - especially via the automatic \"file transfer application\" functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Infrared monitor service" compliance: @@ -1148,7 +1148,7 @@ checks: - id: 13073 title: "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" - description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled" + description: "This service supports the Windows.Networking.XboxLive application programming interface. The recommended state for this setting is: Disabled." rationale: "Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company)." remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Xbox Live Networking Service" compliance: 
@@ -1497,7 +1497,7 @@ checks: - id: 13095 title: "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" description: "This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. The recommended state for this setting is: No." - rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack" + rationale: "Users with administrative privileges might create firewall rules that expose the system to remote attack." remediation: "To establish the recommended configuration via GP, set the following UI path to No: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules" compliance: - cis: ["9.3.6"] @@ -1592,7 +1592,7 @@ checks: - id: 13101 title: "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" - description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled" + description: "Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. The recommended state for this setting is: Enabled." rationale: "Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Personalization\\Prevent enabling lock screen slide show" compliance: 
@@ -1639,7 +1639,7 @@ checks: title: "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'" description: "In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations." rationale: "Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. 
This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\LAPS\\Do not allow password expiration time longer than required by policy." compliance: - cis: ["18.2.2"] - cis_csc: ["16.2", "16.10"] 
@@ -1709,7 +1709,7 @@ checks: title: "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'" description: "This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1." rationale: "Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Apply UAC restrictions to local accounts on network logons." compliance: - cis: ["18.3.1"] - cis_csc: ["5.8", "4.3"] 
@@ -1723,9 +1723,9 @@ checks: - id: 13110 title: "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'" - description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems" + description: "This setting configures the start type for the Server Message Block version 1 (SMBv1) client driver service (MRxSmb10), which is recommended to be disabled. The recommended state for this setting is: Enabled: Disable driver. Note: Do not, under any circumstances, configure this overall setting as Disabled, as doing so will delete the underlying registry entry altogether, which will cause serious problems." rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 client driver." compliance: - cis: ["18.3.2"] - cis_csc: ["9.1", "9.2"] 
@@ -1739,7 +1739,7 @@ checks: title: "Ensure 'Configure SMB v1 server' is set to 'Disabled'" description: "This setting configures the server-side processing of the Server Message Block version 1 (SMBv1) protocol. The recommended state for this setting is: Disabled." rationale: "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server" + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Configure SMB v1 server." compliance: - cis: ["18.3.3"] - cis_csc: ["9.1", "9.2"] 
@@ -1767,7 +1767,7 @@ checks: title: "Ensure 'Turn on Windows Defender protection against Potentially Unwanted Applications' is set to 'Enabled'" description: "Enabling this Windows Defender feature will protect against Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications to deliver adware or malware." rationale: "This opt-in feature is free and could prevent malicious software from being installed." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MS Security Guide\\Turn on Windows Defender protection against Potentially Unwanted Applications." compliance: - cis: ["18.3.5"] - cis_csc: ["8.4", "8.3"] 
@@ -1875,7 +1875,7 @@ checks: - id: 13120 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" - description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:  Search folders specified in the system path first, and then search the current working folder.  Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." + description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. 
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" compliance: 
@@ -1891,7 +1891,7 @@ checks: - id: 13121 title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" - description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds" + description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" compliance: 
@@ -1909,7 +1909,7 @@ checks: title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less." rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" compliance: - cis: ["18.4.13"] - cis_csc: ["6.3", "6.4"] 
@@ -1923,7 +1923,7 @@ checks: - id: 13123 title: "Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')" - description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names.  A B-node (broadcast) system only uses broadcasts.  A P-node (point-to-point) system uses only name queries to a name server (WINS).  An M-node (mixed) system broadcasts first, then queries the name server (WINS).  An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)." + description: "This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names. - A B-node (broadcast) system only uses broadcasts. - A P-node (point-to-point) system uses only name queries to a name server (WINS). - An M-node (mixed) system broadcasts first, then queries the name server (WINS). - An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: NodeType - 0x2 (2) (P-node / point-to-point)." rationale: "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts." remediation: "To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD): HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\NetBT\\Parameters:NodeType" compliance: 
@@ -2013,7 +2013,7 @@ checks: - id: 13129 title: "Ensure 'Hardened UNC Paths' is set to 'Enabled, with \"Require Mutual Authentication\" and \"Require Integrity\" set for all NETLOGON and SYSVOL shares'" - description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing" + description: "This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the \"Privacy\" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing." rationale: "In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. 
Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Provider\\Hardened UNC Paths" compliance: 
@@ -2061,7 +2061,7 @@ checks: - id: 13132 title: "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'" - description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services.  Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to.  Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts.  Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled." + description: "This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services. - Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that other people using Windows have connected to. - Connect to networks shared by my contacts enables Windows to automatically connect to networks that the user's contacts have shared with them, and enables users on this device to share networks with their contacts. - Enable paid services enables Windows to temporarily connect to open hotspots to determine if paid services are available. The recommended state for this setting is: Disabled." rationale: "Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\WLAN Service\\WLAN Settings\\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services" compliance: 
@@ -2107,7 +2107,7 @@ checks: - id: 13135 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" - description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  Good: The driver has been signed and has not been tampered with.  Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." + description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. 
- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical." rationale: "This policy setting helps reduce the impact of malware that has already infected your system." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy" compliance: @@ -2280,7 +2280,7 @@ checks: - id: 13146 title: "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" description: "This policy setting allows you to prevent app notifications from appearing on the lock screen." - rationale: "App notifications might display sensitive business or personal data" + rationale: "App notifications might display sensitive business or personal data." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen" compliance: - cis: ["18.8.27.5"] 
@@ -2451,7 +2451,7 @@ checks: - id: 13157 title: "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" - description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it" + description: "This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it." rationale: "Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\App runtime\\Allow Microsoft accounts to be optional" compliance: @@ -2467,7 +2467,7 @@ checks: - id: 13158 title: "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" - description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones" + description: "This policy setting disallows AutoPlay for MTP devices like cameras or phones." rationale: "An attacker could use this feature to launch a program to damage a client computer or data on the computer." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Disallow Autoplay for non-volume devices" compliance: 
@@ -2484,7 +2484,7 @@ checks: - id: 13159 title: "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" description: "This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands." - rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog" + rationale: "Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\AutoPlay Policies\\Set the default behavior for AutoRun" compliance: - cis: ["18.9.8.2"] 
@@ -2588,7 +2588,7 @@ checks: - id: 13166 title: "Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'" - description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft:  A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1.  A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device.  A value of 2 - Enhanced sends enhanced diagnostic and usage data.  A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic." + description: "This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of 0 - Security [Enterprise Only] will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. - A value of 1 - Basic sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. - A value of 2 - Enhanced sends enhanced diagnostic and usage data. 
- A value of 3 - Full sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic." rationale: "Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 0 - Security [Enterprise Only] or Enabled: 1 - Basic: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry" compliance: 
@@ -2634,7 +2634,7 @@ checks: - id: 13169 title: "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'" - description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported:  0 = HTTP only, no peering.  1 = HTTP blended with peering behind the same NAT.  2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.  3 = HTTP blended with Internet Peering.  99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.  100 = Bypass mode. Do not use Delivery Optimization and use BITS instead." + description: "This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported: - 0 = HTTP only, no peering. - 1 = HTTP blended with peering behind the same NAT. - 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 = HTTP blended with Internet Peering. - 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead." 
rationale: "Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator." remediation: "To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Delivery Optimization\\Download Mode" compliance: @@ -2729,7 +2729,7 @@ checks: - id: 13175 title: "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\Setup\\Specify the maximum log file size (KB)" compliance: - cis: ["18.9.26.3.2"] 
@@ -2761,7 +2761,7 @@ checks: - id: 13177 title: "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" description: "This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments." - rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users" + rationale: "If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Event Log Service\\System\\Specify the maximum log file size (KB)" compliance: - cis: ["18.9.26.4.2"] 
@@ -2855,7 +2855,7 @@ checks: - id: 13183 title: "Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher" description: "This setting lets you configure how your company deals with cookies. The recommended state for this setting is: Enabled: Block only 3rd-party cookies. Configuring this setting to Enabled: Block all cookies also conforms to the benchmark." - rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking" + rationale: "Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Block only 3rd-party cookies (or, if applicable for your environment, Enabled: Block all cookies): Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure cookies" compliance: - cis: ["18.9.45.4"] 
@@ -2913,7 +2913,7 @@ checks: - id: 13187 title: "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" description: "This policy setting helps prevent Remote Desktop clients from saving passwords on a computer." - rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts" + rationale: "An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not allow passwords to be saved" compliance: - cis: ["18.9.58.2.2"] @@ -3040,7 +3040,7 @@ checks: - id: 13195 title: "Ensure 'Allow Cortana' is set to 'Disabled'" - description: "This policy setting specifies whether Cortana is allowed on the device" + description: "This policy setting specifies whether Cortana is allowed on the device." rationale: "If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Allow Cortana" compliance: 
@@ -3441,7 +3441,7 @@ checks: - id: 13220 title: "Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" description: "This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts." - rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file" + rationale: "If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file." remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows PowerShell\\Turn on PowerShell Transcription" compliance: - cis: ["18.9.95.2"] 
@@ -3566,7 +3566,7 @@ checks: - id: 13228 title: "Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'" - description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them:  Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality.  Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds.  Release Preview: Receive builds of Windows just before Microsoft releases them to the general public.  Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public.  Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment." + description: "This policy setting determines the level of Preview Build or Feature Updates to receive, and when. The Windows readiness level for each new Windows 10 Feature Update is classified in one of 5 categories, depending on your organizations level of comfort with receiving them: - Preview Build - Fast: Devices set to this level will be the first to receive new builds of Windows with features not yet available to the general public. 
Select Fast to participate in identifying and reporting issues to Microsoft, and provide suggestions on new functionality. - Preview Build - Slow: Devices set to this level receive new builds of Windows before they are available to the general public, but at a slower cadence than those set to Fast, and with changes and fixes identified in earlier builds. - Release Preview: Receive builds of Windows just before Microsoft releases them to the general public. - Semi-Annual Channel (Targeted): Receive feature updates when they are released to the general public. - Semi-Annual Channel: Feature updates will arrive when they are declared SemiAnnual Channel. This usually occurs about 4 months after Semi-Annual Channel (Targeted), indicating that Microsoft, Independent Software Vendors (ISVs), partners and customer believe that the release is ready for broad deployment." rationale: "Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Semi-Annual Channel, 180 or more days: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Windows Update for Business\\Select when Preview Builds and Feature Updates are received" compliance: 
@@ -3600,7 +3600,7 @@ checks:
 - id: 13230
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))"
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) 
(Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended))"
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates"
 compliance:
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index fec3b5edd..fe6e97ab0 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
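Review bot: The added `description` for check 13230 says `select one of the following three options` but then lists four (2, 3, 4 and 5), and option 4 closes with an unbalanced `))`; since the line is being rewritten anyway, change it to `select one of the following four options` and `install them on the schedule specified below.)`. Everything else in the hunk is unchanged context, and the check's `rules:` that decide which of those values passes are outside the hunk.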
@@ -404,7 +404,7 @@ checks:
 title: "Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
 description: "When you dial a phonebook or VPN entry in Dial-Up Networking, you can use the \"Save Password\" option so that your Dial-Up Networking password is cached and you will not need to enter it on successive dial attempts. For security, administrators may want to prevent users from caching passwords. The recommended state for this setting is: Enabled."
 rationale: "An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.4"]
 - cis_csc: ["9"]
@@ -420,7 +420,7 @@ checks:
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.6"]
 - cis_csc: ["9"]
@@ -437,7 +437,7 @@ checks:
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.8"]
 - cis_csc: ["9"]
@@ -454,7 +454,7 @@ checks:
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.11"]
 - cis_csc: ["9"]
@@ -471,7 +471,7 @@ checks:
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog"
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.12"]
 - cis_csc: ["9"]
@@ -493,8 +493,6 @@ checks:
 compliance:
 - cis: ["18.5.5.1"]
 - cis_csc: ["3", "13"]
- references:
- - ''
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
@@ -1077,8 +1075,6 @@ checks:
 compliance:
 - cis: ["18.9.45.9"]
 - cis_csc: ["3"]
- references:
- - ''
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index 7d77dd134..0b11c31a5 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -153,7 +153,7 @@ checks:
 - cis_csc: ["3"]
 references:
 - https://blogs.technet.microsoft.com/russellt/2016/01/13/identifying-clear-text-ldap-binds-to-your-dcs/
- - CCE-35904-2
+ - 'CCE-35904-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters'
@@ -729,10 +729,10 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Require NTLMv2 session security, Require 128-bit encryption: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers."
 compliance:
 - cis: ["2.3.11.10"]
- - cis_csc: ["13"] ''
+ - cis_csc: ["13"]
 references:
 - https://workbench.cisecurity.org/benchmarks/288
- - CCE-37835-6
+ - 'CCE-37835-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
@@ -1538,7 +1538,7 @@ checks:
 # Section 18.5 - Network
 - id: 11093
 title: "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
- description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled"
+ description: "You can use this procedure to controls user's ability to install and configure a Network Bridge. The recommended state for this setting is: Enabled."
 rationale: "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Prohibit installation and configuration of Network Bridge on your DNS domain network Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
@@ -1554,7 +1554,7 @@ checks:
 - id: 11094
 title: "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
- description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled"
+ description: "This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: Enabled."
 rationale: "Allowing regular users to set a network location increases the risk and attack surface."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network Connections\\Require domain users to elevate when setting a network's location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
@@ -1570,7 +1570,7 @@ checks:
 - id: 11095
 title: "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
- description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled"
+ description: "This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled."
 rationale: "Blocking simultaneous connections can help prevent a user unknowingly allowing network traffic to flow between the Internet and the enterprise managed network."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connection Manager\\Minimize the number of simultaneous connections to the Internet or a Windows Domain Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
@@ -1587,7 +1587,7 @@ checks:
 # Section 18.8 - System
 - id: 11096
 title: "Ensure 'Include command line in process creation events' is set to 'Disabled'"
- description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled"
+ description: "This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: Disabled."
 rationale: "When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
@@ -1828,7 +1828,7 @@ checks:
 - id: 11111
 title: "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
- description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled"
+ description: "This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled."
 rationale: "A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Remote Assistance\\Configure Offer Remote Assistance Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index e9a21eab6..96ccf72b6 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -49,7 +49,7 @@ checks:
 title: "Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'"
 description: "This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended)."
 rationale: "An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.5"]
 - cis_csc: ["9"]
@@ -66,7 +66,7 @@ checks:
 title: "Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'"
 description: "This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. The recommended state for this setting is: Disabled."
 rationale: "An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.7"]
 - cis_csc: ["9"]
@@ -83,7 +83,7 @@ checks:
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.10"]
 - cis_csc: ["9"]
@@ -100,7 +100,7 @@ checks:
 title: "Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'"
 description: "This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. The recommended state for this setting is: Enabled: 3."
 rationale: "A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.11"]
 - cis_csc: ["9"]
@@ -118,7 +118,7 @@ checks:
 title: "Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Mapper I/O (LLTDIO) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.9.1"]
 - cis_csc: ["9"]
@@ -140,7 +140,7 @@ checks:
 title: "Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'"
 description: "This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled."
 rationale: "To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Link-Layer Topology Discovery\\Turn on Responder (RSPNDR) driver. Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.9.2"]
 - cis_csc: ["9"]
@@ -162,7 +162,7 @@ checks:
 title: "Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'"
 description: "The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. The recommended state for this setting is: Enabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Microsoft Peer-to-Peer Networking Services\\Turn off Microsoft Peer-to-Peer Networking Services. Note: This Group Policy path is provided by the Group Policy template P2P- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.10.2"]
 - cis_csc: ["9.1"]
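Review bot: The rewritten `remediation` for check 18.5.10.2 names the Group Policy template as `P2P- pnrp.admx/adml`; the space inside the file name looks like a copy artefact from the benchmark text, and every other template named in these hunks is a single token (`LinkLayerTopologyDiscovery.admx/adml`, `WindowsConnectNow.admx/adml`). If the template really is `P2P-pnrp.admx/adml`, correct it while the line is already being edited for punctuation, `Group Policy template P2P-pnrp.admx/adml that is included`. The check's `rules:` are outside the hunk.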
@@ -192,7 +192,7 @@ checks:
 title: "Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'"
 description: "This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over in-band 802.11 Wi-Fi through the Windows Portable Device API (WPD) and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. The recommended state for this setting is: Disabled."
 rationale: "This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Configuration of wireless settings using Windows Connect Now. Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.5.20.1"]
 - cis_csc: ["15.4"]
@@ -216,7 +216,7 @@ checks:
 title: "Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'"
 description: "This policy setting prohibits access to Windows Connect Now (WCN) wizards. The recommended state for this setting is: Enabled."
 rationale: "Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Network\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.5.20.2"]
 - cis_csc: ["15.4"]
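Review bot: The Group Policy path in the new remediation line has a duplicated segment, `Network\\Network\\Windows Connect Now\\...`, while the sibling 18.5.20.1 entry in the hunk at -192, which points at the same WindowsConnectNow.admx template, uses a single `Network\\` segment. The doubled segment looks like a transcription slip rather than a real UI path, and an operator following it literally will not find the setting. Suggest `Computer Configuration\\Policies\\Administrative Templates\\Network\\Windows Connect Now\\Prohibit access of the Windows Connect Now wizards.` in the added line.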
@@ -232,7 +232,7 @@ checks:
 title: "Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
 description: "This setting turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection. The recommended state for this setting is: Enabled."
 rationale: "A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.22.1.2"]
 - cis_csc: ["13"]
@@ -264,7 +264,7 @@ checks:
 title: "Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled."
 rationale: "In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.4"]
 - cis_csc: ["13"]
@@ -280,7 +280,7 @@ checks:
 title: "Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. The recommended state for this setting is: Enabled."
 rationale: "Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off Registration if URL connection is referring to Microsoft.com. Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.22.1.7"]
 references:
@@ -391,7 +391,7 @@ checks:
 title: "Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
 description: "This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. The recommended state for this setting is: Enabled."
 rationale: "This is a way to increase the security of the system account."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Locale Services\\Disallow copying of user input methods to the system account for sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.26.1"]
 - cis_csc: ["16.5"]
@@ -423,7 +423,7 @@ checks:
 title: "Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
 description: "This policy setting specifies whether to enable or disable tracking of responsiveness events. The recommended state for this setting is: Disabled."
 rationale: "When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Troubleshooting and Diagnostics\\Windows Performance PerfTrack\\Enable/Disable PerfTrack. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.44.11.1"]
 - cis_csc: ["13"]
@@ -439,7 +439,7 @@ checks:
 title: "Ensure 'Turn off the advertising ID' is set to 'Enabled'"
 description: "This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. The recommended state for this setting is: Enabled."
 rationale: "Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\User Profiles\\Turn off the advertising ID. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.8.46.1"]
 - cis_csc: ["13"]
@@ -455,7 +455,7 @@ checks:
 title: "Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
 description: "This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled."
 rationale: "A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.8.49.1.1"]
 - cis_csc: ["6.1"]
@@ -472,7 +472,7 @@ checks:
 title: "Ensure 'Turn off location' is set to 'Enabled'"
 description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
 rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.39.2"]
 - cis_csc: ["13"]
@@ -488,7 +488,7 @@ checks:
 title: "Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'"
 description: "This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session - if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Connections\\Restrict Remote Desktop Services users to a single Remote Desktop Services session. 
Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.2.1"]
 references:
@@ -503,7 +503,7 @@ checks:
 title: "Ensure 'Do not allow COM port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.1"]
 - cis_csc: ["9.1"]
@@ -519,7 +519,7 @@ checks:
 title: "Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
 description: "This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow LPT port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.3"]
 - cis_csc: ["9.1"]
@@ -535,7 +535,7 @@ checks:
 title: "Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
 description: "This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled."
 rationale: "In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Do not allow supported Plug and Play device redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.3.4"]
 - cis_csc: ["9.1"]
@@ -551,7 +551,7 @@ checks:
 title: "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
 description: "This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 15 minutes or less: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for active but idle Remote Desktop Services sessions. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Set time limit for active but idle Terminal Services sessions, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.10.1"]
 - cis_csc: ["16.5"]
@@ -568,7 +568,7 @@ checks:
 title: "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
 description: "This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. The recommended state for this setting is: Enabled: 1 minute."
 rationale: "This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 1 minute: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Session Time Limits\\Set time limit for disconnected sessions. 
Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.58.3.10.2"]
 - cis_csc: ["16.5"]
@@ -584,7 +584,7 @@ checks:
 title: "Ensure 'Set what information is shared in Search' is set to 'Enabled: Anonymous info'"
 description: "Various levels of information can be shared with Bing in Search, to include user information and location. Configuring this setting prevents users from selecting the level of information shared and enables the most restrictive selection. The recommended state for this setting is: Enabled: Anonymous info."
 rationale: "Limiting the search information shared with Microsoft Bing enhances privacy and security."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Anonymous info: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Search\\Set what information is shared in Search. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Search.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.60.3"]
 - cis_csc: ["13"]
@@ -600,7 +600,7 @@ checks:
 title: "Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'"
 description: "The Key Management Service (KMS) is a Microsoft license activation method that entails setting up a local server to store the software licenses. The KMS server itself needs to connect to Microsoft to activate the KMS service, but subsequent on-network clients can activate Microsoft Windows OS and/or their Microsoft Office via the KMS server instead of connecting directly to Microsoft. This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. The recommended state for this setting is: Enabled."
 rationale: "Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Software Protection Platform\\Turn off KMS Client Online AVS Validation. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AVSValidationGP.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.65.1"]
 condition: all
@@ -611,9 +611,9 @@ checks:
 - id: 11535
 title: "Ensure 'Join Microsoft MAPS' is set to 'Disabled'"
- description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are:  - (0x0) Disabled (default)  - (0x1) Basic membership  - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
+ description: "This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. 
Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled."
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. 
It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer)."
 compliance:
 - cis: ["18.9.76.3.2"]
 condition: all
@@ -626,7 +626,7 @@ checks:
 title: "Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'"
 description: "This policy setting controls whether Web-based programs are allowed to install software on the computer without notifying the user. The recommended state for this setting is: Disabled."
 rationale: "Suppressing the system warning can pose a security risk and increase the attack surface on the system."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Installer\\Prevent Internet Explorer security prompt for Windows Installer scripts. Note: This Group Policy path is provided by the Group Policy template MSI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Disable IE security prompt for Windows Installer scripts, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: ["18.9.85.3"]
 - cis_csc: ["7"]
@@ -642,7 +642,7 @@ checks:
 title: "Ensure 'Allow remote server management through WinRM' is set to 'Disabled'"
 description: "This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. The recommended state for this setting is: Disabled."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Management (WinRM)\\WinRM Service\\Allow remote server management through WinRM. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteManagement.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. 
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow automatic configuration of listeners, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates."
 compliance:
 - cis: ["18.9.97.2.2"]
 - cis_csc: ["3.4"]
@@ -658,7 +658,7 @@ checks:
 title: "Ensure 'Allow Remote Shell Access' is set to 'Disabled'"
 description: "This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. The recommended state for this setting is: Disabled. Note: The GPME help text for this setting is incorrectly worded, implying that configuring it to Enabled will reject new Remote Shell connections, and setting it to Disabled will allow Remote Shell connections. The opposite is true (and is consistent with the title of the setting). This is a wording mistake by Microsoft in the Administrative Template."
 rationale: "Any feature is a potential avenue of attack, those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and when feasible employ additional controls such as IPsec."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Administrative Templates\\Windows Components\\Windows Remote Shell\\Allow Remote Shell Access. Note: This Group Policy path is provided by the Group Policy template WindowsRemoteShell.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
 - cis: ["18.9.98.1"]
 - cis_csc: ["3.4"]
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index 72320e1f9..9d4b5e545 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
@@ -65,7 +65,7 @@ checks:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
 - id: 12002
- title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled"
+ title: "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
 description: "This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled."
 rationale: "Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only."
@@ -500,7 +500,7 @@ checks:
 - id: 12029
 title: "Configure 'Network access: Named Pipes that can be accessed anonymously'"
- description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:  Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
+ description: "This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: - Level 1 - Domain Controller. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. - Level 1 - Member Server. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously."
 rationale: "Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system."
remediation: "To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network access: Named Pipes that can be accessed anonymously."
 compliance:
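Review bot: In the rewritten description the Member Server recommendation reads `The recommended state for this setting is: (i.e. None)`, so the value the parenthetical explains is missing and a reader cannot tell whether an empty value is intended or a word was dropped. This wording appears to come from a benchmark text that had a placeholder (likely `<blank>`) in that position, which has been lost; while this line is being reformatted, restate it explicitly, e.g. `The recommended state for this setting is: <blank> (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER.`. The check's rules are outside this hunk, so I could not confirm what value the rule actually tests against the description.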
@@ -805,7 +805,7 @@ checks:
 - id: 12048
 title: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
 description: "This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled."
- rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: -If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. -If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
+ rationale: "One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. 
To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account."
 compliance:
 - cis: ["2.3.17.1"]
@@ -884,8 +884,8 @@ checks:
 - id: 12053
 title: "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'"
- description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
- rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: -To set the foreground window.  -To drive any application window using SendInput function. -To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. -To set journal hooks. -To uses AttachThreadInput to attach a thread to a higher integrity input queue."
+ description: "This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\\Program Files\\, including subfolders; ...\\Windows\\system32\\; ...\\Program Files (x86)\\, including subfolders (for 64-bit versions of Windows). 
Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled."
+ rationale: "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Only elevate UIAccess applications that are installed in secure locations."
 compliance:
 - cis: ["2.3.17.6"]
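Review bot: The rewritten rationale still carries the typo in its last list item, `- To uses AttachThreadInput to attach a thread to a higher integrity input queue.`; since the whole line is being rewritten to normalize the list, change it to `- To use AttachThreadInput to attach a thread to a higher integrity input queue.`. The rest of the new description and rationale text reads consistently with the `- item` style used in the other hunks of this commit.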
@@ -932,7 +932,7 @@ checks:
 - id: 12056
 title: "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'"
- description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
+ description: "This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\\system32 - HKEY_LOCAL_MACHINE\\Software. The recommended state for this setting is: Enabled."
 rationale: "This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Virtualize file and registry write failures to per-user locations."
 compliance:
@@ -1604,7 +1604,7 @@ checks:
 - id: 12098
 title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
- description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
+ description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. 
For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled."
 rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
 compliance:
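Review bot: The new description keeps the two list items as `-Search folders specified in the system path first, ...` and `-Search current working folder first, ...`, with no space after the dash, while the other descriptions rewritten in this commit are normalized to `- item`; the old and new lines of this hunk otherwise look identical, so the normalization seems to be the point of the change and was missed here. Suggest `- Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path.`. The unchanged remediation line `...Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default.` also lacks the sentence break that this commit adds before `Note:` elsewhere.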
@@ -1722,7 +1722,7 @@ checks:
 - id: 12105
 title: "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
- description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:  -Good: The driver has been signed and has not been tampered with.  -Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.  -Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.  -Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
+ description: "This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. 
- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical."
 rationale: "This policy setting helps reduce the impact of malware that has already infected your system."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical: Computer Configuration\\Policies\\Administrative Templates\\System\\Early Launch Antimalware\\Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)."
 compliance:
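Review bot: The unchanged remediation line in this hunk still reads `...Boot-Start Driver Initialization Policy Note: This Group Policy path may not exist by default.`, without the sentence break that this commit adds before `Note:` in the other remediations (for example `...Join Microsoft MAPS. Note:`), so the file is left inconsistent by the same commit that introduces the convention. While this check is being touched, change it to `...Boot-Start Driver Initialization Policy. Note: This Group Policy path may not exist by default.`. The rewritten description also keeps the stray `boot- start driver` from the original text; `boot-start driver` matches every other occurrence in the same string.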
@@ -2585,7 +2585,7 @@ checks:
 - id: 12159
 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
- description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:  2 - Notify for download and auto install (Notify before downloading any updates)  3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)  4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.))  5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. 
If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process."
 rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates."
 compliance:
diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index af5c5f697..6f6504061 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml
@@ -69,7 +69,7 @@ checks:
 - cis: ["18.4.5"]
 - cis_csc: ["9"]
 references:
- - 'CCE-36868-8'
+ - 'CCE-36868-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -85,7 +85,7 @@ checks:
 - cis: ["18.4.7"]
 - cis_csc: ["9"]
 references:
- - 'CCE-38065-9'
+ - 'CCE-38065-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -101,7 +101,7 @@ checks:
 - cis: ["18.4.10"]
 - cis_csc: ["9"]
 references:
- - 'CCE-37846-3'
+ - 'CCE-37846-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -117,7 +117,7 @@ checks:
 - cis: ["18.4.11"]
 - cis_csc: ["9"]
 references:
- - 'CCE-36051-1'
+ - 'CCE-36051-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
@@ -134,7 +134,7 @@ checks:
 - cis: ["18.5.9.1"]
 - cis_csc: ["9"]
 references:
- - 'CCE-38170-7'
+ - 'CCE-38170-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
@@ -156,7 +156,7 @@ checks:
 - cis: ["18.5.9.2"]
 - cis_csc: ["9"]
 references:
- - 'CCE-37959-4'
+ - 'CCE-37959-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
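Review bot: The rewritten description says `select one of the following three options` but then lists four (`- 2 -`, `- 3 -`, `- 4 -`, `- 5 -`), and the fourth item carries a doubled closing parenthesis in `on the schedule specified below.))`; since this line is being reformatted anyway, fix both: `select one of the following options in the Configure Automatic Updates Properties dialog box` and `...install them on the schedule specified below.)`. The unchanged remediation line `...Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided...` also lacks the sentence break this commit adds before `Note:` in the other remediations; `...Configure Automatic Updates. Note: ...` would keep the file consistent.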
@@ -179,7 +179,7 @@ checks:
 - cis: ["18.5.10.2"]
 - cis_csc: ["9.1"]
 references:
- - 'CCE-37699-6'
+ - 'CCE-37699-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
@@ -194,8 +194,6 @@ checks:
 compliance:
 - cis: ["18.5.19.2.1"]
 - cis_csc: ["9"]
- references:
- - ''
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
@@ -212,7 +210,7 @@ checks:
 - cis: ["18.5.20.1"]
 - cis_csc: ["15.4"]
 references:
- - 'CCE-37481-9'
+ - 'CCE-37481-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
@@ -236,7 +234,7 @@ checks:
 - cis: ["18.5.20.2"]
 - cis_csc: ["15.4"]
 references:
- - 'CCE-36109-7'
+ - 'CCE-36109-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
@@ -253,7 +251,7 @@ checks:
 - cis: ["18.5.21.2"]
 - cis_csc: ["12"]
 references:
- - 'CCE-37627-7'
+ - 'CCE-37627-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
@@ -268,7 +266,7 @@ checks:
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Internet Communication Management\\Internet Communication settings\\Turn off handwriting personalization data sharing."
 compliance:
 - cis: ["18.8.22.1.2"]
- - cis_csc: ["13"]
+ - cis_csc: ["13"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
@@ -284,7 +282,7 @@ checks:
 - cis: ["18.8.22.1.3"]
 - cis_csc: ["13"]
 references:
- - 'CCE-37911-5'
+ - 'CCE-37911-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
@@ -300,7 +298,7 @@ checks:
 - cis: ["18.8.22.1.4"]
 - cis_csc: ["13"]
 references:
- - 'CCE-37163-3'
+ - 'CCE-37163-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
@@ -315,7 +313,7 @@ checks:
 compliance:
 - cis: ["18.8.22.1.7"]
 references:
- - 'CCE-36352-3'
+ - 'CCE-36352-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
@@ -331,7 +329,7 @@ checks:
 - cis: ["18.8.22.1.8"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36884-5'
+ - 'CCE-36884-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
@@ -347,7 +345,7 @@ checks:
 - cis: ["18.8.22.1.9"]
 - cis_csc: ["13"]
 references:
- - 'CCE-38275-4'
+ - 'CCE-38275-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -363,7 +361,7 @@ checks:
 - cis: ["18.8.22.1.10"]
 - cis_csc: ["13"]
 references:
- - 'CCE-37090-8'
+ - 'CCE-37090-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
@@ -379,7 +377,7 @@ checks:
 - cis: ["18.8.22.1.11"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36628-6'
+ - 'CCE-36628-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
@@ -395,7 +393,7 @@ checks:
 - cis: ["18.8.22.1.12"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36174-1'
+ - 'CCE-36174-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
@@ -411,7 +409,7 @@ checks:
 - cis: ["18.8.22.1.13"]
 - cis_csc: ["13"]
 references:
- - 'CCE-35964-6'
+ - 'CCE-35964-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
@@ -431,7 +429,7 @@ checks:
 - cis: ["18.8.26.1"]
 - cis_csc: ["16.5"]
 references:
- - 'CCE-36343-2'
+ - 'CCE-36343-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
@@ -448,7 +446,7 @@ checks:
 - cis: ["18.8.36.2"]
 - cis_csc: ["9.1"]
 references:
- - 'CCE-36559-3'
+ - 'CCE-36559-3'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
@@ -465,7 +463,7 @@ checks:
 - cis: ["18.8.44.5.1"]
 - cis_csc: ["13"]
 references:
- - 'CCE-38161-6'
+ - 'CCE-38161-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
@@ -482,7 +480,7 @@ checks:
 - cis: ["18.8.44.11.1"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36648-4'
+ - 'CCE-36648-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
@@ -499,7 +497,7 @@ checks:
 - cis: ["18.8.46.1"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36931-4'
+ - 'CCE-36931-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
@@ -516,7 +514,7 @@ checks:
 - cis: ["18.8.49.1.1"]
 - cis_csc: ["6.1"]
 references:
- - 'CCE-37843-0'
+ - 'CCE-37843-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
@@ -532,7 +530,7 @@ checks:
 - cis: ["18.8.49.1.2"]
 - cis_csc: ["9.1"]
 references:
- - 'CCE-37319-1'
+ - 'CCE-37319-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
@@ -548,7 +546,7 @@ checks:
 compliance:
 - cis: ["18.9.39.1.1"]
 references:
- - 'CCE-38225-9'
+ - 'CCE-38225-9'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -564,7 +562,7 @@ checks:
 - cis: ["18.9.39.2"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36886-0'
+ - 'CCE-36886-0'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
@@ -580,7 +578,7 @@ checks:
 compliance:
 - cis: ["18.9.58.3.2.1"]
 references:
- - 'CCE-37708-5'
+ - 'CCE-37708-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -597,7 +595,7 @@ checks:
 - cis: ["18.9.58.3.3.1"]
 - cis_csc: ["9.1"]
 references:
- - 'CCE-37696-2'
+ - 'CCE-37696-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -613,7 +611,7 @@ checks:
 - cis: ["18.9.58.3.3.3"]
 - cis_csc: ["9.1"]
 references:
- - 'CCE-37778-8'
+ - 'CCE-37778-8'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -629,7 +627,7 @@ checks:
 - cis: ["18.9.58.3.3.4"]
 - cis_csc: ["9.1"]
 references:
- - 'CCE-37477-7'
+ - 'CCE-37477-7'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -646,7 +644,7 @@ checks:
 - cis: ["18.9.58.3.10.1"]
 - cis_csc: ["16.5"]
 references:
- - 'CCE-37562-6'
+ - 'CCE-37562-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -662,7 +660,7 @@ checks:
 - cis: ["18.9.58.3.10.2"]
 - cis_csc: ["16.5"]
 references:
- - 'CCE-37949-5'
+ - 'CCE-37949-5'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
@@ -679,7 +677,7 @@ checks:
 - cis: ["18.9.60.3"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36937-1'
+ - 'CCE-36937-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
@@ -707,7 +705,7 @@ checks:
 rationale: "The information that would be sent can include things like location of detected items on your computer if harmful software was removed."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Defender Antivirus\\MAPS\\Join Microsoft MAPS."
 compliance:
- - cis: ["18.9.76.3.2"]
+ - cis: ["18.9.76.3.2"]
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
@@ -724,7 +722,7 @@ checks:
 - cis: ["18.9.76.9.1"]
 - cis_csc: ["13"]
 references:
- - 'CCE-36950-4'
+ - 'CCE-36950-4'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
@@ -741,7 +739,7 @@ checks:
 - cis: ["18.9.85.3"]
 - cis_csc: ["7"]
 references:
- - 'CCE-37524-6'
+ - 'CCE-37524-6'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
@@ -758,7 +756,7 @@ checks:
 - cis: ["18.9.97.2.2"]
 - cis_csc: ["3.4"]
 references:
- - 'CCE-37927-1'
+ - 'CCE-37927-1'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
@@ -775,7 +773,7 @@ checks:
 - cis: ["18.9.98.1"]
 - cis_csc: ["3.4"]
 references:
- - 'CCE-36499-2'
+ - 'CCE-36499-2'
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
From 5852a14e91676ecc8639bcd54dc345b5e7435a7f Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Fri, 9 Aug 2019 06:46:46 -0700
Subject: [PATCH 232/247] Fix unnused negations in rules
---
 sca/debian/cis_debian7_L1.yml | 2 +-
 sca/debian/cis_debian9_L1.yml | 2 +-
 sca/sles/11/cis_sles11_linux.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sca/debian/cis_debian7_L1.yml b/sca/debian/cis_debian7_L1.yml
index 2af3b9c2c..2df51be96 100644
--- a/sca/debian/cis_debian7_L1.yml
+++ b/sca/debian/cis_debian7_L1.yml
@@ -1193,7 +1193,7 @@ checks:
 - cis: ["13.5"]
 condition: none
 rules:
- - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
 - id: 1098
 title: "Ensure shadow group is empty"
diff --git a/sca/debian/cis_debian9_L1.yml b/sca/debian/cis_debian9_L1.yml
index 4229865a1..a592cc66c 100644
--- a/sca/debian/cis_debian9_L1.yml
+++ b/sca/debian/cis_debian9_L1.yml
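Review bot: The third term `r:^\w+:\w+:0:` only recognises a UID-0 entry whose user name and password field consist entirely of word characters, and under `condition: none` an entry that fails to match makes the check pass; if the agent's `\w` class does not cover `.` (permitted in user names on many systems) or `*`/`!` (common in the password field), such a UID-0 account would go unreported. The `not` → `!` correction itself is right, and the same rule is fixed identically in the cis_sles11_linux.yml hunk of this patch. A command rule that asks the question directly avoids the regex class altogether, e.g. `- "c:awk -F: '($3 == 0) { print $1 }' /etc/passwd -> !r:^root$"` under the same `condition: none`, which fails whenever any UID-0 name other than root is printed.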
@@ -1040,7 +1040,7 @@ checks:
 - cis_csc: ["16.13"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && n:^MaxAuthTries\s*\t*(\d+) compare <= 4'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:MaxAuthTries\s*\t*(\d+) compare <= 4'
 - id: 3076
 title: "Ensure SSH IgnoreRhosts is enabled"
diff --git a/sca/sles/11/cis_sles11_linux.yml b/sca/sles/11/cis_sles11_linux.yml
index 7258a4ce8..42f988477 100644
--- a/sca/sles/11/cis_sles11_linux.yml
+++ b/sca/sles/11/cis_sles11_linux.yml
@@ -906,7 +906,7 @@ checks:
 - nist_800_53: ["AU.14", "AC.7"]
 condition: none
 rules:
- - 'f:/etc/passwd -> !r:^# && not r:^\s*\t*root: && r:^\w+:\w+:0:'
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
 - id: 6057
 title: "Ensure password fields are not empty"
From 07fced232c39ab12d9da7367730040c423cd6418 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Fri, 9 Aug 2019 06:47:07 -0700
Subject: [PATCH 233/247] Fix SCA Solaris 11 policy
---
 sca/sunos/cis_solaris11.yml | 146 ++++++++++++++---------------------
 1 file changed, 55 insertions(+), 91 deletions(-)
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index cd7149a74..745a722e4 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
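Review bot: Dropping the `^` anchor lets `n:MaxAuthTries\s*\t*(\d+)` match the keyword anywhere in a line, and `!r:^#` only excludes lines whose very first character is `#`, so an indented comment such as `  # MaxAuthTries 3` or a `MaxAuthTries` line inside a `Match` block now satisfies the rule while sshd keeps applying the first global value it reads. If leading whitespace was the reason for removing the anchor, `!r:^\s*\t*# && n:^\s*\t*MaxAuthTries\s*\t*(\d+) compare <= 4` keeps that tolerance without accepting comments. On Debian 9 the effective value could also be read with a command rule, e.g. `c:sshd -T -> n:^maxauthtries\s+(\d+) compare <= 4`, if the agent is allowed to run it. The same anchor removal is introduced by the Solaris 11 hunks for checks 7022–7027 and 7034 in PATCH 233 below, and this hunk changes an anchor rather than a negation, which the commit message does not mention.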
@@ -14,7 +14,7 @@ policy:
 id: "cis_solaris11"
 file: "cis_solaris11.yml"
 name: "CIS benchmark for Oracle Solaris 11"
- description: "This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates."
+ description: "This document, CIS Oracle Solaris 11 Benchmark v1.1.0, provides prescriptive guidance for establishing a secure configuration posture for Oracle Solaris 11 on both x86 and SPARC platforms. This guide was tested against Solaris 11 11/11 release, updated to the Software Repository Update 5 (SRU5). As of the publication of this document, Solaris 11 11/11 SRU5 is the latest available support update for the Solaris 11 OS. The recommendations included in this document may need to be adjusted for future Solaris 11 updates."
 references:
 - https://www.cisecurity.org/cis-benchmarks/
@@ -40,7 +40,7 @@ checks:
 - id: 7001
 title: "Configure sendmail Service for Local-Only Mode"
- description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it."
+ description: "In Solaris 11, the sendmail service is set to local only mode by default. This means that users on remote systems cannot connect to the sendmail service, eliminating the possibility of a remote exploit attack against some future sendmail vulnerability. Leaving sendmail in local-only mode permits mail to be sent out from the local system. If the local system will not be processing or sending any mail, this service can be disabled. However, if sendmail is disabled completely, email messages sent to the root account (such as cron job output or audit service warnings) will fail to be delivered. An alternative approach is to disable the sendmail service and create a cron job to process all mail that is queued on the local system, sending it to a relay host defined in the sendmail.cf file. It is recommended that sendmail be left in local-only mode unless there is a specific requirement to completely disable it."
rationale: "The software for all Mail Transfer Agents is complex and most have a long history of security issues. While it is important to ensure that the system can process local mail messages, it is not necessary to have the MTA's daemon listening on a port unless the server is intended to be a mail server that receives and processes mail from other systems."
 remediation: "Run the following to set sendmail to listen only local interfaces: # svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=false # svcadm refresh sendmail # svcadm restart sendmail"
 compliance:
@@ -51,7 +51,7 @@ checks:
 - id: 7002
 title: "Disable RPC Encryption Key"
- description: "The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)"
+ description: "The keyserv service is only required for sites that are using the Secure RPC mechanism. The most common use for Secure RPC on Solaris machines is \"secure NFS\", which uses the Secure RPC mechanism to provide higher levels of security than the standard NFS protocols. (\"Secure NFS\" is unrelated to Kerberos authentication as a mechanism for providing higher levels of NFS security. \"Kerberized\" NFS does not require the keyserv service to be running.)"
 rationale: "This service should be disabled if it is not required."
 remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/keyserv"
 compliance:
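Review bot: The remediation for check 7001 sets `config/local_only=false`, which is the opposite of the local-only mode the title and description call for; the setting that restricts sendmail to the loopback interface is `# svccfg -v -s svc:/network/smtp:sendmail setprop config/local_only=true`. This is an unchanged context line, so the commit leaves it as is, and an operator following the text as written would put the MTA on the network. The `rules:` for 7001 lie outside the hunk, so I cannot confirm whether they test for the `true` value the remediation should produce.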
@@ -137,16 +137,16 @@ checks:
 compliance:
 - cis: ["2.10"]
 references:
- - http://httpd.apache.org/docs/2.0/misc/security_tips.html
+ - https://httpd.apache.org/docs/2.0/misc/security_tips.html
 condition: all
 rules:
 - 'c:svcs -xv svc:/network/http:apache22 -> r:State:\sdisabled|State:\s-$|match\sany\sinstances'
 - id: 7010
 title: "Disable Local-only RPC Port Mapping Service"
- description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only."
+ description: "Remote Procedure Call (RPC) is used by many services within the Solaris 11 operating system. Some of these services allow external connections to use the service (e.g. NFS, NIS). By default, the Solaris 11 OS configures this service to be local only."
 rationale: "RPC-based services typically have weak or non-existent authentication and yet may share very sensitive information, which is vulnerable to network traffic sniffers. Unless one of these services is required on this host, RPC-based tools should be fully disabled."
- remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service. Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
+ remediation: "To disable this service, run the following command: # svcadm disable svc:/network/rpc/bind. If the goal is to restrict access to this service, but not disable it completely, consider using a host-based firewall such as ipfilter(5) to control what hosts are allowed to access this service.
Alternatively, TCP Wrappers support, which controls host access and connection auditing, can be enabled. TCP Wrappers is discussed in the next section."
 compliance:
 - cis: ["2.11"]
 condition: all
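Review bot: In the new remediation for 7010 the sentence-ending period is glued to the command, `# svcadm disable svc:/network/rpc/bind.`, so anyone copying it gets an FMRI that ends in a dot; the rewritten 7011 remediation in the next hunk does the same in several places (`/etc/hosts.allow.`, `/etc/hosts.deny.`, `tcp_wrappers=TRUE.`, `rpc/bind.`). Putting the command last in its sentence without the trailing period, or separating it with a space before the period, keeps the commands copy-safe. The `ALL: /, , ...` example in 7011 also appears to have lost its placeholder tokens (presumably network/mask pairs in angle brackets) in both the old and new text, which is worth restoring while the string is being edited.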
@@ -157,7 +157,7 @@ checks:
 title: "Configure TCP Wrappers"
 description: "TCP Wrappers is a host-based access control system that allows administrators to control who has access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections."
 rationale: "TCP Wrappers provides granular control over what services can be accessed over the network. Its logs show attempted access to services from non-authorized systems, which can help identify unauthorized access attempts."
- remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2. Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny 3. Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
+ remediation: "To enable TCP Wrappers, run the following commands: 1. Create and customize your policy in /etc/hosts.allow: # echo \"ALL: /, , ...\" > /etc/hosts.allow.
Where each / combination (for example, the Class C address block \"192.168.1.0/255.255.255.0\") can represent one network block in use by your organization that requires access to this system. 2) Create a default deny policy in /etc/hosts.deny: # echo \"ALL: ALL\" >/etc/hosts.deny. 3) Enable TCP Wrappers for all services started by inetd: # inetadm -M tcp_wrappers=TRUE - To protect only specific inetd services, use the command: # inetadm -m [FMRI] tcp_wrappers=TRUE. To enable TCP Wrappers for the RPC port mapping service, use the commands: # svccfg -s rpc/bind setprop config/enable_tcpwrappers=true # svcadm refresh rpc/bind. The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information."
 compliance:
 - cis: ["2.12"]
 references:
@@ -171,7 +171,7 @@ checks:
 - id: 7012
 title: "Disable Telnet Service"
 description: "The telnet daemon, which accepts connections from users from other systems via the telnet protocol and can be used for remote shell access."
- rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
+ rationale: "The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow a user with access to sniff network traffic the ability to steal credentials. The ssh protocol provides an encrypted session and stronger security."
 remediation: "Disable telnet server if enabled: # svcadm disable svc:/network/telnet"
 compliance:
 - cis: ["2.13"]
@@ -190,15 +190,8 @@ checks:
 condition: all
 rules:
 - 'c:coreadm'
- - 'c:coreadm -> r:global core file pattern: /var/cores/core_%n_%f_%u_%g_%t_%p'
- - 'c:coreadm -> r:global core file content: default'
- - 'c:coreadm -> r:init core file pattern: core'
- - 'c:coreadm -> r:init core file content: default'
- - 'c:coreadm -> r:global core dumps: enabled'
 - 'c:coreadm -> r:per-process core dumps: disabled'
- - 'c:coreadm -> r:global setid core dumps: enabled'
 - 'c:coreadm -> r:per-process setid core dumps: disabled'
- - 'c:coreadm -> r:global core dump logging: enabled'
 - id: 7014
 title: "Enable Stack Protection"
@@ -295,7 +288,7 @@ checks:
 - id: 7020
 title: "Configure Solaris Auditing"
- description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)."
+ description: "Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs.
For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation. The \"cis\" class is a \"custom class\" that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events. This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis)."
 rationale: "The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls."
 remediation: "To enforce this setting, use the command: # auditconfig -conf # auditconfig -setflags lo,ad,ft,ex,cis # auditconfig -setnaflags lo # auditconfig -setpolicy cnt,argv,zonename # auditconfig -setplugin audit_binfile active p_minfree=1 # audit -s # rolemod -K audit_flags=lo,ad,ft,ex,cis:no root # EDITOR=ed crontab -e root << END_CRON $ a 0 * * * * /usr/sbin/audit -n . w q END_CRON # chown root:root /var/audit # chmod 750 /var/audit"
 compliance:
@@ -333,7 +326,7 @@ checks:
 condition: all
 rules:
 - 'f:/etc/default/keyserv'
- - 'f:/etc/default/keyserv -> r:^ENABLE_NOBODY_KEYS\s*\t*=\s*\t*NO'
+ - 'f:/etc/default/keyserv -> !r:^# && r:ENABLE_NOBODY_KEYS\s*\t*=\s*\t*NO'
 - id: 7023
 title: "Disable X11 Forwarding for SSH"
@@ -344,7 +337,7 @@ checks:
 - cis: ["6.3"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> r:^X11Forwarding\s*no'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:X11Forwarding\s+no'
 - id: 7024
 title: "Limit Consecutive Login Attempts for SSH"
@@ -355,7 +348,7 @@ checks:
 - cis: ["6.4"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> n:^MaxAuthTries\s+(\d+) compare <= 3'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && n:MaxAuthTries\s*\t*(\d+) compare <= 3'
 - id: 7025
 title: "Disable Rhost-based Authentication for SSH"
@@ -366,7 +359,7 @@ checks:
 - cis: ["6.5"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\.+yes'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:IgnoreRhosts\s+yes'
 - id: 7026
 title: "Disable root login for SSH"
@@ -377,7 +370,7 @@ checks:
 - cis: ["6.6"]
 condition: all
 rules: 
- - 'f:/etc/ssh/sshd_config -> r:^PermitRootLogin\s*no'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitRootLogin\s+no'
 - id: 7027
 title: "Blocking Authentication Using Empty/Null Passwords for SSH"
@@ -388,7 +381,7 @@ checks:
 - cis: ["6.7"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> r:^\s*\t*PermitEmptyPasswords\.+no'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:PermitEmptyPasswords\s+no'
 - id: 7028
 title: "Disable Host-based Authentication for Login-based Services"
@@ -399,38 +392,8 @@ checks:
 - cis: ["6.8"]
 condition: all
 rules:
- - 'f:/etc/pam.conf -> r:^#rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
- - 'f:/etc/pam.conf -> r:^#rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
- - id: 7029
- title: "Restrict FTP Use"
- description: "If FTP is permitted to be used on the system, the file /etc/ftpd/ftpusers is used to specify a list of users who are not allowed to access the system via FTP."
- rationale: "FTP is an old and insecure protocol that transfers files and credentials in clear text and can be replaced by using sftp. However, if FTP is permitted for use in your environment, it is important to ensure that the default \"system\" accounts are not permitted to transfer files via FTP, especially the root role. Consider also adding the names of other privileged or shared accounts that may exist on your system such as user oracle and the account which your Web server process runs under. It should be reminded that the Solaris FTP service is disabled by default."
- remediation: "Perform the following to implement the recommended state: # cd /etc/ftpd # for user in `logins -s | awk '{ print $1 }'` aiuser noaccess nobody nobody4; do $(echo $user >> ftpusers) done # sort -u ftpusers > ftpusers.CIS # mv ftpusers.CIS ftpusers If your site policy states that users have to be authorized to use FTP, consider placing all users in the /etc/ftpd/ftpusers file and then explicitly removing those who are permitted to use the service. To accomplish this, use the command: # getent passwd | cut -f1 -d\":\" > /etc/ftpd/ftpusers This prohibits any user on the system from using ftp unless they are explicitly removed from the file. Note that this file will need to be updated as users are added to or removed from the system."
- compliance:
- - cis: ["6.9"]
- condition: all
- rules:
- - 'f:/etc/ftpd/ftpusers -> r:^adm'
- - 'f:/etc/ftpd/ftpusers -> r:^aiuser'
- - 'f:/etc/ftpd/ftpusers -> r:^bin'
- - 'f:/etc/ftpd/ftpusers -> r:^daemon'
- - 'f:/etc/ftpd/ftpusers -> r:^gdm'
- - 'f:/etc/ftpd/ftpusers -> r:^listen'
- - 'f:/etc/ftpd/ftpusers -> r:^lp'
- - 'f:/etc/ftpd/ftpusers -> r:^noaccess'
- - 'f:/etc/ftpd/ftpusers -> r:^nobody'
- - 'f:/etc/ftpd/ftpusers -> r:^nobody4'
- - 'f:/etc/ftpd/ftpusers -> r:^nuucp'
- - 'f:/etc/ftpd/ftpusers -> r:^openldap'
- - 'f:/etc/ftpd/ftpusers -> r:^postgres'
- - 'f:/etc/ftpd/ftpusers -> r:^root'
- - 'f:/etc/ftpd/ftpusers -> r:^smmsp'
- - 'f:/etc/ftpd/ftpusers -> r:^svctag'
- - 'f:/etc/ftpd/ftpusers -> r:^sys'
- - 'f:/etc/ftpd/ftpusers -> r:^unknown'
- - 'f:/etc/ftpd/ftpusers -> r:^uucp'
- - 'f:/etc/ftpd/ftpusers -> r:^webservd'
+ - 'f:/etc/pam.conf -> r:^#\s*\t*rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
+ - 'f:/etc/pam.conf -> r:^#\s*\t*rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
 - id: 7030
 title: "Set Delay between Failed Login Attempts to 4"
@@ -441,7 +404,7 @@ checks:
 - cis: ["6.10"]
 condition: all
 rules:
- - 'f:/etc/default/login -> n:^SLEEPTIME\s*\t*=\s*\t*(\d+) compare >= 4'
+ - 'f:/etc/default/login -> !r:^# && n:^SLEEPTIME\s*\t*=\s*\t*(\d+) compare >= 4'
 - id: 7031
 title: "Remove Autologin Capabilities from the GNOME desktop"
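Review bot: With `condition: all`, the rewritten rules for 7028 still require a *commented* `rlogin`/`rsh` entry to be present, so a pam.conf from which the lines were removed outright fails the check, while a file that keeps a commented copy next to an active `rlogin auth sufficient pam_rhosts_auth.so.1` entry passes. Inverting the test states the intent directly: `condition: none` with `- 'f:/etc/pam.conf -> !r:^\s*\t*# && r:^\s*\t*rlogin && r:pam_rhosts_auth.so.1'` and the same for `rsh`, which is the shape the Debian 7 passwd check in PATCH 232 already uses. The gdm-autologin rules of 7031 in the next hunk have the same structure and would benefit from the same inversion.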
@@ -452,9 +415,9 @@ checks:
 - cis: ["6.11"]
 condition: all
 rules:
- - 'f:/etc/pam.conf -> r:^#gdm-autologin && r:auth && r:required && r:pam_unix_cred.so.1'
- - 'f:/etc/pam.conf -> r:^#gdm-autologin && r:auth && r:sufficient && r:pam_allow.so.1'
- - 'f:/etc/pam.conf -> r:^#gdm-autologin && r:account && r:sufficient && r:pam_allow.so.1'
+ - 'f:/etc/pam.conf -> r:^#\s*\t*gdm-autologin && r:auth && r:required && r:pam_unix_cred.so.1'
+ - 'f:/etc/pam.conf -> r:^#\s*\t*gdm-autologin && r:auth && r:sufficient && r:pam_allow.so.1'
+ - 'f:/etc/pam.conf -> r:^#\s*\t*gdm-autologin && r:account && r:sufficient && r:pam_allow.so.1'
 - id: 7032
 title: "Set Default Screen Lock for GNOME Users"
@@ -466,14 +429,14 @@ checks:
 condition: all
 rules:
 - 'f:/usr/share/X11/app-defaults/XScreensaver'
- - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*0:10:00'
- - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*0:00:00'
+ - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*timeout:\s*\t*\d+:\d+:\d+'
+ - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*\d+:\d+:\d+'
 - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true'
 - id: 7033
 title: "Restrict at/cron to Authorized Users"
 description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals."
- rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
+ rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)."
 remediation: "Perform the following to implement the recommended state: # cd /etc/cron.d # mv cron.deny cron.deny.cis # mv at.deny at.deny.cis # echo root > cron.allow # cp /dev/null at.allow # chown root:root cron.allow at.allow # chmod 400 cron.allow at.allow"
 compliance:
 - cis: ["6.13"]
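Review bot: Relaxing the `timeout`/`locktimeout` patterns to `\d+:\d+:\d+` means any value passes, including a multi-hour idle timeout, so check 7032 no longer enforces the lock interval its title implies and only the `*lock: true` line still carries the control. If the exact `0:10:00` match was too brittle, a bounded numeric rule keeps the intent, e.g. `- 'f:/usr/share/X11/app-defaults/XScreensaver -> n:^*timeout:\s*\t*0:(\d+):\d+ compare <= 10'` (hours pinned to 0, minutes bounded), with a corresponding bound for `locktimeout`. The check's `title` and `compliance` lines are outside the hunk, so the exact threshold should be confirmed against the benchmark entry they cite.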
@@ -484,7 +447,7 @@ checks:
 - 'f:/etc/cron.d/cron.allow'
 - 'f:/etc/cron.d/cron.allow -> r:^root$'
 - 'f:/etc/cron.d/at.allow'
- - 'c:wc -l /etc/cron.d/at.allow -> r:\s0\s'
+ - 'c:wc -l /etc/cron.d/at.allow -> r:\s*0\s'
 
 - id: 7034
 title: "Restrict root Login to System Console"
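Review bot: The relaxed pattern `r:\s*0\s` on the `wc -l` rule also matches counts that merely end in zero, because `\s*` may match nothing and the `0` in a constructed `10 /etc/cron.d/at.allow` is followed by whitespace; an at.allow with ten entries would satisfy a check that requires it to be empty. Anchoring the count fixes this while still tolerating any leading padding in the `wc` output: `- 'c:wc -l /etc/cron.d/at.allow -> r:^\s*0\s'`. As with any `c:` rule, the result also depends on `wc` being available to the agent, which this hunk does not change.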
@@ -495,19 +458,19 @@ checks:
 - cis: ["6.14"]
 condition: all
 rules:
- - 'f:/etc/default/login -> r:^CONSOLE\s*\t*=\s*\t*/dev/console'
+ - 'f:/etc/default/login -> !r:^# && r:CONSOLE|console && r:=\s*\t*/dev/console'
 
 - id: 7035
 title: "Set Retry Limit for Account Lockout"
- description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name."
+ description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name."
 rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/RETRIES=/ { $1 = \"RETRIES=3\" } { print }' login >login.CIS # mv login.CIS login # cd /etc/security # awk '/LOCK_AFTER_RETRIES=/ { $1 = \"LOCK_AFTER_RETRIES=YES\" } { print }' policy.conf > policy.conf.CIS # mv policy.conf.CIS policy.conf # svcadm restart svc:/system/name-service/cache Be careful when enabling these settings as they can create a denial-of-service situation for legitimate users and applications. Account lockout can be disabled for specific users via the usermod command. For example, the following command disables account lock specifically for the oracle account: # usermod -K lock_after_retries=no oracle"
 compliance:
 - cis: ["6.15"]
 condition: all
 rules:
- - 'f:/etc/default/login -> n:^RETRIES\s*\t*=\s*\t*(\d+) compare <=3'
- - 'f:/etc/security/policy.conf -> r:^LOCK_AFTER_RETRIES\s*\t*=\s*\t*yes'
+ - 'f:/etc/default/login -> !r:^# && r:retries|RETRIES && n:=\s*\t*(\d+) compare <=3'
+ - 'f:/etc/security/policy.conf -> !r:^# && r:LOCK_AFTER_RETRIES|lock_after_retries && r:=\s*\t*yes'
 
 - id: 7036
 title: "Secure the GRUB Menu (Intel)"
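Review bot: The rewritten CONSOLE, RETRIES and LOCK_AFTER_RETRIES rules pair `!r:^#` with an unanchored key (`r:CONSOLE|console`, `r:retries|RETRIES`), so the key is no longer required to start the line and a setting that is commented out behind leading whitespace (a constructed `  # RETRIES=3`) is not excluded by `!r:^#` yet still matches the rest of the rule. Using the indentation-tolerant anchor already present in this file for the comment test, `!r:^\s*\t*#`, closes that gap, and keeping `^\s*\t*` in front of the key name would restore the line-start requirement the old rules had. The same `!r:^#` plus unanchored-key shape is introduced in the UMASK (7039), proftpd Umask (7040), sshd Banner (7043), DisplayConnect (7045) and telnetd BANNER (7046) hunks below, so whatever is decided here should be applied to those too. The `compare <=3` threshold is unchanged and matches the `RETRIES=3` the remediation sets.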
@@ -538,24 +501,24 @@ checks:
 - id: 7038
 title: "Set Strong Password Creation Policies"
 description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user."
- rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
+ rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/PASSLENGTH=/ { $1 = \"PASSLENGTH=8\" }; /NAMECHECK=/ { $1 = \"NAMECHECK=YES\" }; /HISTORY=/ { $1 = \"HISTORY=10\" }; /MINDIFF=/ { $1 = \"MINDIFF=3\" }; /MINALPHA=/ { $1 = \"MINALPHA=2\" }; /MINUPPER=/ { $1 = \"MINUPPER=1\" }; /MINLOWER=/ { $1 = \"MINLOWER=1\" }; /MINNONALPHA=/ { $1 = \"MINNONALPHA=1\" }; /MAXREPEATS=/ { $1 = \"MAXREPEATS=0\" }; /WHITESPACE=/ { $1 = \"WHITESPACE=YES\" }; /DICTIONDBDIR=/ { $1 = \"DICTIONDBDIR=/var/passwd\" }; /DICTIONLIST=/ { $1 = \"DICTIONLIST=/usr/share/lib/dict/words\" }; { print }' passwd > passwd.CIS # mv passwd.CIS passwd"
 compliance:
 - cis: ["7.2"]
 condition: all
 rules:
- - 'f:/etc/default/passwd -> n:^passlength\s*\t*=\s*\t*(\d) compare <= 8'
- - 'f:/etc/default/passwd -> r:^namecheck\s*\t*=\s*\t*yes'
- - 'f:/etc/default/passwd -> n:^history\s*\t*=\s*\t*(\d+) compare >= 10'
- - 'f:/etc/default/passwd -> n:^mindiff\s*\t*=\s*\t*(\d+) compare >= 3'
- - 'f:/etc/default/passwd -> n:^minalpha\s*\t*=\s*\t*(\d+) compare >= 2'
- - 'f:/etc/default/passwd -> n:^minupper\s*\t*=\s*\t*(\d+) compare >= 1'
- - 'f:/etc/default/passwd -> n:^minlower\s*\t*=\s*\t*(\d+) compare >= 1'
- - 'f:/etc/default/passwd -> n:^minnonalpha\s*\t*=\s*\t*(\d+) compare >= 1'
- - 'f:/etc/default/passwd -> r:^maxrepeats\s*\t*=\s*\t*0'
- - 'f:/etc/default/passwd -> r:^whitespace\s*\t*=\s*\t*yes'
- - 'f:/etc/default/passwd -> r:^dictiondbdir\s*\t*=\s*\t*/var/passwd'
- - 'f:/etc/default/passwd -> r:^dictionlist\s*\t*=\s*\t*/usr/share/lib/dict/words'
+ - 'f:/etc/default/passwd -> !r:^# && r:passlength|PASSLENGTH && n:=\s*\t*(\d) compare <= 8'
+ - 'f:/etc/default/passwd -> !r:^# && r:namecheck|NAMECHECK && r:=\s*\t*yes'
+ - 'f:/etc/default/passwd -> !r:^# && r:history|HISTORY && n:=\s*\t*(\d+) compare >= 10'
+ - 'f:/etc/default/passwd -> !r:^# && r:mindiff|MINDIFF && n:=\s*\t*(\d+) compare >= 3'
+ - 'f:/etc/default/passwd -> !r:^# && r:minalpha|MINALPHA && n:=\s*\t*(\d+) compare >= 2'
+ - 'f:/etc/default/passwd -> !r:^# && r:minupper|MINUPPER && n:=\s*\t*(\d+) compare >= 1'
+ - 'f:/etc/default/passwd -> !r:^# && r:minlower|MINLOWER && n:=\s*\t*(\d+) compare >= 1'
+ - 'f:/etc/default/passwd -> !r:^# && r:minnonalpha|MINNONALPHA && n:=\s*\t*(\d+) compare >= 1'
+ - 'f:/etc/default/passwd -> !r:^# && r:maxrepeats|MAXREPEATS && r:=\s*\t*0'
+ - 'f:/etc/default/passwd -> !r:^# && r:whitespace|WHITESPACE && r:=\s*\t*yes'
+ - 'f:/etc/default/passwd -> !r:^# && r:dictiondbdir|DICTIONDBDIR && r:=\s*\t*/var/passwd'
+ - 'f:/etc/default/passwd -> !r:^# && r:dictionlist|DICTIONLIST && r:=\s*\t*/usr/share/lib/dict/words'
 
 - id: 7039
 title: "Set Default umask for users"
@@ -566,7 +529,7 @@ checks:
 - cis: ["7.3"]
 condition: all
 rules:
- - 'f:/etc/default/login -> r:^UMASK\s*\t*=\s*\t*027'
+ - 'f:/etc/default/login -> !r:^# && r:UMASK|umask && r:=\s*\t*027'
 
 - id: 7040
 title: "Set Default File Creation Mask for FTP Users"
@@ -577,7 +540,7 @@ checks:
 - cis: ["7.4"]
 condition: all
 rules:
- - 'f:/etc/proftpd.conf -> !r:^# && !r:^Umask\s*\t*027'
+ - 'f:/etc/proftpd.conf -> !r:^# && r:Umask && r:\s*\t*027'
 
 - id: 7041
 title: "Set \"mesg n\" as Default for All Users"
@@ -588,8 +551,8 @@ checks:
 - cis: ["7.5"]
 condition: all
 rules:
- - 'f:/etc/.login -> r:^mesg\s*n'
- - 'f:/etc/profile -> r:^mesg\s*n'
+ - 'f:/etc/.login -> r:^mesg\s*\t*n'
+ - 'f:/etc/profile -> r:^mesg\s*\t*n'
 
 # 8 Warning Banners
 - id: 7042
@@ -603,6 +566,7 @@ checks:
 rules:
 - 'f:/etc/issue -> r:Authorized users only. All activity may be monitored and reported'
 - 'f:/etc/motd -> r:Authorized users only. All activity may be monitored and reported'
+ - 'c:stat -c%u-%g-%a /etc/issue -> r:^0-0-644'
 
 - id: 7043
 title: "Enable a Warning Banner for the SSH Service"
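Review bot: The new passlength rule keeps `(\d)` from the old line, so it captures only the first digit of the value: a constructed `PASSLENGTH=12` is compared as 1. The comparison direction also looks inverted relative to its siblings and to the remediation, which sets `PASSLENGTH=8` as the floor while every other numeric rule in this block uses `>=`; `- 'f:/etc/default/passwd -> !r:^# && r:passlength|PASSLENGTH && n:=\s*\t*(\d+) compare >= 8'` would check what the title promises. If `<= 8` is deliberate, a comment on that rule stating why would spare the next reader the same question.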
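Review bot: The added ownership rule runs `stat -c%u-%g-%a`, which is the GNU coreutils option syntax; whether the `stat` shipped on the target Solaris release accepts `-c` should be confirmed, because a failing command makes this `condition: all` check fail regardless of the banner text. The rule is also asymmetric: the same check matches the banner in both `/etc/issue` and `/etc/motd` but verifies owner and mode only for `/etc/issue`, so either add `- 'c:stat -c%u-%g-%a /etc/motd -> r:^0-0-644'` or state in the description why only `/etc/issue` is covered. The check's title and description lie outside this hunk.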
@@ -612,12 +576,12 @@ checks:
 - cis: ["8.2"]
 condition: all
 rules:
- - 'f:/etc/ssh/sshd_config -> r:^Banner\s*/etc/issue'
+ - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*/etc/issue'
 
 - id: 7044
 title: "Enable a Warning Banner for the GNOME Service"
 description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific."
- rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
+ rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document."
 remediation: "Perform the following to implement the recommended state: Edit the /etc/gdm/Init/Default file to add the following content before the last line of the file. /usr/bin/zenity --text-info --width=800 --height=300 --title=\"Security Message\" --filename=/etc/issue"
 compliance:
 - cis: ["8.3"]
@@ -635,18 +599,18 @@ checks:
 - cis: ["8.4"]
 condition: all
 rules:
- - 'f:/etc/proftpd.conf -> r:^DisplayConnect\s*\t*/etc/issue'
+ - 'f:/etc/proftpd.conf -> !r:^# && r:DisplayConnect\s*\t*/etc/issue'
 
 - id: 7046
 title: "Check that the Banner Setting for telnet is Null"
 description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system."
- rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
+ rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell."
 remediation: "Perform the following to implement the recommended state: # cd /etc/default # awk '/^BANNER=/ { $1 = \"BANNER=\" }; { print }' telnetd > telnetd.CIS # mv telnetd.CIS telnetd"
 compliance:
 - cis: ["8.5"]
- condition: all
+ condition: none
 rules:
- - 'f:/etc/default/telnetd -> r:BANNER=""$'
+ - 'f:/etc/default/telnetd -> !r:^# && r:BANNER\s*\t*=\s*\t*\.'
 
 # 9 System Maintenance
 - id: 7047
@@ -696,7 +660,7 @@ checks:
 - cis: ["9.4"]
 condition: none
 rules:
- - 'f:/etc/shadow -> r:\.+::\.+\w+\.*$'
+ - 'f:/etc/shadow -> r:^\w+::'
 
 - id: 7049
 title: "Verify No UID 0 Accounts Exist Other than root"
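Review bot: With `condition: none`, the new telnetd rule `r:BANNER\s*\t*=\s*\t*\.` fires on any uncommented line whose BANNER value has at least one character, and `\.` also matches a quote, so the `BANNER=""` form that the description calls the compliant null setting now fails check 7046 while only the remediation's bare `BANNER=` passes. Excluding the empty-quotes form keeps the stricter intent without that regression: `- 'f:/etc/default/telnetd -> !r:^# && r:BANNER\s*\t*=\s*\t*\. && !r:BANNER\s*\t*=\s*\t*""'`. The DisplayConnect rule earlier in this hunk drops its `^` anchor in the same `!r:^#` plus unanchored-key shape used throughout this patch, and the shadow rule `r:^\w+::` in the following hunk depends on every account name being made of `\w` characters, which is worth confirming against this regex engine's definition of `\w`.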
@@ -707,7 +671,7 @@ checks:
 - cis: ["9.5"]
 condition: none
 rules:
- - 'f:/etc/passwd -> !r:^root && r::\.:0:\.*'
+ - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:'
 
 - id: 7050
 title: "Ensure root PATH Integrity"
From 667cc5f7b27e7d15107f7a9f606f73bc03aced63 Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Mon, 12 Aug 2019 08:30:26 +0200
Subject: [PATCH 234/247] Fix typo
---
 sca/windows/sca_win_audit.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml
index 5594ead19..002f70b94 100644
--- a/sca/windows/sca_win_audit.yml
+++ b/sca/windows/sca_win_audit.yml
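Review bot: The new UID-0 rule `r:^\w+:\w+:0:` only matches when the account name and the password field consist entirely of `\w` characters, so a UID 0 account whose name contains a character outside that class (a dot, for instance, depending on what this regex engine's `\w` covers) is silently skipped and the `condition: none` check passes. The old pattern `r::\.:0:\.*` did not depend on the name's character class. Please confirm the engine's `\w` definition against the account-name characters the platform allows and, if it is narrower, widen the name field with the any-character escape this file already uses, testing against a constructed line such as `user:x:100:0:` so the GID field is not matched instead. The `!r:^\s*\t*root:` exclusion is a sound addition either way.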
@@ -666,7 +666,8 @@ checks:
 title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'"
 description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated."
 rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog. ) compliance:
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog.)"
+ compliance:
 - cis_csc: ["6.3"]
 references:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
From f7476e1c77c58fc791c542e7d35b1f50fdfcbf92 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Mon, 12 Aug 2019 08:52:59 +0200
Subject: [PATCH 235/247] Fix check 13004
---
 sca/windows/cis_win10_enterprise_L1.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 9546f8ab5..8f72a18a1 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -104,6 +104,7 @@ checks:
 condition: all
 rules:
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
 
 - id: 13005
From 4a263581c0a518d85531c9df374645b09b77428e Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Mon, 12 Aug 2019 09:13:39 +0200
Subject: [PATCH 236/247] =?UTF-8?q?Fix=20Windows=20policies,=20replace=20?= =?UTF-8?q?=E2=80=94=20and=20=E2=80=93=20by=20-?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 sca/windows/cis_win10_enterprise_L1.yml | 6 +++---
 sca/windows/cis_win2012r2_domainL1.yml | 24 ++++++++++++------------
 sca/windows/cis_win2012r2_memberL1.yml | 24 ++++++++++++------------
 sca/windows/sca_win_audit.yml | 20 ++++++++++----------
 4 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 8f72a18a1..15e858e35 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -110,7 +110,7 @@ checks:
 - id: 13005
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)"
 compliance:
 - cis: ["2.3.6.1"]
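Review bot: Replacing the em dashes with bare hyphens leaves `authenticated-and sensitive information such as passwords are encrypted-but the channel`, which now reads as two hyphenated compounds rather than parenthetical breaks; spacing the replacement, `authenticated - and sensitive information such as passwords are encrypted - but the channel`, or using commas keeps the sentence readable in plain ASCII. The same substitution appears in the 13006, 13007, 11009, 11010 and 11011 hunks that follow, so the wording fix applies to each of them. The remediation strings in the later MSS hunks replace a spaced en dash with a spaced hyphen and read fine as they are.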
@@ -126,7 +126,7 @@ checks:
 - id: 13006
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)"
 compliance:
 - cis: ["2.3.6.2"]
@@ -142,7 +142,7 @@ checks:
 - id: 13007
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)"
 compliance:
 - cis: ["2.3.6.3"]
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index 0b11c31a5..61063b598 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -179,7 +179,7 @@ checks:
 - id: 11009
 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
 description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)."
 compliance:
 - cis: ["2.3.6.1"]
@@ -195,7 +195,7 @@ checks:
 - id: 11010
 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)."
 compliance:
 - cis: ["2.3.6.2"]
@@ -211,7 +211,7 @@ checks:
 - id: 11011
 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'"
 description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled."
- rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
+ rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller."
 remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)."
 compliance:
 - cis: ["2.3.6.3"]
@@ -1402,7 +1402,7 @@ checks:
 title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
 description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled."
 rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.1"]
 - cis_csc: ["16"]
@@ -1420,7 +1420,7 @@ checks:
 title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'"
 description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled."
 rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes."
- remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog."
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog."
 compliance:
 - cis: ["18.4.2"]
 - cis_csc: ["9"]
@@ -1437,7 +1437,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.3"] - cis_csc: ["9"] @@ -1454,7 +1454,7 @@ checks: title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.4"] - cis_csc: ["9"] 
@@ -1471,7 +1471,7 @@ checks: title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.6"] - cis_csc: ["9"] 
@@ -1488,7 +1488,7 @@ checks: title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.8"] - cis_csc: ["8"] 
@@ -1505,7 +1505,7 @@ checks: title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.9"] - cis_csc: ["16.5"] 
@@ -1522,7 +1522,7 @@ checks: title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.12"] - cis_csc: ["6.3"] 
@@ -2513,7 +2513,7 @@ checks: - id: 11154 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" - description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." + description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. 
If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance:
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index 9d4b5e545..86aaad64f 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
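Review bot: The rewritten description for id 11154 still carries a stray closing parenthesis in `install them on the schedule specified below.))`; since the line is being re-emitted anyway, drop the extra one so it reads `(Automatically download updates and install them on the schedule specified below.)`. The dash normalization itself (`4 possible values - all of them`) reads fine in this hunk.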
@@ -147,7 +147,7 @@ checks: - id: 12007 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)." compliance: - cis: ["2.3.6.1"] 
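Review bot: Replacing the em dashes in the rationale for id 12007 with bare hyphens produces `authenticated-and sensitive information such as passwords are encrypted-but`, which now reads as two hyphenated compounds instead of a parenthetical clause. This string is shown to operators in SCA results, so use spaced separators or commas, e.g. `Requests that are sent on the secure channel are authenticated - and sensitive information such as passwords are encrypted - but the channel is not integrity-checked`. The same replacement appears in the hunks at -163 (id 12008) and -179 (id 12009) and should be fixed the same way.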
@@ -163,7 +163,7 @@ checks: - id: 12008 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)." compliance: - cis: ["2.3.6.2"] 
@@ -179,7 +179,7 @@ checks: - id: 12009 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)." compliance: - cis: ["2.3.6.3"] 
@@ -1520,7 +1520,7 @@ checks: title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.1"] - cis_csc: ["16"] 
@@ -1538,7 +1538,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.2"] - cis_csc: ["9"] 
@@ -1555,7 +1555,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.3"] - cis_csc: ["9"] @@ -1572,7 +1572,7 @@ checks: title: "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" description: "Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled." rationale: "This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.4"] - cis_csc: ["9"] 
@@ -1589,7 +1589,7 @@ checks: title: "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" description: "NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled." rationale: "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.6"] - cis_csc: ["9"] 
@@ -1606,7 +1606,7 @@ checks: title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.8"] - cis_csc: ["8"] 
@@ -1624,7 +1624,7 @@ checks: title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis: ["18.4.9"] - cis_csc: ["16.5"] 
@@ -1641,7 +1641,7 @@ checks: title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis: ["18.4.12"] - cis_csc: ["6.3"] 
@@ -2585,7 +2585,7 @@ checks: - id: 12159 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" - description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." + description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. 
If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - 2 - Notify for download and auto install (Notify before downloading any updates) - 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) - 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) - 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml index 002f70b94..d2c989ae8 100644 --- a/sca/windows/sca_win_audit.yml +++ b/sca/windows/sca_win_audit.yml 
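Review bot: The rewritten description for check 12159 still says `select one of the following three options` and then lists four (2, 3, 4 and 5), and the option-4 text carries an unbalanced `specified below.))`; since the commit rewrites this whole line, `four options` and a single `)` would fix both without touching anything else. The same sentence recurs in the 14061 description of sca/windows/sca_win_audit.yml later in this patch, where the hunk runs past the end of the view.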
@@ -77,7 +77,7 @@ checks: - id: 14004 title: "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" description: "This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt or sign secure channel data (always)" compliance: - cis_csc: ["13"] 
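Review bot: The two em dashes in the 14004 rationale were replaced inconsistently: the first became a plain space and the second a hyphen glued to the next word, so the new line reads `authenticated and sensitive information such as passwords are encrypted-but the channel`. The sibling hunks for 14005 and 14006 turn both dashes into glued hyphens (`authenticated-and ... encrypted-but`), so three copies of the same sentence now differ and none reads as the original parenthetical. If the goal is ASCII-only text, a spaced hyphen in all three keeps the sense: `authenticated - and sensitive information such as passwords are encrypted - but the channel is not integrity-checked`.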
@@ -90,7 +90,7 @@ checks: - id: 14005 title: "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)" compliance: - cis_csc: ["13"] 
@@ -102,7 +102,7 @@ checks: - id: 14006 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" description: "This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: Enabled." - rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." + rationale: "When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller." 
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)" compliance: - cis_csc: ["13"] 
@@ -590,7 +590,7 @@ checks: title: "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" description: "This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. The recommended state for this setting is: Disabled." rationale: "If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry." - remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["16"] references: 
@@ -606,7 +606,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["9"] references: 
@@ -621,7 +621,7 @@ checks: title: "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" description: "IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled." rationale: "An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." 
compliance: - cis_csc: ["9"] references: 
@@ -636,7 +636,7 @@ checks: title: "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" description: "The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: -Search folders specified in the system path first, and then search the current working folder. -Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled." rationale: "If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." 
+ remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["8"] references: 
@@ -651,7 +651,7 @@ checks: title: "Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" description: "Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: Enabled: 5 or fewer seconds." rationale: "The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog." + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog." compliance: - cis_csc: ["16.5"] references: 
@@ -666,7 +666,7 @@ checks: title: "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" description: "This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated." rationale: "If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services." - remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog.)" + remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Note: This Group Policy path does not exist by default. 
An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog.)" compliance: - cis_csc: ["6.3"] references: 
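Review bot: The rewritten remediation for the WarningLevel check keeps a stray closing parenthesis at the end of the string, `Microsoft Security Guidance blog.)"`, which the otherwise identical string in the first file of this patch does not have. Since the line is being rewritten for the dash anyway, the trailing `)` should go with it: `... The MSS settings - Microsoft Security Guidance blog."`.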
@@ -834,7 +834,7 @@ checks: - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - id: 14061 title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'" - description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2) - Notify for download and auto install (Notify before downloading any updates) 3) - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4) - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5) - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." 
+ description: "This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: 2) - Notify for download and auto install (Notify before downloading any updates) 3) - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4) - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5) - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting 'Configure automatic updating:' has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this setting, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process." rationale: "Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. 
The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed." remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates Note: This Group Policy path is provided by the Group Policy template WindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates." compliance: From 603718df81f5dae1fad1454ea6ab319f0b5b7013 Mon Sep 17 00:00:00 2001 From: Skeptor Date: Mon, 12 Aug 2019 09:22:58 +0200 Subject: [PATCH 237/247] Improve check 7031 --- sca/sunos/cis_solaris11.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml index 745a722e4..125e21a45 100644 --- a/sca/sunos/cis_solaris11.yml +++ b/sca/sunos/cis_solaris11.yml @@ -413,11 +413,9 @@ checks: remediation: "Perform the following to implement the recommended state: # cd /etc # awk '/^gdm-autologin/ { $1=\" #gdm-autologin\" } { print }' /etc/pam.conf > /etc/pam.conf.CIS # mv pam.conf.CIS pam.conf" compliance: - cis: ["6.11"] - condition: all + condition: none rules: - - 'f:/etc/pam.conf -> r:^#\s*\t*gdm-autologin && r:auth && r:required && r:pam_unix_cred.so.1' - - 'f:/etc/pam.conf -> r:^#\s*\t*gdm-autologin && r:auth && r:sufficient && r:pam_allow.so.1' - - 'f:/etc/pam.conf -> r:^#\s*\t*gdm-autologin && r:account && r:sufficient && r:pam_allow.so.1' + - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin' - id: 7032 title: "Set Default Screen Lock for GNOME Users" From ebd34423de135566270c68358546992256ada019 Mon Sep 17 00:00:00 2001 
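Review bot: The replacement rule `!r:^# && r:gdm-autologin` in check 7031 treats a line commented out with leading whitespace as still active, and the remediation of this very check produces exactly that form: the awk sets `$1` to `\" #gdm-autologin\"`, so the rewritten pam.conf line begins with a space before `#`. Under `condition: none` the check therefore keeps failing after the documented fix is applied. Tolerating leading blanks with the `\s*\t*` idiom this policy already uses, `- 'f:/etc/pam.conf -> !r:^\s*\t*# && r:gdm-autologin'`, accepts both `#gdm-autologin` and ` #gdm-autologin`. The check's `id`/`title` lines lie above the hunk.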
From: Skeptor
Date: Mon, 12 Aug 2019 11:12:50 +0200
Subject: [PATCH 238/247] Fix Win Invalid Rules
---
sca/windows/cis_win10_enterprise_L1.yml | 1 +
sca/windows/cis_win2012r2_memberL1.yml | 4 +---
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 15e858e35..34b796d78 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -2510,6 +2510,7 @@ checks:
- 'CCE-33791-5'
condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> ff'
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index 86aaad64f..a8b465d11 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
@@ -125,6 +125,7 @@ checks:
- 'CCE-37701-0'
condition: all
rules:
+ - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
@@ -747,7 +748,6 @@ checks:
- cis_csc: ["13"]
references:
- https://workbench.cisecurity.org/benchmarks/288
- references:
- 'CCE-37835-6'
condition: all
rules:
@@ -1612,7 +1612,6 @@ checks:
- cis_csc: ["8"]
references:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
- references:
- 'CCE-36351-5'
condition: all
rules:
@@ -1906,7 +1905,6 @@ checks:
- cis_csc: ["9.1"]
references:
- https://support.microsoft.com/en-us/help/3073942/rpc-endpoint-mapper-client-authentication-prevents-users-and-groups-fr
- references:
- 'CCE-37346-4'
condition: all
rules:
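Review bot: The bare key-existence rules added at `@@ -2510` (`...\Policies\Explorer`) and `@@ -125` (`...\Winlogon`) look redundant under `condition: all`: the `-> NoDriveTypeAutoRun -> ff` and `-> AllocateDASD -> 0` rules that follow can only match when the key exists, so the extra rule costs a registry read without changing the verdict. PATCH 243 later on this page deletes rules of exactly this shape across the Windows policies, which suggests not adding more here. The three duplicate `references:` removals in cis_win2012r2_memberL1.yml are the substantive fix: a YAML loader would otherwise keep only the last `references:` value and silently drop the URL entry.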
From e0613a4eb13c52a1a5186fdd1a55789094edff12 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Mon, 12 Aug 2019 03:02:50 -0700
Subject: [PATCH 239/247] Add missing rule in Solaris SCA policy
---
sca/sunos/cis_solaris11.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 125e21a45..06c9370a5 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -192,6 +192,7 @@ checks:
- 'c:coreadm'
- 'c:coreadm -> r:per-process core dumps: disabled'
- 'c:coreadm -> r:per-process setid core dumps: disabled'
+ - 'c:stat -c%u-%g-%a /var/cores -> r:^\d-\d-700'
- id: 7014
title: "Enable Stack Protection"
From 2ba62a261d989970cd24e647ed533a262852c9ff Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Mon, 12 Aug 2019 23:23:59 -0700
Subject: [PATCH 240/247] Update SCA Solaris IDs
---
sca/sunos/cis_solaris11.yml | 44 ++++++++++++++++++-------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/sca/sunos/cis_solaris11.yml b/sca/sunos/cis_solaris11.yml
index 06c9370a5..d9825aa5f 100644
--- a/sca/sunos/cis_solaris11.yml
+++ b/sca/sunos/cis_solaris11.yml
@@ -396,7 +396,7 @@ checks:
- 'f:/etc/pam.conf -> r:^#\s*\t*rlogin && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
- 'f:/etc/pam.conf -> r:^#\s*\t*rsh && r:auth && r:sufficient && r:pam_rhosts_auth.so.1'
- - id: 7030
+ - id: 7029
title: "Set Delay between Failed Login Attempts to 4"
description: "The SLEEPTIME variable in the /etc/default/login file controls the number of seconds to wait before printing the \"login incorrect\" message when a bad password is provided."
rationale: "As an immediate return of an error message, coupled with the capability to try again may facilitate automatic and rapid-fire brute-force password attacks by a malicious user, this delay time should be set as appropriate to the needs of the user."
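Review bot: The added `/var/cores` rule `r:^\d-\d-700` pins only the mode; `\d` accepts any numeric owner and group, so a directory owned by a non-root account with mode 700 passes. If the intent is root-owned as with the `/etc/issue` rule later in this policy (`r:^0-0-644`), match the ids explicitly: `- 'c:stat -c%u-%g-%a /var/cores -> r:^0-0-700'`. The rule also fails when `/var/cores` does not exist, which presumably is intended but worth stating in the check's `rationale`; the check's `id` and `condition` lines are above the hunk, so how this rule combines with the `coreadm` rules is not visible here.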
@@ -407,7 +407,7 @@ checks: rules: - 'f:/etc/default/login -> !r:^# && n:^SLEEPTIME\s*\t*=\s*\t*(\d+) compare >= 4' - - id: 7031 + - id: 7030 title: "Remove Autologin Capabilities from the GNOME desktop" description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. By default, GNOME automatic login is defined in pam.conf(4) to allow users to access the system without a password." rationale: "As automatic logins are a known security risk for other than \"kiosk\" types of systems, GNOME automatic login should be disabled in pam.conf(4)." @@ -418,7 +418,7 @@ checks: rules: - 'f:/etc/pam.conf -> !r:^# && r:gdm-autologin' - - id: 7032 + - id: 7031 title: "Set Default Screen Lock for GNOME Users" description: "The timeout parameter dictates the invocation of a password-protected screen saver after a specified time of keyboard and mouse inactivity, specific to the xscreensaver application used in the GNOME windowing environment." rationale: "As a screensaver timeout provides protection for a desktop that has not been locked by the user upon his/her departure, to help prevent session hijacking, this value should be set as appropriate to the needs of the user." 
@@ -432,7 +432,7 @@ checks: - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*locktimeout:\s*\t*\d+:\d+:\d+' - 'f:/usr/share/X11/app-defaults/XScreensaver -> r:^*lock:\s*\t*true' - - id: 7033 + - id: 7032 title: "Restrict at/cron to Authorized Users" description: "The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals." rationale: "On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC)." @@ -448,7 +448,7 @@ checks: - 'f:/etc/cron.d/at.allow' - 'c:wc -l /etc/cron.d/at.allow -> r:\s*0\s' - - id: 7034 + - id: 7033 title: "Restrict root Login to System Console" description: "Privileged access to the system via root must be accountable to a particular user." rationale: "Use an authorized mechanism such as RBAC and the su command to provide administrative access to unprivileged accounts. These mechanisms provide an audit trail in the event of problems." 
@@ -459,7 +459,7 @@ checks: rules: - 'f:/etc/default/login -> !r:^# && r:CONSOLE|console && r:=\s*\t*/dev/console' - - id: 7035 + - id: 7034 title: "Set Retry Limit for Account Lockout" description: "The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and forced to reconnect. When LOCK_AFTER_RETRIES is set in /etc/security/policy.conf, then the user's account is locked after this many failed retries (the account can only be unlocked by the administrator using the command: passwd -u ). The account lockout threshold (RETRIES parameter) restricts the number of failed login attempts allowed before requiring the offending account be locked. The lockout requirement will help block malicious users from gaining access to the host via automated, repetitive brute-force login exploits--trying different passwords until one fits a user name." rationale: "Setting the failed login limit to an appropriate value locks the user account, which will severely limit the speed of such attacks, making it much more likely that the attacker's pattern will be noticed and the offending source address and/or port blocked, so this should be set according to the needs of the user." 
@@ -471,7 +471,7 @@ checks: - 'f:/etc/default/login -> !r:^# && r:retries|RETRIES && n:=\s*\t*(\d+) compare <=3' - 'f:/etc/security/policy.conf -> !r:^# && r:LOCK_AFTER_RETRIES|lock_after_retries && r:=\s*\t*yes' - - id: 7036 + - id: 7035 title: "Secure the GRUB Menu (Intel)" description: "GRUB is a boot loader for x64 based systems that permits loading an OS image from any location. Oracle x64 systems support the use of a GRUB Menu password for the console." rationale: "The flexibility that GRUB provides creates a security risk if its configuration is modified by an unauthorized user. The failsafe menu entry needs to be secured in the same environments that require securing the systems firmware to avoid unauthorized removable media boots. Setting the GRUB Menu password helps prevent attackers with physical access to the system console from booting off some external device (such as a CD- ROM or floppy) and subverting the security of the system. The actions described in this section will ensure you cannot get to failsafe or any of the GRUB command line options without first entering the password." 
@@ -484,7 +484,7 @@ checks: - 'f:/rpool/boot/grub/menu.lst -> r:^password\s*--md5' # 7 User Accounts and Environment - - id: 7037 + - id: 7036 title: "Set Password Expiration Parameters on Active Accounts" description: "The characteristics of an operating system that make 'user identification' via password a secure and workable solution is the combination of settings chosen. By requiring that a series of password-choices be security-centric, it reduces the risk of a malicious user breaking the password through dictionary/brute force attacks or fortuitous guessing based upon 'social engineering.' A basic password security strategy is requiring a new password to be chosen every 45-90 days, so that repeated attempts to gain entry by brute-force tactics will fail when a new password is chosen, which requires starting over again to break the new password." rationale: "The commands for this item set all active accounts (except the root account) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week), thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the on-line manual page for the usermod command, particularly the -f option)." 
@@ -497,7 +497,7 @@ checks: - 'f:/etc/default/passwd -> !r:^# && r:minweeks|MINWEEKS && n:=\s*\t*(\d+) compare == 1' - 'f:/etc/default/passwd -> !r:^# && r:warnweeks|WARNWEEKS && n:=\s*\t*(\d+) compare == 4' - - id: 7038 + - id: 7037 title: "Set Strong Password Creation Policies" description: "The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user." rationale: "Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter. Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance." 
@@ -519,7 +519,7 @@ checks: - 'f:/etc/default/passwd -> !r:^# && r:dictiondbdir|DICTIONDBDIR && r:=\s*\t*/var/passwd' - 'f:/etc/default/passwd -> !r:^# && r:dictionlist|DICTIONLIST && r:=\s*\t*/usr/share/lib/dict/words' - - id: 7039 + - id: 7038 title: "Set Default umask for users" description: "The default umask(1) determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod(1) command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories." rationale: "Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would allow files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system." @@ -530,7 +530,7 @@ checks: rules: - 'f:/etc/default/login -> !r:^# && r:UMASK|umask && r:=\s*\t*027' - - id: 7040 + - id: 7039 title: "Set Default File Creation Mask for FTP Users" description: "If FTP is permitted, set a strong, default file creation mask to apply to files created by the FTP server." rationale: "Many users assume that the FTP server will use their system file creation mask; generally it does not. This setting ensures that files transmitted over FTP use a strong file creation mask." 
@@ -541,7 +541,7 @@ checks: rules: - 'f:/etc/proftpd.conf -> !r:^# && r:Umask && r:\s*\t*027' - - id: 7041 + - id: 7040 title: "Set \"mesg n\" as Default for All Users" description: "The \"mesg n\" command blocks attempts to use the write or talk commands to contact users at their terminals, but has the side effect of slightly strengthening permissions on the user's tty device." rationale: "Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of functionality." @@ -554,7 +554,7 @@ checks: - 'f:/etc/profile -> r:^mesg\s*\t*n' # 8 Warning Banners - - id: 7042 + - id: 7041 title: "Create Warnings for Standard Login Services" description: "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices and also prior to logins via telnet and Secure Shell. The contents of the /etc/motd file are generally displayed after all successful logins, regardless from where the user is logging in." rationale: "Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. As implementing a logon banner to deter inappropriate use and can provide a foundation for legal action against abuse, this warning content should be set as appropriate. Consult with your organization's legal counsel for the appropriate wording as the examples below are for demonstration purposes only." 
@@ -567,7 +567,7 @@ checks: - 'f:/etc/motd -> r:Authorized users only. All activity may be monitored and reported' - 'c:stat -c%u-%g-%a /etc/issue -> r:^0-0-644' - - id: 7043 + - id: 7042 title: "Enable a Warning Banner for the SSH Service" description: "The contents of the Banner string in the /etc/ssh/sshd_config file are sent to the remote user before authentication is allowed, requiring that the user read the legal caution." remediation: "Perform the following to implement the recommended state: # awk '/^#Banner/ { $1 = \"Banner\" } { print }' /etc/ssh/sshd_config > /etc/ssh/sshd_config.CIS # mv /etc/ssh/sshd_config.CIS /etc/ssh/sshd_config # svcadm restart svc:/network/ssh" @@ -577,7 +577,7 @@ checks: rules: - 'f:/etc/ssh/sshd_config -> !r:^# && r:Banner\s*/etc/issue' - - id: 7044 + - id: 7043 title: "Enable a Warning Banner for the GNOME Service" description: "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information on configuration of the settings, which can be user- or group specific." rationale: "The remediation action for this item sets a pre-login warning message for GDM users. Additional methods can be employed to display a similar message to a user post- authentication. For more information, see the Oracle Solaris 11 Security Guidelines document." @@ -589,7 +589,7 @@ checks: - 'f:/etc/gdm/Init/Default' - 'f:/etc/gdm/Init/Default -> r:^/usr/bin/zenity\s\.' - - id: 7045 + - id: 7044 title: "Enable a Warning Banner for the FTP service" description: "The action for this item sets a warning message for FTP users before they log in." rationale: "Warning Banners inform users who are attempting to access the system of their legal status regarding using the system. The text below is a generic sample only, so consult with your organization's legal counsel for the appropriate wording." 
@@ -600,7 +600,7 @@ checks: rules: - 'f:/etc/proftpd.conf -> !r:^# && r:DisplayConnect\s*\t*/etc/issue' - - id: 7046 + - id: 7045 title: "Check that the Banner Setting for telnet is Null" description: "The BANNER variable in the file /etc/default/telnetd can be used to display text before the telnet login prompt. Traditionally, it has been used to display the OS level of the target system." rationale: "The warning banner provides information that can be used in reconnaissance for an attack. By default, this file is distributed with the BANNER variable set to null. It is not necessary to create a separate warning banner for telnet if a warning is set in the /etc/issue file. As telnet is an insecure protocol, it is strongly recommend that it be disabled and all remote administrative/user connections take place by Secure Shell." @@ -612,7 +612,7 @@ checks: - 'f:/etc/default/telnetd -> !r:^# && r:BANNER\s*\t*=\s*\t*\.' # 9 System Maintenance - - id: 7047 + - id: 7046 title: "Verify System Account Default Passwords" description: "There are a number of accounts provided with the Solaris OS that are used to manage applications and are not intended to provide an interactive shell. These accounts are delivered either in a locked or non-login state. Oracle does not support nor recommend changing the passwords associated with these accounts." rationale: "System accounts, such as bin, lpd, and sys have special purposes and privileges. By default, these accounts are configured as either locked or non-login. This status should be verified to ensure that these accounts have not accidentially or intentionally been enabled." 
@@ -650,7 +650,7 @@ checks: - 'f:/etc/shadow -> r:^upnp: && !r::NL:|:NP:' - 'f:/etc/shadow -> r:^zfssnap: && !r::NL:|:NP:' - - id: 7048 + - id: 7047 title: "Ensure Password Fields are Not Empty" description: "An account with an empty password field means that anybody may log in as that user without providing a password at all (assuming that the value PASSREQ=NO is set in /etc/default/login)." rationale: "All accounts must have passwords, be configured as \"Non-login,\" or be locked." @@ -661,7 +661,7 @@ checks: rules: - 'f:/etc/shadow -> r:^\w+::' - - id: 7049 + - id: 7048 title: "Verify No UID 0 Accounts Exist Other than root" description: "Any account with UID 0 has superuser rights on the system." rationale: "This access must be limited to only the default root role and be made accessible from the system console only. Administrative access granted to an unprivileged account should use an approved mechanism such as RBAC." @@ -672,7 +672,7 @@ checks: rules: - 'f:/etc/passwd -> !r:^# && !r:^\s*\t*root: && r:^\w+:\w+:0:' - - id: 7050 + - id: 7049 title: "Ensure root PATH Integrity" description: "The root user can execute any command on the system and could be tricked into executing programs if the PATH is not set correctly." rationale: "Including the current working directory (.) or any other writable directory in root's executable path makes it likely that an attacker can gain superuser access by forcing an administrator operating as root to execute a malcode, such as a Trojan horse program." @@ -691,7 +691,7 @@ checks: - 'f:/root/.profile -> r::$' - 'f:/root/.bashrc -> r::$' - - id: 7051 + - id: 7050 title: "Check That Users Are Assigned Home Directories" description: "passwd(4) defines a home directory that each user is placed in upon login. If there is no defined home directory, a user will be placed in / and will not be able to write any files or have local environment variables set." rationale: "All users must be assigned a home directory in passwd(4)." 
From b52c0017e41414ebe4f3c4d0d705a886631286c6 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Wed, 14 Aug 2019 09:32:37 +0200
Subject: [PATCH 241/247] Remove two wildcards at the end of the rules
---
sca/applications/cis_mysql5-6_community.yml | 2 +-
sca/applications/cis_mysql5-6_enterprise.yml | 2 +-
sca/generic/sca_unix_audit.yml | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/sca/applications/cis_mysql5-6_community.yml b/sca/applications/cis_mysql5-6_community.yml
index b88f32bc1..3399905e2 100644
--- a/sca/applications/cis_mysql5-6_community.yml
+++ b/sca/applications/cis_mysql5-6_community.yml
@@ -172,7 +172,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
condition: none
rules:
- - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
+ - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$'
- id: 9511
title: "Ensure 'log_warning' is set to 2"
diff --git a/sca/applications/cis_mysql5-6_enterprise.yml b/sca/applications/cis_mysql5-6_enterprise.yml
index df3fdcd6a..2bc54874f 100644
--- a/sca/applications/cis_mysql5-6_enterprise.yml
+++ b/sca/applications/cis_mysql5-6_enterprise.yml
@@ -172,7 +172,7 @@ checks:
- https://dev.mysql.com/doc/refman/5.6/en/replication-options-binary-log.html
condition: none
rules:
- - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+\s*\t*$|log_bin\s*\t*/+var/*\s*\t*$|log_bin\s*\t*/+usr/*\s*\t*$'
+ - 'c:grep -Rh log_bin /etc/mysql/my.cnf /etc/mysql/mariadb.cnf /etc/mysql/conf.d /etc/mysql/mariadb.conf.d -> r:log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$'
- id: 10011
title: "Ensure 'log_warning' is set to 2"
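Review bot: The rewritten pattern `log_bin\s*\t*/+$|log_bin\s*\t*/+var/*$|log_bin\s*\t*/+usr/*$` still requires `log_bin` to be followed only by blanks and then `/`; the option-file form `log_bin = /var` (or `log_bin=/`) has an `=` between them, so unless the engine's `r:` is more permissive than it appears the rule never matches the misconfiguration it targets and, with `condition: none`, the check passes. This was already true of the removed line, but since the line is being rewritten it is the moment to allow the separator, e.g. `r:log_bin\s*\t*=*\s*\t*/+$|log_bin\s*\t*=*\s*\t*/+var/*$|log_bin\s*\t*=*\s*\t*/+usr/*$`, and the `grep -Rh log_bin` prefilter likewise misses the `log-bin` spelling. The identical change in cis_mysql5-6_enterprise.yml in the next hunk has the same gap.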
diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml
index f0966794a..bf241d306 100644
--- a/sca/generic/sca_unix_audit.yml
+++ b/sca/generic/sca_unix_audit.yml
@@ -25,7 +25,7 @@ requirements:
- 'f:/etc/shadow'
variables:
- $sshd_file: /etc/ssh/sshd_config,/opt/ssh/etc/sshd_config
+ $sshd_file: /etc/ssh/sshd_config
$pam_d_files: /etc/pam.d/common-password,/etc/pam.d/password-auth,/etc/pam.d/system-auth,/etc/pam.d/system-auth-ac,/etc/pam.d/passwd
checks:
@@ -39,7 +39,7 @@ checks:
- nist_800_53: ["CM.1"]
condition: all
rules:
- - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22\s\t*$'
+ - 'f:$sshd_file -> !r:^# && r:Port && !r:\s*\t*22$'
- id: 4001
title: "SSH Hardening: Protocol should be set to 2"
@@ -51,7 +51,7 @@ checks:
- nist_800_53: ["CM.1"]
condition: all
rules:
- - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2\s*\t*$'
+ - 'f:$sshd_file -> r:^\s*\t*Protocol\s*\t*2'
- id: 4002
title: "SSH Hardening: Root account should not be able to log in"
From 5a482e5023bc050336dc9354f50f0b7a14b9b210 Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Wed, 14 Aug 2019 11:45:20 +0200
Subject: [PATCH 242/247] Fix Web_vuln policy
---
sca/applications/web_vulnerabilities.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml
index 6433c87a4..dc898144d 100644
--- a/sca/applications/web_vulnerabilities.yml
+++ b/sca/applications/web_vulnerabilities.yml
@@ -21,9 +21,10 @@ requirements:
- 'f:$php.ini'
- 'd:$web_dirs'
+# Set variables to match your installation
variables:
- $php.ini: /etc/php.ini,/var/www/conf/php.ini,/etc/php5/apache2/php.ini
- $web_dirs: /var/www,/var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www
+ $php.ini: /etc/php.ini
+ $web_dirs: /var/www
# PHP checks
checks:
From ff96651a7977aa7ae9eecac162d7b56a47fb1cdc Mon Sep 17 00:00:00 2001
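Review bot: Dropping the end anchor in check 4001 widens `r:^\s*\t*Protocol\s*\t*2` so that `Protocol 2,1` also satisfies it, and that line enables the SSH-1 protocol the check exists to rule out; the removed `\s*\t*$` rejected it. If trailing whitespace was the motivation, a second rule using the `not` prefix this policy set already applies to registry rules keeps both properties: `- 'not f:$sshd_file -> r:^\s*\t*Protocol\s*\t*\.*,'`. Check 4000's rule `!r:^# && r:Port && !r:\s*\t*22$` is in the same situation as before the change: any uncommented line containing `Port` (`GatewayPorts no`) satisfies it even when `Port 22` is set, so anchoring the directive, `r:^\s*\t*Port\s*\t*\d`, would make the port test meaningful. Both checks' `id` lines sit above their hunks.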
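Review bot: With `$php.ini` and `$web_dirs` reduced to a single path each, the `f:$php.ini` / `d:$web_dirs` requirements (context lines above `variables:`) now decide whether the whole policy runs, so on a host whose php.ini is at one of the just-removed locations the requirements fail and the policy is skipped silently instead of producing findings. The new comment is the only signal of this and is visible only to someone editing the file; a sentence in the policy `description` (above the hunk) saying that the variables must be adjusted before the requirements are met would surface it in reports. If the list form was removed because the engine does not accept comma-separated variables, stating that in the comment would stop the next maintainer from reintroducing it.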
From: Skeptor
Date: Fri, 16 Aug 2019 08:26:12 +0200
Subject: [PATCH 243/247] Remove registry existence comprobation from SCA Windows policies
---
sca/windows/cis_win10_enterprise_L1.yml | 466 ------------------------
sca/windows/cis_win10_enterprise_L2.yml | 183 ----------
sca/windows/cis_win2012r2_domainL1.yml | 314 ----------------
sca/windows/cis_win2012r2_domainL2.yml | 88 -----
sca/windows/cis_win2012r2_memberL1.yml | 320 ----------------
5 files changed, 1371 deletions(-)
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 34b796d78..118754f71 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -39,8 +39,6 @@ checks:
- 'CCE-35487-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> r:^3$'
- id: 13001
@@ -55,8 +53,6 @@ checks:
- 'CCE-32929-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
- id: 13002
@@ -71,8 +67,6 @@ checks:
- 'CCE-35533-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
- id: 13003
@@ -87,8 +81,6 @@ checks:
- 'CCE-33046-4'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
- id: 13004
@@ -103,8 +95,6 @@ checks:
- 'CCE-34355-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
- id: 13005
@@ -119,8 +109,6 @@ checks:
- 'CCE-34892-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
- id: 13006
@@ -135,8 +123,6 @@ checks:
- 'CCE-35273-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
- id: 13007
@@ -151,8 +137,6 @@ checks:
- 'CCE-34893-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
- id: 13008
@@ -167,8 +151,6 @@ checks:
 - 'CCE-34986-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
 
 - id: 13009
@@ -183,8 +165,6 @@ checks:
 - 'CCE-35177-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
 
 - id: 13010
@@ -199,8 +179,6 @@ checks:
 - 'CCE-35099-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
 
 - id: 13011
@@ -215,8 +193,6 @@ checks:
 - 'CCE-34900-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
 - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
 
@@ -232,8 +208,6 @@ checks:
 - 'CCE-35274-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare => 5 && n:^(\d+) compare <= 14'
 
 - id: 13013
@@ -248,8 +222,6 @@ checks:
 - 'CCE-34988-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$'
 
 - id: 13014
@@ -264,8 +236,6 @@ checks:
 - 'CCE-35222-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
 
 - id: 13015
@@ -280,8 +250,6 @@ checks:
 - 'CCE-34908-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
 
 - id: 13016
@@ -296,8 +264,6 @@ checks:
 - 'CCE-33717-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
 
 - id: 13017
@@ -312,8 +278,6 @@ checks:
 - 'CCE-34909-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
 
 - id: 13018
@@ -328,8 +292,6 @@ checks:
 - 'CCE-35065-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
 
 - id: 13019
@@ -344,8 +306,6 @@ checks:
 - 'CCE-35182-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
 
 - id: 13020
@@ -360,8 +320,6 @@ checks:
 - 'CCE-34911-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
 
 - id: 13021
@@ -376,8 +334,6 @@ checks:
 - 'CCE-35299-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1'
 
 - id: 13022
@@ -392,8 +348,6 @@ checks:
 - 'CCE-34631-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1'
 
 - id: 13023
@@ -408,8 +362,6 @@ checks:
 - 'CCE-34723-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
 
 - id: 13024
@@ -424,8 +376,6 @@ checks:
 - 'CCE-33718-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
 
 - id: 13025
@@ -440,8 +390,6 @@ checks:
 - 'CCE-35367-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
 
 - id: 13026
@@ -456,8 +404,6 @@ checks:
 - 'CCE-34965-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> None'
 
 - id: 13027
@@ -472,8 +418,6 @@ checks:
 - 'CCE-33976-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions System\\CurrentControlSet\\Control\\Server Applications Software\\Microsoft\\Windows NT\\CurrentVersion'
 
 - id: 13028
@@ -488,8 +432,6 @@ checks:
 - 'CCE-35300-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:System\\CurrentControlSet\\Control\\Print\\Printers System\\CurrentControlSet\\Services\\Eventlog Software\\Microsoft\\OLAP Server|Software\\Microsoft\\Windows NT\\CurrentVersion\\Print Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows System\\CurrentControlSet\\Control\\ContentIndex System\\CurrentControlSet\\Control\\Terminal Server System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib System\\CurrentControlSet\\Services\\SysmonLog'
 
 - id: 13029
@@ -504,8 +446,6 @@ checks:
 - 'CCE-33563-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
 
 - id: 13030
@@ -518,8 +458,6 @@ checks:
 - cis_csc: ["5.1", "9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> restrictremotesam -> r:O:BAG:BAD:\(A;;RC;;;BA\)'
 
 - id: 13031
@@ -534,8 +472,6 @@ checks:
 - 'CCE-34651-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> None'
 
 - id: 13032
@@ -550,8 +486,6 @@ checks:
 - 'CCE-33719-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
 
 - id: 13033
@@ -566,8 +500,6 @@ checks:
 - 'CCE-33141-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
 
 - id: 13034
@@ -582,8 +514,6 @@ checks:
 - 'CCE-35410-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
 
 - id: 13035
@@ -598,8 +528,6 @@ checks:
 - 'CCE-35411-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
 
 - id: 13036
@@ -614,8 +542,6 @@ checks:
 - 'CCE-35786-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
 
 - id: 13037
@@ -630,8 +556,6 @@ checks:
 - 'CCE-35225-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
 
 - id: 13038
@@ -646,8 +570,6 @@ checks:
 - 'CCE-34993-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
 
 - id: 13039
@@ -662,8 +584,6 @@ checks:
 - 'CCE-35302-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
 
 - id: 13040
@@ -678,8 +598,6 @@ checks:
 - 'CCE-33802-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> 1'
 
 - id: 13041
@@ -694,8 +612,6 @@ checks:
 - 'CCE-35447-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
 
 - id: 13042
@@ -710,8 +626,6 @@ checks:
 - 'CCE-35108-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
 
 - id: 13043
@@ -725,8 +639,6 @@ checks:
 - 'CCE-35008-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
 
 - id: 13044
@@ -741,8 +653,6 @@ checks:
 - 'CCE-35232-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
 
 - id: 13045
@@ -757,8 +667,6 @@ checks:
 - 'CCE-35338-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
 
 - id: 13046
@@ -773,8 +681,6 @@ checks:
 - 'CCE-35458-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
 
 - id: 13047
@@ -789,8 +695,6 @@ checks:
 - 'CCE-33784-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
 
 - id: 13048
@@ -805,8 +709,6 @@ checks:
 - 'CCE-33785-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
 
 - id: 13049
@@ -821,8 +723,6 @@ checks:
 - 'CCE-35429-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
 
 - id: 13050
@@ -837,8 +737,6 @@ checks:
 - 'CCE-35401-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
 
 - id: 13051
@@ -853,8 +751,6 @@ checks:
 - 'CCE-33788-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
 
 - id: 13052
@@ -869,8 +765,6 @@ checks:
 - 'CCE-33815-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
 
 - id: 13053
@@ -884,8 +778,6 @@ checks:
 - 'CCE-35459-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
 
 # 5 System Services
@@ -925,8 +817,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon -> Start -> 4'
 
 - id: 13057
@@ -939,8 +829,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess -> Start -> 4'
 
 - id: 13058
@@ -979,8 +867,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator -> Start -> 4'
 
 - id: 13061
@@ -993,8 +879,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess -> Start -> 4'
 
 - id: 13062
@@ -1020,8 +904,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV -> Start -> 4'
 
 - id: 13064
@@ -1034,8 +916,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost -> Start -> 4'
 
 - id: 13065
@@ -1074,8 +954,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc -> Start -> 4'
 
 - id: 13068
@@ -1101,8 +979,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc -> Start -> 4'
 
 - id: 13070
@@ -1115,8 +991,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm -> Start -> 4'
 
 - id: 13071
@@ -1129,8 +1003,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager -> Start -> 4'
 
 - id: 13072
@@ -1143,8 +1015,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave -> Start -> 4'
 
 - id: 13073
@@ -1157,8 +1027,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvce -> Start -> 4'
 
 # 9 Windows Firewall with Advanced Security
@@ -1174,8 +1042,6 @@ checks:
 - 'CCE-33160-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
 
 - id: 13075
@@ -1190,8 +1056,6 @@ checks:
 - 'CCE-33063-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
 
 - id: 13076
@@ -1206,8 +1070,6 @@ checks:
 - 'CCE-33098-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
 
 - id: 13077
@@ -1221,8 +1083,6 @@ checks:
 - 'CCE-33062-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 0'
 
 - id: 13078
@@ -1237,8 +1097,6 @@ checks:
 - 'CCE-34176-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'
 
 - id: 13079
@@ -1253,8 +1111,6 @@ checks:
 - 'CCE-35083-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 
 - id: 13080
@@ -1269,8 +1125,6 @@ checks:
 - 'CCE-35252-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
 
 - id: 13081
@@ -1285,8 +1139,6 @@ checks:
 - 'CCE-35306-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
 
 - id: 13082
@@ -1301,8 +1153,6 @@ checks:
 - 'CCE-33066-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
 
 - id: 13083
@@ -1317,8 +1167,6 @@ checks:
 - 'CCE-33161-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
 
 - id: 13084
@@ -1333,8 +1181,6 @@ checks:
 - 'CCE-33162-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
 
 - id: 13085
@@ -1348,8 +1194,6 @@ checks:
 - 'CCE-33065-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
 
 - id: 13086
@@ -1364,8 +1208,6 @@ checks:
 - 'CCE-33437-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
 
 - id: 13087
@@ -1380,8 +1222,6 @@ checks:
 - 'CCE-34356-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 
 - id: 13088
@@ -1396,8 +1236,6 @@ checks:
 - 'CCE-33436-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
 
 - id: 13089
@@ -1412,8 +1250,6 @@ checks:
 - 'CCE-34177-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
 
 - id: 13090
@@ -1428,8 +1264,6 @@ checks:
 - 'CCE-35703-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
 
 - id: 13091
@@ -1444,8 +1278,6 @@ checks:
 - 'CCE-33069-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
 
 - id: 13092
@@ -1460,8 +1292,6 @@ checks:
 - 'CCE-33070-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
 
 - id: 13093
@@ -1475,8 +1305,6 @@ checks:
 - 'CCE-33068-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1'
 
 - id: 13094
@@ -1491,8 +1319,6 @@ checks:
 - 'CCE-35537-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
 
 - id: 13095
@@ -1507,8 +1333,6 @@ checks:
 - 'CCE-33099-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
 
 - id: 13096
@@ -1523,8 +1347,6 @@ checks:
 - 'CCE-35117-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
 
 - id: 13097
@@ -1539,8 +1361,6 @@ checks:
 - 'CCE-35421-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 
 - id: 13098
@@ -1555,8 +1375,6 @@ checks:
 - 'CCE-35116-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
 
 - id: 13099
@@ -1571,8 +1389,6 @@ checks:
 - 'CCE-33734-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 
 # 18 Administrative templates (Computer)
@@ -1587,8 +1403,6 @@ checks:
 - 'CCE-35799-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
 - id: 13101
@@ -1602,8 +1416,6 @@ checks:
 - 'CCE-35800-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 - id: 13102
@@ -1618,8 +1430,6 @@ checks:
 - 'CCE-41387-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization -> AllowInputPersonalization -> 0'
 - id: 13103
@@ -1632,8 +1442,6 @@ checks:
 - cis_csc: ["16.9"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} -> DllName -> C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll'
 - id: 13104
@@ -1646,8 +1454,6 @@ checks:
 - cis_csc: ["16.2", "16.10"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
 - id: 13105
@@ -1660,8 +1466,6 @@ checks:
 - cis_csc: ["16.9"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
 - id: 13106
@@ -1674,8 +1478,6 @@ checks:
 - cis_csc: ["5.7"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
 - id: 13107
@@ -1688,8 +1490,6 @@ checks:
 - cis_csc: ["5.7"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
 - id: 13108
@@ -1702,8 +1502,6 @@ checks:
 - cis_csc: ["16.5"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
 - id: 13109
@@ -1718,8 +1516,6 @@ checks:
 - 'CCE-35486-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
 - id: 13110
@@ -1732,8 +1528,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10 -> Start -> 4'
 - id: 13111
@@ -1746,8 +1540,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -> SMB1 -> 0'
 - id: 13112
@@ -1760,8 +1552,6 @@ checks:
 - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -> DisableExceptionChainValidation -> 0'
 - id: 13113
@@ -1774,8 +1564,6 @@ checks:
 - cis_csc: ["8.4", "8.3"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> MpEnablePus -> 1'
 - id: 13114
@@ -1790,8 +1578,6 @@ checks:
 - 'CCE-35815-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 - id: 13115
@@ -1806,8 +1592,6 @@ checks:
 - 'CCE-35438-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
 - id: 13116
@@ -1822,8 +1606,6 @@ checks:
 - 'CCE-33790-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
 - id: 13117
@@ -1838,8 +1620,6 @@ checks:
 - 'CCE-33816-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
 - id: 13118
@@ -1854,8 +1634,6 @@ checks:
 - 'CCE-34597-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
 - id: 13119
@@ -1870,8 +1648,6 @@ checks:
 - 'CCE-35405-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
 - id: 13120
@@ -1886,8 +1662,6 @@ checks:
 - 'CCE-34022-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
 - id: 13121
@@ -1902,8 +1676,6 @@ checks:
 - 'CCE-34619-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
 - id: 13122
@@ -1918,8 +1690,6 @@ checks:
 - 'CCE-35406-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
 - id: 13123
@@ -1932,8 +1702,6 @@ checks:
 - cis_csc: ["9"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters -> NodeType -> 2'
 - id: 13124
@@ -1948,8 +1716,6 @@ checks:
 - 'CCE-34055-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient -> EnableMulticast -> 0'
 - id: 13125
@@ -1962,8 +1728,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation -> AllowInsecureGuestAuth -> 0'
 - id: 13126
@@ -1978,8 +1742,6 @@ checks:
 - 'CCE-33107-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
 - id: 13127
@@ -1992,8 +1754,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_ShowSharedAccessUI -> 0'
 - id: 13128
@@ -2008,8 +1768,6 @@ checks:
 - 'CCE-35554-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
 - id: 13129
@@ -2022,10 +1780,7 @@ checks:
 - cis_csc: ["3"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1, RequireIntegrity=1'
 - id: 13130
@@ -2040,8 +1795,6 @@ checks:
 - 'CCE-35242-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 - id: 13131
@@ -2056,8 +1809,6 @@ checks:
 - 'CCE-35375-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1'
 - id: 13132
@@ -2072,8 +1823,6 @@ checks:
 - 'CCE-41378-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config -> AutoConnectAllowedOEM -> 0'
 - id: 13133
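Review bot: The two HardenedPaths rules kept in the first hunk of this line (the check before `- id: 13130`) match the value with `r:RequireMutualAuthentication=1, RequireIntegrity=1`, which pins both the order of the two tokens and the `, ` separator; a value written as `RequireIntegrity=1, RequireMutualAuthentication=1`, or without the space, enforces the same protection but fails the check, so the policy would report a hardened host as non-compliant. Since the check already uses `condition: all`, one rule per token removes the order and spacing dependency while keeping the same requirement, as below. This is a robustness point about the kept rules; the commit only drops the existence rules above them.
```yaml
    rules:
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireMutualAuthentication=1'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\NETLOGON -> r:RequireIntegrity=1'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireMutualAuthentication=1'
      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths -> \\*\SYSVOL -> r:RequireIntegrity=1'
```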
@@ -2088,8 +1837,6 @@ checks:
 - 'CCE-35802-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
 - id: 13134
@@ -2102,8 +1849,6 @@ checks:
 - cis_csc: ["16"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -> AllowProtectedCreds -> 1'
 - id: 13135
@@ -2118,8 +1863,6 @@ checks:
 - 'CCE-33231-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
 - id: 13136
@@ -2134,8 +1877,6 @@ checks:
 - 'CCE-35384-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
 - id: 13137
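Review bot: The NoBackgroundPolicy check in the last hunk of this line and the NoGPOListChanges check in the first hunk of the next line both list `- 'CCE-35384-7'` as their compliance reference, so two distinct registry values are mapped to one CCE identifier; that reads like a copy-paste in the compliance list rather than an intended shared mapping. The commit does not touch these lines, but they survive on the new side, so it is worth verifying which of the two values the identifier belongs to and giving the other its own reference (or none). The `compliance:` key that opens each list sits above the hunk, so I cannot see whether other references are attached to the same checks.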
@@ -2150,8 +1891,6 @@ checks:
 - 'CCE-35384-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
 - id: 13138
@@ -2164,8 +1903,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableCdp -> 0'
 - id: 13139
@@ -2180,8 +1917,6 @@ checks:
 - 'CCE-35776-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
 - id: 13140
@@ -2196,8 +1931,6 @@ checks:
 - 'CCE-35781-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
 - id: 13141
@@ -2212,8 +1945,6 @@ checks:
 - 'CCE-33783-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
 - id: 13142
@@ -2226,8 +1957,6 @@ checks:
 - cis_csc: ["16.5"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockUserFromShowingAccountDetailsOnSignin -> 1'
 - id: 13143
@@ -2242,8 +1971,6 @@ checks:
 - 'CCE-33822-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 - id: 13144
@@ -2258,8 +1985,6 @@ checks:
 - 'CCE-35207-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 - id: 13145
@@ -2274,8 +1999,6 @@ checks:
 - 'CCE-34838-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 - id: 13146
@@ -2290,8 +2013,6 @@ checks:
 - 'CCE-34837-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 - id: 13147
@@ -2306,8 +2027,6 @@ checks:
 - 'CCE-35291-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> BlockDomainPicturePassword -> 1'
 - id: 13148
@@ -2322,8 +2041,6 @@ checks:
 - 'CCE-35095-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 - id: 13149
@@ -2336,8 +2053,6 @@ checks:
 - cis_csc: ["9"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> DCSettingIndex -> 0'
 - id: 13150
@@ -2350,8 +2065,6 @@ checks:
 - cis_csc: ["9"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 -> ACSettingIndex -> 0'
 - id: 13151
@@ -2366,8 +2079,6 @@ checks:
 - 'CCE-33782-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
 - id: 13152
@@ -2382,8 +2093,6 @@ checks:
 - 'CCE-35462-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
 - id: 13153
@@ -2398,8 +2107,6 @@ checks:
 - 'CCE-33801-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
 - id: 13154
@@ -2414,8 +2121,6 @@ checks:
 - 'CCE-35331-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
 - id: 13155
@@ -2430,8 +2135,6 @@ checks:
 - 'CCE-35392-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
 - id: 13156
@@ -2446,8 +2149,6 @@ checks:
 - 'CCE-35391-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
 - id: 13157
@@ -2462,8 +2163,6 @@ checks:
 - 'CCE-35803-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
 - id: 13158
@@ -2478,8 +2177,6 @@ checks:
 - 'CCE-35289-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
 - id: 13159
@@ -2494,8 +2191,6 @@ checks:
 - 'CCE-34771-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
 - id: 13160
@@ -2510,8 +2205,6 @@ checks:
 - 'CCE-33791-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> ff'
 - id: 13161
@@ -2524,8 +2217,6 @@ checks:
 - cis_csc: ["16"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures -> EnhancedAntiSpoofing -> 1'
 - id: 13162
@@ -2538,8 +2229,6 @@ checks:
 - cis_csc: ["13"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent -> DisableWindowsConsumerFeatures -> 1'
 - id: 13163
@@ -2552,8 +2241,6 @@ checks:
 - cis_csc: ["15.8", "15.9"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect -> RequirePinForPairing -> 1'
 - id: 13164
@@ -2568,8 +2255,6 @@ checks:
 - 'CCE-32965-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
 - id: 13165
@@ -2584,8 +2269,6 @@ checks:
 - 'CCE-35194-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
 - id: 13166
@@ -2600,8 +2283,6 @@ checks:
 - 'CCE-41400-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> AllowTelemetry -> r:^0$|^1$'
 - id: 13167
@@ -2614,8 +2295,6 @@ checks:
 - cis_csc: ["13"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DoNotShowFeedbackNotifications -> 1'
 - id: 13168
@@ -2630,8 +2309,6 @@ checks:
 - 'CCE-41380-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds -> AllowBuildPreview -> 0'
 - id: 13169
@@ -2644,8 +2321,6 @@ checks:
 - cis_csc: ["4.5", "3.4", "3.5"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'
 - 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$'
 - id: 13170
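Review bot: The negated rule kept in the last hunk of this line (the check before `- id: 13170`), `not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode -> r:^3$`, now stands alone under `condition: all`, and as far as the rule syntax shows a negated rule is satisfied whenever the positive match fails, including when the key or value does not exist; the two existence rules this hunk removes were the only thing that made an unconfigured host fail this check, so after the change a machine where Delivery Optimization was never set reports as compliant. Every other hunk in this diff keeps a positive `-> value` rule, which still fails on a missing key, so this is the one check where dropping the existence rules changes the outcome. Keeping the value-existence rule beside it, `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization -> DODownloadMode'`, or replacing the negation with a positive match of the permitted modes, restores the previous behaviour.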
@@ -2660,8 +2335,6 @@ checks:
 - 'CCE-34169-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
 - id: 13171
@@ -2676,8 +2349,6 @@ checks:
 - 'CCE-33975-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
 - id: 13172
@@ -2692,8 +2363,6 @@ checks:
 - 'CCE-35090-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
 - id: 13173
@@ -2708,8 +2377,6 @@ checks:
 - 'CCE-33428-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
 - id: 13174
@@ -2724,8 +2391,6 @@ checks:
 - 'CCE-34170-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
 - id: 13175
@@ -2740,8 +2405,6 @@ checks:
 - 'CCE-35091-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
 - id: 13176
@@ -2756,8 +2419,6 @@ checks:
 - 'CCE-33729-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
 - id: 13177
@@ -2772,8 +2433,6 @@ checks:
 - 'CCE-35288-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
 - id: 13178
@@ -2788,8 +2447,6 @@ checks:
 - 'CCE-33608-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 - id: 13179
@@ -2804,8 +2461,6 @@ checks:
 - 'CCE-33745-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
 - id: 13180
@@ -2820,8 +2475,6 @@ checks:
 - 'CCE-33764-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 - id: 13181
@@ -2836,8 +2489,6 @@ checks:
 - 'CCE-34776-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup -> DisableHomeGroup -> 1'
 - id: 13182
@@ -2850,8 +2501,6 @@ checks:
 - cis_csc: ["16"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount -> DisableUserAuth -> 1'
 - id: 13183
@@ -2864,8 +2513,6 @@ checks:
 - cis_csc: ["13"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> Cookies -> r:^0$|^1$'
 - id: 13184
@@ -2878,8 +2525,6 @@ checks:
 - cis_csc: ["16"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> FormSuggest Passwords -> no'
 - id: 13185
@@ -2892,8 +2537,6 @@ checks:
 - cis_csc: ["7.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Security -> FlashClickToRunMode -> 1'
 - id: 13186
@@ -2908,8 +2551,6 @@ checks:
 - 'CCE-33826-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
 - id: 13187
@@ -2924,8 +2565,6 @@ checks:
 - 'CCE-34506-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
 - id: 13188
@@ -2940,8 +2579,6 @@ checks:
 - 'CCE-34697-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
 - id: 13189
@@ -2956,8 +2593,6 @@ checks:
 - 'CCE-33960-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
 - id: 13190
@@ -2972,8 +2607,6 @@ checks:
 - 'CCE-35723-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
 - id: 13191
@@ -2988,8 +2621,6 @@ checks:
 - 'CCE-35578-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
 - id: 13192
@@ -3004,8 +2635,6 @@ checks:
 - 'CCE-34136-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
 - id: 13193
@@ -3020,8 +2649,6 @@ checks:
 - 'CCE-34531-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
 - id: 13194
@@ -3036,8 +2663,6 @@ checks:
 - 'CCE-34822-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
 - id: 13195
@@ -3052,8 +2677,6 @@ checks:
 - 'CCE-41421-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortana -> 0'
 - id: 13196
@@ -3066,8 +2689,6 @@ checks:
 - cis_csc: ["16.5"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCortanaAboveLock -> 0'
 - id: 13197
@@ -3082,8 +2703,6 @@ checks:
 - 'CCE-35314-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
 - id: 13198
@@ -3098,8 +2717,6 @@ checks:
 - 'CCE-41372-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowSearchToUseLocation -> 0'
 - id: 13199
@@ -3114,8 +2731,6 @@ checks:
 - 'CCE-35807-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> AutoDownload -> 4'
 - id: 13200
@@ -3130,8 +2745,6 @@ checks:
 - 'CCE-35809-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> DisableOSUpgrade -> 1'
 - id: 13201
@@ -3146,8 +2759,6 @@ checks:
 - 'CCE-33833-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> LocalSettingOverrideSpynetReporting -> 0'
 - id: 13202
@@ -3162,8 +2773,6 @@ checks:
 - 'CCE-33865-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
 - id: 13203
@@ -3178,8 +2787,6 @@ checks:
 - 'CCE-33888-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableRemovableDriveScanning -> 0'
 - id: 13204
@@ -3194,8 +2801,6 @@ checks:
 - 'CCE-33906-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan -> DisableEmailScanning -> 0'
 - id: 13205
@@ -3208,8 +2813,6 @@ checks:
 - cis_csc: ["8.4"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -> ExploitGuard_ASR_Rules -> 1'
 - id: 13206
@@ -3222,28 +2825,16 @@ checks:
 - cis_csc: ["8.4"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D4F940AB-401B-4EFC-AADC-AD5F3C50688A -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 3B576869-A4EC-4529-8536-B80A7769E899 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> D3E037E1-3EB8-44C8-A917-57927947596D -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 26190899-1602-49E8-8B27-eB1D0A1CE869 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 -> 1'
- - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
 - 'r:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -> B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 -> 1'
 - id: 13207
@@ -3256,8 +2847,6 @@ checks:
 - cis_csc: ["7"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -> EnableNetworkProtection -> 1'
 - id: 13208
@@ -3272,8 +2861,6 @@ checks:
 - 'CCE-33478-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
 - id: 13209
@@ -3286,8 +2873,6 @@ checks:
 - cis_csc: ["8.4"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -> DisallowExploitProtectionOverride -> 1'
 - id: 13210
@@ -3302,10 +2887,7 @@ checks:
 - 'CCE-34026-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> ShellSmartScreenLevel -> Block'
 - id: 13211
@@ -3318,8 +2900,6 @@ checks:
 - cis_csc: ["2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> EnabledV9 -> 1'
 - id: 13212
@@ -3332,8 +2912,6 @@ checks:
 - cis_csc: ["7"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverrideAppRepUnknown -> 1'
 - id: 13213
@@ -3346,8 +2924,6 @@ checks:
 - cis_csc: ["7"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter -> PreventOverride -> 1'
 - id: 13214
@@ -3360,8 +2936,6 @@ checks:
 - cis_csc: ["13"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR -> AllowGameDVR -> 0'
 - id: 13215
@@ -3374,8 +2948,6 @@ checks:
 - cis_csc: ["16.5"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowWindowsInkWorkspace -> r:^0$|^1$'
 - id: 13216
@@ -3390,8 +2962,6 @@ checks:
 - 'CCE-35431-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 1'
 - id: 13217
@@ -3406,8 +2976,6 @@ checks:
 - 'CCE-35400-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
 - id: 13218
@@ -3422,8 +2990,6 @@ checks:
 - 'CCE-33891-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
 - id: 13219
@@ -3436,8 +3002,6 @@ checks:
 - cis_csc: ["16.4"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
 - id: 13220
@@ -3450,8 +3014,6 @@ checks:
 - cis_csc: ["16.4"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
 - id: 13221
@@ -3466,8 +3028,6 @@ checks:
 - 'CCE-35258-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
 - id: 13222
@@ -3482,8 +3042,6 @@ checks:
 - 'CCE-34458-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
 - id: 13223
@@ -3498,8 +3056,6 @@ checks:
 - 'CCE-34778-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
 - id: 13224
@@ -3514,8 +3070,6 @@ checks:
 - 'CCE-34779-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
 - id: 13225
@@ -3530,8 +3084,6 @@ checks:
 - 'CCE-35054-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
 - id: 13226
@@ -3546,8 +3098,6 @@ checks:
 - 'CCE-35416-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
 - id: 13227
@@ -3560,10 +3110,7 @@ checks:
 - cis_csc: ["3"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuilds -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> ManagePreviewBuildsPolicyValue -> 0'
 - id: 13228
@@ -3576,12 +3123,8 @@ checks:
 - cis_csc: ["3"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdates -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferFeatureUpdatesPeriodInDays -> n:^(\d+) compare >= 180'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> BranchReadinessLevel -> 32'
 - id: 13229
@@ -3594,10 +3137,7 @@ checks:
 - cis_csc: ["3.4", "3.5", "4.5"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdates -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -> DeferQualityUpdatesPeriodInDays -> 0'
 - id: 13230
@@ -3612,8 +3152,6 @@ checks:
 - 'CCE-35111-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
 - id: 13231
@@ -3628,8 +3166,6 @@ checks:
 - 'CCE-35111-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
 - id: 13232
@@ -3644,6 +3180,4 @@ checks:
 - 'CCE-33813-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index fe6e97ab0..a702f00d0 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -39,8 +39,6 @@ checks:
 - 'CCE-33958-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1'
 - id: 13501
@@ -55,8 +53,6 @@ checks:
 - 'CCE-34901-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> n:^(\d+) compare <= 4'
 - id: 13502
@@ -71,8 +67,6 @@ checks:
 - 'CCE-35007-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography -> ForceKeyProtection -> n:^(\d+) compare >= 1'
 # 5 System Services
@@ -86,8 +80,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv -> Start -> 4'
 - id: 13504
@@ -100,8 +92,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker -> Start -> 4'
 - id: 13505
@@ -114,8 +104,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc -> Start -> 4'
 - id: 13506
@@ -128,8 +116,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc -> Start -> 4'
 - id: 13507
@@ -142,8 +128,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI -> Start -> 4'
 - id: 13508
@@ -156,8 +140,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc -> Start -> 4'
 - id: 13509
@@ -170,8 +152,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc -> Start -> 4'
 - id: 13510
@@ -184,8 +164,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc -> Start -> 4'
 - id: 13511
@@ -198,8 +176,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg -> Start -> 4'
 - id: 13512
@@ -212,8 +188,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport -> Start -> 4'
 - id: 13513
@@ -226,8 +200,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto -> Start -> 4'
 - id: 13514
@@ -240,8 +212,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv -> Start -> 4'
 - id: 13515
@@ -254,8 +224,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService -> Start -> 4'
 - id: 13516
@@ -268,8 +236,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService -> Start -> 4'
 - id: 13517
@@ -282,8 +248,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry -> Start -> 4'
 - id: 13518
@@ -296,8 +260,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer -> Start -> 4'
 - id: 13519
@@ -310,8 +272,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP -> Start -> 4'
 - id: 13520
@@ -324,8 +284,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc -> Start -> 4'
 - id: 13521
@@ -338,8 +296,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc -> Start -> 4'
 - id: 13522
@@ -352,8 +308,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService -> Start -> 4'
 - id: 13523
@@ -366,8 +320,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall -> Start -> 4'
 - id: 13524
@@ -380,8 +332,6 @@ checks:
 - cis_csc: ["9.1", "9.2"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM -> Start -> 4'
 # 18.1 Control Panel
@@ -395,8 +345,6 @@ checks:
 - cis_csc: ["9.1"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> AllowOnlineTips -> 0'
 # 18.4 MSS (Legacy)
@@ -412,8 +360,6 @@ checks:
 - https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters -> DisableSavePassword -> 1'
 - id: 13527
@@ -429,8 +375,6 @@ checks:
 - 'CCE-35469-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 493e0'
 - id: 13528
@@ -446,8 +390,6 @@ checks:
 - 'CCE-34614-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
 - id: 13529
@@ -463,8 +405,6 @@ checks:
 - 'CCE-34622-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
 - id: 13530
@@ -480,8 +420,6 @@ checks:
 - 'CCE-34623-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
 # 18.5 Network
@@ -495,8 +433,6 @@ checks:
 - cis_csc: ["3", "13"]
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableFontProviders -> 0'
 - id: 13532
@@ -511,14 +447,9 @@ checks:
- 'CCE-34262-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0'
- id: 13533
@@ -533,14 +464,9 @@ checks:
- 'CCE-34073-7'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0'
- id: 13534
@@ -555,8 +481,6 @@ checks:
- 'CCE-33208-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1'
- id: 13535
@@ -569,8 +493,6 @@ checks:
- cis_csc: ["9"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> ff'
- id: 13536
@@ -585,16 +507,10 @@ checks:
- 'CCE-34326-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0'
- id: 13537
@@ -609,8 +525,6 @@ checks:
- 'CCE-35606-3'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1'
# 18.8 System
@@ -626,8 +540,6 @@ checks:
- 'CCE-35626-1'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoUseStoreOpenWith -> 1'
- id: 13539
@@ -642,8 +554,6 @@ checks:
- 'CCE-35781-4'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
- id: 13540
@@ -658,8 +568,6 @@ checks:
- 'CCE-32945-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1'
- id: 13541
@@ -674,8 +582,6 @@ checks:
- 'CCE-35784-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1'
- id: 13542
@@ -690,8 +596,6 @@ checks:
- 'CCE-33153-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1'
- id: 13543
@@ -705,8 +609,6 @@ checks:
- 'CCE-33216-3'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control'
- - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration'
- 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'
- id: 13544
@@ -721,8 +623,6 @@ checks:
- 'CCE-33817-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- id: 13545
@@ -737,8 +637,6 @@ checks:
- 'CCE-34061-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1'
- id: 13546
@@ -753,8 +651,6 @@ checks:
- 'CCE-33246-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
- id: 13547
@@ -769,8 +665,6 @@ checks:
- 'CCE-33957-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
- id: 13548
@@ -785,8 +679,6 @@ checks:
- 'CCE-33255-1'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0'
- id: 13549
@@ -801,11 +693,7 @@ checks:
- 'CCE-34260-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
- id: 13550
@@ -820,10 +708,7 @@ checks:
- 'CCE-41396-3'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitBehavior -> 0'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters -> DevicePKInitEnabled -> 1'
- id: 13551
@@ -838,8 +723,6 @@ checks:
- 'CCE-35101-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1'
- id: 13552
@@ -854,8 +737,6 @@ checks:
- 'CCE-34972-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0'
- id: 13553
@@ -870,8 +751,6 @@ checks:
- 'CCE-33662-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0'
- id: 13554
@@ -886,8 +765,6 @@ checks:
- 'CCE-33823-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1'
- id: 13555
@@ -902,8 +779,6 @@ checks:
- 'CCE-33661-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1'
- id: 13556
@@ -918,8 +793,6 @@ checks:
- 'CCE-35135-3'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0'
# 18.9 Windows Components
@@ -935,8 +808,6 @@ checks:
- 'CCE-41397-1'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager -> AllowSharedLocalAppData -> 0'
- id: 13558
@@ -949,8 +820,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera -> AllowCamera -> 0'
- id: 13559
@@ -963,8 +832,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection -> DisableEnterpriseAuthProxy -> 1'
- id: 13560
@@ -979,8 +846,6 @@ checks:
- 'CCE-33743-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1'
- id: 13561
@@ -993,8 +858,6 @@ checks:
- cis_csc: ["9.1", "9.2", "13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging -> AllowMessageSync -> 0'
- id: 13562
@@ -1007,8 +870,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI -> ShowOneBox -> 0'
- id: 13563
@@ -1021,8 +882,6 @@ checks:
- cis_csc: ["7.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons -> FlashPlayerEnabled -> 0'
- id: 13564
@@ -1035,8 +894,6 @@ checks:
- cis_csc: ["7"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowInPrivate -> 0'
- id: 13565
@@ -1049,8 +906,6 @@ checks:
- cis_csc: ["7"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> AllowPopups -> r:yes'
- id: 13566
@@ -1063,8 +918,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes -> ShowSearchSuggestionsGlobal -> 0'
- id: 13567
@@ -1077,8 +930,6 @@ checks:
- cis_csc: ["3"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> PreventAccessToAboutFlagsInMicrosoftEdge -> 1'
- id: 13568
@@ -1091,8 +942,6 @@ checks:
- cis_csc: ["7.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -> HideLocalHostIP -> 1'
- id: 13569
@@ -1105,8 +954,6 @@ checks:
- cis_csc: ["9.1", "9.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall -> DisablePushToInstall -> 1'
- id: 13570
@@ -1120,8 +967,6 @@ checks:
- 'CCE-35255-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDenyTSConnections -> 0'
- id: 13571
@@ -1136,8 +981,6 @@ checks:
- 'CCE-34496-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
- id: 13572
@@ -1152,8 +995,6 @@ checks:
- 'CCE-34698-1'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1'
- id: 13573
@@ -1168,8 +1009,6 @@ checks:
- 'CCE-34790-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1'
- id: 13574
@@ -1185,8 +1024,6 @@ checks:
- 'CCE-35595-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000'
- id: 13575
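Review bot: The rule kept for MaxIdleTime in the last hunk on this line (`@@ -1185,8 +1024,6 @@`, check 13574) still passes when the data is 0, because `n:^(\d+) compare <= 900000` is satisfied by zero, while the other bounded-value checks in this same diff (MaximumPasswordAge and InactivityTimeoutSecs in cis_win2012r2_domainL1.yml) pair the comparison with a `not r:... -> 0` rule to reject the "disabled" value. If 0 means no idle limit for this Terminal Services setting, as the sibling checks assume for their settings, a host with no timeout at all would be reported compliant. Adding `- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> 0'` next to the comparison under the existing `condition: all` would close that gap; the existence rules this commit deletes do not affect the outcome either way, since the remaining rule already names the key and value.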
@@ -1201,8 +1038,6 @@ checks:
- 'CCE-35599-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000'
- id: 13576
@@ -1215,8 +1050,6 @@ checks:
- cis_csc: ["9.1", "9.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowCloudSearch -> 0'
- id: 13577
@@ -1228,8 +1061,6 @@ checks:
- cis: ["18.9.65.1"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1'
- id: 13578
@@ -1246,8 +1077,6 @@ checks:
- 'CCE-35811-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore -> RemoveWindowsStore -> 1'
- id: 13579
@@ -1259,8 +1088,6 @@ checks:
- cis: ["18.9.76.3.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0'
- id: 13580
@@ -1275,8 +1102,6 @@ checks:
- 'CCE-33880-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1'
- id: 13581
@@ -1289,8 +1114,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -> AllowSuggestedAppsInWindowsInkWorkspace -> 0'
- id: 13582
@@ -1305,8 +1128,6 @@ checks:
- 'CCE-35086-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0'
- id: 13583
@@ -1321,8 +1142,6 @@ checks:
- 'CCE-33146-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0'
- id: 13584
@@ -1337,6 +1156,4 @@ checks:
- 'CCE-33740-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
diff --git a/sca/windows/cis_win2012r2_domainL1.yml b/sca/windows/cis_win2012r2_domainL1.yml
index 61063b598..a4944c705 100644
--- a/sca/windows/cis_win2012r2_domainL1.yml
+++ b/sca/windows/cis_win2012r2_domainL1.yml
@@ -41,8 +41,6 @@ checks:
- 'CCE-37167-4'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge'
- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
@@ -59,8 +57,6 @@ checks:
- 'CCE-36147-7'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3'
- id: 11002
@@ -75,8 +71,6 @@ checks:
- 'CCE-37615-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1'
- id: 11003
@@ -91,8 +85,6 @@ checks:
- 'CCE-37850-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1'
- id: 11004
@@ -107,8 +99,6 @@ checks:
- 'CCE-35907-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0'
- id: 11005
@@ -123,8 +113,6 @@ checks:
- 'CCE-37701-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0'
- id: 11006
@@ -139,8 +127,6 @@ checks:
- 'CCE-37848-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SubmitControl -> 0'
- id: 11007
@@ -156,8 +142,6 @@ checks:
- 'CCE-35904-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters -> LDAPServerIntegrity -> 2'
- id: 11008
@@ -172,8 +156,6 @@ checks:
- 'CCE-36921-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RefusePasswordChange -> 0'
- id: 11009
@@ -188,8 +170,6 @@ checks:
- 'CCE-36142-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1'
- id: 11010
@@ -204,8 +184,6 @@ checks:
- 'CCE-37130-2'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1'
- id: 11011
@@ -220,8 +198,6 @@ checks:
- 'CCE-37222-7'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1'
- id: 11012
@@ -236,8 +212,6 @@ checks:
- 'CCE-37508-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0'
- id: 11013
@@ -252,8 +226,6 @@ checks:
- 'CCE-37614-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1'
- id: 11014
@@ -268,8 +240,6 @@ checks:
- 'CCE-36056-0'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1'
- id: 11015
@@ -284,8 +254,6 @@ checks:
- 'CCE-37637-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0'
- id: 11016
@@ -300,8 +268,6 @@ checks:
- 'CCE-38235-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs'
- 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
@@ -317,8 +283,6 @@ checks:
- 'CCE-37622-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14'
- id: 11018
@@ -333,8 +297,6 @@ checks:
- 'CCE-38333-1'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption'
- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$'
- id: 11019
@@ -349,8 +311,6 @@ checks:
- 'CCE-36325-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1'
- id: 11020
@@ -365,8 +325,6 @@ checks:
- 'CCE-36269-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1'
- id: 11021
@@ -381,8 +339,6 @@ checks:
- 'CCE-37863-8'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0'
- id: 11022
@@ -397,8 +353,6 @@ checks:
- 'CCE-38046-9'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect'
- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
@@ -414,8 +368,6 @@ checks:
- 'CCE-37864-6'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1'
- id: 11024
@@ -430,8 +382,6 @@ checks:
- 'CCE-35988-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1'
- id: 11025
@@ -446,8 +396,6 @@ checks:
- 'CCE-37972-7'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
# Section 2.3 - Security Options
@@ -463,8 +411,6 @@ checks:
- 'CCE-38119-4'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
- id: 11027
@@ -479,8 +425,6 @@ checks:
- 'CCE-36148-5'
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous'
- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0'
- id: 11028
@@ -495,8 +439,6 @@ checks:
 - 'CCE-38258-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:lsarpc|netlogon|samr'
 - id: 11029
@@ -511,8 +453,6 @@ checks:
 - 'CCE-37194-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion'
 - id: 11030
@@ -527,8 +467,6 @@ checks:
 - 'CCE-36347-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS'
 - id: 11031
@@ -543,8 +481,6 @@ checks:
 - 'CCE-36021-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1'
 - id: 11032
@@ -559,8 +495,6 @@ checks:
 - 'CCE-38095-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares'
 - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.'
 - id: 11033
 title: "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'"
@@ -574,8 +508,6 @@ checks:
 - 'CCE-37623-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0'
 - id: 11034
@@ -590,8 +522,6 @@ checks:
 - 'CCE-38341-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1'
 - id: 11035
@@ -606,8 +536,6 @@ checks:
 - 'CCE-37035-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0'
 - id: 11036
@@ -622,8 +550,6 @@ checks:
 - 'CCE-38047-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0'
 - id: 11037
@@ -638,8 +564,6 @@ checks:
 - 'CCE-37755-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644'
 - id: 11038
@@ -654,8 +578,6 @@ checks:
 - 'CCE-36326-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1'
 - id: 11039
@@ -670,8 +592,6 @@ checks:
 - 'CCE-36270-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1'
 - id: 11040
@@ -686,8 +606,6 @@ checks:
 - 'CCE-36173-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5'
 - id: 11041
@@ -702,8 +620,6 @@ checks:
 - 'CCE-36858-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'
 - id: 11042
@@ -718,8 +634,6 @@ checks:
 - 'CCE-37553-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200'
 - id: 11043
@@ -735,8 +649,6 @@ checks:
 - 'CCE-37835-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200'
 - id: 11044
@@ -751,8 +663,6 @@ checks:
 - 'CCE-36788-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0'
 - id: 11045
@@ -766,8 +676,6 @@ checks:
 - 'CCE-37885-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1'
 - id: 11046
@@ -782,8 +690,6 @@ checks:
 - 'CCE-37644-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager'
- - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode'
 - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1'
 - id: 11047
@@ -798,8 +704,6 @@ checks:
 - 'CCE-36494-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1'
 - id: 11048
@@ -814,8 +718,6 @@ checks:
 - 'CCE-36863-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0'
 - id: 11049
@@ -830,8 +732,6 @@ checks:
 - 'CCE-37029-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> 2'
 - id: 11050
@@ -846,8 +746,6 @@ checks:
 - 'CCE-36864-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0'
 - id: 11051
@@ -862,8 +760,6 @@ checks:
 - 'CCE-36533-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection'
 - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'
 - id: 11052
@@ -878,8 +774,6 @@ checks:
 - 'CCE-37057-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1'
 - id: 11053
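Review bot: The rule kept in the hunk at `@@ -862,8 +760,6 @@` (the check just before `- id: 11052`) still points at `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while every sibling UAC check in this section uses `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`. The extra `\MACHINE` component looks like a copy error, and with `condition: all` a rule that never matches makes the check fail regardless of the real EnableInstallerDetection setting, which hides a genuine misconfiguration behind a constant failure. Since the cleanup already rewrites these rules, this is the moment to align it: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'`. The check's `id`/`title` lines sit above this hunk, so I cannot confirm its number from here.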
@@ -894,8 +788,6 @@ checks:
 - 'CCE-36869-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1'
 - id: 11054
@@ -910,8 +802,6 @@ checks:
 - 'CCE-36866-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1'
 - id: 11055
@@ -925,8 +815,6 @@ checks:
 - 'CCE-37064-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization'
 - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1'
 # Section 9.1 - Domain Profile
@@ -942,8 +830,6 @@ checks:
 - 'CCE-36062-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1'
 - id: 11057
@@ -958,8 +844,6 @@ checks:
 - 'CCE-38117-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1'
 - id: 11058
@@ -974,8 +858,6 @@ checks:
 - 'CCE-36146-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0'
 - id: 11059
@@ -989,8 +871,6 @@ checks:
 - 'CCE-38041-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1'
 - id: 11060
@@ -1005,8 +885,6 @@ checks:
 - 'CCE-37482-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'
 - id: 11061
@@ -1021,8 +899,6 @@ checks:
 - 'CCE-36088-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 - id: 11062
@@ -1037,8 +913,6 @@ checks:
 - 'CCE-37523-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1'
 - id: 11063
@@ -1053,8 +927,6 @@ checks:
 - 'CCE-36393-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 9.2 - Private Profile
@@ -1070,8 +942,6 @@ checks:
 - 'CCE-38239-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1'
 - id: 11065
@@ -1086,8 +956,6 @@ checks:
 - 'CCE-38042-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1'
 - id: 11066
@@ -1102,8 +970,6 @@ checks:
 - 'CCE-38332-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0'
 - id: 11067
@@ -1117,8 +983,6 @@ checks:
 - 'CCE-37621-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1'
 - id: 11068
@@ -1133,8 +997,6 @@ checks:
 - 'CCE-37569-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'
 - id: 11069
@@ -1149,8 +1011,6 @@ checks:
 - 'CCE-38178-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 - id: 11070
@@ -1165,8 +1025,6 @@ checks:
 - 'CCE-35972-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1'
 - id: 11071
@@ -1181,8 +1039,6 @@ checks:
 - 'CCE-37387-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1'
 # Sectin 9.3 - Public Profile
@@ -1198,8 +1054,6 @@ checks:
 - 'CCE-37862-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1'
 - id: 11073
@@ -1214,8 +1068,6 @@ checks:
 - 'CCE-36057-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1'
 - id: 11074
@@ -1230,8 +1082,6 @@ checks:
 - 'CCE-37434-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0'
 - id: 11075
@@ -1245,8 +1095,6 @@ checks:
 - 'CCE-38043-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 0'
@@ -1262,8 +1110,6 @@ checks:
 - 'CCE-37861-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 0'
 - id: 11077
@@ -1278,8 +1124,6 @@ checks:
 - 'CCE-36268-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 0'
 - id: 11078
@@ -1294,8 +1138,6 @@ checks:
 - 'CCE-37266-4'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
 - id: 11079
@@ -1310,8 +1152,6 @@ checks:
 - 'CCE-36395-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 - id: 11080
@@ -1326,8 +1166,6 @@ checks:
 - 'CCE-37265-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
 - id: 11081
@@ -1342,8 +1180,6 @@ checks:
 - 'CCE-36394-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 # Section 18.1 - Control Panel
@@ -1358,8 +1194,6 @@ checks:
 - 'CCE-38347-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
 - id: 11083
@@ -1373,8 +1207,6 @@ checks:
 - 'CCE-38348-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 # Section 18.3 - MS Security Guide
@@ -1393,8 +1225,6 @@ checks:
 - 'CCE-38444-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 # Section 18.4 - MSS (Legacy)
@@ -1412,8 +1242,6 @@ checks:
 - 'CCE-37067-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
 - id: 11086
@@ -1429,8 +1257,6 @@ checks:
 - 'CCE-36871-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
 - id: 11087
@@ -1446,8 +1272,6 @@ checks:
 - 'CCE-36535-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
 - id: 11088
@@ -1463,8 +1287,6 @@ checks:
 - 'CCE-37988-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
 - id: 11089
@@ -1480,8 +1302,6 @@ checks:
 - 'CCE-36879-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
 - id: 11090
@@ -1497,8 +1317,6 @@ checks:
 - 'CCE-36351-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
 - id: 11091
@@ -1514,8 +1332,6 @@ checks:
 - 'CCE-37993-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
 - id: 11092
@@ -1531,8 +1347,6 @@ checks:
 - 'CCE-36880-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
 # Section 18.5 - Network
@@ -1548,8 +1362,6 @@ checks:
 - 'CCE-38002-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
 - id: 11094
@@ -1564,8 +1376,6 @@ checks:
 - 'CCE-38188-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
 - id: 11095
@@ -1580,8 +1390,6 @@ checks:
 - 'CCE-38338-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 # Section 18.8 - System
@@ -1597,8 +1405,6 @@ checks:
 - 'CCE-36925-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
 - id: 11097
@@ -1613,8 +1419,6 @@ checks:
 - 'CCE-37912-3'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
 - id: 11098
@@ -1629,8 +1433,6 @@ checks:
 - 'CCE-36169-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
 - id: 11099
@@ -1645,8 +1447,6 @@ checks:
 - 'CCE-36169-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
 - id: 11100
@@ -1661,8 +1461,6 @@ checks:
 - 'CCE-37712-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
 # Section 18.8 - System
@@ -1678,8 +1476,6 @@ checks:
 - 'CCE-36625-2'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
 - id: 11102
@@ -1694,8 +1490,6 @@ checks:
 - 'CCE-36096-6'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
 - id: 11103
@@ -1710,8 +1504,6 @@ checks:
 - 'CCE-36920-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
 - id: 11104
@@ -1726,8 +1518,6 @@ checks:
 - 'CCE-38353-9'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 - id: 11105
@@ -1742,8 +1532,6 @@ checks:
 - 'CCE-37838-0'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 - id: 11106
@@ -1758,8 +1546,6 @@ checks:
 - 'CCE-35894-5'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 - id: 11107
@@ -1774,8 +1560,6 @@ checks:
 - 'CCE-35893-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 - id: 11108
@@ -1790,8 +1574,6 @@ checks:
 - 'CCE-37528-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 - id: 11109
@@ -1806,8 +1588,6 @@ checks:
 - 'CCE-36881-1'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> DCSettingIndex -> 1'
 - id: 11110
@@ -1822,8 +1602,6 @@ checks:
 - 'CCE-37066-8'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 -> ACSettingIndex -> 1'
 - id: 11111
@@ -1838,8 +1616,6 @@ checks:
 - 'CCE-36388-7'
 condition: all
 rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
 - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
 - id: 11112
@@ -1854,8 +1630,6 @@ checks: - 'CCE-37281-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0' # Section 18.9 - Windows Components
@@ -1871,8 +1645,6 @@ checks: - 'CCE-38354-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1' - id: 11114
@@ -1887,8 +1659,6 @@ checks: - 'CCE-37636-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1' - id: 11115
@@ -1903,8 +1673,6 @@ checks: - 'CCE-38217-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1' - id: 11116
@@ -1919,8 +1687,6 @@ checks: - 'CCE-36875-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255' - id: 11117
@@ -1935,8 +1701,6 @@ checks: - 'CCE-37534-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1' - id: 11118
@@ -1951,8 +1715,6 @@ checks: - 'CCE-36512-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0' - id: 11119
@@ -1967,8 +1729,6 @@ checks: - 'CCE-37775-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0' - id: 11120
@@ -1983,8 +1743,6 @@ checks: - 'CCE-37948-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768' - id: 11121
@@ -1999,8 +1757,6 @@ checks: - 'CCE-37145-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0' - id: 11122
@@ -2015,8 +1771,6 @@ checks: - 'CCE-37695-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608' - id: 11123
@@ -2031,8 +1785,6 @@ checks: - 'CCE-38276-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0' - id: 11124
@@ -2047,8 +1799,6 @@ checks: - 'CCE-37526-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768' - id: 11125
@@ -2063,8 +1813,6 @@ checks: - 'CCE-36160-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0' - id: 11126
@@ -2079,8 +1827,6 @@ checks: - 'CCE-36092-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768' - id: 11127
@@ -2095,8 +1841,6 @@ checks: - 'CCE-37809-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0' - id: 11128
@@ -2111,8 +1855,6 @@ checks: - 'CCE-36660-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0' - id: 11129
@@ -2127,8 +1869,6 @@ checks: - 'CCE-36809-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0' - id: 11130
@@ -2143,8 +1883,6 @@ checks: - 'CCE-36939-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1' - id: 11131
@@ -2159,8 +1897,6 @@ checks: - 'CCE-36223-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1' - id: 11132
@@ -2175,8 +1911,6 @@ checks: - 'CCE-36509-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1' - id: 11133
@@ -2191,8 +1925,6 @@ checks: - 'CCE-37929-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1' - id: 11134
@@ -2207,8 +1939,6 @@ checks: - 'CCE-37567-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1' - id: 11135
@@ -2223,8 +1953,6 @@ checks: - 'CCE-36627-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3' - id: 11136
@@ -2239,8 +1967,6 @@ checks: - 'CCE-37946-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1' - id: 11137
@@ -2255,8 +1981,6 @@ checks: - 'CCE-38180-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1' - id: 11138
@@ -2271,8 +1995,6 @@ checks: - 'CCE-37126-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1' - id: 11139
@@ -2287,8 +2009,6 @@ checks: - 'CCE-38277-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0' - id: 11140
@@ -2303,8 +2023,6 @@ checks: - 'CCE-35859-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2' - id: 11141
@@ -2319,8 +2037,6 @@ checks: - 'CCE-37112-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1' - id: 11142
@@ -2335,8 +2051,6 @@ checks: - 'CCE-36978-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0' - id: 11143
@@ -2351,8 +2065,6 @@ checks: - 'CCE-36400-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0' - id: 11144
@@ -2367,8 +2079,6 @@ checks: - 'CCE-36919-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0' - id: 11145
@@ -2383,8 +2093,6 @@ checks: - 'CCE-36977-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1' - id: 11146
@@ -2397,8 +2105,6 @@ checks: - cis_csc: ["16.4"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0' - id: 11147
@@ -2411,8 +2117,6 @@ checks: - cis_csc: ["16.4"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0' - id: 11148
@@ -2427,8 +2131,6 @@ checks: - 'CCE-36310-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0' - id: 11149
@@ -2443,8 +2145,6 @@ checks: - 'CCE-37726-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0' - id: 11150
@@ -2459,8 +2159,6 @@ checks: - 'CCE-38318-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0' - id: 11151
@@ -2475,8 +2173,6 @@ checks: - 'CCE-36254-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0' - id: 11152
@@ -2491,8 +2187,6 @@ checks: - 'CCE-38223-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0' - id: 11153
@@ -2507,8 +2201,6 @@ checks: - 'CCE-36000-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1' - id: 11154
@@ -2523,8 +2215,6 @@ checks: - 'CCE-36172-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0' - id: 11155
@@ -2539,8 +2229,6 @@ checks: - 'CCE-36172-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0' - id: 11156
@@ -2555,6 +2243,4 @@ checks: - 'CCE-37027-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index 96ccf72b6..66a060278 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -40,8 +40,6 @@ checks: - 'CCE-37942-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' # Section 18.4 - MSS (Legacy)
@@ -58,8 +56,6 @@ checks: - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000' - id: 11502
@@ -75,8 +71,6 @@ checks: - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0' - id: 11503
@@ -92,8 +86,6 @@ checks: - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3' - id: 11504
@@ -109,8 +101,6 @@ checks: - 'https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' # Section 18.5 - Network
@@ -126,14 +116,9 @@ checks: - 'CCE-38170-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0' - id: 11506
@@ -148,14 +133,9 @@ checks: - 'CCE-37959-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0' - id: 11507
@@ -170,8 +150,6 @@ checks: - 'CCE-37699-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' - id: 11508
@@ -184,8 +162,6 @@ checks: - cis_csc: ["9"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255' - id: 11509
@@ -200,16 +176,10 @@ checks: - 'CCE-37481-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0' - id: 11510
@@ -224,8 +194,6 @@ checks: - 'CCE-36109-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' - id: 11511
@@ -240,8 +208,6 @@ checks: - 'CCE-37911-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' - id: 11512
@@ -256,8 +222,6 @@ checks: - 'CCE-36203-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' - id: 11513
@@ -272,8 +236,6 @@ checks: - 'CCE-37163-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' - id: 11514
@@ -287,8 +249,6 @@ checks: - 'CCE-36352-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' - - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' - id: 11515
@@ -303,8 +263,6 @@ checks: - 'CCE-36884-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' - id: 11516
@@ -319,8 +277,6 @@ checks: - 'CCE-38275-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' - id: 11517
@@ -335,8 +291,6 @@ checks: - 'CCE-37090-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' - id: 11518
@@ -351,8 +305,6 @@ checks: - 'CCE-36628-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' - id: 11519
@@ -367,8 +319,6 @@ checks: - 'CCE-36174-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' - id: 11520
@@ -383,8 +333,6 @@ checks: - 'CCE-35964-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' - id: 11521
@@ -399,8 +347,6 @@ checks: - 'CCE-36343-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' - id: 11522
@@ -415,8 +361,6 @@ checks: - 'CCE-38161-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' - id: 11523
@@ -431,8 +375,6 @@ checks: - 'CCE-36648-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' - id: 11524
@@ -447,8 +389,6 @@ checks: - 'CCE-36931-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' - id: 11525
@@ -463,8 +403,6 @@ checks: - 'CCE-37843-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' # Section 18.9 - System
@@ -480,8 +418,6 @@ checks: - 'CCE-36886-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' - id: 11527
@@ -495,8 +431,6 @@ checks: - 'CCE-37708-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1' - id: 11528
@@ -511,8 +445,6 @@ checks: - 'CCE-37696-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' - id: 11529
@@ -527,8 +459,6 @@ checks: - 'CCE-37778-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' - id: 11530
@@ -543,8 +473,6 @@ checks: - 'CCE-37477-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' - id: 11531
@@ -560,8 +488,6 @@ checks: - https://workbench.cisecurity.org/benchmarks/766 condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - id: 11532
@@ -576,8 +502,6 @@ checks: - 'CCE-37949-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' - id: 11533
@@ -592,8 +516,6 @@ checks: - 'CCE-36937-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3' - id: 11534
@@ -605,8 +527,6 @@ checks: - cis: ["18.9.65.1"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' - id: 11535
@@ -618,8 +538,6 @@ checks: - cis: ["18.9.76.3.2"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' - id: 11536
@@ -634,8 +552,6 @@ checks: - 'CCE-37524-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' - id: 11537
@@ -650,8 +566,6 @@ checks: - 'CCE-37927-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' - id: 11538
@@ -666,6 +580,4 @@ checks: - 'CCE-36499-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0'
diff --git a/sca/windows/cis_win2012r2_memberL1.yml b/sca/windows/cis_win2012r2_memberL1.yml
index a8b465d11..4abe8ab0b 100644
--- a/sca/windows/cis_win2012r2_memberL1.yml
+++ b/sca/windows/cis_win2012r2_memberL1.yml
@@ -42,8 +42,6 @@ checks: - 'CCE-37167-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> MaximumPasswordAge -> n:^(\d+) compare <= 60'
@@ -60,8 +58,6 @@ checks: - 'CCE-36147-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> NoConnectedUser -> 3' - id: 12002
@@ -76,8 +72,6 @@ checks: - 'CCE-37615-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' - id: 12003
@@ -92,8 +86,6 @@ checks: - 'CCE-37850-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> SCENoApplyLegacyAuditPolicy -> 1' - id: 12004
@@ -109,8 +101,6 @@ checks: - 'CCE-35907-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' - id: 12005
@@ -125,8 +115,6 @@ checks: - 'CCE-37701-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - id: 12006
@@ -141,8 +129,6 @@ checks: - 'CCE-37942-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - id: 12007
@@ -157,8 +143,6 @@ checks: - 'CCE-36142-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' - id: 12008
@@ -173,8 +157,6 @@ checks: - 'CCE-37130-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - id: 12009
@@ -189,8 +171,6 @@ checks: - 'CCE-37222-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' - id: 12010
@@ -205,8 +185,6 @@ checks: - 'CCE-37508-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - id: 12011
@@ -221,8 +199,6 @@ checks: - 'CCE-37614-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' - id: 12012
@@ -237,8 +213,6 @@ checks: - 'CCE-36056-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' - id: 12013
@@ -253,8 +227,6 @@ checks: - 'CCE-37637-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - id: 12014
@@ -269,7 +241,6 @@ checks: - 'CCE-38235-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs' - 'not r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> 0' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> InactivityTimeoutSecs -> n:^(\d+) compare <= 900'
@@ -285,7 +256,6 @@ checks: - 'CCE-37622-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare <= 14'
@@ -301,8 +271,6 @@ checks: - 'CCE-38240-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ForceUnlockLogon -> 1' - id: 12017
@@ -317,8 +285,6 @@ checks: - 'CCE-38333-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - id: 12018
@@ -333,8 +299,6 @@ checks: - 'CCE-36325-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - id: 12019
@@ -349,8 +313,6 @@ checks: - 'CCE-36269-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - id: 12020
@@ -365,8 +327,6 @@ checks: - 'CCE-37863-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - id: 12021
@@ -381,8 +341,6 @@ checks: - 'CCE-38046-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> 0' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15'
@@ -398,8 +356,6 @@ checks: - 'CCE-37864-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - id: 12023
@@ -414,8 +370,6 @@ checks: - 'CCE-35988-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - id: 12024
@@ -430,8 +384,6 @@ checks: - 'CCE-37972-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - id: 12025
@@ -447,8 +399,6 @@ checks: - 'CCE-36170-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> SMBServerNameHardeningLevel -> n:^(\d+) compare >= 1' - id: 12026
@@ -463,8 +413,6 @@ checks: - 'CCE-36316-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1' - id: 12027
@@ -479,8 +427,6 @@ checks: - 'CCE-36316-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1' - id: 12028
@@ -495,8 +441,6 @@ checks: - 'CCE-36148-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' - id: 12029
@@ -511,8 +455,6 @@ checks: - 'CCE-38258-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\S*' - id: 12030
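Review bot: The NullSessionPipes rule in the hunk preceding `- id: 12030` is `r:\S*`, and because `*` admits zero repetitions that pattern matches an empty value as readily as a populated one, so the only remaining rule on this check merely confirms that the value exists and passes even when pipes are listed for anonymous access. If the intent, as for the NullSessionShares check later in this diff, is that nothing be listed, the same negated form expresses it: `- 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionPipes -> r:\.'`. This assumes the SCA regex engine treats `\S*` and `\.` as the other rules in the file presume; confirm against its syntax before changing it.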
@@ -527,8 +469,6 @@ checks: - 'CCE-37194-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths -> Machine -> r:System\\CurrentControlSet\\Control\\ProductOptions|System\\CurrentControlSet\\Control\\Server Applications|Software\\Microsoft\\Windows NT\\CurrentVersion' - id: 12031
@@ -543,8 +483,6 @@ checks: - 'CCE-36347-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths -> Machine -> r:Software\\Microsoft\\Windows NT\\CurrentVersion\\Print|Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows|System\\CurrentControlSet\\Control\\Print\\Printers|System\\CurrentControlSet\\Services\\Eventlog|Software\\Microsoft\\OLAP Server|System\\CurrentControlSet\\Control\\ContentIndex|System\\CurrentControlSet\\Control\\Terminal Server|System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig|System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration|Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib|System\\CurrentControlSet\\Services\\SysmonLog|System\\CurrentControlSet\\Services\\CertSvc|System\\CurrentControlSet\\Services\\WINS' - id: 12032
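Review bot: The `Machine -> r:...` rules in the hunks preceding `- id: 12031` and `- id: 12032` are plain alternations, so the check passes as soon as any one of the listed paths appears in the multi-string value; a value carrying only one of the expected paths passes, and so does one that adds further remotely accessible registry paths beyond the benchmark list, which is the condition the control exists to catch. If the engine's `r:` is a search rather than a whole-value match, as the other rules in the file suggest, the check is weaker than its title implies. Until a stricter rule is practical, a comment above each rule such as `# passes if at least one expected path is present; extra paths are not detected` keeps that limitation visible to whoever reads a "passed" result.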
@@ -559,8 +497,6 @@ checks: - 'CCE-36021-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - id: 12033
@@ -575,8 +511,6 @@ checks: - 'CCE-38095-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' - id: 12034
@@ -591,8 +525,6 @@ checks: - 'CCE-37623-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - id: 12035
@@ -607,8 +539,6 @@ checks: - 'CCE-38341-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> UseMachineId -> 1' - id: 12036
@@ -623,8 +553,6 @@ checks: - 'CCE-37035-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> allownullsessionfallback -> 0' - id: 12037
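Review bot: After this removal, `not r:... -> NullSessionShares -> r:\.` in the hunk preceding `- id: 12034` is the only rule left on the check, so the check now passes when the Parameters key or the NullSessionShares value is missing altogether, whereas before the two deleted rules required the value to exist and be empty. That is probably acceptable, since an absent value and an empty one have the same effect on anonymous share access, but unlike the other hunks this one changes what a "passed" result means rather than just removing redundancy. Either keep the single value-existence rule on this check, or add a comment above the rule such as `# a missing value is treated as compliant (no shares listed)` so the relaxation is deliberate and visible.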
@@ -639,8 +567,6 @@ checks: - 'CCE-38047-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u -> AllowOnlineID -> 0' - id: 12038
@@ -655,8 +581,6 @@ checks: - 'CCE-37755-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -> SupportedEncryptionTypes -> 2147483644' - id: 12039
@@ -671,8 +595,6 @@ checks: - 'CCE-36326-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' - id: 12040
@@ -687,8 +609,6 @@ checks: - 'CCE-36270-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters -> EnableForcedLogOff -> 1' - id: 12041
@@ -703,8 +623,6 @@ checks: - 'CCE-36173-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' - id: 12042 title: "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher"
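Review bot: The check preceding `- id: 12041` tests `LanManServer\Parameters -> EnableForcedLogOff -> 1`, which is exactly what the check preceding `- id: 12025` earlier in this file already tests, the two rules differing only in the case of `SYSTEM`. If the two are meant to map to different benchmark items that happen to share a registry value, a comment above the second rule naming that item would stop a later de-duplication pass from dropping one of them; otherwise one of the two checks is redundant and the stripped-down rule list makes that easier to see now.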
@@ -718,8 +636,6 @@ checks: - 'CCE-36858-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:(/d+) compare >= 1' - id: 12043
@@ -734,8 +650,6 @@ checks: - 'CCE-37553-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' - id: 12044
@@ -751,8 +665,6 @@ checks: - 'CCE-37835-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' - id: 12045
@@ -767,8 +679,6 @@ checks: - 'CCE-36788-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ShutdownWithoutLogon -> 0' - id: 12046
@@ -782,8 +692,6 @@ checks: - 'CCE-37885-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' - id: 12047
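Review bot: The LDAPClientIntegrity rule in the hunk preceding `- id: 12043` is written `n:(/d+) compare >= 1`; `/d` is a literal slash followed by the letter d, not the digit class, so the numeric capture can never match a registry value and the check can never pass (or, depending on the engine, never evaluates). Every other numeric rule in this diff uses `n:^(\d+)`, so the line should read `- 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1'`. The typo predates this commit, but it is now the only rule on the check, so a permanent "failed" result is all a reader will get.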
@@ -798,8 +706,6 @@ checks: - 'CCE-37644-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1' - id: 12048
@@ -814,8 +720,6 @@ checks: - 'CCE-36494-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> FilterAdministratorToken -> 1' - id: 12049
@@ -830,8 +734,6 @@ checks: - 'CCE-36863-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableUIADesktopToggle -> 0' - id: 12050
@@ -846,8 +748,6 @@ checks: - 'CCE-37029-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorAdmin -> r:^2$' - id: 12051
@@ -862,8 +762,6 @@ checks: - 'CCE-36864-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> ConsentPromptBehaviorUser -> 0' - id: 12052
@@ -878,8 +776,6 @@ checks: - 'CCE-36533-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection' - 'r:HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1' - id: 12053
@@ -894,8 +790,6 @@ checks: - 'CCE-37057-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableSecureUIAPaths -> 1' - id: 12054
@@ -910,8 +804,6 @@ checks: - 'CCE-36869-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableLUA -> 1' - id: 12055
@@ -926,8 +818,6 @@ checks: - 'CCE-36866-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> PromptOnSecureDesktop -> 1' - id: 12056
@@ -941,8 +831,6 @@ checks: - 'CCE-37064-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableVirtualization -> 1' # Section 9.1 - Domain Profile
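Review bot: The EnableInstallerDetection rule in the hunk preceding `- id: 12053` addresses `HKEY_LOCAL_MACHINE\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`, while every other rule in this file reaches the same policy key as `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`; the extra `MACHINE` component looks like a leftover from the security-template path form, so the key will not be found and the check always fails. Drop it: `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> EnableInstallerDetection -> 1'`. With the key-existence rule removed, a failing result here is no longer attributable to a missing-key rule, which makes the typo harder to spot from scan output.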
@@ -958,8 +846,6 @@ checks: - 'CCE-36062-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> EnableFirewall -> 1' - id: 12058
@@ -974,8 +860,6 @@ checks: - 'CCE-38117-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultInboundAction -> 1' - id: 12059
@@ -990,8 +874,6 @@ checks: - 'CCE-36146-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DefaultOutboundAction -> 0' - id: 12060
@@ -1005,8 +887,6 @@ checks: - 'CCE-38041-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile -> DisableNotifications -> 1' - id: 12061
@@ -1021,8 +901,6 @@ checks: - 'CCE-37482-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log' - id: 12062
@@ -1037,8 +915,6 @@ checks: - 'CCE-36088-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' - id: 12063
@@ -1053,8 +929,6 @@ checks: - 'CCE-37523-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogDroppedPackets -> 1' - id: 12064
@@ -1069,8 +943,6 @@ checks: - 'CCE-36393-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging -> LogSuccessfulConnections -> 1' # Section 9.2 - Private Profile
@@ -1086,8 +958,6 @@ checks: - 'CCE-38239-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - id: 12066
@@ -1102,8 +972,6 @@ checks: - 'CCE-38042-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultInboundAction -> 1' - id: 12067
@@ -1118,8 +986,6 @@ checks: - 'CCE-38332-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DefaultOutboundAction -> 0' - id: 12068
@@ -1133,8 +999,6 @@ checks: - 'CCE-37621-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> DisableNotifications -> 1' - id: 12069
@@ -1149,8 +1013,6 @@ checks: - 'CCE-37569-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log' - id: 12070
@@ -1165,8 +1027,6 @@ checks: - 'CCE-38178-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384' - id: 12071
@@ -1181,8 +1041,6 @@ checks: - 'CCE-35972-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogDroppedPackets -> 1' - id: 12072
@@ -1197,8 +1055,6 @@ checks: - 'CCE-37387-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging -> LogSuccessfulConnections -> 1' # Sectin 9.3 - Public Profile
@@ -1214,8 +1070,6 @@ checks: - 'CCE-37862-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' - id: 12074
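Review bot: The section comment kept as trailing context in the hunk preceding `- id: 12074` reads `# Sectin 9.3 - Public Profile`, while the sibling headers in this file are spelled `# Section 9.1 - Domain Profile` and `# Section 9.2 - Private Profile`. Since the hunk already touches this stanza, correcting it to `# Section 9.3 - Public Profile` would keep the three firewall-profile headers consistent for anyone grepping the policy by section.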
@@ -1230,8 +1084,6 @@ checks: - 'CCE-36057-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultInboundAction -> 1' - id: 12075
@@ -1246,8 +1098,6 @@ checks: - 'CCE-37434-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DefaultOutboundAction -> 0' - id: 12076
@@ -1261,8 +1111,6 @@ checks: - 'CCE-38043-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> DisableNotifications -> 1' - id: 12077
@@ -1277,8 +1125,6 @@ checks: - 'CCE-37861-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalPolicyMerge -> 1' - id: 12078
@@ -1293,8 +1139,6 @@ checks: - 'CCE-36268-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> AllowLocalIPsecPolicyMerge -> 1' - id: 12079
@@ -1309,8 +1153,6 @@ checks:
       - 'CCE-37266-4'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFilePath -> r:%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'
 
   - id: 12080
@@ -1325,8 +1167,6 @@ checks:
       - 'CCE-36395-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogFileSize -> n:^(\d+) compare >= 16384'
 
   - id: 12081
@@ -1341,8 +1181,6 @@ checks:
       - 'CCE-37265-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogDroppedPackets -> 1'
 
   - id: 12082
@@ -1357,8 +1195,6 @@ checks:
       - 'CCE-36394-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging -> LogSuccessfulConnections -> 1'
 
   # Section 18.1 - Control Panel
@@ -1373,8 +1209,6 @@ checks:
       - 'CCE-38347-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenCamera -> 1'
 
   - id: 12084
@@ -1388,8 +1222,6 @@ checks:
       - 'CCE-38348-9'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization -> NoLockScreenSlideshow -> 1'
 
   # Section 18.2 - LAPS
@@ -1416,8 +1248,6 @@ checks:
       - cis_csc: ["16.2"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PwdExpirationProtectionEnabled -> 1'
 
   - id: 12087
@@ -1430,8 +1260,6 @@ checks:
       - cis_csc: ["16.9"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> AdmPwdEnabled -> 1'
 
   - id: 12088
@@ -1444,8 +1272,6 @@ checks:
       - cis_csc: ["5.7"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordComplexity -> 4'
 
   - id: 12089
@@ -1458,8 +1284,6 @@ checks:
       - cis_csc: ["5.7"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordLength -> n:^(\d+) compare >= 15'
 
   - id: 12090
@@ -1472,8 +1296,6 @@ checks:
       - cis_csc: ["16.5"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd -> PasswordAgeDays -> n:^(\d+) compare <= 30'
 
   # Section 18.3 - MS Security Guide
@@ -1492,8 +1314,6 @@ checks:
       - 'CCE-37069-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> LocalAccountTokenFilterPolicy -> 0'
 
   - id: 12092
@@ -1511,8 +1331,6 @@ checks:
       - 'CCE-38444-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> UseLogonCredential -> 0'
 
   # Section 18.4 - MSS (Legacy)
@@ -1530,8 +1348,6 @@ checks:
       - 'CCE-37067-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
 
   - id: 12094
@@ -1547,8 +1363,6 @@ checks:
       - 'CCE-36871-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
 
   - id: 12095
@@ -1564,8 +1378,6 @@ checks:
       - 'CCE-36535-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
 
   - id: 12096
@@ -1581,8 +1393,6 @@ checks:
       - 'CCE-37988-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> EnableICMPRedirect -> 0'
 
   - id: 12097
@@ -1598,8 +1408,6 @@ checks:
       - 'CCE-36879-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters -> NoNameReleaseOnDemand -> 1'
 
   - id: 12098
@@ -1615,8 +1423,6 @@ checks:
       - 'CCE-36351-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
 
   - id: 12099
@@ -1632,8 +1438,6 @@ checks:
       - 'CCE-37993-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
 
   - id: 12100
@@ -1649,8 +1453,6 @@ checks:
       - 'CCE-36880-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
 
   # Section 18.5 - Network
@@ -1666,8 +1468,6 @@ checks:
       - 'CCE-38002-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_AllowNetBridge_NLA -> 0'
 
   - id: 12102
@@ -1682,8 +1482,6 @@ checks:
       - 'CCE-38188-9'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections -> NC_StdDomainUserSetLocation -> 1'
 
   - id: 12103
@@ -1698,8 +1496,6 @@ checks:
       - 'CCE-38338-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fMinimizeConnections -> 1'
 
   # Section 18.8 - System
@@ -1715,8 +1511,6 @@ checks:
       - 'CCE-36925-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit -> ProcessCreationIncludeCmdLine_Enabled -> 0'
 
   - id: 12105
@@ -1731,8 +1525,6 @@ checks:
       - 'CCE-37912-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch -> DriverLoadPolicy -> 3'
 
   - id: 12106
@@ -1747,8 +1539,6 @@ checks:
       - 'CCE-36169-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
 
   - id: 12107
@@ -1763,8 +1553,6 @@ checks:
       - 'CCE-36169-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoGPOListChanges -> 0'
 
   - id: 12108
@@ -1779,8 +1567,6 @@ checks:
       - 'CCE-37712-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableBkGndGroupPolicy -> 0'
 
   - id: 12109
@@ -1795,8 +1581,6 @@ checks:
       - 'CCE-38353-9'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontDisplayNetworkSelectionUI -> 1'
 
   - id: 12110
@@ -1811,8 +1595,6 @@ checks:
       - 'CCE-37838-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DontEnumerateConnectedUsers -> 1'
 
   - id: 12111
@@ -1827,8 +1609,6 @@ checks:
       - 'CCE-35894-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnumerateLocalUsers -> 0'
 
   - id: 12112
@@ -1843,8 +1623,6 @@ checks:
       - 'CCE-35893-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> DisableLockScreenAppNotifications -> 1'
 
   - id: 12113
@@ -1859,8 +1637,6 @@ checks:
       - 'CCE-37528-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> AllowDomainPINLogon -> 0'
 
   - id: 12114
@@ -1875,8 +1651,6 @@ checks:
       - 'CCE-36388-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
 
   - id: 12115
@@ -1891,8 +1665,6 @@ checks:
       - 'CCE-37281-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
 
   - id: 12116
@@ -1908,8 +1680,6 @@ checks:
       - 'CCE-37346-4'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
 
   # Section 18.9 - Windows Components
@@ -1925,8 +1695,6 @@ checks:
       - 'CCE-38354-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> MSAOptional -> 1'
 
   - id: 12118
@@ -1941,8 +1709,6 @@ checks:
       - 'CCE-37636-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoAutoplayfornonVolume -> 1'
 
   - id: 12119
@@ -1957,8 +1723,6 @@ checks:
       - 'CCE-38217-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoAutorun -> 1'
 
   - id: 12120
@@ -1973,8 +1737,6 @@ checks:
       - 'CCE-36875-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
 
   - id: 12121
@@ -1989,8 +1751,6 @@ checks:
       - 'CCE-37534-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI -> DisablePasswordReveal -> 1'
 
   - id: 12122
@@ -2005,8 +1765,6 @@ checks:
       - 'CCE-36512-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI -> EnumerateAdministrators -> 0'
 
   - id: 12123
@@ -2021,8 +1779,6 @@ checks:
       - 'CCE-37775-4'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> Retention -> 0'
 
   - id: 12124
@@ -2037,8 +1793,6 @@ checks:
       - 'CCE-37948-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application -> MaxSize -> n:^(\d+) compare >= 32768'
 
   - id: 12125
@@ -2053,8 +1807,6 @@ checks:
       - 'CCE-37145-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> Retention -> 0'
 
   - id: 12126
@@ -2069,8 +1821,6 @@ checks:
       - 'CCE-37695-4'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security -> MaxSize -> n:^(\d+) compare >= 196608'
 
   - id: 12127
@@ -2085,8 +1835,6 @@ checks:
       - 'CCE-38276-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> Retention -> 0'
 
   - id: 12128
@@ -2101,8 +1849,6 @@ checks:
       - 'CCE-37526-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup -> MaxSize -> n:^(\d+) compare >= 32768'
 
   - id: 12129
@@ -2117,8 +1863,6 @@ checks:
       - 'CCE-36160-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> Retention -> 0'
 
   - id: 12130
@@ -2133,8 +1877,6 @@ checks:
       - 'CCE-36092-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System -> MaxSize -> n:^(\d+) compare >= 32768'
 
   - id: 12131
@@ -2149,8 +1891,6 @@ checks:
       - 'CCE-37809-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoDataExecutionPrevention -> 0'
 
   - id: 12132
@@ -2165,8 +1905,6 @@ checks:
       - 'CCE-36660-9'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer -> NoHeapTerminationOnCorruption -> 0'
 
   - id: 12133
@@ -2181,8 +1919,6 @@ checks:
       - 'CCE-36809-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> PreXPSP2ShellProtocolBehavior -> 0'
 
   - id: 12134
@@ -2197,8 +1933,6 @@ checks:
       - 'CCE-36939-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive -> DisableFileSyncNGSC -> 1'
 
   - id: 12135
@@ -2213,8 +1947,6 @@ checks:
       - 'CCE-36939-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Skydrive -> DisableFileSync -> 1'
 
   - id: 12136
@@ -2229,8 +1961,6 @@ checks:
       - 'CCE-36223-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
 
   - id: 12137
@@ -2245,8 +1975,6 @@ checks:
       - 'CCE-36509-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
 
   - id: 12138
@@ -2261,8 +1989,6 @@ checks:
       - 'CCE-37929-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
 
   - id: 12139
@@ -2277,8 +2003,6 @@ checks:
       - 'CCE-37567-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fEncryptRPCTraffic -> 1'
 
   - id: 12140
@@ -2293,8 +2017,6 @@ checks:
       - 'CCE-36627-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
 
   - id: 12141
@@ -2309,8 +2031,6 @@ checks:
       - 'CCE-37946-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DeleteTempDirsOnExit -> 1'
 
   - id: 12142
@@ -2325,8 +2045,6 @@ checks:
       - 'CCE-38180-6'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> PerSessionTempDir -> 1'
 
   - id: 12143
@@ -2341,8 +2059,6 @@ checks:
       - 'CCE-37126-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds -> DisableEnclosureDownload -> 1'
 
   - id: 12144
@@ -2357,8 +2073,6 @@ checks:
       - 'CCE-38277-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> AllowIndexingEncryptedStoresOrItems -> 0'
 
   - id: 12145
@@ -2373,8 +2087,6 @@ checks:
       - 'CCE-35859-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System -> EnableSmartScreen -> 2'
 
   - id: 12146
@@ -2389,8 +2101,6 @@ checks:
       - 'CCE-37112-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent -> DefaultConsent -> 1'
 
   - id: 12147
@@ -2405,8 +2115,6 @@ checks:
       - 'CCE-36978-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> AutoApproveOSDumps -> 0'
 
   - id: 12148
@@ -2421,8 +2129,6 @@ checks:
       - 'CCE-36400-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> EnableUserControl -> 0'
 
   - id: 12149
@@ -2437,8 +2143,6 @@ checks:
       - 'CCE-36919-9'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
 
   - id: 12150
@@ -2453,8 +2157,6 @@ checks:
       - 'CCE-36977-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableAutomaticRestartSignOn -> 1'
 
   - id: 12151
@@ -2467,8 +2169,6 @@ checks:
       - cis_csc: ["16.4"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -> EnableScriptBlockLogging -> 0'
 
   - id: 12152
@@ -2481,8 +2181,6 @@ checks:
       - cis_csc: ["16.4"]
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription -> EnableTranscripting -> 0'
 
   - id: 12153
@@ -2497,8 +2195,6 @@ checks:
       - 'CCE-36310-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowBasic -> 0'
 
   - id: 12154
@@ -2513,8 +2209,6 @@ checks:
       - 'CCE-37726-7'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowUnencryptedTraffic -> 0'
 
   - id: 12155
@@ -2529,8 +2223,6 @@ checks:
       - 'CCE-38318-2'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -> AllowDigest -> 0'
 
   - id: 12156
@@ -2545,8 +2237,6 @@ checks:
       - 'CCE-36254-1'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowBasic -> 0'
 
   - id: 12157
@@ -2561,8 +2251,6 @@ checks:
       - 'CCE-38223-4'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowUnencryptedTraffic -> 0'
 
   - id: 12158
@@ -2577,8 +2265,6 @@ checks:
       - 'CCE-36000-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> DisableRunAs -> 1'
 
   - id: 12159
@@ -2593,8 +2279,6 @@ checks:
       - 'CCE-36172-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
 
   - id: 12160
@@ -2609,8 +2293,6 @@ checks:
       - 'CCE-36172-5'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> ScheduledInstallDay -> 0'
 
   - id: 12161
@@ -2625,6 +2307,4 @@ checks:
       - 'CCE-37027-0'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'

From 09567e0359415d1ad1cfb702924db512800fd7cb Mon Sep 17 00:00:00 2001
From: Cristina Maria Garrido Lopez
Date: Fri, 16 Aug 2019 08:33:05 +0200
Subject: [PATCH 244/247] Remove registry checks from generic policy and win2012r2_memberL2

---
 sca/windows/cis_win2012r2_memberL2.yml | 102 ------------------
 sca/windows/sca_win_audit.yml          | 144 -------------------------
 2 files changed, 246 deletions(-)

diff --git a/sca/windows/cis_win2012r2_memberL2.yml b/sca/windows/cis_win2012r2_memberL2.yml
index 6f6504061..03c8747d2 100644
--- a/sca/windows/cis_win2012r2_memberL2.yml
+++ b/sca/windows/cis_win2012r2_memberL2.yml
@@ -38,8 +38,6 @@ checks:
       - 'CCE-38240-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
-      - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount'
       - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> CachedLogonsCount -> r:^0$|^1$|^2$|^3$|^4$'
 
   # Section 2.3.10 - Network access
@@ -55,8 +53,6 @@ checks:
       - 'CCE-38119-4'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'
-      - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds'
       - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1'
 
   # Section 18.4 - MSS (Legacy)
@@ -72,8 +68,6 @@ checks:
       - 'CCE-36868-8'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> KeepAliveTime -> 300000'
 
   - id: 12503
@@ -88,8 +82,6 @@ checks:
       - 'CCE-38065-9'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> PerformRouterDiscovery -> 0'
 
   - id: 12504
@@ -104,8 +96,6 @@ checks:
       - 'CCE-37846-3'
     condition: all
     rules:
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
-      - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
       - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
 
   - id: 12505
@@ -120,8 +110,6 @@ checks: - 'CCE-36051-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3' # Section 18.5.9 - Link-Layer Topology Discovery @@ -137,14 +125,9 @@ checks: - 'CCE-38170-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnDomain -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowLLTDIOOnPublicNet -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableLLTDIO -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitLLTDIOOnPrivateNet -> 0' - id: 12507 
@@ -159,14 +142,9 @@ checks: - 'CCE-37959-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnDomain -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> AllowRspndrOnPublicNet -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> EnableRspndr -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD -> ProhibitRspndrOnPrivateNet -> 0' # Section 18.5.10 - Microsoft Peer-to-Peer Networking Services @@ -182,8 +160,6 @@ checks: - 'CCE-37699-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet -> Disabled -> 1' # Section 18.5.19.2 - Parameters @@ -196,8 +172,6 @@ checks: - cis_csc: ["9"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> DisabledComponents -> 255' # Section 18.5.20 - Windows Connect Now 
@@ -213,16 +187,10 @@ checks: - 'CCE-37481-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> EnableRegistrars -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableUPnPRegistrar -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableInBand802DOT11Registrar -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableFlashConfigRegistrar -> 0' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars -> DisableWPDRegistrar -> 0' - id: 12511 @@ -237,8 +205,6 @@ checks: - 'CCE-36109-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI -> DisableWcnUi -> 1' # Section 18.5.21 - Windows Connection Manager @@ -254,8 +220,6 @@ checks: - 'CCE-37627-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy -> fBlockNonDomain -> 1' # Section 18.8.22.1 - Internet Communication settings 
@@ -269,8 +233,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC -> PreventHandwritingDataSharing -> 1' - id: 12514 @@ -285,8 +247,6 @@ checks: - 'CCE-37911-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports -> PreventHandwritingErrorReports -> 1' - id: 12515 @@ -301,8 +261,6 @@ checks: - 'CCE-37163-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard -> ExitOnMSICW -> 1' - id: 12516 @@ -316,8 +274,6 @@ checks: - 'CCE-36352-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control' - - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration' - 'r:HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1' - id: 12517 @@ -332,8 +288,6 @@ checks: - 'CCE-36884-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1' - id: 12518 
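Review bot: The rule kept for id 12516 (CCE-36352-3) points at `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Registration Wizard Control`, which omits the `SOFTWARE\` segment that every neighbouring policy rule in this file carries; HKLM has no top-level `Policies` subkey, so the check will fail no matter how the policy is set. Now that the separate key-existence rule that would have surfaced the bad path is gone, the path should be corrected in the same change: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control -> NoRegistration -> 1'`. The check's title and description lie outside the hunk.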
@@ -348,8 +302,6 @@ checks: - 'CCE-38275-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoOnlinePrintsWizard -> 1' - id: 12519 @@ -364,8 +316,6 @@ checks: - 'CCE-37090-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1' - id: 12520 @@ -380,8 +330,6 @@ checks: - 'CCE-36628-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2' - id: 12521 @@ -396,8 +344,6 @@ checks: - 'CCE-36174-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows -> CEIPEnable -> 0' - id: 12522 
@@ -412,11 +358,7 @@ checks: - 'CCE-35964-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0' # Section 18.8.26 - Locale Services @@ -432,8 +374,6 @@ checks: - 'CCE-36343-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International -> BlockUserInputMethodsForSignIn -> 1' # Section 18.8.36 - Remote Procedure Call @@ -449,8 +389,6 @@ checks: - 'CCE-36559-3' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1' # Section 18.8.44.5 - Microsoft Support Diagnostic Tool @@ -466,8 +404,6 @@ checks: - 'CCE-38161-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy -> DisableQueryRemoteServer -> 0' # Section 18.8.44.11 - Windows Performance PerfTrack 
@@ -483,8 +419,6 @@ checks: - 'CCE-36648-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} -> ScenarioExecutionEnabled -> 0' # Section 18.8.46 User Profiles @@ -500,8 +434,6 @@ checks: - 'CCE-36931-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo -> DisabledByGroupPolicy -> 1' # Section 18.8.49.1 - Time Providers @@ -517,8 +449,6 @@ checks: - 'CCE-37843-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient -> Enabled -> 1' - id: 12529 @@ -533,8 +463,6 @@ checks: - 'CCE-37319-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer -> Enabled -> 0' # Section 18.9.39 - Location and Sensors 
@@ -549,8 +477,6 @@ checks: - 'CCE-38225-9' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableWindowsLocationProvider -> 1' - id: 12531 @@ -565,8 +491,6 @@ checks: - 'CCE-36886-0' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors -> DisableLocation -> 1' # Section 18.9.58.3.2 - Connections @@ -581,8 +505,6 @@ checks: - 'CCE-37708-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fSingleSessionPerUser -> 1' # Section 18.9.58.3.3 Device and Resource Redirection @@ -598,8 +520,6 @@ checks: - 'CCE-37696-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1' - id: 12534 @@ -614,8 +534,6 @@ checks: - 'CCE-37778-8' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableLPT -> 1' - id: 12535 
@@ -630,8 +548,6 @@ checks: - 'CCE-37477-7' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisablePNPRedir -> 1' # Section 18.9.58.3.10 - Session Time Limits @@ -647,8 +563,6 @@ checks: - 'CCE-37562-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare <= 900000' - id: 12537 @@ -663,8 +577,6 @@ checks: - 'CCE-37949-5' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxDisconnectionTime -> 60000' # Section 18.9.60.1 - OCR @@ -680,8 +592,6 @@ checks: - 'CCE-36937-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search -> ConnectedSearchPrivacy -> 3' # Section 18.9.56 - Software Protection Platform 
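Review bot: The surviving rule for id 12536 (CCE-37562-6), `MaxIdleTime -> n:^(\d+) compare <= 900000`, accepts a value of 0, and for this Terminal Services setting 0 means idle sessions are never disconnected, so a host with the limit switched off passes a check whose intent is a limit of 15 minutes or less. The patch already combines two numeric conditions with `&&` in the `PasswordExpiryWarning` rule of sca_win_audit.yml, so the same form fits here: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MaxIdleTime -> n:^(\d+) compare >= 1 && n:^(\d+) compare <= 900000'`. The check's title and rationale are outside the hunk.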
@@ -694,8 +604,6 @@ checks: - cis: ["18.9.65.1"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform -> NoGenTicket -> 1' # Section 18.9.76.3 - MAPS @@ -708,8 +616,6 @@ checks: - cis: ["18.9.76.3.2"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet -> SpynetReporting -> 0' # Section - 18.9.76.9 - Reporting @@ -725,8 +631,6 @@ checks: - 'CCE-36950-4' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting -> DisableGenericRePorts -> 1' # Section 18.9.85 - Windows Installer @@ -742,8 +646,6 @@ checks: - 'CCE-37524-6' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> SafeForScripting -> 0' # Section 18.9.97.2 - WinRM Service @@ -759,8 +661,6 @@ checks: - 'CCE-37927-1' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service -> AllowAutoConfig -> 0' # Section 18.9.98 - Windows Remote Shell 
@@ -776,6 +676,4 @@ checks: - 'CCE-36499-2' condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS -> AllowRemoteShellAccess -> 0' diff --git a/sca/windows/sca_win_audit.yml b/sca/windows/sca_win_audit.yml index d2c989ae8..4681d4c43 100644 --- a/sca/windows/sca_win_audit.yml +++ b/sca/windows/sca_win_audit.yml @@ -31,8 +31,6 @@ checks: - cis_csc: ["16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LimitBlankPasswordUse -> 1' - id: 14001 @@ -44,8 +42,6 @@ checks: - cis_csc: ["6"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> CrashOnAuditFail -> 0' - id: 14002 @@ -57,8 +53,6 @@ checks: - cis_csc: ["5.1"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AllocateDASD -> 0' - id: 14003 @@ -70,8 +64,6 @@ checks: - cis_csc: ["5.1"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers -> AddPrinterDrivers -> 1' - id: 14004 
@@ -83,8 +75,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireSignOrSeal -> 1' - id: 14005 @@ -96,8 +86,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SealSecureChannel -> 1' - id: 14006 title: "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" @@ -108,8 +96,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> SignSecureChannel -> 1' - id: 14007 @@ -121,8 +107,6 @@ checks: - cis_csc: ["16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> DisablePasswordChange -> 0' - id: 14008 @@ -134,8 +118,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters -> RequireStrongKey -> 1' - id: 14009 
@@ -147,8 +129,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DontDisplayLastUserName -> 1' - id: 14010 @@ -160,8 +140,6 @@ checks: - cis_csc: ["8"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableCAD -> 0' - id: 14011 @@ -173,8 +151,6 @@ checks: - cis_csc: ["16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> PasswordExpiryWarning -> n:^(\d+) compare >= 5 && n:^(\d+) compare <= 14' - id: 14012 @@ -186,8 +162,6 @@ checks: - cis_csc: ["16.5"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScRemoveOption -> r:^1$|^2$|^3$' - id: 14013 @@ -199,8 +173,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> RequireSecuritySignature -> 1' - id: 14014 
@@ -212,8 +184,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnableSecuritySignature -> 1' - id: 14015 @@ -225,8 +195,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters -> EnablePlainTextPassword -> 0' - id: 14016 @@ -238,8 +206,6 @@ checks: - cis_csc: ["3"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> AutoDisconnect -> n:^(\d+) compare <= 15' - id: 14017 @@ -251,8 +217,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RequireSecuritySignature -> 1' - id: 14018 @@ -264,8 +228,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> EnableSecuritySignature -> 1' - id: 14019 
@@ -277,8 +239,6 @@ checks: - cis_csc: ["16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RestrictAnonymousSAM -> 1' - id: 14020 @@ -290,8 +250,6 @@ checks: - cis_csc: ["16.14"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> DisableDomainCreds -> 1' - id: 14021 @@ -303,8 +261,6 @@ checks: - cis_csc: ["14, 16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> EveryoneIncludesAnonymous -> 0' - id: 14022 @@ -316,8 +272,6 @@ checks: - cis_csc: ["14, 16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> RestrictNullSessAccess -> 1' - id: 14023 @@ -329,8 +283,6 @@ checks: - cis_csc: ["14, 16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares' - 'not r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters -> NullSessionShares -> r:\.' - id: 14024 
@@ -342,8 +294,6 @@ checks: - cis_csc: ["14, 16"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> ForceGuest -> 0' - id: 14025 @@ -355,8 +305,6 @@ checks: - cis_csc: ["16.14"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> NoLMHash -> 1' - id: 14026 @@ -368,8 +316,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 5' - id: 14027 @@ -381,8 +327,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP -> LDAPClientIntegrity -> n:^(\d+) compare >= 1' - id: 14028 @@ -394,8 +338,6 @@ checks: - cis_csc: ["13"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinClientSec -> 537395200' - id: 14029 @@ -409,8 +351,6 @@ checks: - https://workbench.cisecurity.org/benchmarks/288 condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 -> NTLMMinServerSec -> 537395200' - id: 14030 
@@ -420,8 +360,6 @@ checks: remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\System objects: Require case insensitivity for non- Windows subsystems." condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel -> ObCaseInsensitive -> 1' - id: 14031 @@ -433,8 +371,6 @@ checks: - cis_csc: ["14.4"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager' - - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode' - 'r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager -> ProtectionMode -> 1' - id: 14032 @@ -446,8 +382,6 @@ checks: - cis_csc: ["9.2"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile -> EnableFirewall -> 1' - id: 14033 @@ -459,8 +393,6 @@ checks: - cis_csc: ["9.2"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile -> EnableFirewall -> 1' - id: 14034 
@@ -471,8 +403,6 @@ checks: - nist_800_53: ["AU.6"] condition: all rules: - - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' - - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools' - 'r:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools -> 0' - id: 14035 @@ -486,8 +416,6 @@ checks: - https://support.microsoft.com/es-es/help/825750/how-to-disable-dcom-support-in-windows condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE' - - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM' - 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> Y' - id: 14036 @@ -498,8 +426,6 @@ checks: - nist_800_53: ["AU.6", "SI.4"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' - - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel' - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA -> LMCompatibilityLevel -> r:^5$' # Disabled by some Malwares (sometimes by McAfee and Symantec @@ -512,11 +438,6 @@ checks: - nist_800_53: ["AU.6"] condition: all rules: - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify' - - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> FirewallDisableNotify -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> antivirusoverride -> 0' - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisablenotify -> 0' 
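Review bot: The rule kept for id 14035, `EnableDCOM -> Y`, passes only when DCOM is enabled, yet the check's sole reference is Microsoft's article on disabling DCOM support (KB 825750), which sets that value to `N`. If the title (outside the hunk) asks for DCOM to be disabled, the expected value is inverted and the check reports the insecure state as compliant; the line would then read `- 'r:HKEY_LOCAL_MACHINE\Software\Microsoft\OLE -> EnableDCOM -> N'`. If the check is instead meant to confirm DCOM is enabled, the reference should be replaced, because as written the rule and its justification disagree.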
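Review bot: In the Security Center hunk (`@@ -512,11 +438,6 @@`), the removed `firewalldisableoverride` rule was the only rule referencing that value, and the trailing context shows value checks only for `FirewallDisableNotify`, `antivirusoverride` and `firewalldisablenotify`; unless a `firewalldisableoverride -> 0` rule follows beyond the three lines of context, the override value is no longer checked at all after this commit. Add `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> firewalldisableoverride -> 0'` so the check keeps its original coverage. Note also that `FirewallDisableNotify` and `firewalldisablenotify` name the same value, since registry value names are case-insensitive, so the first and third kept rules test the same thing twice and one of them can go.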
@@ -531,8 +452,6 @@ checks:
- nist_800_53: ["AU.6", "SC.7"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile'
- - 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall'
- 'r:HKEY_LOCAL_MACHINE\software\policies\microsoft\windowsfirewall\domainprofile -> enablefirewall -> 1'
- id: 14039
@@ -542,8 +461,6 @@ checks:
- nist_800_53: ["SI.4"]
condition: all
rules:
- - 'r:HKLM\System\CurrentControlSet\Control\Lsa'
- - 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous'
- 'r:HKLM\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 1'
- id: 14040
@@ -556,11 +473,7 @@ checks:
- https://windowsir.blogspot.com/2007/04/something-new-to-look-for.html
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting -> DoReport -> 0'
- id: 14041
@@ -572,7 +485,6 @@ checks:
condition: any
rules:
- 'not r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> DefaultPassword'
- - 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
- 'r:HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- id: 14042
@@ -598,8 +510,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0'
- id: 14044
@@ -613,8 +523,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -> DisableIPSourceRouting -> 2'
- id: 14045
@@ -628,8 +536,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> DisableIPSourceRouting -> 2'
- id: 14046
@@ -643,8 +549,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> SafeDllSearchMode -> 1'
- id: 14047
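Review bot: The hunk at -598/+510 leaves a check whose only rule, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0`, asserts the same value as the `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon -> AutoAdminLogon -> 0` rule of the `condition: any` check at -572/+485 earlier in this file (`HKLM` and `HKEY_LOCAL_MACHINE` are the same hive, and key paths are case-insensitive). The same registry value is therefore reported under two check ids, with the only difference being the `not ... -> DefaultPassword` alternative in the earlier one. Consider folding this rule into that check or noting in its rationale why both exist; the check titles sit outside the hunks, so I can't tell whether they map to distinct benchmark items.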
@@ -658,8 +562,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> ScreenSaverGracePeriod -> n:^(\d+) compare <= 5'
- id: 14048
@@ -673,8 +575,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security -> WarningLevel -> n:^(\d+) compare <= 90'
- id: 14049
@@ -686,8 +586,6 @@ checks:
- cis_csc: ["3.7"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} -> NoBackgroundPolicy -> 0'
- id: 14050
@@ -699,8 +597,6 @@ checks:
- cis_csc: ["2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableWebPnPDownload -> 1'
- id: 14051
@@ -712,8 +608,6 @@ checks:
- cis_csc: ["7"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoWebServices -> 1'
- id: 14052
@@ -725,8 +619,6 @@ checks:
- cis_csc: ["13.1"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers -> DisableHTTPPrinting -> 1'
- id: 14053
@@ -738,8 +630,6 @@ checks:
- cis_csc: ["9.1"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowUnsolicited -> 0'
- id: 14054
@@ -751,8 +641,6 @@ checks:
- cis_csc: ["5.1"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fAllowToGetHelp -> 0'
- id: 14055
@@ -764,8 +652,6 @@ checks:
- cis_csc: ["8.3"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDriveTypeAutoRun -> 255'
- id: 14056
@@ -777,8 +663,6 @@ checks:
- cis_csc: ["16.4"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> DisablePasswordSaving -> 1'
- id: 14057
@@ -790,8 +674,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCdm -> 1'
- id: 14058
@@ -803,8 +685,6 @@ checks:
- cis_csc: ["16.14"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fPromptForPassword -> 1'
- id: 14059
@@ -816,8 +696,6 @@ checks:
- cis_csc: ["3.4"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> 3'
- id: 14060
@@ -829,8 +707,6 @@ checks:
- cis_csc: ["5.1"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer -> AlwaysInstallElevated -> 0'
- id: 14061
title: "Ensure 'Configure Automatic Updates' is set to 'Enabled'"
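Review bot: In the hunk at -816/+696 the remaining rule `Terminal Services -> MinEncryptionLevel -> 3` matches the value literally, so a host set to a stricter level than 3 would fail a check whose intent is a minimum (as far as I recall, 4 is the FIPS-compliant level; confirm against the benchmark text, which lies outside the hunk). This file already expresses thresholds with numeric comparison (`ScreenSaverGracePeriod -> n:^(\d+) compare <= 5` in the hunk at -658/+562), so the same idiom fits here: `- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> MinEncryptionLevel -> n:^(\d+) compare >= 3'`. If the benchmark really requires exactly 3, keep the literal but say so in the check's rationale.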
@@ -841,8 +717,6 @@ checks:
- cis_csc: ["4.5"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoUpdate -> 0'
- id: 14062
@@ -854,8 +728,6 @@ checks:
- cis_csc: ["4.5"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -> NoAutoRebootWithLoggedOnUsers -> 0'
- id: 14063
@@ -869,8 +741,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters -> TcpMaxDataRetransmissions -> 3'
- id: 14064
@@ -884,8 +754,6 @@ checks:
- https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
- - 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions'
- 'r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -> TcpMaxDataRetransmissions -> 3'
- id: 14065
@@ -897,8 +765,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion -> DisableContentFileUpdates -> 1'
- id: 14066
@@ -910,8 +776,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoPublishingWizard -> 1'
- id: 14067
@@ -923,8 +787,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client -> CEIP -> 2'
- id: 14068
@@ -936,8 +798,6 @@ checks:
- cis_csc: ["13"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting -> Disabled -> 1'
- id: 14069
@@ -949,8 +809,6 @@ checks:
- cis_csc: ["9.1", "9.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> EnableAuthEpResolution -> 1'
- id: 14070
@@ -962,6 +820,4 @@ checks:
- cis_csc: ["9.1", "9.2"]
condition: all
rules:
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
- - 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc -> RestrictRemoteClients -> 1'
From 783206fb9a1ff38af542e1b5e2adca5ef61c7feb Mon Sep 17 00:00:00 2001
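Review bot: The hunk at -936/+798 leaves `Windows Error Reporting -> Disabled -> 1` as the sole rule of its check, and that exact rule is also the first rule of the check at -556/+473 earlier in this file, so one registry value is now reported under two check ids with different compliance tags. Either drop this check or have it cover what the earlier one does not (the earlier check additionally requires `PCHealth\ErrorReporting -> DoReport -> 0`), and note the overlap in whichever rationale survives. The check titles and ids are outside these hunks, so I can't tell whether the duplication maps to two distinct benchmark items.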
From: Cristina Maria Garrido Lopez
Date: Fri, 16 Aug 2019 12:18:39 +0200
Subject: [PATCH 245/247] Remove strange character which skips policy
---
sca/darwin/15/cis_apple_macOS_10.11.yml | 2 +-
sca/darwin/16/cis_apple_macOS_10.12.yml | 2 +-
sca/darwin/17/cis_apple_macOS_10.13.yml | 2 +-
sca/windows/cis_win10_enterprise_L1.yml | 2 +-
sca/windows/cis_win10_enterprise_L2.yml | 6 +++---
sca/windows/cis_win2012r2_domainL2.yml | 2 +-
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/sca/darwin/15/cis_apple_macOS_10.11.yml b/sca/darwin/15/cis_apple_macOS_10.11.yml
index 01dae7c3c..ce7568071 100644
--- a/sca/darwin/15/cis_apple_macOS_10.11.yml
+++ b/sca/darwin/15/cis_apple_macOS_10.11.yml
@@ -171,7 +171,7 @@ checks:
# 2.5.1 Disable "Wake for network access" (Scored)
- id: 7511
title: "Disable \"Wake for network access\""
- description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode."
+ description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode."
rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
compliance:
diff --git a/sca/darwin/16/cis_apple_macOS_10.12.yml b/sca/darwin/16/cis_apple_macOS_10.12.yml
index 6a364e39f..99001adf6 100644
--- a/sca/darwin/16/cis_apple_macOS_10.12.yml
+++ b/sca/darwin/16/cis_apple_macOS_10.12.yml
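Review bot: The `remediation` context line in this hunk runs `sudo pmset -a womp 0` but then explains the `-c` flag ("wall power") and warns that other power sources need different settings, which contradicts `-a` (to my knowledge the all-power-sources flag) as written; the 10.13 hunk further down drops the note, so the three files disagree. Since this commit is already touching these description strings to fix encoding, it would be cheap to align the text too: either `sudo pmset -a womp 0` with the `-c` note removed, or `sudo pmset -c womp 0` with the note kept. This is a pre-existing string on a context line, not something the commit changed.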
@@ -159,7 +159,7 @@ checks:
# 2.5.1 Disable "Wake for network access" (Scored)
- id: 8010
title: "Disable \"Wake for network access\""
- description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+ description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
remediation: "Run the following command in Terminal: sudo pmset -a womp 0 Note: The -c flag means \"wall power.\" Different settings must be used for other power sources."
compliance:
diff --git a/sca/darwin/17/cis_apple_macOS_10.13.yml b/sca/darwin/17/cis_apple_macOS_10.13.yml
index 839ebb450..adb6c49b3 100644
--- a/sca/darwin/17/cis_apple_macOS_10.13.yml
+++ b/sca/darwin/17/cis_apple_macOS_10.13.yml
@@ -160,7 +160,7 @@ checks:
# 2.5.1 Disable "Wake for network access" (Scored)
- id: 8510
title: "Disable \"Wake for network access\""
- description: "This feature allows other users to be able to access your computer’s shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
+ description: "This feature allows other users to be able to access your computer's shared resources, such as shared printers or iTunes playlists, even when your computer is in sleep mode. In a closed network when only authorized devices could wake a computer it could be valuable to wake computers in order to do management push activity. Where mobile workstations and agents exist the device will more likely check in to receive updates when already awake. Mobile devices should not be listening for signals on unmanaged network where untrusted devices could send wake signals."
rationale: "Disabling this feature mitigates the risk of an attacker remotely waking the system and gaining access."
remediation: "Run the following command in Terminal: sudo pmset -a womp 0"
compliance:
diff --git a/sca/windows/cis_win10_enterprise_L1.yml b/sca/windows/cis_win10_enterprise_L1.yml
index 118754f71..de61a939b 100644
--- a/sca/windows/cis_win10_enterprise_L1.yml
+++ b/sca/windows/cis_win10_enterprise_L1.yml
@@ -2518,7 +2518,7 @@ checks:
- id: 13184
title: "Ensure 'Configure Password Manager' is set to 'Disabled'"
description: "This setting lets you decide whether employees can save their passwords locally, using Password Manager."
- rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user’s desktop (including a coworker who sits down at a user’s desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
+ rationale: "Using Password Manager can potentially makes it easier for an unauthorized user who gains access to the user's desktop (including a coworker who sits down at a user's desk soon after the user walks away and forgets to lock their workstation), to log in to sites as the user, without needing to know or enter the password."
remediation: "To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Microsoft Edge\\Configure Password Manager"
compliance:
- cis: ["18.9.45.5"]
diff --git a/sca/windows/cis_win10_enterprise_L2.yml b/sca/windows/cis_win10_enterprise_L2.yml
index a702f00d0..c92800c22 100644
--- a/sca/windows/cis_win10_enterprise_L2.yml
+++ b/sca/windows/cis_win10_enterprise_L2.yml
@@ -97,7 +97,7 @@ checks:
- id: 13505
title: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'"
description: "This service monitors the current location of the system and manages geofences (a geographical location with associated events). The recommended state for this setting is: Disabled."
- rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+ rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\Geolocation Service"
compliance:
- cis: ["5.5"]
@@ -168,7 +168,7 @@ checks:
- id: 13511
title: "Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'"
- description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’. The recommended state for this setting is: Disabled."
+ description: "This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer'. The recommended state for this setting is: Disabled."
rationale: "Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff."
remediation: "To establish the recommended configuration via GP, set the following UI path to: Disabled. Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\PNRP Machine Name Publication Service"
compliance:
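Review bot: The added `description` line still carries the left single quotation mark (U+2018) in front of `p2p pnrp peer` — only the closing curly quote was turned into an ASCII apostrophe, so the result is `‘p2p pnrp peer'`. If a non-ASCII character is what makes the policy get skipped, as the commit subject says, this file will keep triggering it after the fix. Replace the opening character too: `Configuration is managed via the netsh context 'p2p pnrp peer'.` A search for bytes outside ASCII across the sca/ tree (for example `grep -rnP '[^\x00-\x7F]' sca/`) would show whether other policies have the same leftover.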
@@ -837,7 +837,7 @@ checks:
- id: 13560
title: "Ensure 'Turn off location' is set to 'Enabled'"
description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
- rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+ rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.39.2"]
diff --git a/sca/windows/cis_win2012r2_domainL2.yml b/sca/windows/cis_win2012r2_domainL2.yml
index 66a060278..82137c1a8 100644
--- a/sca/windows/cis_win2012r2_domainL2.yml
+++ b/sca/windows/cis_win2012r2_domainL2.yml
@@ -409,7 +409,7 @@ checks:
- id: 11526
title: "Ensure 'Turn off location' is set to 'Enabled'"
description: "This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled."
- rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
+ rationale: "This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments."
remediation: "To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Location and Sensors\\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer)."
compliance:
- cis: ["18.9.39.2"]
From 2074ffc08fc4e25e6ad9eee8126cdd2db2935daa Mon Sep 17 00:00:00 2001
From: Skeptor
Date: Mon, 19 Aug 2019 11:25:14 +0200
Subject: [PATCH 246/247] Extend information on default paths for web_vuln policy
---
sca/applications/web_vulnerabilities.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sca/applications/web_vulnerabilities.yml b/sca/applications/web_vulnerabilities.yml
index dc898144d..e8f0993be 100644
--- a/sca/applications/web_vulnerabilities.yml
+++ b/sca/applications/web_vulnerabilities.yml
@@ -21,7 +21,9 @@ requirements:
- 'f:$php.ini'
- 'd:$web_dirs'
-# Set variables to match your installation
+# In case your configuration files are not located on these paths, set the variables to match your php.ini file and your web directory
+# Other possible default locations for php.ini: /var/www/conf/php.ini,/etc/php5/apache2/php.ini
+# Other possible default locations for web directory: /var/htdocs,/home/httpd,/usr/local/apache,/usr/local/apache2,/usr/local/www
variables:
$php.ini: /etc/php.ini
$web_dirs: /var/www
From edf0616a9d70b819fef178451c87f97778940164 Mon Sep 17 00:00:00 2001
From: Chema Martinez
Date: Tue, 20 Aug 2019 05:09:08 -0700
Subject: [PATCH 247/247] Remove rule for Solaris in generic SCA policy
---
sca/generic/sca_unix_audit.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sca/generic/sca_unix_audit.yml b/sca/generic/sca_unix_audit.yml
index bf241d306..26bcfa147 100644
--- a/sca/generic/sca_unix_audit.yml
+++ b/sca/generic/sca_unix_audit.yml
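Review bot: The new comment lists alternative paths but never says what happens when the defaults below are wrong, which is the thing an operator needs when the policy produces no results: `f:$php.ini` and `d:$web_dirs` sit under `requirements:`, so an unmet one presumably skips the whole policy rather than failing individual checks. I would open the comment with that: `# The requirements above must match your installation; if either path is missing the whole policy is skipped, not just one check.` The comma-joined lists also read as if `$php.ini` and `$web_dirs` accept several values; if each takes a single path, say so ("pick the one that applies") to avoid someone pasting the list into the variable.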
@@ -261,14 +261,13 @@ checks:
title: "Ensure password expiration is 365 days or less"
description: "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days."
rationale: "The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity."
- remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs or /etc/default/passwd (Solaris)."
+ remediation: "Set the PASS_MAX_DAYS parameter to conform to site policy in /etc/login.defs."
compliance:
- cis_csc: ["4.4", "16"]
references:
- https://www.thegeekdiary.com/understanding-etclogin-defs-file
condition: any
rules:
- - 'f:/etc/default/passwd -> n:^MAXWEEKS=(\d+)$ compare <= 52'
- 'f:/etc/login.defs -> n:^PASS_MAX_DAYS\s*\t*(\d+)$ compare <= 365'
- id: 4020
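Review bot: With the Solaris rule removed, `condition: any` now governs a single rule, which reads as if an alternative still exists; `condition: all` states what is actually meant and is the form the other single-rule checks in this series use. Worth stating in the commit or the check's rationale is the behavioural consequence: this is the generic Unix policy, so a host without `/etc/login.defs` now fails this check outright instead of being evaluated through `/etc/default/passwd` — fine if Solaris is no longer a target, but the `description` and `remediation` only name `/etc/login.defs`, so a reader gets no hint. The check's `- id:` line sits just above this hunk, outside it.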